What is PRISMEX malware ?

PRISMEX is APT28's modular suite using steganography in images, COM hijacking for persistence, and cloud services for C2—deployed via zero-day chains against Ukraine and NATO targets.

How does APT28 exploit CVE-2026-21509 and CVE-2026-21513?

CVE-2026-21509 fetches a malicious LNK; that exploits CVE-2026-21513 to silently run payloads, bypassing alerts in a chained attack.

Does PRISMEX only spy or also destroy?

It steals (Outlook data) but packs wiper potential—seen wiping user profiles in tests, hinting at sabotage alongside espionage.

🌐 Nation-State Threats

APT28's PRISMEX: Zero-Days and Hidden Payloads Assault Ukraine's Lifelines

Exactly two weeks before Microsoft patched it, APT28 had servers primed for CVE-2026-21509. This isn't random phishing—it's a precision strike on Ukraine's war machine and its allies.

theAIcatchup Apr 08, 2026 4 min read

Diagram of APT28 PRISMEX malware attack chain targeting Ukraine logistics and NATO partners

⚡ Key Takeaways

APT28 weaponized zero-days two weeks pre-disclosure, chaining CVE-2026-21509 and CVE-2026-21513 for silent execution. 𝕏
PRISMEX hides payloads in PNGs via custom steganography, uses COM hijacking, and legitimate clouds for stealthy C2. 𝕏
Targets Ukraine's defense logistics and NATO allies signal hybrid warfare prep—espionage today, disruption tomorrow. 𝕏

Published by

theAIcatchup

Threat intelligence. Zero noise.

#APT28 #PRISMEX malware #steganography #zero-day exploits

Worth sharing?

Get the best Cybersecurity stories of the week in your inbox — no noise, no spam.

Originally reported by The Hacker News

⚡ Key Takeaways

The 60-Second TL;DR

theAIcatchup

Share this article

Worth sharing?

Related Stories

Pawn Storm's PRISMEX: Hiding in Emails to Gut Ukraine's Defenses

Fancy Bear's Router Hijack: 5,000 Devices Fueling Russia's Fake News Blitz

Russia's Router Spies Hit 18,000 Devices — Feds Finally Unplug the Mess

FBI Crushes GRU's Router Snooping Scheme: DNS Tricks and Hacked Home Gear Exposed

Stay in the loop