INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
Fancy Bear APT Continues Global Onslaught
2026-04-09 20:50 | CRITICAL | HIGH
Executive Summary (AI-generated)
The threat landscape is increasingly complex, with multiple actors and tactics on the rise. Fancy Bear, a cyber-espionage group believed to operate at the behest of Russian military intelligence, continues its global onslaught. The group has targeted governments and organizations for years, including in 2016, and has been linked to US election interference. Recent incidents have highlighted Pawn Storm's adaptability and effectiveness, with a collection of malware components known as "Prismex" used to target the defense supply chain of Ukraine and its allies. Security vendors have warned about the group's use of social engineering and phishing, as well as credential theft campaigns that exploit critical vulnerabilities. The threat actor remains a significant concern, with multiple reports linking Pawn Storm to the GRU and to compromised SOHO routers used for malicious DNS hijacking operations.
Technical Mitigations (AI-generated)
* Implement a robust security patching strategy to address known vulnerabilities, including Windows zero-days and patched Outlook vulnerabilities.
* Use cloud security solutions that include DNS hijacking protection and malware detection to minimize the impact of Pawn Storm's PRISMEX malware on critical infrastructure.
* Conduct regular vulnerability assessments and penetration testing to identify potential entry points for Pawn Storm's attacks.
* Educate users about spear-phishing tactics, such as phishing emails with malicious attachments or links, and provide training on how to recognize and report suspicious activity.
* Enforce multi-factor authentication (MFA), backed by strong passwords, wherever possible to prevent Pawn Storm from gaining unauthorized access.
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
Campaigns: Operation Neusploit; Campaign Targeting Ukraine
Actors: APT28
Malware: Medusa Ransomware; Denis
CVEs: CVE-2026-21513; CVE-2023-50224; CVE-2026-21509; CVE-2023-23397
Target & Sectors: NORTH_AMERICA
Incident Timeline
April 2022
Russia's Forest Blizzard exploited SOHO routers to gain unauthorized access and steal logins.
Related: Russia's Forest Blizzard Nabs Rafts of Logins via SOHO Routers
The security vendor followed this up with another blog post on April 3, dedicated to Pawn Storm's use of NTLMv2 hash relay attacks through different methods against a wide range of global targets between April 2022 and November 2023.
November 2023
Russia's Forest Blizzard exploited multiple Windows vulnerabilities to gain unauthorized access.
Between these campaigns and APT28's alleged router attacks reported by governments around the world, APT28's influence remains unmistakable.
Prismex leverages multiple Windows vulnerabilities, Trend Micro said in its late March blog post, including "a confirmed Windows zero-day" in CVE-2026-21513 as well as Microsoft Office bug CVE-2026-21509.
at least 2024
Russia's GRU actors used compromised devices to introduce attacker-controlled DNS resolvers and set up adversary-in-the-middle attacks against encrypted traffic.
late February 2025
Threat actors used a Microsoft Shortcut (LNK) exploit to weaponize CVE-2026-21513 as a zero-day vulnerability in Windows.
In late February 2025, Akamai also disclosed that APT28 may have weaponized CVE-2026-21513 as a zero-day based on a Microsoft Shortcut (LNK) exploit that was uploaded to VirusTotal on January 30, 2026, well before the Windows maker pushed out a fix as part of its Patch Tuesday update on February 10, 2026.
late 2025
PrismexStager is assessed to be an expansion of MiniDoor and NotDoor, a Microsoft Outlook backdoor deployed by the hacking group in late 2025.
June 2025
Threat actors used COVENANT, an open-source command-and-control framework.
APT28's use of COVENANT, an open-source command-and-control (C2) framework, was first highlighted by the Computer Emergency Response Team of Ukraine (CERT-UA) in June 2025.
at least September 2025
Threat actors used malware to gain unauthorized access to compromised systems.
September 2025
APT28, a threat actor linked to Russia's GRU, continues its global onslaught by leveraging various techniques including DNS hijacking networks and exploiting vulnerabilities such as CVE-2023-23397.
This matches the more recent MO of APT28, which has included both espionage and more destructive threat activity.
Later in 2023, APT28 engaged in credential-targeting phishing campaigns against European government entities.
For these, APT28 leveraged critical (patched) Outlook vulnerability CVE-2023-23397.
To anonymize itself, APT28 leveraged VPNs, Tor, data center IP addresses, and compromised EdgeOS routers.
Whether they're a small organization or even a reasonably resourced government, it's hard to match a 20-year APT leveraging the full weight of the GRU.
Denis Calderone, CTO and principal of Suzu Labs, tells Dark Reading that such a question assumes one has to match APT28's level of sophistication, and the answer is, he says, "You don't."
The honest caveat is that if those basics fail and APT28 gets inside, a small org without dedicated security operations is going to have a very hard time catching them.
Before that, it's much of the same trickery security professionals see from anyone: phishing emails, ClickFix prompts, exploiting weak credentials, and so on.
"Another lesson here is that Pawn Storm targets not only high-profile entities like NATO and the ministries of defense of Western countries but also targets that might be perceived as smaller fish, such as local governments, governments of developing countries, or even smaller companies."
Patching [Microsoft] Office stops CVE-2026-21509.
The UK's National Cyber Security Centre (NCSC) and other global partners shared similar warnings.
The agency singled out TP-Link routers compromised via CVE-2023-50224.
The attacker would send a malicious calendar invite via a .msg file, which would trigger the vulnerable API endpoint.
"When the victim connects to the attacker’s SMB server, the connection to the remote server sends the user's NTLM protocol negotiation message containing the user's Net-NTLMv2 hash, which the attacker can use for authentication against other systems that support NTLM authentication," Trend Micro said.
The DNS hijacking network technique, for example, is more than 20 years old.
"Although Pawn Storm has been active for two decades, it still retains its aggressiveness and determination to break into the networks and emails of high-profile targets around the world," Trend Micro's blog post read.
It's worth remembering that much of the actor's sophistication lies in what happens post-initial access, Calderone adds.
Updating router firmware and changing default credentials stops FrostArmada.
Training users that a real CAPTCHA never asks you to open system tools stops ClickFix.
Vishal Agarwal, chief technology officer (CTO) of Averlon, says that even if a threat actor like Fancy Bear gets in, zero trust, least-privilege access, strong identity controls, and just-in-time access can limit how far and fast an attacker can move.
Echoing Calderone, Seemant Sehgal, founder and CEO of BreachLock, argued in favor of denying Fancy Bear the easy wins.
October 2025
The COVENANT Grunt payload ran a destructive wiper command that erased files under "%USERPROFILE%" in at least one incident in October 2025.
In at least one incident in October 2025, the COVENANT Grunt payload was found to not only facilitate information gathering, but also run a destructive wiper command that erases all files under the "%USERPROFILE%" directory.
January 12, 2026
Threat actors used newly disclosed vulnerabilities to breach targets of interest.
The campaign is notable for the rapid weaponization of newly disclosed flaws, such as CVE-2026-21509 and CVE-2026-21513, to breach targets of interest, with infrastructure preparation observed on January 12, 2026, exactly two weeks before the former was publicly disclosed.
January 30, 2026
An exploit for a Windows zero-day vulnerability, attributed to Russia's 'Fancy Bear' APT, was uploaded to VirusTotal.
February 10, 2026
Russia's Fancy Bear APT group continued its global cyberattack campaign.
February 10
Microsoft patched the Windows zero-day CVE-2026-21513, for which a Microsoft Shortcut (LNK) exploit had been uploaded to VirusTotal on January 30, 2026.
March 26
Russia's 'Fancy Bear' APT, referred to as Pawn Storm, has been using a collection of malware components known as "Prismex" to target the defense supply-chain of Ukraine and its allies.
On March 26, the security vendor said the actor (which it refers to as Pawn Storm), has been using a collection of malware components known as "Prismex" to target the defense supply-chain of Ukraine and its allies including the Czech Republic, Poland, Romania, Slovakia, Slovenia, and Turkey.
April 3
Russia's Forest Blizzard exploited SOHO routers to gain unauthorized access and steal logins between April 2022 and November 2023.
Apr 08, 2026
Threat actors used a previously unknown exploit in the Windows operating system to gain unauthorized access to compromised systems.
the mid-2000s
Threat actors used stolen data from compromised US government systems to target Russian targets.
The group has been operating since the mid-2000s, targeting a wide range of governments and organizations in line with Russian geopolitical interests.
2026/04/09
Pawn Storm's old methodologies, still in use against targets in 2024, remain effective today.
2026/04/09
Russia's 'Fancy Bear' APT continues its global onslaught by deploying a dual-capability malware, PrismexLoader.
APT28 Deploys PRISMEX Malware in Campaign Targeting Ukraine and NATO Allies.
New research from Trend Micro highlights the immense reach of Fancy Bear, also known as APT28 and Forest Blizzard.
The activity has targeted various sectors in Ukraine, including central executive bodies, hydrometeorology, defense, and emergency services, as well as rail logistics (Poland), maritime and transportation (Romania, Slovenia, Turkey), and logistical support partners involved in ammunition initiatives (Slovakia, Czech Republic), and military and NATO partners.
"PRISMEX combines advanced steganography, component object model (COM) hijacking, and legitimate cloud service abuse for command-and-control," Trend Micro researchers Feike Hacquebord and Hiroyuki Kakara said in a technical report.
This commonality, combined with the timing of the two exploits, has raised the possibility that the threat actors are stringing together CVE-2026-21513 and CVE-2026-21509 into a sophisticated two-stage attack chain.
PrismexLoader (aka PixyNetLoader), a proxy DLL that extracts the next-stage .NET payload scattered across a PNG image's ("SplashScreen.png") file structure using a bespoke "Bit Plane Round Robin" algorithm and runs it entirely in memory.
It's worth mentioning here that some aspects of the campaign were previously documented by Zscaler ThreatLabz under the moniker Operation Neusploit.
This pattern of zero-day exploitation indicates that the threat actor had advanced knowledge of the vulnerabilities prior to them being revealed by Microsoft.
The attacks culminate in the deployment of either MiniDoor, an Outlook email stealer, or a collection of interconnected malware components collectively known as PRISMEX, so named for the use of a steganographic technique to conceal payloads within image files.
These include PrismexSheet, a malicious Excel dropper with VBA macros that extracts payloads embedded within the file using steganography, establishes persistence via COM hijacking, and displays a decoy document related to drone inventory lists and drone prices after macros are enabled.
PrismexDrop, a native dropper that readies the environment for follow-on exploitation and uses scheduled tasks and COM DLL hijacking for persistence.
Apr 08, 2026
Threat actors used a previously undisclosed malware suite codenamed PRISMEX to target Ukraine and its allies through spear-phishing campaigns.
Ravie Lakshmanan, Apr 08, 2026 (Vulnerability / Cloud Security)
The Russian threat actor known as APT28 (aka Forest Blizzard and Pawn Storm) has been linked to a fresh spear-phishing campaign targeting Ukraine and its allies to deploy a previously undocumented malware suite codenamed PRISMEX.
Intelligence Sources
The Hacker News (2026-04-08)
Dark Reading (2026-04-09)
Last Updated: 2026-05-20T07:00