APT28 Deploys PRISMEX Malware in Zero‑Day Campaign Against Ukraine and Allied Critical Infrastructure
What Happened — Russian‑linked APT28 (Fancy Bear) launched a spear‑phishing operation using a new malware suite called PRISMEX. The campaign chains two zero‑day vulnerabilities (CVE‑2026‑21509 and CVE‑2026‑21513) to establish a fileless implant with encrypted command‑and‑control on targets in Ukraine’s defense supply chain and in allied aid, transport, and government networks.
Why It Matters for TPRM —
- State‑sponsored espionage tools often surface in supply‑chain attacks, threatening third‑party vendors that support critical infrastructure.
- Zero‑day exploits defeat signature‑based controls and, by definition, cannot be patched in advance, so a vendor's resilience depends on its email security, attachment handling, and behavior‑based endpoint detection rather than on patch cadence alone.
- Persistent, stealthy implants can remain undetected for months, increasing the risk of data exfiltration and operational disruption.
Who Is Affected — Government & defense agencies, critical infrastructure operators, logistics and humanitarian aid providers, and any third‑party service providers supporting these entities.
Recommended Actions —
- Review all third‑party contracts for clauses on timely patching and zero‑day response.
- Validate that vendors enforce email authentication (SPF, DKIM, and a DMARC policy of quarantine or reject), sandbox or block risky attachments such as RTF and LNK files, run phishing‑awareness training, and deploy endpoint detection with behavior‑based analytics.
- Conduct threat‑intel sharing with partners in the region to identify compromised assets early.
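A record‑strength check for the DMARC point above, as an added example that is not code from the Security Affairs report: it parses DMARC TXT records and reports whether the policy actually enforces (p=none is monitor‑only, pct below 100 is partial, sp=none leaves subdomains open, a missing rua= means no visibility). The vendor domains and records are constructed placeholders. A DMARC record only proves configuration; enforcement also requires the vendor's SPF and DKIM to produce aligned results, which is a separate check.

```python
"""Added example: DMARC record strength assessment (not from the source report).
Parses a DMARC TXT record (RFC 7489 'tag=value;' syntax) and reports whether the
domain's policy actually enforces. The sample records below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

VALID_POLICIES = ("none", "quarantine", "reject")


@dataclass
class DmarcAssessment:
    valid: bool                      # syntactically a usable DMARC record
    policy: Optional[str]            # p= tag
    subdomain_policy: Optional[str]  # sp= tag, defaulting to p=
    pct: int                         # pct= tag, defaulting to 100
    has_reporting: bool              # rua= present
    issues: List[str] = field(default_factory=list)


def parse_dmarc_tags(record: str) -> Dict[str, str]:
    """Split 'k=v; k=v' into a dict; tag names are case-insensitive."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if part and "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> DmarcAssessment:
    tags = parse_dmarc_tags(record)
    # RFC 7489: v=DMARC1 must be the first tag and p= is mandatory.
    if not record.strip().lower().startswith("v=dmarc1"):
        return DmarcAssessment(False, None, None, 0, False, ["record does not start with v=DMARC1"])
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return DmarcAssessment(False, None, None, 0, False, ["missing or invalid required p= tag"])

    issues: List[str] = []
    sp = tags.get("sp", policy).lower()
    if sp not in VALID_POLICIES:
        issues.append(f"invalid sp={sp}; treating subdomains as inheriting p={policy}")
        sp = policy
    try:
        pct = int(tags.get("pct", "100"))
        if not 0 <= pct <= 100:
            raise ValueError
    except ValueError:
        issues.append("invalid pct= value; receivers apply the default of 100")
        pct = 100

    if policy == "none":
        issues.append("p=none is monitor-only: mail failing DMARC is still delivered")
    elif pct < 100:
        issues.append(f"pct={pct}: enforcement applies to only {pct}% of failing mail")
    if sp == "none" and policy != "none":
        issues.append("sp=none leaves subdomains spoofable even though the apex enforces")
    has_reporting = "rua" in tags
    if not has_reporting:
        issues.append("no rua= address: the vendor gets no aggregate reports of spoofing attempts")
    return DmarcAssessment(True, policy, sp, pct, has_reporting, issues)


def is_enforcing(record: str) -> bool:
    """True only when both the apex and its subdomains are fully at quarantine or reject."""
    a = assess_dmarc(record)
    return (a.valid and a.policy in ("quarantine", "reject")
            and a.pct == 100 and a.subdomain_policy in ("quarantine", "reject"))


# Constructed sample records, as a vendor review might collect them from DNS.
SAMPLE_RECORDS = {
    "vendor-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@vendor-a.example",
    "vendor-b.example": "v=DMARC1; p=none; rua=mailto:dmarc@vendor-b.example",
    "vendor-c.example": "v=DMARC1; p=quarantine; pct=10; sp=none",
    "vendor-d.example": "v=spf1 include:_spf.vendor-d.example -all",  # SPF pasted where DMARC belongs
}

if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        a = assess_dmarc(record)
        print(f"{domain}: enforcing={is_enforcing(record)} issues={a.issues}")
```

Run it against the `_dmarc.<vendor-domain>` TXT record pulled from DNS; only `vendor-a.example` passes, and the issue list gives the wording for the finding sent back to the vendor.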
Technical Notes — The attack chain begins with a malicious RTF attachment that triggers CVE‑2026‑21509, which forces the victim's machine to open a WebDAV connection and retrieve an LNK file. The LNK file then exploits CVE‑2026‑21513 to bypass browser defenses and load a loader built on Covenant (an open‑source .NET command‑and‑control framework), which drops the PRISMEX implant. The suite uses steganography and COM hijacking to stay hidden, and communicates over encrypted channels. Source: Security Affairs
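Detection logic for the chain above, as an added example that is not from the Security Affairs report or from any PRISMEX analysis. It runs over constructed Sysmon‑style events (field names follow Sysmon event IDs 1, 3 and 13; the hosts, paths, CLSID and addresses are made up) and flags the behaviours a defender can observe regardless of the exploit specifics: an Office application spawning a child process, a LNK launched from a WebDAV UNC path, a per‑user CLSID server registration that shadows the machine‑wide one (COM hijack), and outbound traffic from a binary in a user‑writable directory. The internal address ranges are an assumption for the demo environment.

```python
"""Added example: behaviour-based detection for the RTF -> WebDAV -> LNK -> loader
-> COM-hijack chain, run over constructed Sysmon-style events. Not from the
source report; event contents (hosts, paths, CLSID, addresses) are made up."""
import ipaddress
import re
from typing import Dict, List, Tuple

Event = Dict[str, object]
Finding = Tuple[int, str, str]

# Office applications that should not normally spawn children.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# WebDAV UNC forms: \\host@80\DavWWWRoot\..., \\host@SSL\DavWWWRoot\..., \\host@SSL@443\DavWWWRoot\...
WEBDAV_UNC = re.compile(r"\\\\[^\\\s]+@(?:SSL(?:@\d+)?|\d+)\\DavWWWRoot\\", re.IGNORECASE)
LNK_ARG = re.compile(r"\.lnk\b", re.IGNORECASE)

# A CLSID server registered in the user hive shadows the HKLM registration: classic COM hijack.
COM_HIJACK_KEY = re.compile(
    r"^HK(?:U|CU)\\(?:[^\\]+\\)?Software\\Classes\\CLSID\\\{[0-9A-F-]+\}\\(?:InprocServer32|LocalServer32)",
    re.IGNORECASE,
)
# Locations a phished user can write to without admin rights.
USER_WRITABLE = re.compile(r"^[A-Z]:\\(?:Users\\[^\\]+\\|ProgramData\\|Windows\\Temp\\)", re.IGNORECASE)

# Assumed internal ranges for this environment; anything else is treated as external.
# The RFC 5737 documentation address used in the samples stands in for an attacker host.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[Event]) -> List[Finding]:
    """Return (event_index, rule, detail) for every event matching a chain behaviour."""
    findings: List[Finding] = []
    for idx, ev in enumerate(events):
        eid = ev.get("EventID")
        if eid == 1:  # Sysmon ProcessCreate
            parent = basename(str(ev.get("ParentImage", "")))
            child = basename(str(ev.get("Image", "")))
            cmd = str(ev.get("CommandLine", ""))
            if parent in OFFICE_APPS:
                findings.append((idx, "office_child_process", f"{parent} -> {child}"))
            if WEBDAV_UNC.search(cmd):
                rule = "webdav_lnk_launch" if LNK_ARG.search(cmd) else "webdav_unc_access"
                findings.append((idx, rule, cmd))
        elif eid == 3:  # Sysmon NetworkConnect
            image = str(ev.get("Image", ""))
            dst = str(ev.get("DestinationIp", ""))
            if ev.get("Initiated") and not is_internal(dst) and USER_WRITABLE.match(image):
                findings.append((idx, "user_writable_path_egress",
                                 f"{image} -> {dst}:{ev.get('DestinationPort')}"))
        elif eid == 13:  # Sysmon RegistryEvent (value set)
            target = str(ev.get("TargetObject", ""))
            if COM_HIJACK_KEY.match(target):
                findings.append((idx, "com_hijack_user_hive", f"{target} = {ev.get('Details', '')}"))
    return findings


# Constructed telemetry: the user opens the phishing RTF, then the chain fires, then two benign events.
EVENTS: List[Event] = [
    {"EventID": 1, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"WINWORD.EXE" /n "C:\Users\alice\Downloads\invoice.rtf"'},
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'explorer.exe "\\203.0.113.10@80\DavWWWRoot\share\update.lnk"'},
    {"EventID": 13, "Image": r"C:\Windows\System32\rundll32.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32\(Default)",
     "Details": r"C:\Users\alice\AppData\Roaming\update.dll"},
    {"EventID": 3, "Image": r"C:\Users\alice\AppData\Roaming\updater.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443, "Initiated": True},
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "10.0.0.5", "DestinationPort": 445, "Initiated": True},
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'explorer.exe "C:\Users\alice\Desktop\app.lnk"'},
]

if __name__ == "__main__":
    for idx, rule, detail in detect(EVENTS):
        print(f"event {idx}: {rule}: {detail}")
```

Each rule fires on a behaviour rather than on a hash or a CVE identifier, so the same logic covers the next loader variant; the two benign events (svchost to an internal file server, explorer opening a local shortcut) show that ordinary activity produces no findings.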