A Russia-linked cyber espionage campaign targeting Ukraine and its allies has deployed a new malware suite designed to combine intelligence gathering with potential operational disruption. The activity, attributed to the APT28 group, reflects a shift toward tactics that blend espionage with capabilities aimed at interfering with supply chains and critical infrastructure.
Campaign Targets Supply Chains and Aid Networks
The campaign focuses on disrupting Ukraine’s supply chain and operational planning while extending access to logistics networks linked to NATO support. Targets include Ukrainian government bodies, defense systems, emergency services, and hydrometeorological functions, as well as infrastructure hubs in Poland, Romania, Slovakia and other countries supporting aid flows.
Researchers note that the operation is not limited to surveillance. By targeting weather data, transport systems, and aid organizations, attackers aim to map and potentially sabotage support mechanisms. The presence of destructive capabilities alongside espionage tools highlights a dual-use approach aligned with military objectives.
Advanced Malware Suite Enables Stealth and Persistence
The campaign deploys a malware suite known as PRISMEX, consisting of multiple components including droppers, loaders, and implants. The components combine steganography (hiding payload data inside innocuous-looking files), COM hijacking (a registry-based persistence technique in which a per-user COM registration makes a trusted process load the attacker’s DLL in place of the legitimate server), and abuse of legitimate cloud services, so that both the foothold and the resulting traffic blend into normal activity and are harder to detect.
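The COM hijacking mentioned above is worth checking for on any host in scope. The following is an added example for this page, not code from the researchers or from the PRISMEX toolset: a generic hunt for per-user COM registrations that shadow machine-wide ones or point at binaries in user-writable directories. It encodes no PRISMEX indicators (the report does not name the CLSIDs involved), so every hit it returns is a lead for manual review rather than a confirmed infection.

```powershell
# Added example, not code from the report or the malware: a generic hunt for
# per-user COM registrations that shadow or replace machine-wide ones.
# It encodes no PRISMEX-specific CLSIDs or paths; review every hit manually.

$findings = @()
$userClsidRoot = 'HKCU:\Software\Classes\CLSID'

foreach ($clsidKey in (Get-ChildItem -Path $userClsidRoot -ErrorAction SilentlyContinue)) {
    $clsid = $clsidKey.PSChildName

    foreach ($serverKey in 'InprocServer32', 'LocalServer32') {
        $userKey = "$userClsidRoot\$clsid\$serverKey"
        if (-not (Test-Path $userKey)) { continue }

        # The (default) value names the DLL or EXE that COM will load for this CLSID.
        $userServer = (Get-ItemProperty -Path $userKey -ErrorAction SilentlyContinue).'(default)'
        if ([string]::IsNullOrWhiteSpace($userServer)) { continue }

        # The same CLSID under HKLM is what a legitimate installer would have registered.
        $machineKey = "HKLM:\Software\Classes\CLSID\$clsid\$serverKey"
        $machineServer = $null
        if (Test-Path $machineKey) {
            $machineServer = (Get-ItemProperty -Path $machineKey -ErrorAction SilentlyContinue).'(default)'
        }

        $reason = $null
        if ($machineServer -and ($machineServer -ne $userServer)) {
            # HKCU\Software\Classes is consulted before HKLM, so this per-user entry
            # silently overrides the system server for this user's processes.
            $reason = 'shadows HKLM registration with a different server'
        } elseif ($userServer -match '\\(AppData|Temp|ProgramData|Users\\Public)\\') {
            # Per-user registrations are legitimate for per-user installs, but a
            # server living in a user-writable directory deserves a look regardless.
            $reason = 'server binary lives in a user-writable directory'
        }

        if ($reason) {
            $findings += [pscustomobject]@{
                CLSID         = $clsid
                Key           = $serverKey
                UserServer    = $userServer
                MachineServer = $machineServer
                Reason        = $reason
            }
        }
    }
}

$findings | Sort-Object CLSID | Format-Table -AutoSize
```

Run it in the security context of the user being investigated, since HKCU: maps to that user's hive; for other profiles, enumerate HKU:\<SID>\Software\Classes\CLSID instead. The path check is case-insensitive because -match is, and the script ignores the TreatAs subkey, which is a second hijacking route worth adding if the first pass is clean. For continuous detection rather than a one-off hunt, Sysmon's RegistryEvent (Value Set, Event ID 13) on these key paths catches the write at the moment the persistence is planted.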
Initial access begins with spear phishing emails themed around military training, weather alerts, or weapon smuggling. Opening the malicious attachment triggers an exploit that makes the victim system connect to attacker-controlled servers and execute the next-stage payload without further user interaction. Subsequent stages perform covert data extraction and remote control over encrypted channels that blend with normal traffic.
The malware is designed for stealth, operating within trusted processes and leaving minimal traces on disk. It leverages legitimate services to bypass traditional security controls, complicating detection efforts.
Links to Past Activity and Rapid Exploitation of Vulnerabilities
Researchers have identified strong technical links between the PRISMEX components and previous campaigns associated with the same threat actor. The operation demonstrates a modular development approach, with reused infrastructure and rapid adaptation to newly disclosed vulnerabilities.
Evidence suggests that the attackers had early access to vulnerability details, allowing exploitation before public disclosure or patch availability. This capability enables a sustained advantage in targeting government, military, and critical infrastructure systems across Central and Eastern Europe.
The campaign also incorporates decoy documents, including files related to drone inventories, supplier pricing, and logistics operations, to increase the effectiveness of social engineering efforts. Analysts assess that the operation represents an evolution of earlier toolsets, expanding both the scale and sophistication of cyber espionage activities linked to the group.