Full Report
The Russian threat actor known as APT28 (aka Forest Blizzard and Pawn Storm) has been linked to a fresh spear-phishing campaign targeting Ukraine and its allies to deploy a previously undocumented malware suite codenamed PRISMEX. "PRISMEX combines advanced steganography, component object model (COM) hijacking, and legitimate cloud service abuse for command-and-control," Trend Micro
Analysis Summary
# Threat Actor: APT28
## Attribution & Identity
* **Primary Name:** APT28
* **Aliases:** Forest Blizzard, Pawn Storm, Fancy Bear, Sednit, Strontium, Sofacy.
* **Affiliation:** Attributed to the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS), Military Unit 26165.
## Activity Summary
APT28 has been observed conducting a fresh spear-phishing campaign targeting Ukraine and its international allies. This operation is characterized by the deployment of a new, undocumented malware suite named **PRISMEX**, which demonstrates an evolution in the actor's toolkit toward high-evasion techniques and the abuse of cloud environments.
## Tactics, Techniques & Procedures
* **Phishing:** Spear-phishing remains the primary initial access vector for this campaign.
* **Steganography:** Use of "advanced steganography" to hide malicious code within seemingly benign files to bypass network security filters.
* **COM Hijacking:** Persistence and execution achieved via Component Object Model (COM) hijacking to intercept legitimate system calls.
* **Cloud Service Abuse:** Utilization of legitimate cloud services for Command-and-Control (C2) communication to blend in with normal network traffic.
* **Defense Evasion:** Implementation of undocumented malware (PRISMEX) to avoid signature-based detection.
## Targeting
* **Sectors:** Government, Defense, International Relations.
* **Geography:** Ukraine and allied nations (NATO members and other supporting states).
* **Victims:** Diplomatic entities and government personnel associated with Ukrainian defense and support.
## Tools & Infrastructure
* **Malware:**
  * **PRISMEX:** A newly discovered modular malware suite.
* **Infrastructure:**
  * Abuse of legitimate cloud-based providers for C2 (the excerpt names no specific URLs or providers; such campaigns typically use services such as OneDrive, Dropbox, or Google Drive).
  * Phishing infrastructure designed to mimic government portals.
## Implications
The introduction of the PRISMEX suite indicates that APT28 is actively updating its arsenal to circumvent modern EDR/XDR solutions. By utilizing steganography and cloud-based C2, the group increases the "dwell time" on compromised systems. This campaign underscores a strategic priority for Russia to gather intelligence on Ukrainian defense plans and the nature of foreign assistance.
## Mitigations
* **Email Security:** Implement robust phishing protection that includes sandboxing for attachments and deep scanning of hidden data (steganography detection).
* **Registry Monitoring:** Monitor for modifications to COM objects and CLSIDs in the Windows Registry to detect hijacking attempts.
* **Cloud Controls:** Restrict or strictly monitor traffic to unauthorized cloud storage providers at the organizational level.
* **Host-Based Defense:** Deploy advanced endpoint protection capable of behavioral analysis to identify non-standard COM object interactions and suspicious process executions.
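The COM hijacking and cloud C2 techniques listed above, and the registry monitoring and cloud traffic controls recommended against them, can be turned into concrete detection logic. The following is an added example, not code from Trend Micro's report or from the PRISMEX analysis: two rules run over constructed endpoint events whose field names follow Sysmon's schema (Event ID 13 for a registry value set, Event ID 3 for a network connection). The CLSID, file paths, hostnames, and the allowlist of processes expected to talk to cloud storage are all assumptions chosen for illustration; in production the allowlist would come from the organization's own baseline.

```python
import re
from dataclasses import dataclass

# Constructed sample events (not real telemetry). Field names follow Sysmon's
# schema: EventID 13 = RegistryEvent (Value Set), EventID 3 = NetworkConnect.
SAMPLE_EVENTS = [
    # Per-user CLSID key written by a binary in Temp, pointing at a DLL under AppData.
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
     "TargetObject": r"HKU\S-1-5-21-1000-1000-1000-1001\Software\Classes\CLSID"
                     r"\{11111111-2222-3333-4444-555555555555}\InprocServer32\(Default)",
     "Details": r"C:\Users\alice\AppData\Roaming\update\shim.dll"},
    # Same key written by an installer, but the DLL lives under Program Files.
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\install.exe",
     "TargetObject": r"HKU\S-1-5-21-1000-1000-1000-1001\Software\Classes\CLSID"
                     r"\{11111111-2222-3333-4444-555555555555}\InprocServer32\(Default)",
     "Details": r"C:\Program Files\Vendor\vendor.dll"},
    # Machine-wide registration: HKLM entries cannot shadow anything, so not flagged.
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Classes\CLSID"
                     r"\{11111111-2222-3333-4444-555555555555}\InprocServer32\(Default)",
     "Details": r"C:\Program Files\Vendor\vendor.dll"},
    # Cloud storage API reached from a LOLBin rather than a browser or sync client.
    {"EventID": 3, "Image": r"C:\Windows\System32\rundll32.exe",
     "DestinationHostname": "api.dropboxapi.com", "DestinationPort": 443},
    # Same destination from a browser: expected, not flagged.
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationHostname": "api.dropboxapi.com", "DestinationPort": 443},
]

# Per-user COM registrations take precedence over HKLM, so a value written under
# HKU\<SID>\Software\Classes\CLSID\{...}\InprocServer32 (or LocalServer32/TreatAs)
# is the classic COM hijack footprint.
COM_KEY_RE = re.compile(
    r"^HKU\\[^\\]+\\Software\\Classes\\CLSID\\\{[0-9A-Fa-f-]+\}"
    r"\\(InprocServer32|LocalServer32|TreatAs)", re.IGNORECASE)

# Server binaries in user-writable locations raise the severity.
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.IGNORECASE)

# Assumed domain list and process allowlist; tune both to the local environment.
CLOUD_STORAGE_DOMAINS = ("dropboxapi.com", "dropbox.com", "onedrive.live.com",
                         "graph.microsoft.com", "drive.google.com", "googleapis.com")
ALLOWED_CLOUD_CLIENTS = {"chrome.exe", "firefox.exe", "msedge.exe", "onedrive.exe", "dropbox.exe"}


@dataclass
class Finding:
    rule: str
    severity: str
    image: str
    detail: str


def check_com_hijack(ev):
    """Flag per-user CLSID server registrations (Sysmon Event ID 13)."""
    if ev.get("EventID") != 13:
        return None
    m = COM_KEY_RE.match(ev.get("TargetObject", ""))
    if not m:
        return None
    server = ev.get("Details", "")
    severity = "high" if USER_WRITABLE_RE.search(server) else "medium"
    return Finding("com_hijack_user_hive", severity, ev.get("Image", ""),
                   f"{m.group(1)} -> {server}")


def check_cloud_c2(ev):
    """Flag cloud storage connections from processes outside the allowlist (Event ID 3)."""
    if ev.get("EventID") != 3:
        return None
    host = ev.get("DestinationHostname", "").lower()
    if not any(host == d or host.endswith("." + d) for d in CLOUD_STORAGE_DOMAINS):
        return None
    image_name = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
    if image_name in ALLOWED_CLOUD_CLIENTS:
        return None
    return Finding("cloud_storage_from_unexpected_process", "medium", ev.get("Image", ""), host)


def scan(events):
    """Run every rule over every event and return the findings in event order."""
    findings = []
    for ev in events:
        for rule in (check_com_hijack, check_cloud_c2):
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.image} ({f.detail})")
```

Run stand-alone, the script reports the Temp-launched writer as high severity, the installer's per-user registration as medium (worth a look, since legitimate software rarely needs a per-user CLSID override), and the rundll32 connection to the Dropbox API as a cloud C2 candidate, while the HKLM write and the Firefox connection stay silent. The same two rules map directly onto SIEM queries over Sysmon or EDR telemetry.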