APT28 Deploys Stealthy PRISMEX Malware in Spear‑Phishing Campaign Against Ukraine and NATO Allies
What Happened — Russian state‑linked group APT28 (aka Fancy Bear) launched a new spear‑phishing operation that delivers the previously unknown PRISMEX malware suite. The payload uses steganography, COM hijacking, and abuse of legitimate cloud services for command‑and‑control.
Why It Matters for TPRM —
- Threat actors are targeting government and defense supply‑chain entities, raising the risk profile of any third‑party relationships with those sectors.
- PRISMEX’s stealth techniques can bypass traditional detection, potentially exposing sensitive data and compromising downstream vendors.
- Early awareness enables organizations to harden email gateways and validate cloud service usage across their ecosystem.
Who Is Affected — Government agencies, defense contractors, and any vendors providing cloud or communications services to Ukrainian or NATO‑aligned entities.
Recommended Actions —
- Review and tighten spear‑phishing defenses (DMARC, SPF, DKIM, advanced URL/file sandboxing).
- Conduct a cloud‑service usage audit for all third‑party contracts to detect unauthorized endpoints.
- Update endpoint detection and response (EDR) signatures to include PRISMEX indicators of compromise (IOCs).
Technical Notes — Attack vector: spear‑phishing emails carrying malicious attachments or images that conceal the PRISMEX payload via steganography. The malware hijacks COM objects to execute code and routes its C2 traffic through legitimate cloud platforms (e.g., Microsoft Azure, Google Cloud). No CVE is cited; the tool is a novel, custom‑built suite. Source: The Hacker News
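As an added example (not from the article or the report it summarizes), a defender‑side PowerShell hunt for the COM hijacking technique the notes above describe: it lists per‑user CLSID server registrations, which Windows resolves ahead of the machine‑wide HKLM entries, and flags those that shadow an HKLM registration or load from a user‑writable path. The function name and the path heuristics are this example's own assumptions, not PRISMEX indicators.

```powershell
# Added example: enumerate COM server registrations under the user hive (HKCU)
# and compare them with the machine-wide (HKLM) registration for the same CLSID.
# Per-user CLSID keys take precedence, which is the mechanism COM hijacking abuses.
# Output is a triage list for review, not proof of compromise (hypothetical helper).
function Find-UserClsidOverrides {
    $hits = @()
    $userRoot = 'HKCU:\Software\Classes\CLSID'
    if (-not (Test-Path $userRoot)) { return $hits }

    Get-ChildItem $userRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid = $_.PSChildName
        foreach ($srv in 'InprocServer32', 'LocalServer32') {
            $userKey = "$userRoot\$clsid\$srv"
            if (-not (Test-Path $userKey)) { continue }
            $userPath = (Get-ItemProperty $userKey -ErrorAction SilentlyContinue).'(default)'

            # Is the same CLSID/server type also registered machine-wide?
            $machineKey  = "HKLM:\Software\Classes\CLSID\$clsid\$srv"
            $machinePath = $null
            if (Test-Path $machineKey) {
                $machinePath = (Get-ItemProperty $machineKey -ErrorAction SilentlyContinue).'(default)'
            }

            $hits += [pscustomobject]@{
                CLSID        = $clsid
                ServerType   = $srv
                UserPath     = $userPath
                MachinePath  = $machinePath
                ShadowsHKLM  = [bool]$machinePath
                # Assumed heuristic: a server loaded from a user-writable location
                # (profile, AppData, Temp) is the usual shape of a hijacked entry.
                UserWritable = ($userPath -match '\\Users\\|\\AppData\\|\\Temp\\')
            }
        }
    }
    return $hits
}

# Show the interesting rows first; review each against known-good software.
Find-UserClsidOverrides |
    Where-Object { $_.ShadowsHKLM -or $_.UserWritable } |
    Sort-Object ShadowsHKLM -Descending |
    Format-Table -AutoSize
```

Run it under each interactive user account (or against loaded HKU hives) since the hijack lives in the per‑user hive; a clean system normally yields few or no rows.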