APT28, also known as Forest Blizzard, deployed the PRISMEX malware suite in a spear-phishing campaign targeting Ukrainian government bodies and critical infrastructure, along with NATO allies. The campaign leveraged zero-day vulnerabilities CVE-2026-21509 and CVE-2026-21513 to deliver backdoors like MiniDoor and COVENANT Grunt for espionage and potential sabotage.
Initial Access
Malicious Lure
confirmed
APT28 initiated the attack with spear-phishing emails, luring targets to retrieve a malicious .LNK file.
Defender cut points
Implement email gateway filtering for malicious links and attachments
Conduct user awareness training against spear-phishing tactics
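As an added example of the first cut point (written here, not code from the page or any vendor product), a gateway-side check that flags a .LNK lure by its Shell Link file header rather than by extension, so a shortcut renamed to .pdf or wrapped in a zip archive is still caught. It assumes only the Python standard library; the sample message is constructed inline.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Shell Link header per MS-SHLLINK: HeaderSize 0x4C, then LinkCLSID
# 00021401-0000-0000-C000-000000000046 in its on-disk byte order.
LNK_MAGIC = bytes.fromhex("4C000000" "0114020000000000C000000000000046")

def is_lnk(data: bytes) -> bool:
    """True if the payload starts with a Shell Link header, whatever its name."""
    return data[:len(LNK_MAGIC)] == LNK_MAGIC

def lnk_in_zip(data: bytes) -> list:
    """Names of Shell Link entries inside a zip archive (empty if not a zip)."""
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                if is_lnk(zf.open(name).read(len(LNK_MAGIC))):
                    hits.append(name)
    except (zipfile.BadZipFile, OSError):
        pass
    return hits

def scan_message(raw: bytes) -> list:
    """Return (attachment filename, reason) for every Shell Link found."""
    findings = []
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        if is_lnk(payload):
            findings.append((name, "Shell Link header"))
        for inner in lnk_in_zip(payload):
            findings.append((name, f"Shell Link inside archive: {inner}"))
    return findings

def build_sample() -> bytes:
    """Constructed test mail: a header-only .LNK stub disguised as a PDF, plus a zip carrying one."""
    fake_lnk = LNK_MAGIC + b"\x00" * 56  # header stub only; not a working shortcut
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.lnk", fake_lnk)
        zf.writestr("readme.txt", b"plain text, should not be flagged")
    msg = EmailMessage()
    msg["Subject"] = "Constructed test message"
    msg.set_content("see attachment")
    msg.add_attachment(fake_lnk, maintype="application", subtype="pdf", filename="report.pdf")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="docs.zip")
    return msg.as_bytes()
```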