APT28 deploys PRISMEX malware in espionage campaign against Ukraine and allies

SCM feed for Latest
Actively Exploited

Overview

Trend Micro has reported a campaign it attributes to APT28 (also tracked as Fancy Bear and Pawn Storm) that delivers a previously unseen malware family, PRISMEX, to targets in Ukraine and allied countries. For initial access the attackers exploit two recently disclosed vulnerabilities, CVE-2026-21509 and CVE-2026-21513; the source does not name the affected products. Espionage of this kind puts military and political intelligence at risk, and the targeting of Ukraine during an ongoing conflict raises the stakes for both national security and regional stability.

Key Takeaways

  • Active Exploitation: Both CVE-2026-21509 and CVE-2026-21513 are reported as exploited in the wild by APT28. Immediate action is recommended.
  • Affected Systems: CVE-2026-21509, CVE-2026-21513 (the source does not list the affected products)
  • Action Required: Apply vendor patches for CVE-2026-21509 and CVE-2026-21513 as soon as they are available; until then, apply any vendor-published workarounds.
  • Timeline: Newly disclosed

Original Article Summary

The campaign, uncovered by Trend Micro and attributed to APT28 (also known as Fancy Bear and Pawn Storm), exploits newly disclosed vulnerabilities, including CVE-2026-21509 and CVE-2026-21513, to bypass security measures and gain initial access.

Impact

CVE-2026-21509 and CVE-2026-21513 are exploited for initial access; the specific products affected are not listed in the source.

Exploitation Status

Both vulnerabilities are confirmed to be exploited in real-world attacks. Organizations should prioritize patching or implementing vendor workarounds immediately.

Timeline

Newly disclosed

Remediation

Organizations should apply security patches for CVE-2026-21509 and CVE-2026-21513 as they become available. It's also recommended to enhance monitoring for suspicious activity and to implement network segmentation to limit exposure.

Additional Information

This threat intelligence is aggregated from trusted cybersecurity sources. For the most up-to-date information, technical details, and official vendor guidance, please refer to the original article linked below.


Related Coverage

New ‘LucidRook’ malware used in targeted attacks on NGOs, universities

BleepingComputer

Researchers have discovered LucidRook, a new malware family written in Lua that is being delivered through spear-phishing emails to non-governmental organizations (NGOs) and universities in Taiwan. The choice of targets points to an interest in the sensitive research and advocacy work those sectors perform; a successful compromise could lead to data theft or further intrusions. Organizations in these sectors should treat unsolicited attachments and links with suspicion and strengthen their defenses accordingly.

Apr 9, 2026

Iranian attacks on US critical infrastructure puts 3,900 devices in crosshairs

CyberScoop

Researchers from Censys have identified a significant cybersecurity threat posed by Iranian government-backed actors targeting critical infrastructure in the United States. This campaign is specifically aimed at energy, water, and government services, putting approximately 3,900 exposed devices at risk. The focus on these vital sectors raises alarms about potential disruptions to essential services. The implications of such attacks could be severe, affecting both public safety and national security. As the situation develops, organizations operating in these sectors need to enhance their cybersecurity measures to protect against potential intrusions.

Apr 9, 2026

Internet-exposed Modbus ICS devices threaten critical infrastructure

SCM feed for Latest

Researchers have identified 179 industrial control devices connected to the internet that are using the Modbus protocol, which lacks basic security features like encryption and authentication. These devices, spread across 20 countries, are often part of critical infrastructure systems such as power grids. The presence of these exposed devices poses a significant risk, as they can be targeted by attackers looking to disrupt essential services. This situation raises alarms about the security practices in place for industrial systems, especially considering the potential consequences of a successful attack. Companies operating such systems need to reassess their security measures to protect against unauthorized access.

Apr 9, 2026
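The Modbus item above rests on a protocol fact: a Modbus/TCP request carries a transaction id, a unit id and a function code, and nothing that identifies or authenticates the sender. The following added example (not code from the article or the researchers it cites) builds and parses Modbus/TCP frames to make that absence concrete, then applies the only protocol-level control that is actually available to a defender: flagging state-changing function codes from any source that is not on an allowlist. The set of "write" function codes, the allowlist and all traffic below are constructed for the example.

```python
import struct

# Function codes that change process state (assumed set for this example).
WRITE_FUNCTION_CODES = {0x05, 0x06, 0x0F, 0x10, 0x16, 0x17}
FUNCTION_NAMES = {
    0x01: "Read Coils", 0x02: "Read Discrete Inputs",
    0x03: "Read Holding Registers", 0x04: "Read Input Registers",
    0x05: "Write Single Coil", 0x06: "Write Single Register",
    0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers",
    0x16: "Mask Write Register", 0x17: "Read/Write Multiple Registers",
}


def build_request(transaction_id, unit_id, function_code, data):
    """Build a Modbus/TCP ADU: 7-byte MBAP header followed by the PDU.

    MBAP = transaction id (2), protocol id (2, always 0), length (2, counts the
    unit id plus the PDU), unit id (1). Note what is missing: no credential,
    nonce, MAC or signature exists anywhere in the frame."""
    pdu = struct.pack(">B", function_code) + data
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_request(frame):
    """Split an ADU into its fields, rejecting malformed headers."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return {"transaction_id": tid, "unit_id": unit,
            "function_code": frame[7], "data": frame[8:]}


def is_write(function_code):
    return function_code in WRITE_FUNCTION_CODES


def describe(req):
    """Human-readable summary of a parsed request, for alert text."""
    fc, d = req["function_code"], req["data"]
    name = FUNCTION_NAMES.get(fc, f"function 0x{fc:02X}")
    if fc == 0x05 and len(d) == 4:          # coil address + 0xFF00 (on) / 0x0000 (off)
        addr, val = struct.unpack(">HH", d)
        return f"{name}: coil {addr} -> {'ON' if val == 0xFF00 else 'OFF'}"
    if fc == 0x06 and len(d) == 4:          # register address + value
        addr, val = struct.unpack(">HH", d)
        return f"{name}: register {addr} <- {val}"
    if fc in (0x0F, 0x10) and len(d) >= 5:  # start address + quantity + byte count + values
        addr, qty = struct.unpack(">HH", d[:4])
        return f"{name}: {qty} item(s) from {addr}"
    return name


def flag_unauthorized_writes(traffic, allowed_writers):
    """Alert on write requests from sources outside the allowlist.

    Because the protocol authenticates nobody, source address is the only
    attribute a network monitor can use; it is spoofable and should be
    backed by segmentation, not relied on alone."""
    alerts = []
    for src, frame in traffic:
        try:
            req = parse_request(frame)
        except ValueError as exc:
            alerts.append({"src": src, "summary": f"malformed Modbus frame: {exc}"})
            continue
        if is_write(req["function_code"]) and src not in allowed_writers:
            alerts.append({"src": src, "unit": req["unit_id"], "summary": describe(req)})
    return alerts


# Constructed sample traffic: (source address, raw ADU). 10.0.5.20 plays the
# engineering workstation; 203.0.113.45 is an arbitrary external host.
SAMPLE_TRAFFIC = [
    ("10.0.5.20", build_request(1, 1, 0x03, struct.pack(">HH", 0, 10))),
    ("10.0.5.20", build_request(2, 1, 0x05, struct.pack(">HH", 7, 0xFF00))),
    ("203.0.113.45", build_request(3, 1, 0x05, struct.pack(">HH", 7, 0x0000))),
    ("203.0.113.45", build_request(4, 1, 0x10, b"\x00\x10\x00\x02\x04\x00\x00\x00\x00")),
]
ALLOWED_WRITERS = {"10.0.5.20"}

if __name__ == "__main__":
    for alert in flag_unauthorized_writes(SAMPLE_TRAFFIC, ALLOWED_WRITERS):
        print(f"ALERT from {alert['src']}: {alert['summary']}")
```

The external host's two writes are accepted by the protocol exactly as readily as the workstation's; only the monitor's allowlist distinguishes them. That is the practical meaning of "no authentication" for the 179 exposed devices in the report: any host that can reach TCP port 502 can issue the same frames.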

Contagious Interview campaign expands further

SCM feed for Latest

The North Korean group behind the Contagious Interview campaign has expanded its operations, publishing more than a dozen new malicious packages across npm, PyPI, Go Modules, crates.io, and Packagist. Since the campaign began in January 2025, more than 1,700 harmful packages have been identified. The packages are built to compromise developer machines and install further malware, so any organization that pulls dependencies from these ecosystems is exposed. Developers should verify the provenance of packages before installing them, pin known-good versions, and treat unsolicited coding assignments that require installing unfamiliar dependencies as a warning sign.

Apr 9, 2026

Iranian cyberattacks to continue amid ceasefire

SCM feed for Latest

The Iranian hacking group Handala has announced that it will continue its cyberattacks against Israel and plans to resume operations against the United States. This declaration comes during a fragile two-week ceasefire between Iran and both the U.S. and Israel. The group’s ongoing cyber threats pose significant risks to critical infrastructure and data security in these regions. Continuous cyber operations could disrupt services and heighten tensions in an already volatile geopolitical landscape, making it crucial for organizations in these countries to bolster their cybersecurity measures. The situation is particularly concerning given the potential for escalation in both cyber and traditional military engagements.

Apr 9, 2026

Russia's 'Fancy Bear' APT Continues Its Global Onslaught

darkreading

The Russian cyber espionage group known as Fancy Bear is reportedly continuing its global attacks, targeting various organizations around the world. Experts warn that while victims may not possess the same level of technical sophistication as the attackers, they must take proactive steps to protect themselves. Essential measures include regularly patching software vulnerabilities and implementing zero trust security models to enhance defenses. The ongoing activity of Fancy Bear underscores the need for organizations, regardless of size or technical expertise, to prioritize cybersecurity practices to mitigate risks. As these attacks evolve, awareness and preparedness are crucial for safeguarding sensitive data and systems.

Apr 9, 2026