
APT28 in 2026: Weaponizing Routers and Deploying PRISMEX Across Global Targets


The Russian state-linked threat actor APT28 (also known as Forest Blizzard and Pawn Storm) has intensified its cyber operations through two major campaigns: a large-scale DNS hijacking operation targeting SOHO routers and a spear-phishing campaign deploying the PRISMEX malware suite.

These campaigns demonstrate a shift toward multi-layered attack strategies, combining infrastructure-level compromise with endpoint exploitation to enable persistent espionage, credential harvesting, and potential disruption of critical systems.

Executive Summary

  • APT28 conducted a global DNS hijacking campaign (FrostArmada) by compromising MikroTik and TP-Link routers.
  • The attackers modified DNS settings to redirect traffic and perform Adversary-in-the-Middle (AitM) attacks.
  • Over 18,000 IPs across 120+ countries were observed communicating with attacker infrastructure.
  • A second campaign deployed PRISMEX malware via spear-phishing, targeting Ukraine and allied sectors.
  • Rapid exploitation of zero-day vulnerabilities CVE-2026-21509 and CVE-2026-21513 enabled stealthy payload execution.
  • The campaigns highlight a dual objective: intelligence gathering and potential operational disruption.

Background on Threat and Campaigns

FrostArmada – DNS Hijacking Campaign

The FrostArmada campaign involved compromising vulnerable SOHO routers and reconfiguring them to use attacker-controlled DNS servers.

  • DNS traffic was redirected to malicious infrastructure.
  • Users attempting to access legitimate services were silently redirected.
  • AitM nodes intercepted authentication credentials without user interaction.

This operation was partially disrupted through Operation Masquerade, a coordinated effort involving law enforcement agencies.

PRISMEX Malware Campaign

Parallel to infrastructure attacks, APT28 launched a spear-phishing campaign delivering the PRISMEX malware suite.

Key techniques:

  • Steganography (payloads hidden in images)
  • COM hijacking for persistence
  • Abuse of legitimate cloud services for command-and-control

Targets included:

  • Government agencies
  • Defense and logistics sectors
  • NATO-aligned organizations

Vulnerability Details

CVE-2023-50224:

  1. Vulnerability: Improper Authentication Information Disclosure Vulnerability
  2. CVSS Score: 6.5
  3. EPSS Score: 1.49%
  4. Affected Products: TP-Link TL-WR841N routers

CVE-2026-21509:

  1. Vulnerability: Security Feature Bypass Vulnerability
  2. CVSS Score: 7.8
  3. EPSS Score: 7.50%
  4. Affected Products: Microsoft Office

CVE-2026-21513:

  1. Vulnerability: Security Feature Bypass Vulnerability
  2. CVSS Score: 8.8
  3. EPSS Score: 27.97%
  4. Affected Products: Microsoft Windows

Tactics and Techniques

  • TA0002 Execution: The vulnerabilities enable attackers to execute malicious code or payloads on the affected systems, including via malicious .LNK files and scripts.
  • TA0008 Lateral Movement: Compromised routers and endpoints can be leveraged to pivot within the network, allowing attackers to expand access to additional systems.
  • TA0006 Credential Access: DNS hijacking and AitM techniques allow attackers to intercept and steal authentication credentials, including passwords and OAuth tokens.
  • TA0001 Initial Access: Attackers gain initial access through exploitation of vulnerable edge devices and spear-phishing campaigns delivering malicious files.
  • T1210 Exploitation of Remote Services: Exploitation of vulnerabilities such as CVE-2023-50224 to gain unauthorized access to routers.
  • T1566 Phishing: Spear-phishing emails used to deliver PRISMEX malware payloads.
  • T1557 Adversary-in-the-Middle: DNS hijacking redirects traffic to attacker-controlled infrastructure for credential interception.
  • T1204 User Execution: Users unknowingly execute malicious documents or shortcut (.LNK) files.
  • T1546 Event Triggered Execution: Persistence achieved via COM hijacking techniques.

Visual Attack Flow

DNS Hijacking Attack Flow

[User Request] -> [Compromised Router] -> [Modified DNS Settings] -> [Malicious DNS Server] -> [AitM Node] -> [Credential Harvesting & Exfiltration]

PRISMEX Infection Flow

[Spear-Phishing Email] -> [Malicious Document / LNK File] -> [CVE-2026-21509 Trigger] -> [CVE-2026-21513 Execution] -> [PRISMEX Deployment] -> [Persistence + C2 Communication]

Indicators of Compromise (IOCs)

Network Indicators

  • Suspicious DNS requests routed to unknown or unauthorized DNS resolvers
  • DNS queries resolving legitimate domains (e.g., email/login portals) to unexpected or attacker-controlled IP addresses
  • Traffic redirection to Adversary-in-the-Middle (AitM) infrastructure
  • Communication with known malicious IPs:
    • 64.120.31[.]96 (AitM node observed since May 2025)
    • 79.141.160[.]78 (Global DNS/AitM node supporting DoT activity)

Domain Indicators

  • wellnesscaremed[.]com (linked to exploitation chain activity)

Host-Based Indicators

  • Execution of suspicious .LNK files from untrusted sources
  • Presence of malicious Microsoft Office documents with embedded macros (PRISMEX loaders)
  • Unusual use of JavaScript APIs:
    • util.readFileIntoStream()
    • RSS.addFeed()

Mitigation & Recommendations

Mitigation for CVE-2023-50224 (Router Exploitation)

  • Update firmware on TP-Link and MikroTik routers to the latest versions.
  • Disable remote administration unless explicitly required.
  • Change default credentials and enforce strong authentication.
  • Monitor DNS settings for unauthorized changes.
  • Segment network devices to limit lateral movement.
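The network indicators listed earlier and the recommendation to monitor DNS settings for unauthorized changes both reduce to the same check: are clients talking to a resolver the organization operates, and are sensitive names being answered with addresses they should never map to? The following is an added example, not code from the advisory or from any vendor, that runs that check over constructed DNS transaction records. It flags queries sent to an unapproved resolver, matches the two attacker addresses published in the IOC section, and flags login portals that resolve outside their expected ranges. The log line layout, the approved-resolver list and the expected address ranges are assumptions for the example.

```python
import ipaddress
import re
from typing import Dict, List

# Resolvers the organization actually operates (constructed sample addresses).
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Attacker-controlled nodes from the advisory's IOC section (shown defanged there).
KNOWN_MALICIOUS_IPS = {"64.120.31.96", "79.141.160.78"}

# Login / mail portals whose answers should only come from known ranges.
# Constructed example ranges; replace with each service's real address space.
EXPECTED_ANSWERS = {
    "login.example-mail.com": [ipaddress.ip_network("203.0.113.0/24")],
    "sso.example-corp.com": [ipaddress.ip_network("198.51.100.0/24")],
}

# One line per DNS transaction in a "ts client= resolver= qname= answer=" layout
# (a constructed format for this example, not a real sensor's output).
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+client=(?P<client>\S+)\s+resolver=(?P<resolver>\S+)\s+"
    r"qname=(?P<qname>\S+)\s+answer=(?P<answer>\S+)$"
)


def parse_line(line: str) -> Dict[str, str]:
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparsable DNS log line: {line!r}")
    return m.groupdict()


def classify(rec: Dict[str, str]) -> List[str]:
    """Return the findings for one DNS record (empty list means benign)."""
    findings = []
    resolver, answer = rec["resolver"], rec["answer"]
    qname = rec["qname"].rstrip(".").lower()

    # 1. Query went to a resolver we do not operate: the hallmark of a router
    #    whose DNS settings were rewritten.
    if resolver not in APPROVED_RESOLVERS:
        findings.append(f"unauthorized resolver {resolver}")

    # 2. Resolver or answer is one of the published attacker nodes.
    if resolver in KNOWN_MALICIOUS_IPS:
        findings.append(f"resolver {resolver} is a known AitM/DNS node")
    if answer in KNOWN_MALICIOUS_IPS:
        findings.append(f"answer {answer} is a known AitM/DNS node")

    # 3. A login portal resolved outside its expected range: the AitM pattern
    #    where a legitimate name is mapped onto interception infrastructure.
    if qname in EXPECTED_ANSWERS:
        try:
            addr = ipaddress.ip_address(answer)
        except ValueError:
            addr = None
        if addr is None or not any(addr in net for net in EXPECTED_ANSWERS[qname]):
            findings.append(f"{qname} resolved to unexpected address {answer}")
    return findings


def scan(lines: List[str]) -> Dict[str, List[str]]:
    """Map the timestamp of each suspicious line to its findings; benign lines are omitted."""
    report: Dict[str, List[str]] = {}
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        findings = classify(rec)
        if findings:
            report[rec["ts"]] = findings
    return report


# Constructed sample log: a benign transaction, one sent to a foreign resolver,
# and one where the login portal is answered with an advisory IOC address.
SAMPLE_LOG = [
    "2026-02-01T08:00:01Z client=192.168.1.20 resolver=10.0.0.53 qname=login.example-mail.com answer=203.0.113.10",
    "2026-02-01T08:00:02Z client=192.168.1.21 resolver=79.141.160.78 qname=sso.example-corp.com answer=198.51.100.7",
    "2026-02-01T08:00:03Z client=192.168.1.22 resolver=10.0.1.53 qname=login.example-mail.com answer=64.120.31.96",
]

if __name__ == "__main__":
    for ts, findings in scan(SAMPLE_LOG).items():
        print(ts, "->", "; ".join(findings))
```

The third sample line is the case a resolver allowlist alone misses: the query went to an approved resolver, yet the answer is an attacker address, which is what a poisoned upstream or a hijacked router forwarding to a malicious server looks like from the inside. Checking answers for high-value names against their expected ranges catches it regardless of which resolver was used.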

Mitigation for CVE-2026-21509 & CVE-2026-21513

  • Apply latest Windows security updates immediately.
  • Block or restrict execution of .LNK files from untrusted sources.
  • Disable macros in Microsoft Office by default.
  • Use endpoint detection tools to monitor suspicious process execution.
  • Inspect outbound connections to detect unusual C2 communication.

Instantly Fix Risks with Saner Patch Management

Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.