
APT28 PRISMEX Malware: Detection and Mitigation of COM Hijacking and Steganography

Security Arsenal Team
April 9, 2026

Introduction

The Russian state-sponsored threat actor APT28 (Forest Blizzard, Pawn Storm) has resumed operations against Ukraine and NATO allies with a sophisticated new toolset named PRISMEX. This campaign demonstrates a continued evolution in tradecraft, moving beyond simple macro-enabled documents to a complex suite utilizing advanced steganography for payload concealment and Component Object Model (COM) hijacking for persistence.

For defenders, the immediate risk is the bypass of traditional file-based detection mechanisms. Steganography allows malicious code to hide within benign-looking image files, while COM hijacking subverts trusted system processes to execute malware. This is not a theoretical exercise; active exploitation is confirmed. Security teams must immediately shift hunting strategies to focus on behavioral anomalies and registry integrity rather than relying solely on static signature matching.

Technical Analysis

Threat Actor: APT28 (Forest Blizzard)
Target: Ukraine, NATO allies, and related diplomatic entities
Malware Suite: PRISMEX

Attack Chain Breakdown:

  1. Initial Access (Spear-Phishing): The campaign initiates via highly targeted social engineering. Victims receive spear-phishing emails containing malicious attachments.

  2. Payload Delivery (Steganography): Unlike traditional campaigns that rely on macros or embedded scripts, PRISMEX employs advanced steganography. Malicious code is hidden inside image files (e.g., PNGs or BMPs). When processed by a loader or a vulnerable parser, the instructions are extracted from the image pixels directly into memory, bypassing many antivirus engines that scan only the file structure, not the visual data layers.

  3. Persistence (COM Hijacking): To maintain access without creating obviously suspicious scheduled tasks or startup folder entries, PRISMEX utilizes COM Hijacking. The malware modifies registry keys associated with specific COM objects (often targeting InprocServer32). This forces the operating system to load a malicious DLL whenever a legitimate application or system process attempts to use that COM object.

  4. Command and Control (C2): PRISMEX abuses legitimate cloud services to blend in with normal network traffic. By using known, whitelisted cloud APIs and domains, the malware evades egress filtering and network detection rules that typically block unknown C2 IP addresses.
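The steganography step above is what makes static scanning weak: the payload lives in pixel values, not in any file structure a parser checks. One property defenders can still measure is statistical. Overwriting least-significant bits with payload bits pushes the histogram counts of each value pair (2k, 2k+1) towards equality, the observation behind the classic pairs-of-values chi-square test. The following is an added example, not code from the original post or from any analysis of the PRISMEX tooling; it implements that test in pure Python over constructed 8-bit sample data (no real image files are read, and the threshold of 3.0 chi-square per degree of freedom is an assumption chosen for the constructed data).

```python
"""
Pairs-of-values chi-square check for LSB replacement (added example).

A cover image whose (2k, 2k+1) histogram pairs are unbalanced becomes
measurably "flatter" after its least-significant bits are overwritten.
The sample data below is constructed in-line; no image files are read.
"""
import random


def lsb_pairs_chi_square(values):
    """Return (chi2, dof) for the pairs-of-values test over 8-bit samples.

    For each pair (2k, 2k+1) the expected count of the even member is the
    pair mean; chi2 sums the squared deviation from that mean. Pairs with no
    samples are skipped because they carry no information. Under pure LSB
    replacement each term averages about 0.5, so chi2/dof sits near 0.5.
    """
    counts = [0] * 256
    for v in values:
        counts[v & 0xFF] += 1
    chi2 = 0.0
    dof = 0
    for k in range(128):
        even, odd = counts[2 * k], counts[2 * k + 1]
        total = even + odd
        if total == 0:
            continue
        expected = total / 2.0
        chi2 += (even - expected) ** 2 / expected
        dof += 1
    return chi2, dof


def lsb_embedding_suspected(values, max_chi2_per_dof=3.0):
    """Triage verdict: a low chi2/dof means the pairs look equalised, which is
    what sequential LSB replacement produces. Heavily compressed or very flat
    natural images can also score low, so treat a hit as a signal to inspect
    the file, not as proof of embedding. The threshold is an assumption."""
    chi2, dof = lsb_pairs_chi_square(values)
    if dof == 0:
        return False
    return chi2 / dof <= max_chi2_per_dof


def make_cover(n, seed=1):
    """Constructed cover: samples with an even/odd imbalance, standing in for
    the uneven histogram that quantised sensor data typically has."""
    rng = random.Random(seed)
    out = []
    for _ in range(n):
        base = 2 * rng.randint(20, 110)          # even member of a pair
        out.append(base if rng.random() < 0.7 else base + 1)
    return out


def replace_lsb(values, seed=2):
    """Constructed 'after' data: the LSB of every sample is overwritten with a
    random bit. This only reproduces the statistical effect; no payload exists."""
    rng = random.Random(seed)
    return [(v & 0xFE) | rng.getrandbits(1) for v in values]


if __name__ == "__main__":
    cover = make_cover(50_000)
    stego = replace_lsb(cover)
    for name, img in (("cover", cover), ("lsb-replaced", stego)):
        chi2, dof = lsb_pairs_chi_square(img)
        print(f"{name:13s} chi2/dof = {chi2 / dof:8.2f}  "
              f"suspected = {lsb_embedding_suspected(img)}")
```

On real files, feed the function one colour channel at a time (decoded pixel bytes, not the compressed container), and compare against a baseline of known-clean images from the same source before tuning the threshold; the test is sensitive to sequential LSB replacement and weak against other embedding schemes, which is why the detections in the next section target the loader's behaviour rather than the image.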

Exploitation Status: Confirmed active exploitation in the wild against critical government and military infrastructure.

Detection & Response

Given the use of steganography and trusted system abuse, signature-based detection is insufficient. We must detect the mechanisms of persistence and the behavior of the loaders.

SIGMA Rules

The following rules focus on the persistence mechanism (COM Hijacking) and the suspicious process execution patterns typical of steganographic loaders.

YAML
---
title: Potential COM Hijacking InprocServer32 Modification
id: 9e9a4e11-6d2f-4b5c-9c8d-1d2f3b4c5d6e
status: experimental
description: Detects modifications to InprocServer32 registry keys often used for COM hijacking persistence. APT28 PRISMEX uses this technique to maintain access.
references:
  - https://attack.mitre.org/techniques/T1546/015/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.persistence
  - attack.t1546.015
logsource:
  category: registry_set
  product: windows
detection:
  selection:
    TargetObject|contains: 'InprocServer32'
  filter_legit:
    Details|contains:
      - 'C:\\Windows\\System32\\'
      - 'C:\\Windows\\SysWOW64\\'
      # REG_EXPAND_SZ values are logged unexpanded, so legitimate entries
      # usually appear in the %SystemRoot% form as well
      - '%SystemRoot%\\System32\\'
      - '%SystemRoot%\\SysWOW64\\'
  condition: selection and not filter_legit
falsepositives:
  - Legitimate software installation
  - IT administration scripts
level: high
---
title: Suspicious Office Child Process Steganography Loader Pattern
id: b8f3c92a-4d1e-4a3b-9e5f-1a2b3c4d5e6f
status: experimental
description: Detects Microsoft Office applications spawning child processes involved in image manipulation or script execution, a common pattern for steganography-based loaders like PRISMEX.
references:
  - https://attack.mitre.org/techniques/T1564/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.execution
  - attack.initial_access
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|endswith:
      - '\\WINWORD.EXE'
      - '\\EXCEL.EXE'
      - '\\POWERPNT.EXE'
  selection_child_img:
    Image|endswith:
      - '\\powershell.exe'
      - '\\cmd.exe'
      - '\\mshta.exe'
      - '\\cscript.exe'
  selection_child_cli:
    CommandLine|contains:
      - '-encodedcommand'
      - '-enc'
      - 'Invoke-Expression'
  condition: all of selection_*
falsepositives:
  - Legitimate macro usage for business automation
level: medium

KQL (Microsoft Sentinel)

Use this query to hunt for registry modifications indicating COM hijacking attempts, specifically looking for changes to CLSIDs that do not point to the standard Windows directories.

KQL — Microsoft Sentinel / Defender
DeviceRegistryEvents
| where Timestamp > ago(7d)
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
| where RegistryKey contains "InprocServer32"
// RegistryKeyCreated rows carry no value data, so this filter also drops them;
// hunt for newly created InprocServer32 keys in a separate query if needed.
| where isnotempty(RegistryValueData)
// Expandable-string values normally reference %SystemRoot%, so exclude both forms.
| where RegistryValueData !contains "C:\\Windows\\System32\\"
    and RegistryValueData !contains "C:\\Windows\\SysWOW64\\"
    and RegistryValueData !contains "%SystemRoot%\\System32\\"
    and RegistryValueData !contains "%SystemRoot%\\SysWOW64\\"
| project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData,
    InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc

Velociraptor VQL

This VQL artifact hunts for persistence by scanning the registry for COM keys where the default value or InprocServer32 points to a suspicious location (e.g., user profile or temp directories).

VQL — Velociraptor
-- Hunt for suspicious COM hijacking persistence: InprocServer32 keys whose
-- default value (exposed by the registry accessor as the `@` column) resolves
-- outside the Windows system directories. HKEY_USERS is included because a
-- per-user Classes entry overrides the machine-wide one and needs no admin rights.
-- Backslashes are doubled twice: once for the VQL string, once for the regex.
LET SystemDirRegex = "(?i)^(C:\\\\Windows|%SystemRoot%)\\\\(System32|SysWOW64)\\\\"

SELECT Key.OSPath AS KeyPath,        -- Key.FullPath on older Velociraptor releases
       `@` AS DLLPath,
       Key.Mtime AS ModifiedTime
FROM read_reg_key(globs=[
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\*\\InprocServer32",
        "HKEY_USERS\\*\\Software\\Classes\\CLSID\\*\\InprocServer32"
     ])
WHERE DLLPath
  AND NOT DLLPath =~ SystemDirRegex

Remediation Script (PowerShell)

This script audits common registry locations for COM hijacking indicators associated with APT28 TTPs. It should be run with administrative privileges.

PowerShell
# Audit-COMHijacking.ps1
# Scans for non-standard COM server registrations: InprocServer32 default
# values that resolve outside the Windows and Program Files directories.

function Test-ComHijacking {
    $paths = @(
        "HKLM:\Software\Classes\CLSID",
        "HKCU:\Software\Classes\CLSID"
    )

    # Directories considered trusted. Values are compared after expanding
    # environment variables, because legitimate entries are commonly stored
    # as %SystemRoot%\system32\... rather than as a literal C:\ path.
    $trustedPrefixes = @(
        (Join-Path $env:SystemRoot "System32"),
        (Join-Path $env:SystemRoot "SysWOW64"),
        $env:ProgramFiles,
        ${env:ProgramFiles(x86)}
    ) | Where-Object { $_ }

    $suspectEntries = @()

    foreach ($path in $paths) {
        if (-not (Test-Path $path)) { continue }

        $clsids = Get-ChildItem -Path $path -ErrorAction SilentlyContinue
        foreach ($clsid in $clsids) {
            $inprocPath = Join-Path -Path $clsid.PSPath -ChildPath "InprocServer32"
            if (-not (Test-Path $inprocPath)) { continue }

            $defaultVal = (Get-ItemProperty -Path $inprocPath -ErrorAction SilentlyContinue)."(default)"
            if (-not $defaultVal) { continue }

            # Normalise: expand %SystemRoot% etc. and strip surrounding quotes
            $resolved = [Environment]::ExpandEnvironmentVariables($defaultVal).Trim('"')

            # Flag if not under a trusted directory (case-insensitive prefix match,
            # which also avoids the regex pitfalls of paths such as "Program Files (x86)")
            $trusted = $false
            foreach ($prefix in $trustedPrefixes) {
                if ($resolved.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)) {
                    $trusted = $true
                    break
                }
            }

            if (-not $trusted) {
                $suspectEntries += [PSCustomObject]@{
                    Hive      = $path
                    CLSID     = $clsid.PSChildName
                    TargetDLL = $defaultVal
                    Resolved  = $resolved
                    Exists    = (Test-Path -LiteralPath $resolved)
                }
            }
        }
    }

    if ($suspectEntries.Count -gt 0) {
        Write-Host "[ALERT] Potential COM Hijacking Detected:" -ForegroundColor Red
        $suspectEntries | Format-Table -AutoSize | Out-Host
    } else {
        Write-Host "[INFO] No obvious COM Hijacking signatures found in standard paths." -ForegroundColor Green
    }

    # Return the objects so the result can be exported (e.g. to CSV) for the cleanup step
    return $suspectEntries
}

Test-ComHijacking

Remediation

  1. Isolate Affected Systems: Immediately isolate endpoints exhibiting IoCs (Indicators of Compromise) or suspicious registry modifications from the network to prevent lateral movement or data exfiltration to cloud C2s.

  2. Registry Cleanup:

    • Identify the CLSIDs modified by the malware (refer to the audit script output).
    • Restore the InprocServer32 values to their original, legitimate system defaults.
    • If the legitimate default is unknown, delete the specific CLSID subkey if it is not required by standard OS operations (proceed with caution or consult vendor documentation).
  3. Block Cloud C2 Abuse:

    • Configure SWG (Secure Web Gateway) or firewall rules to inspect traffic to legitimate cloud services (e.g., Dropbox, OneDrive, Google Drive) for anomalies, such as high-frequency uploads from non-corporate devices or unusual user-agents.
    • Implement Cloud Access Security Broker (CASB) policies to detect unauthorized API usage.
  4. Patch and Harden:

    • Ensure all applications, specifically Microsoft Office and image processing libraries, are fully patched to reduce the attack surface for steganographic exploits.
    • Enable Attack Surface Reduction (ASR) rules in Microsoft Defender, specifically "Block Office applications from creating child processes" and "Block Office applications from creating executable content."
  5. User Awareness: Reinforce social engineering training regarding the handling of unsolicited attachments, particularly those requesting the user to enable content or view images.
