SEVERITY: HIGH - Threat Alert
The Threat
APT28 - the Russian state-sponsored threat actor also tracked as Forest Blizzard and Pawn Storm - has launched a new spear-phishing campaign deploying a previously undocumented malware suite codenamed PRISMEX. The campaign has been directly linked to attacks on Ukraine and NATO-aligned governments, but the tradecraft and tooling used carry serious implications far beyond those borders.
PRISMEX is technically sophisticated. It combines advanced steganography (hiding malicious payloads inside ordinary image or document files) with Component Object Model (COM) hijacking - a Windows-native technique that allows attackers to execute malicious code without triggering standard antivirus detection. This is not a commodity threat. This is a precision instrument built by a well-resourced nation-state.
APT28 has a documented history of targeting government ministries, financial institutions, diplomatic missions, and critical infrastructure - exactly the sectors driving East Africa's digital transformation agenda.
Impact Assessment for East African Organizations
East African institutions should not assume geographic distance provides protection. APT28 and similar Russian-nexus actors have previously targeted African Union infrastructure, regional diplomatic missions, and multilateral development finance institutions operating across the Horn of Africa. Kenya, Ethiopia, Somalia, and Djibouti all host foreign embassies, AU-affiliated agencies, and strategic infrastructure that falls within the interest profile of nation-state actors.
For Kenyan banks and fintechs regulated under CBK guidelines, a PRISMEX-style compromise could expose SWIFT credentials, customer PII, and core banking access - triggering CBK mandatory breach notification requirements and potential PCI-DSS non-compliance penalties. For Ethiopian and Somali government ministries, spear-phishing is already the leading initial access vector, and PRISMEX's steganographic delivery would bypass most email gateway filters currently deployed in the region.
Power utilities and telecom operators are equally at risk. COM hijacking is particularly dangerous in operational technology (OT) environments where legacy Windows systems are common and patching cycles are long - a reality across the East African energy sector.
Immediate Actions - Do These Now
- Audit your email gateway rules immediately. Ensure your email security solution inspects images and Office documents for embedded payloads - not just executable attachments. Standard signature-based filters will not catch steganographic delivery.
- Restrict and audit COM object permissions. Review Windows registry COM object entries on all endpoints and servers. Implement application control policies (via AppLocker or Windows Defender Application Control) to limit unauthorized COM registration.
- Run a spear-phishing simulation targeting your executive and finance teams. APT28 crafts highly personalized lures using open-source intelligence. Your CFO, IT Director, and procurement staff are the highest-risk entry points.
- Review and harden privileged access. PRISMEX is designed for persistence and lateral movement. If an attacker gets in, they will move fast. Enforce least-privilege access, MFA on all administrative accounts, and segment your network now - not after an incident.
- Brief your SOC or IT team on this specific indicator profile. Ensure your team is monitoring for unusual DCOM activity, unexpected image file executions, and outbound connections to newly registered domains - common APT28 command-and-control patterns.
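One concrete form of the attachment inspection called for above, written here as an added example (it is not tooling from the alert, from the PRISMEX reporting, or from any gateway vendor): walk the structure of a JPEG or PNG to find where the image legitimately ends, and flag anything concatenated after that point. A payload glued onto the end of a valid picture is the most common way malware campaigns "hide" content in images, and a signature filter that only looks at the attachment's declared type passes it straight through. The sample images and trailers are constructed inline; nothing here is a real campaign sample. The caveat a practitioner needs: this catches appended data only. Pixel-level (LSB) steganography leaves the file structurally clean and needs other controls such as re-encoding images at the gateway or detonating the message.

```python
r"""Heuristic check for image attachments that carry a concatenated payload.

Added example, not part of the alert or any vendor product. Locates the true end
of a JPEG (EOI marker) or PNG (IEND chunk) and reports any bytes after it. It
does NOT detect pixel-level (LSB) steganography.
"""
import struct
import zlib
from typing import Optional

PNG_SIG = b"\x89PNG\r\n\x1a\n"

# Signatures of content that has no business appended to an image attachment.
KNOWN_TRAILERS = (
    (b"MZ", "PE executable"),
    (b"PK\x03\x04", "ZIP / Office Open XML container"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 compound document"),
    (b"%PDF", "PDF document"),
    (b"\x1f\x8b", "gzip stream"),
)


def jpeg_end(data: bytes) -> Optional[int]:
    """Offset just past the EOI marker (FF D9) of a JPEG, or None if malformed."""
    if data[:2] != b"\xff\xd8":
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None                                  # expected a marker here
        marker = data[pos + 1]
        if marker == 0xD9:                               # EOI: the image ends here
            return pos + 2
        if marker == 0xFF:                               # fill byte before a marker
            pos += 1
            continue
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:     # standalone markers (TEM, RSTn)
            pos += 2
            continue
        if pos + 4 > len(data):
            return None
        seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seglen
        if marker == 0xDA:                               # SOS: entropy-coded data follows
            # Advance to the next real marker. FF 00 is byte stuffing and
            # FF D0..D7 are restart markers; both belong to the scan data.
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    return None


def png_end(data: bytes) -> Optional[int]:
    """Offset just past the IEND chunk of a PNG, or None if malformed."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4                            # header + data + CRC
        if pos > len(data):
            return None                                  # truncated chunk
        if ctype == b"IEND":
            return pos
    return None


def identify(blob: bytes) -> str:
    for magic, description in KNOWN_TRAILERS:
        if blob.startswith(magic):
            return description
    return "unidentified data"


def scan_image(data: bytes) -> dict:
    """Verdict for one attachment: format, where it ends, and what (if anything) follows."""
    if data[:2] == b"\xff\xd8":
        fmt, end = "JPEG", jpeg_end(data)
    elif data.startswith(PNG_SIG):
        fmt, end = "PNG", png_end(data)
    else:
        fmt, end = None, None
    report = {"format": fmt, "end_offset": end, "trailer_bytes": 0,
              "trailer_type": None, "suspicious": False, "reason": "clean"}
    if fmt is None:
        report.update(suspicious=True, reason="not a JPEG or PNG")
    elif end is None:
        report.update(suspicious=True, reason="malformed image structure")
    elif end < len(data):
        trailer = data[end:]
        kind = identify(trailer)
        report.update(trailer_bytes=len(trailer), trailer_type=kind, suspicious=True,
                      reason=f"{len(trailer)} bytes appended after end of image ({kind})")
    return report


def _png_chunk(ctype: bytes, payload: bytes = b"") -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


# Constructed minimal images for demonstration; not real campaign samples.
SAMPLE_JPEG = (b"\xff\xd8"
               + b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
               + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
               + b"\x12\x34\xff\x00\x56"                 # scan data incl. FF 00 stuffing
               + b"\xff\xd9")
SAMPLE_PNG = (PNG_SIG
              + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
              + _png_chunk(b"IEND"))

if __name__ == "__main__":
    for name, blob in [("clean.jpg", SAMPLE_JPEG),
                       ("photo.jpg", SAMPLE_JPEG + b"MZ\x90\x00" + b"\x00" * 100),
                       ("chart.png", SAMPLE_PNG + b"PK\x03\x04" + b"\x00" * 60)]:
        print(f"{name}: {scan_image(blob)['reason']}")
```

The structural walk matters: searching for the last FF D9 or the string IEND would be fooled by a payload that happens to contain those bytes, whereas following the segment and chunk lengths gives the exact offset where the decoder stops reading. Anything after that offset is invisible to an image viewer and is therefore worth quarantining or stripping before delivery.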
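For the COM registry review in the action list, the check that pays off is comparing per-user registrations with their machine-wide counterparts. For a non-elevated process, Windows resolves a CLSID from HKCU\Software\Classes before HKLM\Software\Classes, so an attacker who can only write to the user hive can still make a trusted program load a DLL of their choosing; an entry that shadows a different HKLM server, points into a user-writable folder, or names a bare file that the DLL search path resolves is the indicator to review. The audit below is an added example, not the alert's or any vendor's code. The registry walk uses the standard-library winreg module and only runs on Windows; the classification logic is platform independent and is exercised here against constructed sample entries (the CLSIDs and paths are made up, not IoCs). The list of user-writable directory names is an assumption to tune per environment.

```python
r"""Audit per-user COM registrations for hijack indicators.

Added example, not part of the alert or any vendor product. Pairs each
HKCU\Software\Classes\CLSID\{...}\InprocServer32 / LocalServer32 value with its
HKLM counterpart and ranks entries by the number of review indicators.
"""
import re
from typing import Dict, List, Optional, Tuple

try:
    import winreg                    # standard library, Windows only
except ImportError:                  # keep the analysis importable elsewhere
    winreg = None

CLSID_ROOT = r"Software\Classes\CLSID"
SERVER_KEYS = ("InprocServer32", "LocalServer32")

# Assumed list of locations a standard user can write to; tune per environment.
USER_WRITABLE = re.compile(
    r"\\(appdata|temp|tmp|downloads|programdata|users\\public)\\", re.IGNORECASE)

Entry = Tuple[str, Optional[str]]    # (HKCU server value, HKLM server value or None)


def normalize(server: str) -> str:
    """Lower-cased binary path with quotes and trailing arguments removed.
    Unquoted paths containing spaces are truncated at the first space; registry
    values with such paths are normally quoted."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', server)
    path = (m.group(1) or m.group(2)) if m else server
    return path.lower()


def assess(user_server: str, machine_server: Optional[str]) -> List[str]:
    """Reasons one per-user registration deserves review; empty list means it looks benign."""
    reasons = []
    if machine_server is None:
        reasons.append("per-user CLSID has no machine-wide counterpart")
    elif normalize(user_server) != normalize(machine_server):
        reasons.append("per-user server shadows a different machine-wide server")
    if USER_WRITABLE.search(user_server):
        reasons.append("server binary is in a user-writable directory")
    if "\\" not in normalize(user_server):
        reasons.append("bare file name, resolved through the DLL search path")
    return reasons


def audit(entries: Dict[Tuple[str, str], Entry]) -> List[dict]:
    """Rank (CLSID, server key) entries by indicator count; benign ones are dropped."""
    findings = []
    for (clsid, key), (user, machine) in entries.items():
        reasons = assess(user, machine)
        if reasons:
            findings.append({"clsid": clsid, "key": key, "user": user,
                             "machine": machine, "reasons": reasons})
    findings.sort(key=lambda f: len(f["reasons"]), reverse=True)
    return findings


def _read_default(hive, subkey: str) -> Optional[str]:
    try:
        with winreg.OpenKey(hive, subkey) as k:
            return winreg.QueryValue(k, "")      # the key's unnamed (default) value
    except OSError:
        return None


def collect_from_registry() -> Dict[Tuple[str, str], Entry]:
    """Pair every HKCU COM server with its HKLM counterpart (Windows only).
    32-bit servers on 64-bit Windows also live under Software\\Classes\\Wow6432Node\\CLSID."""
    if winreg is None:
        raise RuntimeError("registry enumeration needs Windows")
    entries: Dict[Tuple[str, str], Entry] = {}
    try:
        root = winreg.OpenKey(winreg.HKEY_CURRENT_USER, CLSID_ROOT)
    except OSError:
        return entries                           # no per-user CLSIDs at all
    with root:
        index = 0
        while True:
            try:
                clsid = winreg.EnumKey(root, index)
            except OSError:                      # EnumKey raises when the list is exhausted
                break
            index += 1
            for key in SERVER_KEYS:
                sub = f"{CLSID_ROOT}\\{clsid}\\{key}"
                user = _read_default(winreg.HKEY_CURRENT_USER, sub)
                if user:
                    entries[(clsid, key)] = (user, _read_default(winreg.HKEY_LOCAL_MACHINE, sub))
    return entries


# Constructed sample entries (made-up CLSIDs and paths, not real IoCs).
SAMPLE_ENTRIES: Dict[Tuple[str, str], Entry] = {
    ("{AAAAAAAA-0000-0000-0000-000000000001}", "InprocServer32"):
        (r"C:\Windows\System32\shell32.dll", r"C:\Windows\System32\shell32.dll"),
    ("{AAAAAAAA-0000-0000-0000-000000000002}", "InprocServer32"):
        (r"C:\Users\alice\AppData\Roaming\Updater\helper.dll", r"C:\Windows\System32\wbem\wbemprox.dll"),
    ("{AAAAAAAA-0000-0000-0000-000000000003}", "LocalServer32"):
        (r'"C:\Users\alice\AppData\Local\Vendor\app.exe" /automation', None),
    ("{AAAAAAAA-0000-0000-0000-000000000004}", "InprocServer32"):
        ("helper.dll", None),
}

if __name__ == "__main__":
    entries = collect_from_registry() if winreg else SAMPLE_ENTRIES
    for f in audit(entries):
        print(f"{f['clsid']} {f['key']}: {f['user']}  (HKLM: {f['machine']})")
        for reason in f["reasons"]:
            print("   -", reason)
```

Legitimate per-user installers do create HKCU CLSIDs, so the output is a review queue rather than a verdict: the first sample entry, which merely duplicates the HKLM path, is dropped, while a shadowing entry in AppData scores highest. Run it on a known-good build to establish a baseline, then alert on differences, and pair it with application control so that a DLL in a user-writable directory cannot load even if a registration slips through.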
DRONGO Recommendation
DRONGO's Threat Intelligence and SOC teams are actively tracking APT28 indicators of compromise relevant to East African infrastructure. We can deliver a rapid spear-phishing resilience assessment, COM attack surface review, and email gateway audit for your organization within 72 hours. Your geography is not your firewall.
Is your organization protected? Request a free security assessment.