Executive Summary

In early 2026, APT28 (Fancy Bear / GRU Unit 26165) launched a sophisticated espionage campaign designated PRISMEX, targeting NATO logistics coordination networks with a weaponized exploit chain leveraging three zero-day vulnerabilities in Microsoft Office and MSHTML. The campaign employed RTF documents embedded with malicious OLE objects, chained through WebDAV NTLM credential harvesting, arbitrary COM object instantiation, and an MSHTML sandbox escape to deliver steganography-encoded payloads. Bedrock Safeguard independently analyzed the full attack chain and identified the PRISMEX toolset components: PrismexSheet, PrismexDrop, PrismexLoader, PrismexStager, and the NotDoor backdoor.

Our analysis uncovered 23 original findings not present in any prior public reporting. Among the most significant: a developer URL (http://192.168.217.250/scr2.rss) leaked in both campaign variants, revealing the operator forgot to swap their internal development server address before deploying the weaponized documents. We also traced the C2 infrastructure to a dedicated server in Tampa, Florida registered under the identity "Amel Hodzic" and linked the same IP address to scotiabank-secure.info — a credential phishing domain targeting Canada's largest bank, connecting Russian military intelligence operations directly to financial fraud against Canadian citizens.

The campaign remains active. On March 30, 2026 — just twelve days before this publication — a new PRISMEX variant (r1-r4.doc) was uploaded to VirusTotal with a detection rate of 1/76, indicating the operators have successfully retooled to evade current defenses. Wave 2 analysis identified a third C2 domain — wellnessmedcare.org, a typosquat of the original wellnesscaremed.com — resolving to 193.187.148.169 hosted by M247 Europe SRL in Bucharest, Romania, expanding the known infrastructure to three C2 nodes across the USA, Moldova, and Romania. The leaked developer URL (192.168.217.250/scr2.rss) was confirmed present in all six analyzed samples across both waves, and evidence of at least two distinct operator workstations was identified. Organizations in NATO logistics, defense contracting, and critical infrastructure should treat this as an immediate, active threat.

The Exploit Chain

PRISMEX employs a six-stage exploit chain that progresses from an innocuous-looking RTF document to full post-exploitation payload delivery. Each stage is designed to bypass a specific defensive layer; together the stages defeat Office macro policies, Protected View, SmartScreen and the other controls keyed on Mark of the Web, and Windows Defender real-time protection.

Stage 1: RTF Document with Embedded OLE Objects

The initial lure is an RTF document containing four embedded OLE objects. RTF is chosen because it carries no VBA macros, so macro-blocking policies never apply, and because Word parses embedded OLE objects and template references while loading the file. RTF files carrying Mark of the Web still open in Protected View; it is the later exploit stages, not the file format, that get execution out of that context. The OLE objects contain the template injection URL, the exploit triggers, and a decoy document rendered to the victim.

Stage 2: WebDAV Beacon, NTLM Credential Harvesting

The first OLE object triggers a template injection to wellnesscaremed.com via WebDAV. The Windows WebClient service answers the server's NTLM challenge automatically, leaking a Net-NTLMv2 challenge-response: not the NT hash itself, but enough for relay while the exchange is live or for offline cracking of the password. WebDAV is used because the WebClient service carries the exchange over HTTP, so perimeter blocks on outbound SMB (TCP 445) do not stop it. Even if the subsequent exploit stages fail, the operator has captured usable credentials.
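To make concrete what stage 2 actually captures, the following Python is an added example, not code from this report or from the PRISMEX toolset. It parses the two NTLM messages of a forced WebDAV authentication as they appear in the HTTP headers (the CHALLENGE in WWW-Authenticate, the AUTHENTICATE in Authorization), recovers the user, domain and workstation, and assembles the server challenge, NTProofStr and blob into the hashcat NetNTLMv2 (mode 5600) line an operator would crack offline. The exchange is constructed inline with placeholder values (domain CORP, user jsmith, workstation LOGI-WS01); the NTProofStr is a dummy, not a real HMAC.

```python
import base64
import struct

NTLMSSP_NEGOTIATE_UNICODE = 0x00000001


def _field(msg, off):
    """Decode an NTLM field descriptor (Len, MaxLen, BufferOffset) and return the bytes."""
    length, _maxlen, buf_off = struct.unpack_from("<HHI", msg, off)
    return msg[buf_off:buf_off + length]


def parse_challenge(msg):
    """CHALLENGE_MESSAGE (type 2, sent in WWW-Authenticate): the 8-byte server challenge."""
    if msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 2:
        raise ValueError("not an NTLM type 2 message")
    return msg[24:32]


def parse_authenticate(msg):
    """AUTHENTICATE_MESSAGE (type 3, sent in Authorization): identity plus the NTLMv2 response."""
    if msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLM type 3 message")
    flags = struct.unpack_from("<I", msg, 60)[0]
    # Strings are UTF-16LE when UNICODE was negotiated; otherwise the OEM code page
    # (system dependent; cp437 is assumed here).
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "cp437"
    nt_response = _field(msg, 20)  # NtChallengeResponse = NTProofStr (16) || blob
    return {
        "domain": _field(msg, 28).decode(enc),
        "user": _field(msg, 36).decode(enc),
        "workstation": _field(msg, 44).decode(enc),
        "nt_proof": nt_response[:16],
        "blob": nt_response[16:],
    }


def hashcat_netntlmv2(challenge, auth):
    """hashcat mode 5600 line: user::domain:server_challenge:NTProofStr:blob."""
    return "{}::{}:{}:{}:{}".format(auth["user"], auth["domain"], challenge.hex(),
                                    auth["nt_proof"].hex(), auth["blob"].hex())


def from_http_headers(www_authenticate, authorization):
    """Take the 'NTLM <base64>' header values from a captured WebDAV 401 / retry pair."""
    type2 = base64.b64decode(www_authenticate.split(" ", 1)[1])
    type3 = base64.b64decode(authorization.split(" ", 1)[1])
    auth = parse_authenticate(type3)
    auth["hashcat"] = hashcat_netntlmv2(parse_challenge(type2), auth)
    return auth


# --- constructed sample exchange (placeholder identity, dummy NTProofStr) ---

def _build_challenge(challenge):
    target = "WORKGROUP".encode("utf-16-le")
    hdr = b"NTLMSSP\x00" + struct.pack("<I", 2)
    hdr += struct.pack("<HHI", len(target), len(target), 56)  # TargetName follows the 56-byte header
    hdr += struct.pack("<I", NTLMSSP_NEGOTIATE_UNICODE | 0x00000200)  # UNICODE | NTLM
    hdr += challenge + b"\x00" * 8                            # ServerChallenge, Reserved
    hdr += struct.pack("<HHI", 0, 0, 56 + len(target))        # TargetInfo (empty)
    hdr += b"\x00" * 8                                        # Version
    return hdr + target


def _build_authenticate(domain, user, workstation, nt_response):
    # Lm, Nt, Domain, User, Workstation, EncryptedRandomSessionKey payloads, in descriptor order
    fields = [b"\x00" * 24, nt_response, domain.encode("utf-16-le"),
              user.encode("utf-16-le"), workstation.encode("utf-16-le"), b""]
    hdr = b"NTLMSSP\x00" + struct.pack("<I", 3)
    payload = b""
    for f in fields:
        hdr += struct.pack("<HHI", len(f), len(f), 88 + len(payload))  # payload starts at 88
        payload += f
    hdr += struct.pack("<I", NTLMSSP_NEGOTIATE_UNICODE | 0x00000200)
    hdr += b"\x00" * 8 + b"\x00" * 16  # Version, MIC (zeroed in this constructed sample)
    return hdr + payload


_SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")
_BLOB = (bytes.fromhex("0101000000000000")  # RespType, HiRespType, Reserved1, Reserved2
         + b"\x00" * 8                      # timestamp (placeholder)
         + b"\xaa" * 8                      # client challenge (placeholder)
         + b"\x00" * 4                      # Reserved3
         + b"\x00" * 4                      # AV_PAIR list: MsvAvEOL only
         + b"\x00" * 4)                     # Reserved4
SAMPLE_WWW_AUTHENTICATE = "NTLM " + base64.b64encode(_build_challenge(_SERVER_CHALLENGE)).decode()
SAMPLE_AUTHORIZATION = "NTLM " + base64.b64encode(
    _build_authenticate("CORP", "jsmith", "LOGI-WS01", b"\x11" * 16 + _BLOB)).decode()

if __name__ == "__main__":
    leak = from_http_headers(SAMPLE_WWW_AUTHENTICATE, SAMPLE_AUTHORIZATION)
    print(leak["user"], leak["domain"], leak["workstation"])
    print(leak["hashcat"])
```

The point for defenders is in `parse_authenticate`: everything needed for offline cracking travels in clear in those two headers, so a proxy or packet capture of the WebDAV request to the template host already contains the leaked material, and the captured line can be fed straight to hashcat to gauge how weak the exposed password was.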

Stage 3: CVE-2026-21514, Word OLE Bypass

The second OLE object exploits CVE-2026-21514, a previously unknown vulnerability in Word's OLE handling. This bypass allows the attacker to instantiate arbitrary COM objects from within the document context, defeating the OLE object whitelist that normally restricts which objects can be embedded and activated.

Stage 4: CVE-2026-21509, Shell.Explorer.1 LNK Fetch

Using the COM instantiation from Stage 3, the exploit activates a Shell.Explorer.1 object (CVE-2026-21509) to fetch a malicious LNK file from the C2 server. The Shell.Explorer.1 CLSID ({EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}) provides a browser control context that transitions execution from the Word process space into the MSHTML rendering engine.

Stage 5: CVE-2026-21513, MSHTML LNK Sandbox Escape

The LNK file triggers CVE-2026-21513, an MSHTML sandbox escape. The exploit uses a JavaScript chain: an img onerror handler creates an ActiveXObject("htmlfile"), which spawns nested iframes that call execScript to break out of the MSHTML sandbox. This achieves arbitrary code execution on the host system outside of any sandboxed context.

Stage 6: Steganography Payload Delivery, Bit Plane Round Robin

Post-exploitation, the PrismexStager downloads what appears to be a normal image file from a Filen.io file sharing link. The actual payload is encoded using Bit Plane Round Robin steganography, distributing payload bits across the least-significant bits of each color channel in a rotating pattern. The extracted payload is the PrismexLoader, which installs the NotDoor backdoor for persistent C2 communication.
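The report gives only a one-line description of the encoding, so the following Python is an added illustration of the reading that description most directly supports, not the PrismexStager decoder: one payload bit per pixel, written to the least-significant bit of a channel that rotates R, G, B, R, ... across consecutive pixels. The 4-byte length prefix is an assumption added here so that extraction knows where to stop. The code works on a raw RGB byte array, so it needs no image library, and the cover is constructed pseudo-random data rather than a real image.

```python
import random
import struct

CHANNELS = 3  # raw RGB triplets, one byte per channel


def _carrier_index(i):
    """Byte index holding payload bit i: pixel i, channel rotating R, G, B, R, ..."""
    return i * CHANNELS + (i % CHANNELS)


def _bits(data):
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(cover, payload):
    """Write a 4-byte length prefix plus payload into the rotating-channel LSBs of cover."""
    message = struct.pack("<I", len(payload)) + payload
    if len(message) * 8 > len(cover) // CHANNELS:  # one bit per pixel
        raise ValueError("cover image too small for payload")
    stego = bytearray(cover)
    for i, bit in enumerate(_bits(message)):
        idx = _carrier_index(i)
        stego[idx] = (stego[idx] & 0xFE) | bit
    return bytes(stego)


def _hidden_byte(stego, n):
    """Reassemble hidden byte n from the eight carrier pixels that hold it."""
    value = 0
    for k in range(8):
        value = (value << 1) | (stego[_carrier_index(n * 8 + k)] & 1)
    return value


def extract(stego):
    """Recover the payload; a length the image cannot hold means there is no payload."""
    length = struct.unpack("<I", bytes(_hidden_byte(stego, n) for n in range(4)))[0]
    if (4 + length) * 8 > len(stego) // CHANNELS:
        raise ValueError("length prefix exceeds capacity: probably not a carrier")
    return bytes(_hidden_byte(stego, n) for n in range(4, 4 + length))


def lsb_changes(cover, stego):
    """Carrier bytes that changed; each change is +/-1 in one channel of one pixel."""
    return sum(1 for a, b in zip(cover, stego) if a != b)


# Constructed 64x64 RGB cover: pseudo-random bytes, not a real image.
_rng = random.Random(2026)
COVER = bytes(_rng.getrandbits(8) for _ in range(64 * 64 * CHANNELS))
PAYLOAD = b"constructed stage payload, not PrismexLoader"

if __name__ == "__main__":
    stego = embed(COVER, PAYLOAD)
    print(extract(stego) == PAYLOAD, lsb_changes(COVER, stego), "bytes changed")
```

Because every pixel gives up only one bit and the rest of the image is untouched, the carrier image still decodes and displays normally, which is what lets the download pass as an ordinary file; a detector has to look at LSB statistics of the first rows, where a real image's LSB plane is rarely as uniform as encoded data.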

The OPSEC Leak

The most significant discovery in our analysis is a developer URL left in the weaponized documents. Both campaign variants contain a template injection reference to http://192.168.217.250/scr2.rss — an RFC 1918 private IP address that is unreachable from the public internet.

This URL appears in both the "buch" (Turkey-themed) and "venezia" (Ukraine-themed) campaign documents. The operator built and tested the exploit chain on a local development server at 192.168.217.250 and forgot to replace it with the production C2 URL before deploying the weaponized documents. The same mistake in both campaigns confirms a shared development environment and a single operator or tightly-knit team.

This type of OPSEC failure is not unprecedented for APT28. The group has previously leaked internal project paths, build timestamps clustered in Moscow working hours, and Cyrillic-encoded metadata. The leaked development IP is a forensic anchor, with one caveat: 192.168.217.250 lies in RFC 1918 space that many organizations also use internally, so a bare connection to that address proves nothing. What is diagnostic is an Office process, or the WebClient (WebDAV) service acting for it, attempting to fetch http://192.168.217.250/scr2.rss; any organization whose proxy or endpoint telemetry shows that request should investigate immediately, because it indicates a PRISMEX document was opened on that machine.

Two Campaigns

PRISMEX was deployed in at least two distinct campaigns, differentiated by their lure themes and target geography but sharing identical tooling and infrastructure.

Campaign "buch"

Targeted at Turkey-adjacent logistics networks. The lure document presents a conversation related to smuggling operations, likely designed to appeal to intelligence officers or law enforcement personnel monitoring illicit trade routes. The document filename and internal metadata reference "buch" as a campaign identifier.

Campaign "venezia"

Targeted at Ukraine-related logistics coordination. The lure document displays a weather map, plausibly mimicking military or humanitarian logistics planning documents. The "venezia" campaign identifier suggests a geographic codename system used by the operators for tracking different target sets.

Despite different lure content and targets, both campaigns use the same exploit chain, the same C2 infrastructure, the same leaked developer IP, and the same PRISMEX toolset. This confirms unified operational control.

C2 Infrastructure

The PRISMEX campaign operates through three known command-and-control nodes spanning the USA, Moldova, and Romania. The first has been sinkholed; the second and third remain live.

wellnesscaremed.com (sinkholed)

23.227.202.14

Hivelocity, Tampa, Florida, USA

Used for WebDAV NTLM harvesting and initial payload delivery. Domain suspended by registrar on February 6, 2026 following abuse reports. Resolved to a dedicated server (not shared hosting) at Hivelocity's Tampa datacenter.

freefoodaid.com (live)

159.253.120.2

AlexHost SRL, Chisinau, Moldova

Active C2 node for NotDoor backdoor communication. AlexHost is a Moldovan hosting provider known for bulletproof hosting characteristics: cryptocurrency payments accepted, minimal abuse response, and a history of hosting malicious infrastructure.

wellnessmedcare.org (live)

193.187.148.169

M247 Europe SRL, Bucharest, Romania

Third C2 node identified in Wave 2 analysis. The domain is a deliberate typosquat of wellnesscaremed.com (rearranged words: "wellness-med-care" vs. "wellness-care-med"). Hosted by M247, a major European hosting provider with infrastructure across Romania and the UK. Discovered through analysis of Wave 2 samples from the freefoodaid.com C2.

Timeline

January 12, 2026
wellnesscaremed.com and freefoodaid.com registered
January 30, 2026
First PRISMEX sample uploaded to VirusTotal
February 6, 2026
wellnesscaremed.com suspended by registrar
February 10, 2026
Microsoft patches CVE-2026-21509 and CVE-2026-21513
March 30, 2026
New PRISMEX variant (r1-r4.doc) detected — campaign retooled

The Server Behind the Domain

The IP address 23.227.202.14 is a dedicated server at Hivelocity in Tampa, Florida — not shared hosting. WHOIS and registration records link to the identity "Amel Hodzic." Historical infrastructure analysis reveals this server has been in continuous use for offensive operations since at least 2020, when it hosted cardstopinfo.contact, a domain associated with carding and financial fraud infrastructure.

The server runs SoftEther VPN, an open-source multi-protocol VPN that is a known tool in APT28's arsenal. SoftEther provides protocol obfuscation, making VPN traffic appear as standard HTTPS, and supports daisy-chaining through multiple nodes — ideal for obscuring the true origin of C2 communications.

The combination of a dedicated (not shared) server, SoftEther VPN, a six-year operational history, and links to both espionage and financial fraud infrastructure suggests this server is a long-term asset maintained by or for APT28 operations.

18 Months of Operations

Historical and passive DNS data for 159.253.120.2 (the AlexHost Moldova node) shows a succession of domains resolving to it over an 18-month span, each serving a different operational purpose.

The progression from financial phishing (Scotiabank), to French-language social engineering, to investment fraud lures, to NATO-targeted espionage demonstrates an operator or group that pivots between financially motivated cybercrime and state-directed espionage — a pattern well-documented in Russian intelligence operations where the line between state objectives and personal enrichment is deliberately blurred.

The Canadian Connection

The same IP address (159.253.120.2) that serves as the active PRISMEX C2 for NATO espionage previously hosted scotiabank-secure.info — a credential phishing domain targeting customers of Scotiabank, Canada's third-largest bank. This directly connects Russian military intelligence infrastructure to financial fraud targeting Canadian citizens.

This finding is significant for Canadian national security. It demonstrates that infrastructure used by GRU Unit 26165 for espionage against NATO allies is simultaneously used for cybercrime targeting Canadian financial institutions. The Scotiabank phishing domain was active in September 2024, indicating Canadian victims may have been compromised over 18 months ago through this infrastructure.

Canadian law enforcement and financial institutions should review historical logs for connections to 159.253.120.2 and the domain scotiabank-secure.info. Any customer credentials harvested through this infrastructure may have been used for unauthorized account access, identity theft, or further social engineering attacks.

Active Campaign

On March 30, 2026 — just twelve days before this publication — a new PRISMEX document variant (r1-r4.doc) was uploaded to VirusTotal. Its associated payload, ~WRD0002.tmp, had a detection rate of only 1 out of 76 antivirus engines.

A 1/76 detection rate indicates that the PRISMEX operators have retooled their payload generation enough to evade nearly all signature-based detection; note that a VirusTotal score measures static engines at upload time and says nothing about behavioural or EDR coverage. This is consistent with APT28's operational tempo: after patches for CVE-2026-21509 and CVE-2026-21513 were released on February 10, the group adapted within weeks, likely exploiting the remaining unpatched CVE-2026-21514 or deploying modified versions of the patched exploits against organizations slow to apply updates.

The freefoodaid.com C2 at AlexHost Moldova remains live and responsive. Organizations should assume that PRISMEX is an active, ongoing campaign and deploy the IOCs and YARA rules provided in this report immediately.

Wave 2 Analysis

Bedrock Safeguard conducted a second wave of analysis on three additional PRISMEX samples retrieved from the freefoodaid.com C2 infrastructure, bringing the total analyzed samples to six. These Wave 2 samples reveal new campaign identifiers, confirm persistent OPSEC failures, and provide evidence of multiple operators.

New Samples

Campaign "documents"

Sample b2ba51... (1.8 MB). The largest sample in the set, likely containing an embedded decoy document of significant size to increase social engineering effectiveness.

Campaign "tables"

Sample 1ed863... (140 KB). Compact lure document using tabular data as the social engineering pretext.

Campaign "pol"

Sample fd3f13... (127 KB). The campaign identifier "pol" most plausibly refers to Poland, a NATO frontline state and the main logistics hub for Ukraine support operations, which would mean PRISMEX is expanding to additional NATO member states.

Dev IP Confirmed in ALL Samples

The leaked developer URL http://192.168.217.250/scr2.rss is present in all six analyzed samples — both Wave 1 ("buch", "venezia", "r1-r4") and Wave 2 ("documents", "tables", "pol"). The operator has never fixed this OPSEC failure across any campaign variant, despite months of active operations.

The persistence of this development artifact across all known samples strengthens the attribution case significantly. It confirms a single development environment is used to produce all PRISMEX weaponized documents, regardless of campaign target or variant.

Multiple Operators

Metadata analysis across the six samples reveals at least two distinct build environments. One sample was built by user "don" on a Linux workstation, evidenced by Linux-native fonts (Liberation Serif and Noto CJK, the Chinese-Japanese-Korean Noto family) in the embedded document properties. The remaining samples were built by "Administrator" on Windows workstations. The Noto CJK fonts are only weak evidence of an operator with CJK language requirements: several mainstream Linux desktop distributions install them by default, so a document produced on a stock Linux desktop can reference them without anyone having chosen them.

Shared Exploit Template

Object 3 across all six samples — a Word.Document.12 OLE object of exactly 29,044 bytes — is byte-for-byte identical. This is the core exploit component that triggers the CVE chain. The operators use a reusable weaponization template: the exploit payload is standardized, while only the lure content and campaign identifier are customized per target. This template-based approach enables rapid campaign deployment against new targets.
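The following Python triage script is an added example, not code from this report or from the PRISMEX toolset. It pulls out of an RTF the three things the analysis above keys on: the URL references (flagging RFC 1918 targets such as the leaked development URL from stage 1 and the OPSEC Leak section), the decoded \objdata blobs with any of the CLSIDs from the IOC table, and a per-object size and SHA-256 so that a reused object like the 29,044-byte Word.Document.12 template shows up as identical across samples. It also shows why the CLSIDs have to be searched in decoded form: inside RTF the OLE stream is ASCII hex, and within it the CLSID is stored little-endian, so neither the textual GUID nor its raw bytes ever appear in the file. The two sample documents (lure_a.rtf, lure_b.rtf) and their OLE blobs are constructed here and contain no real PRISMEX content; http://c2.example/x.lnk is a placeholder.

```python
import hashlib
import ipaddress
import re
import uuid
from urllib.parse import urlparse

# CLSIDs from this report's IOC table; nothing else is assumed about the samples.
KNOWN_CLSIDS = {
    "56BBDD68-1D9D-4FD9-89C5-C0DA2A625392": "OLE object CLSID (CVE-2026-21514)",
    "D9144DCD-E998-4EAB-D83C-CCBA16D90000": "secondary CLSID (exploit chain)",
    "EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B": "Shell.Explorer.1 (CVE-2026-21509)",
}
# On disk a CLSID is stored with Data1..Data3 little-endian; match on decoded bytes.
CLSID_BYTES = {uuid.UUID(k).bytes_le: v for k, v in KNOWN_CLSIDS.items()}

OBJDATA_RE = re.compile(rb"\\objdata\b([0-9A-Fa-f\s]+)")
OBJCLASS_RE = re.compile(rb"\\objclass\s+([^\\{}]+)")
URL_RE = re.compile(rb"https?://[^\s\x00\"'<>{}\\]+")


def _urls(blob):
    found = []
    for m in URL_RE.finditer(blob):
        url = m.group(0).decode("ascii", "replace")
        host = urlparse(url).hostname or ""
        try:
            private = ipaddress.ip_address(host).is_private  # RFC 1918, loopback, link-local
        except ValueError:
            private = False  # a hostname, not an IP literal
        found.append({"url": url, "private": private})
    return found


def triage_rtf(data):
    """Decode every objdata group; report class names, URLs, CLSID hits and per-object hashes."""
    objects = []
    for n, m in enumerate(OBJDATA_RE.finditer(data), 1):
        hexdata = re.sub(rb"\s+", b"", m.group(1))
        hexdata = hexdata[: len(hexdata) // 2 * 2]  # drop a trailing odd nibble rather than fail
        blob = bytes.fromhex(hexdata.decode("ascii"))
        objects.append({
            "index": n,
            "size": len(blob),
            "sha256": hashlib.sha256(blob).hexdigest(),
            "clsids": [name for raw, name in CLSID_BYTES.items() if raw in blob],
            "urls": _urls(blob),
        })
    urls = _urls(data) + [u for o in objects for u in o["urls"]]
    return {
        "classes": [c.strip().decode("ascii", "replace") for c in OBJCLASS_RE.findall(data)],
        "objects": objects,
        "urls": urls,
        "dev_leak": [u["url"] for u in urls if u["private"]],
    }


def shared_objects(samples):
    """Object SHA-256 -> sample names, for objects that recur across documents."""
    seen = {}
    for name, data in samples.items():
        for obj in triage_rtf(data)["objects"]:
            seen.setdefault(obj["sha256"], []).append(name)
    return {h: names for h, names in seen.items() if len(names) > 1}


# --- constructed samples: synthetic OLE blobs, no real PRISMEX content ---

def _fake_ole(clsid_text, filler):
    """CFB magic, then the CLSID in its on-disk little-endian form, then filler."""
    return b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + uuid.UUID(clsid_text).bytes_le + filler


def _fake_rtf(decoy, objects, template_url):
    parts = [b"{\\rtf1\\ansi{\\*\\template " + template_url + b"}"]
    for objclass, blob in objects:
        parts.append(b"{\\object\\objemb{\\*\\objclass " + objclass + b"}"
                     + b"{\\*\\objdata " + blob.hex().encode("ascii") + b"}}")
    parts.append(decoy + b"}")
    return b"".join(parts)


_DEV_URL = b"http://192.168.217.250/scr2.rss"  # the leaked URL reported above
_EXPLOIT_OBJ = _fake_ole("56BBDD68-1D9D-4FD9-89C5-C0DA2A625392", b"\x00" * 64)
_SHELL_OBJ = _fake_ole("EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B", b"http://c2.example/x.lnk\x00")
SAMPLES = {
    "lure_a.rtf": _fake_rtf(b"decoy A", [(b"Word.Document.12", _EXPLOIT_OBJ),
                                          (b"Shell.Explorer.1", _SHELL_OBJ)], _DEV_URL),
    "lure_b.rtf": _fake_rtf(b"decoy B", [(b"Word.Document.12", _EXPLOIT_OBJ)], _DEV_URL),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        r = triage_rtf(data)
        print(name, r["classes"], r["dev_leak"],
              [(o["size"], o["sha256"][:12], o["clsids"]) for o in r["objects"]])
    print("shared objects:", shared_objects(SAMPLES))
```

Run it over a directory of suspected lures and `shared_objects` gives the reused exploit object without any signature: identical size and hash in every sample, while the decoy and the campaign identifier vary.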

New Persistence Mechanism — wordicon.exe

Wave 2 samples introduce an alternative persistence mechanism using wordicon.exe deployed via an Office CLSID path, replacing the OneDriveHealth scheduled task used in Wave 1. This indicates the operators are rotating their persistence techniques, likely in response to detection signatures targeting the original scheduled task approach. Defenders should monitor for both persistence mechanisms.

Third Zero-Day

CVE-2026-21514, the Word OLE bypass used in Stage 3 of the exploit chain, has been tagged on VirusTotal samples associated with PRISMEX but does not appear in any public reporting on the campaign. Prior public analyses focused on CVE-2026-21509 (Shell.Explorer.1 bypass) and CVE-2026-21513 (MSHTML sandbox escape), both of which were patched in Microsoft's February 2026 security update.

CVE-2026-21514 is the enabler for the entire chain — without the OLE bypass, the attacker cannot instantiate the Shell.Explorer.1 COM object that triggers the subsequent stages. The fact that this vulnerability is absent from public PRISMEX reporting suggests it may still be unpatched or that its patch has not been widely deployed. Organizations should verify that their February 2026 (or later) Microsoft Office patches are fully applied and confirm that CVE-2026-21514 is addressed in their deployed patch set.

Crypto Trail

AlexHost SRL accepts Bitcoin and Monero for server hosting through the CoinGate payment processor, requiring zero identity verification for cryptocurrency payments. This makes it an attractive hosting provider for offensive operations: the operator can rent a dedicated server in Moldova without providing any real identity, paying entirely in cryptocurrency.

However, cryptocurrency payments are not anonymous — they are pseudonymous. The FBI has successfully traced APT-linked infrastructure payments through blockchain analysis in multiple prior cases. If the AlexHost server was paid for with Bitcoin (rather than Monero), the payment transaction exists on the public blockchain and can potentially be traced to an exchange where the operator's identity was verified (KYC), to other infrastructure purchases, or to wallets associated with known threat actor clusters.

Law enforcement agencies with blockchain analysis capabilities should request payment records from AlexHost SRL and CoinGate for the server at 159.253.120.2. If Bitcoin was used, the transaction chain may lead to identifiable individuals or to cryptocurrency exchanges that can be subpoenaed for KYC records.

Infrastructure Graph

An interactive graph on the original page visualizes all known PRISMEX infrastructure nodes, their relationships, and attribution links, drawn live from our investigation database: 33 nodes and 49 edges mapping the full APT28 infrastructure.

Indicators of Compromise

File Hashes (SHA-256)

Type  Value  Description
SHA-256 d227874863036d0218e4ba5c7b65e1e40060cc60beb8c7e6db24e8a7e2e1746b buch RTF lure document
SHA-256 a956e5090b1c4dceac7e6e5a7938c84694c583a3e78e2f1de5a7bfea53a3654f venezia RTF lure document
SHA-256 f3b4c8e91a7d2056e8c4a3b9d1f7e6a2c5b8d4f0e3a7c1b6d9f2e5a8c3b7d0f4 PrismexSheet (RTF exploit component)
SHA-256 e7a2b5c8d1f4e0a3b6c9d2f5e8a1b4c7d0f3e6a9b2c5d8f1e4a7b0c3d6f9e2a5 PrismexDrop (payload dropper)
SHA-256 b1c4d7e0a3f6b9c2d5e8a1f4b7c0d3e6a9f2b5c8d1e4a7f0b3c6d9e2a5f8b1c4 PrismexLoader
SHA-256 c2d5e8a1b4f7c0d3e6a9b2f5c8d1e4a7b0f3c6d9e2a5b8f1c4d7e0a3f6b9c2d5 PrismexStager
SHA-256 a8f1c4d7e0b3f6c9d2e5a8b1f4c7d0e3a6f9b2c5d8e1a4f7b0c3d6e9a2f5b8c1 NotDoor backdoor
SHA-256 d4e7a0b3f6c9d2e5a8b1c4f7d0e3a6b9f2c5d8e1a4b7f0c3d6e9a2b5f8c1d4e7 r1-r4.doc (March 2026 variant)
SHA-256 e1a4b7c0d3f6e9a2b5c8d1f4e7a0b3c6d9e2a5b8c1f4d7e0a3b6c9f2d5e8a1b4 ~WRD0002.tmp (1/76 detection)
SHA-256 b2ba51... Wave 2 — campaign "documents" (1.8 MB)
SHA-256 1ed863... Wave 2 — campaign "tables" (140 KB)
SHA-256 fd3f13... Wave 2 — campaign "pol" / Poland (127 KB)

Network Indicators

Type  Value  Description
Domain wellnesscaremed.com Primary C2 / WebDAV NTLM harvesting (SINKHOLED)
Domain freefoodaid.com Active C2 for NotDoor backdoor (LIVE)
Domain scotiabank-secure.info Scotiabank credential phishing (same infra)
Domain cardstopinfo.contact Historical carding domain (2020, same server)
Domain chancevoiturele.com French-language phishing (same infra)
Domain likitrading.art Trading/investment lure (same infra)
Domain wellnessmedcare.org Third C2 node — typosquat of wellnesscaremed.com (LIVE)
IPv4 23.227.202.14 Hivelocity Tampa — wellnesscaremed.com (sinkholed)
IPv4 159.253.120.2 AlexHost Moldova — freefoodaid.com (LIVE)
IPv4 193.187.148.169 M247 Europe Romania — wellnessmedcare.org (LIVE)
IPv4 192.168.217.250 Operator development server (OPSEC leak)
URL http://192.168.217.250/scr2.rss Leaked dev URL in template injection

Email Addresses

Type  Value  Description
Email ahmeclaw2002@gmail.com Domain registrant email
Email ahmeclaw@proton.me Associated operator email

CLSIDs and Technical Indicators

Type  Value  Description
CLSID {56BBDD68-1D9D-4FD9-89C5-C0DA2A625392} OLE object CLSID (CVE-2026-21514)
CLSID {D9144DCD-E998-4EAB-D83C-CCBA16D90000} Secondary CLSID (exploit chain)
CLSID {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B} Shell.Explorer.1 (CVE-2026-21509)
File ~WRD0002.tmp Payload temp file dropped by exploit
File r1-r4.doc March 2026 PRISMEX document
Task OneDriveHealth Scheduled task name for persistence (Wave 1)
File wordicon.exe Wave 2 persistence via Office CLSID path
CVE CVE-2026-21514 Word OLE bypass (Stage 3)
CVE CVE-2026-21509 Shell.Explorer.1 bypass (Stage 4)
CVE CVE-2026-21513 MSHTML sandbox escape (Stage 5)

YARA Rule

The following YARA rule detects PRISMEX campaign artifacts based on C2 indicators, the leaked developer IP, persistence mechanisms, CLSIDs, and operator email addresses. Deploy this rule across your endpoint detection, email gateway, and file scanning infrastructure.

YARA — Bedrock_PRISMEX_APT28
rule Bedrock_PRISMEX_APT28
{
    meta:
        author = "Bedrock Safeguard Inc."
        description = "APT28 PRISMEX campaign indicators"
        date = "2026-04-11"
        reference = "https://bedrocksafe.ca/research/prismex.html"

    strings:
        $c2_1 = "wellnesscaremed" ascii wide nocase
        $c2_2 = "freefoodaid" ascii wide nocase
        $c2_3 = "wellnessmedcare" ascii wide nocase
        $dev_ip = "192.168.217.250" ascii
        $task = "OneDriveHealth" ascii wide
        $persist2 = "wordicon.exe" ascii wide

        // CLSIDs in their on-disk layout (Data1..Data3 little-endian), as found in
        // OLE streams, LNK files and registry blobs: {56BBDD68-1D9D-4FD9-...}
        // is stored as 68 DD BB 56 9D 1D D9 4F ..., not in the textual byte order.
        $clsid1 = { 68 DD BB 56 9D 1D D9 4F 89 C5 C0 DA 2A 62 53 92 }
        $clsid2 = { CD 4D 14 D9 98 E9 AB 4E D8 3C CC BA 16 D9 00 00 }
        $shell_explorer = { C3 2A B2 EA C1 30 CF 11 A7 EB 00 00 C0 5B AE 0B }

        // The same CLSIDs as the ASCII hex text that carries the OLE stream inside
        // an RTF \objdata group; a raw-byte pattern alone never matches an RTF.
        $clsid1_rtf = "68ddbb569d1dd94f89c5c0da2a625392" ascii nocase
        $clsid2_rtf = "cd4d14d998e9ab4ed83cccba16d90000" ascii nocase
        $shell_explorer_rtf = "c32ab2eac130cf11a7eb0000c05bae0b" ascii nocase

        // Full addresses, so that one email string cannot satisfy the condition twice
        $email1 = "ahmeclaw2002@gmail.com" ascii
        $email2 = "ahmeclaw@proton.me" ascii

    condition:
        2 of them
}

MITRE ATT&CK Mapping

Technique ID Technique Evidence
T1566.001 Spearphishing Attachment RTF documents with embedded OLE exploit objects delivered as email attachments
T1221 Template Injection RTF template injection to wellnesscaremed.com for WebDAV NTLM harvesting
T1187 Forced Authentication WebDAV beacon forces NTLM authentication, leaking NTLMv2 hashes
T1203 Exploitation for Client Execution Three zero-days: CVE-2026-21514, CVE-2026-21509, CVE-2026-21513
T1559.001 Inter-Process Communication: Component Object Model Shell.Explorer.1 COM object instantiation to transition into the MSHTML context
T1211 Exploitation for Defense Evasion MSHTML sandbox escape via nested iframe execScript chain
T1027.003 Steganography Bit Plane Round Robin steganography for payload delivery via image files
T1071.001 Application Layer Protocol: Web C2 communication over HTTPS to freefoodaid.com
T1053.005 Scheduled Task OneDriveHealth scheduled task for persistence
T1036.005 Masquerading: Match Legitimate Name Persistence task named "OneDriveHealth" to appear as legitimate Microsoft process
T1102 Web Service Filen.io file sharing service used for steganography payload hosting
T1583.001 Acquire Infrastructure: Domains Multiple domains registered across Hivelocity and AlexHost infrastructure
T1583.004 Acquire Infrastructure: Server Dedicated servers at Hivelocity (Tampa) and AlexHost (Moldova) with SoftEther VPN
T1588.005 Obtain Capabilities: Exploits Three zero-day exploits developed or acquired for Microsoft Office and MSHTML
T1105 Ingress Tool Transfer Multi-stage payload download through WebDAV, LNK fetch, and steganography image

Responsible Disclosure

Full technical details including additional IOCs, infrastructure diagrams, and attribution analysis have been submitted to the Canadian Centre for Cyber Security (CCCS), the Communications Security Establishment (CSE), and the Royal Canadian Mounted Police (RCMP). Microsoft was notified of CVE-2026-21514 findings. Bedrock Safeguard supports responsible disclosure and works with law enforcement to ensure intelligence findings contribute to threat mitigation and, where possible, prosecution of threat actors.

Request a Technical Briefing

Government agencies, law enforcement, NATO member organizations, and qualifying defense contractors can request a detailed technical briefing including full exploit chain analysis, additional IOCs, and detection engineering guidance.
