Pawn Storm Campaign Utilizes PRISMEX to Target Ukrainian Defense Infrastructure
Severity: High (Score: 77.9)
Sources: Feeds.Trendmicro, Trendmicro
Summary
The Russian-aligned cyber espionage group Pawn Storm has deployed a new malware suite named PRISMEX against the Ukrainian defense supply chain and against Western humanitarian and military aid infrastructure. The campaign, which escalated in January 2026, exploits the Microsoft Office vulnerability CVE-2026-21509, publicly disclosed on January 26, 2026. The operation uses steganography, cloud-service abuse, and email-based backdoors to reach critical infrastructure across Central and Eastern Europe.

The suite consists of interconnected components: a dropper (PrismexDrop), a steganography loader (PrismexLoader), and a Covenant Grunt implant (PrismexStager). The Covenant framework gives the implant fileless execution and encrypted command-and-control traffic, which are used to evade modern Endpoint Detection and Response (EDR) systems. The campaign is a strategic expansion of the NotDoor ecosystem and indicates a capable, well-resourced actor. TrendAI™ Research continues to monitor the evolution of these attacks and their implications.

Key Points:
• Pawn Storm's PRISMEX malware targets Ukrainian defense and critical infrastructure.
• The campaign exploits CVE-2026-21509, a Microsoft Office vulnerability disclosed on January 26, 2026.
• PRISMEX employs steganography and fileless execution to evade detection.
Key Entities
- APT28 (apt_group)
- Fancy Bear (apt_group)
- Forest Blizzard (apt_group)
- Pawn Storm (apt_group)
- UAC-0001 (apt_group)
- Malware (attack_type)
- Phishing (attack_type)
- PRISMEX Campaign (campaign)
- Ukraine (country)
- CVE-2026-21509 (cve)
- CVE-2026-21513 (cve)
- Government (industry)
- PRISMEX (malware)
- T1059.005 - Visual Basic (mitre_attack)
- T1071.001 - Web Protocols (mitre_attack)
- T1203 - Exploitation for Client Execution (mitre_attack)
- T1566.001 - Spearphishing Attachment (mitre_attack)
- T1574.001 - DLL (mitre_attack)
- Microsoft Office (platform)
- Windows (platform)
- aefd15e3c395edd16ede7685c6e97ca0350a702ee7c8585274b457166e86b1fa (sha256)
- Covenant (tool)
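As an added example (not part of the Trend Micro digest and not Trend Micro tooling), the following Python script pulls SHA256 indicators out of a digest like this one and sweeps a directory for files whose hash matches. The digest excerpt and the scratch files it hashes are constructed inline so the script runs offline; the real PRISMEX sample is not reproduced, so the demo adds the hash of its own stand-in file to the indicator set to show what a hit looks like.

```python
"""Sweep a directory tree for files matching SHA256 IOCs from a threat digest.

Added example for this page; not Trend Micro code. Everything below that looks
like a sample or a digest is constructed for the demo.
"""
from __future__ import annotations

import hashlib
import os
import re
import tempfile
from pathlib import Path

# A SHA256 digest is exactly 64 hex characters; \b keeps longer hex runs out.
SHA256_RE = re.compile(r"\b([0-9a-fA-F]{64})\b")

# Constructed excerpt in the same format as the Key Entities list above.
DIGEST_EXCERPT = """Key Entities
- PRISMEX (malware)
- aefd15e3c395edd16ede7685c6e97ca0350a702ee7c8585274b457166e86b1fa (sha256)
- Covenant (tool)
"""


def extract_sha256_iocs(text: str) -> set[str]:
    """Return every SHA256-looking token in the text, normalized to lowercase."""
    return {m.lower() for m in SHA256_RE.findall(text)}


def sha256_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large attachments do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root: Path, iocs: set[str]) -> list[tuple[Path, str]]:
    """Hash every regular file under root; return (path, digest) for IOC hits.

    Symlinks are skipped so a planted link cannot make the sweep wander
    outside root; unreadable files are skipped rather than aborting the run.
    """
    hits: list[tuple[Path, str]] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            try:
                digest = sha256_of_file(p)
            except OSError:
                continue
            if digest in iocs:
                hits.append((p, digest))
    return hits


def demo() -> list[str]:
    """Build a scratch directory with one benign file and one stand-in sample.

    The stand-in's hash is added to the IOC set (constructed; the real PRISMEX
    sample is not reproduced here). Returns the names of files that matched.
    """
    iocs = extract_sha256_iocs(DIGEST_EXCERPT)
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "report.docx").write_bytes(b"benign placeholder content")
        sample = root / "invoice.docm"
        sample.write_bytes(b"constructed stand-in for a malicious attachment")
        iocs_with_sample = iocs | {sha256_of_file(sample)}
        hits = sweep(root, iocs_with_sample)
        return sorted(p.name for p, _ in hits)


if __name__ == "__main__":
    print("IOCs parsed:", sorted(extract_sha256_iocs(DIGEST_EXCERPT)))
    print("hits in demo directory:", demo())
```

In production, point `sweep` at a mail-attachment quarantine or a file share and feed `extract_sha256_iocs` the full digest; the lowercase normalization matters because indicator feeds mix cases and a case-sensitive set lookup would silently miss a real match.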