Russia-aligned APT group Pawn Storm (APT28/Fancy Bear) has launched an aggressive campaign deploying a sophisticated new malware suite dubbed PRISMEX against Ukrainian defense infrastructure and NATO logistics partners across Central and Eastern Europe.
Campaign Overview
The campaign, active since September 2025 and significantly escalating in January 2026, targets the operational backbone of Ukrainian defense and Western humanitarian and military aid infrastructure. Targeted nations include Ukraine, Poland, Romania, Slovakia, Slovenia, Czech Republic, and Turkey—countries critical to NATO logistics and military aid transit into Ukraine.
Zero-Day and N-Day Exploitation
Pawn Storm demonstrated advance knowledge of the vulnerabilities it exploited, with infrastructure preparation beginning two weeks before the CVE-2026-21509 disclosure:
- CVE-2026-21509: Security feature bypass in Microsoft Office OLE mechanism, weaponized immediately after patch availability
- CVE-2026-21513: MSHTML zero-day exploited 11 days before Microsoft released the February 10, 2026 patch, confirming in-the-wild zero-day exploitation
PRISMEX Malware Components
The malware suite consists of interconnected components designed to evade modern EDR systems:
- PrismexSheet: Obfuscated Excel dropper using steganography to embed payloads within the file itself
- PrismexDrop: Native dropper establishing persistence via COM hijacking
- PrismexLoader: Proxy DLL using a unique “Bit Plane Round Robin” steganography algorithm to extract shellcode from PNG images
- PrismexStager: Covenant Grunt implant abusing Filen.io encrypted cloud storage for C2 communications
Advanced Steganography Technique
PrismexLoader employs a distinctive steganographic method that scatters payload data across the entire image in multiple passes, making detection significantly harder than standard LSB techniques. This exact algorithm serves as a high-fidelity fingerprint for this threat actor unit.
Strategic Targeting
The victimology reveals strategic intent to compromise Ukraine’s supply chain and operational planning:
- Ukrainian hydrometeorology services: Critical for drone operations and artillery trajectory planning
- Polish rail infrastructure: Primary transit hub for Western military aid
- Romanian and Slovenian transport entities: Black Sea grain corridors and alternative supply routes
- Spear-phishing lures themed around “Hydro-meteorological Warnings,” “Military Training Programs,” and “Weapon Smuggling Alerts”
Dual-Purpose Capability
Analysis revealed both espionage and sabotage functionality, including a destructive wiper command that deleted all files under %USERPROFILE%. This dual capability shows that the campaign may serve both intelligence collection and operational disruption objectives, timed to coincide with kinetic military operations.
Defensive Recommendations
- Immediately patch CVE-2026-21509 and CVE-2026-21513
- Restrict access to non-essential cloud storage services at the network perimeter
- Disable Shell.Explorer.1 COM object if patching is delayed
- Audit HKCU\Software\Classes\CLSID for suspicious user-registered COM objects
- Monitor for unusual CLR initialization in native processes (especially explorer.exe loading clr.dll)
- Implement strict RTF attachment filtering
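The following PowerShell script is an added example, not code from the Trend Micro report or from the PRISMEX analysis. It implements two of the checks above read-only: enumerating per-user COM registrations under HKCU\Software\Classes\CLSID (the hive consulted before HKLM, and therefore where COM hijacks are registered), reporting the Shell.Explorer.1 registration status, and searching Sysmon image-load events for explorer.exe loading clr.dll. It assumes it runs in the context of the user whose hive is being audited, that Sysmon is installed with image-load (Event ID 7) logging enabled, and that the "user-writable path" pattern is a heuristic to tune for your environment; the ActiveX kill bit (Compatibility Flags 0x400) is one common way such a control is disabled and is only checked here, never modified.

```powershell
# Added example (not from the Trend Micro report): read-only audit for the
# COM-hijack and CLR-in-native-process recommendations above.
# Assumptions: run as the audited user; Sysmon with ImageLoad logging present;
# the "user-writable" regex is a tunable heuristic.

function Get-UserComRegistrations {
    # Per-user CLSID registrations shadow machine-wide ones: classic hijack home.
    $userClsid = 'HKCU:\Software\Classes\CLSID'
    if (-not (Test-Path -Path $userClsid)) { return @() }

    foreach ($key in Get-ChildItem -Path $userClsid) {
        $clsid = $key.PSChildName
        foreach ($serverType in 'InprocServer32', 'LocalServer32') {
            $serverKey = "$userClsid\$clsid\$serverType"
            if (-not (Test-Path -Path $serverKey)) { continue }

            $server = (Get-ItemProperty -Path $serverKey).'(default)'
            # Same CLSID also registered machine-wide: the HKCU copy overrides it.
            $shadowsHklm = Test-Path -Path "HKLM:\Software\Classes\CLSID\$clsid"
            # Server binary lives where an unprivileged user can write (heuristic).
            $userWritable = $server -match '\\(Users|AppData|Temp|ProgramData)\\'

            [pscustomobject]@{
                CLSID        = $clsid
                ServerType   = $serverType
                Server       = $server
                ShadowsHKLM  = $shadowsHklm
                UserWritable = $userWritable
            }
        }
    }
}

function Get-ShellExplorerStatus {
    # Resolve the ProgID to its CLSID from the registry rather than hard-coding it.
    $progIdKey = 'Registry::HKEY_CLASSES_ROOT\Shell.Explorer.1\CLSID'
    if (-not (Test-Path -Path $progIdKey)) { return $null }
    $clsid = (Get-ItemProperty -Path $progIdKey).'(default)'

    # Kill bit: Compatibility Flags with 0x400 set disables the control for
    # Office and IE-based hosts. Only read here.
    $killBitKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
    $flags = 0
    if (Test-Path -Path $killBitKey) {
        $flags = (Get-ItemProperty -Path $killBitKey).'Compatibility Flags'
        if ($null -eq $flags) { $flags = 0 }
    }

    [pscustomobject]@{
        ProgID        = 'Shell.Explorer.1'
        CLSID         = $clsid
        UserHiveEntry = Test-Path -Path "HKCU:\Software\Classes\CLSID\$clsid"
        KillBitSet    = (($flags -band 0x400) -ne 0)
    }
}

function Get-NativeClrLoads {
    param([int]$MaxEvents = 5000)
    # Sysmon Event ID 7 = ImageLoad. Parse the event XML so field order does
    # not matter across Sysmon versions.
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 7 }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $data   = ([xml]$e.ToXml()).Event.EventData.Data
        $image  = ($data | Where-Object { $_.Name -eq 'Image' }).'#text'
        $loaded = ($data | Where-Object { $_.Name -eq 'ImageLoaded' }).'#text'
        if ($loaded -match '\\clr\.dll$' -and $image -match '\\explorer\.exe$') {
            [pscustomobject]@{ Time = $e.TimeCreated; Process = $image; Module = $loaded }
        }
    }
}

# Usage: show only the suspicious COM entries, then the control status and CLR loads.
Get-UserComRegistrations | Where-Object { $_.ShadowsHKLM -or $_.UserWritable } | Format-Table -AutoSize
Get-ShellExplorerStatus | Format-List
Get-NativeClrLoads | Format-Table -AutoSize
```

An entry that both shadows an HKLM CLSID and points into a user-writable directory is the strongest signal; a clr.dll load inside explorer.exe should be rare enough on a workstation to review every hit, but confirm against any legitimate shell extensions written in .NET before acting on it.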
This campaign continues Pawn Storm’s decade-long run of brazen attacks against Ukraine, ongoing since 2014, and demonstrates the group’s persistent aggressive posture and continuing capability evolution.
Source: Trend Micro Research
