Threat Overview
The Russian‑aligned Advanced Persistent Threat (APT) group Pawn Storm (also known as APT28, Fancy Bear, UAC‑0001, Forest Blizzard) has released a new campaign that leverages the PRISMEX malware suite to target the Ukrainian defense supply chain and allied government and critical infrastructure. The operation, first observed in early January 2026, exploits two recently disclosed Windows vulnerabilities (CVE‑2026‑21509 and CVE‑2026‑21513) and incorporates advanced steganography, Component Object Model (COM) hijacking, and legitimate cloud service abuse for command‑and‑control (C&C). The campaign demonstrates Pawn Storm’s rapid weaponisation of zero‑day exploits and its continued focus on disrupting the operational backbone of Ukraine and its NATO partners.
Vulnerability Exploitation
Pawn Storm’s initial foothold is achieved through a spear‑phishing attachment that contains a malicious Rich Text Format (RTF) document. The document exploits CVE‑2026‑21509, a security feature bypass in Microsoft Office’s Object Linking and Embedding (OLE) mechanism that allows an attacker to instantiate the Shell.Explorer.1 COM object without user interaction. The exploit automatically connects to an attacker‑controlled WebDAV server and downloads a malicious .lnk file.
The second exploitation vector is CVE‑2026‑21513, a zero‑day vulnerability that bypasses protection mechanisms in the MSHTML framework. The downloaded .lnk file triggers this vulnerability, enabling execution of a remote payload without warning or user involvement. Analysis shows that the same command‑and‑control infrastructure is used for both CVE‑based exploits, indicating a coordinated two‑stage attack chain.
PRISMEX Malware Suite
PRISMEX is a modular malware family that consists of several interconnected components:
- PrismexDrop – a native dropper that establishes persistence via COM hijacking.
- PrismexLoader – a proxy DLL that extracts a .NET payload from a steganographically encoded PNG image using a custom Bit Plane Round Robin algorithm.
- PrismexStager – a Covenant Grunt implant that handles C&C communication and further download of malicious modules.
- PrismexSheet – an Excel dropper that delivers the initial payload and performs sandbox evasion.
Key technical highlights include fileless execution, in‑memory .NET payload loading via the CLR hosting API, and abuse of the legitimate cloud storage service filen.io to disguise C&C traffic. The use of the open‑source Covenant framework provides dynamic compilation and encrypted communications, making detection by signature‑based solutions ineffective.
Target Profile
Attackers focused on organizations that are critical to Ukraine’s defense logistics and support network, including:
- Ukrainian central executive bodies, hydrometeorological services, and emergency services.
- Military logistics hubs in Poland, Romania, Slovenia, Slovakia, Czech Republic, and Turkey.
- International aid corridors and humanitarian organisations.
Lure emails referenced “hydro‑meteorological warnings” and “military training programmes”, exploiting the trust associated with government and allied entities. The campaign’s scope extends beyond pure espionage; evidence of wiper commands and destructive functionality suggests a dual espionage‑and‑sabotage objective.
Mitigation Recommendations
Security analysts and defenders should adopt a multi‑layered approach to mitigate the PRISMEX threat:
- Patch promptly – Apply Microsoft security updates that fix CVE‑2026‑21509 and CVE‑2026‑21513 across the entire fleet. Verify that Office and Windows are on the latest builds.
- Restrict cloud services – Block or allowlist non‑business cloud storage domains (e.g., filen.io) at the perimeter firewall and proxy. Enforce strict access controls for legitimate cloud usage.
- Disable Shell.Explorer.1 COM object – Remove or restrict the
Shell.Explorer.1CLSID from the registry if immediate patching is not feasible. - Macro policies – Enforce policies that block macro execution for Office files originating from the Internet, and monitor for VBA macro activity.
- Detection and hunting – Monitor registries for COM hijacking entries under HKCU\Software\Classes\CLSID. Watch for CLR initialization in non‑.NET processes (especially explorer.exe). Enable ETW logging for Microsoft‑Windows‑DotNETRuntime to detect in‑memory assembly loads.
In addition, email security teams should implement strict attachment filtering for RTF documents, enable enhanced logging for Outlook VBA macro execution, and monitor for unusual deletion patterns in mailbox usage.
Conclusion
The PRISMEX campaign showcases Pawn Storm’s ability to rapidly weaponise zero‑day vulnerabilities, combine multiple evasion techniques, and target critical infrastructure across Central and Eastern Europe. The use of legitimate cloud services for C&C and fileless execution makes traditional detection difficult; defenders must therefore rely on behavioural analytics and threat hunting to detect anomalous activity. Immediate patching, network segmentation, and strict policy enforcement are essential to mitigate the risk posed by this sophisticated threat actor.
For further technical details and threat intelligence, consult the following resources: PRISMEX Indicators, TrendMicro Report, and AlienVault Pulse.