Prolific Russia-aligned APT Pawn Storm has deployed a new PRISMEX malware suite to target the Ukrainian defence supply chain and allied infrastructure, including the Czech Republic, Poland, Romania, Slovakia, Slovenia, and Turkey, according to TrendAI Research.
The operation combines steganography, COM hijacking, and legitimate cloud service abuse for C2, and leverages a two-stage exploitation path beginning with CVE-2026-21509 (Office OLE feature bypass) and potentially CVE-2026-21513 (MSHTML) with LNK delivery; the linkage between the two exploits is not independently confirmed by TrendAI.
The campaign, active since at least September 2025 and significantly escalating in January 2026, uses interconnected PrismexSheet, PrismexDrop, PrismexLoader, and PrismexStager components, with Covenant Grunt as the final payload and Filen[.]io for C2 communications, all designed to evade modern EDR via fileless execution and steganography.
TrendAI notes that infrastructure preparation began two weeks before CVE disclosures and highlights the potential for both espionage and sabotage, including wiper commands, with extensive targeting of Ukraine and NATO logistics hubs. Immediate mitigations include patching CVE-2026-21509 and CVE-2026-21513, blocking unapproved cloud storage, and disabling the Shell[.]Explorer.1 COM object where feasible, per TrendAI Vision One™ guidance.
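The mitigation above singles out the Shell.Explorer.1 COM object, and the report describes COM hijacking as one of the suite's techniques. The following PowerShell is an added, read-only audit example written for this summary; it is not TrendAI's or Vision One's code and does not implement their "disable" guidance. It resolves the ProgID to its CLSID from the registry (no CLSID is hard-coded) and reports whether a per-user (HKCU) InprocServer32 registration shadows the machine-wide (HKLM) one, which is the classic COM hijack indicator, then sweeps all HKCU CLSIDs for the same pattern. It assumes a Windows host with PowerShell 5.1 or later and performs no registry writes.

```powershell
# Added defensive audit example (not from the TrendAI report). Read-only: checks whether a
# COM class has a per-user (HKCU) registration that would shadow the machine-wide (HKLM) one.
# Assumes Windows and PowerShell 5.1+; nothing is written to the registry.

function Get-ComHijackStatus {
    param(
        [Parameter(Mandatory)][string]$ProgId   # e.g. 'Shell.Explorer.1'
    )

    # Resolve ProgID -> CLSID via the merged HKCR view, then inspect each hive separately.
    $clsidKey = "Registry::HKEY_CLASSES_ROOT\$ProgId\CLSID"
    if (-not (Test-Path $clsidKey)) {
        return [pscustomobject]@{ ProgId = $ProgId; Clsid = $null; Status = 'ProgID not registered' }
    }
    $clsid = (Get-ItemProperty -Path $clsidKey).'(default)'

    $hklmServer = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
    $hkcuServer = "Registry::HKEY_CURRENT_USER\Software\Classes\CLSID\$clsid\InprocServer32"

    $machinePath = if (Test-Path $hklmServer) { (Get-ItemProperty $hklmServer).'(default)' } else { $null }
    $userPath    = if (Test-Path $hkcuServer) { (Get-ItemProperty $hkcuServer).'(default)' } else { $null }

    # Per-user class registrations are consulted before machine-wide ones, so an HKCU
    # InprocServer32 for a class that already exists in HKLM is a hijack indicator.
    $status = if ($userPath) { 'SUSPECT: HKCU override present' }
              elseif ($machinePath) { 'OK: machine registration only' }
              else { 'CLSID has no InprocServer32' }

    [pscustomobject]@{
        ProgId     = $ProgId
        Clsid      = $clsid
        MachineDll = $machinePath
        UserDll    = $userPath
        Status     = $status
    }
}

# Broader sweep: every HKCU CLSID that carries an InprocServer32 and also exists under HKLM.
function Find-UserComOverrides {
    $userRoot = 'Registry::HKEY_CURRENT_USER\Software\Classes\CLSID'
    if (-not (Test-Path $userRoot)) { return @() }
    Get-ChildItem $userRoot | ForEach-Object {
        $clsid      = $_.PSChildName
        $userServer = Join-Path $_.PSPath 'InprocServer32'
        $hklmKey    = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\$clsid"
        if ((Test-Path $userServer) -and (Test-Path $hklmKey)) {
            [pscustomobject]@{
                Clsid   = $clsid
                UserDll = (Get-ItemProperty $userServer).'(default)'
            }
        }
    }
}

# Usage: check the object named in the mitigation, then list any other per-user overrides.
Get-ComHijackStatus -ProgId 'Shell.Explorer.1' | Format-List
Find-UserComOverrides | Format-Table -AutoSize
```

A legitimate per-user COM registration for a class that is already registered machine-wide is uncommon, so each row from Find-UserComOverrides is worth checking against the DLL path it points to; the audit is a triage aid and does not by itself confirm PRISMEX activity.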
According to CERT-UA, Zscaler ThreatLabz, and Synaptic Systems, these campaigns show a convergent trajectory in Pawn Storm’s tooling and infrastructure, reinforcing a high-confidence attribution to Pawn Storm.