VYPR
breach · Published Mar 26, 2026 · Updated May 20, 2026 · 1 source

Pawn Storm Deploys PRISMEX Backdoor in Campaign Targeting Ukrainian Defense Supply Chain

Russia-aligned APT group Pawn Storm has deployed a new malware suite called PRISMEX to target the defense supply chain of Ukraine and its allies, exploiting a Windows zero-day and using steganography to evade detection.

Russia-aligned advanced persistent threat (APT) group Pawn Storm—also known as APT28, Fancy Bear, and Forest Blizzard—has launched a sophisticated campaign targeting the defense supply chain of Ukraine and its allies, deploying a new malware suite dubbed PRISMEX. According to research from Trend Micro's TrendAI team, the operation has been active since at least September 2025 but escalated significantly in January 2026, focusing on entities in Ukraine, the Czech Republic, Poland, Romania, Slovakia, Slovenia, and Turkey. The campaign leverages a combination of advanced steganography, Component Object Model (COM) hijacking, and abuse of legitimate cloud services for command and control (C2).
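COM hijacking, one of the persistence techniques the summary attributes to this campaign, works because COM resolves class registrations under HKEY_CURRENT_USER\Software\Classes before those under HKEY_LOCAL_MACHINE, so a user-writable InprocServer32 or LocalServer32 entry that shadows a machine-wide CLSID gets loaded by any process that instantiates that class. The hunt below is an added example written for this page; it is not Trend Micro's hunting query and does not encode any PRISMEX-specific CLSIDs or IoCs (the summary does not list them). It assumes it is run in PowerShell on the endpoint under the user account being inspected, and the three heuristics it applies (shadowing an HKLM class, a server in a user-writable directory, a script host or LOLBin as the server) are generic COM-hijack indicators, not a description of how PRISMEX itself persists.

```powershell
# Added hunting example (not Trend Micro's or CERT-UA's query): enumerate per-user
# COM class registrations and flag the ones that match common COM-hijack patterns.
# Runs against the current user's hive; repeat per user (or mount NTUSER.DAT) for others.

$userRoot    = 'Registry::HKEY_CURRENT_USER\Software\Classes\CLSID'
$machineRoot = 'Registry::HKEY_LOCAL_MACHINE\Software\Classes\CLSID'

# Directories where a DLL or EXE registered as a COM server is suspicious on its own.
$userWritable = @($env:LOCALAPPDATA, $env:APPDATA, $env:TEMP, $env:ProgramData, $env:PUBLIC)

function Get-DefaultValue {
    # Return the (default) value of a registry key, or $null if the key or value is absent.
    param([string]$KeyPath)
    if (-not (Test-Path -LiteralPath $KeyPath)) { return $null }
    try { return (Get-ItemPropertyValue -LiteralPath $KeyPath -Name '(default)' -ErrorAction Stop) }
    catch { return $null }
}

$findings = foreach ($key in Get-ChildItem -LiteralPath $userRoot -ErrorAction SilentlyContinue) {
    $clsid = $key.PSChildName
    foreach ($serverType in 'InprocServer32', 'LocalServer32') {
        $userServer = Get-DefaultValue "$userRoot\$clsid\$serverType"
        if (-not $userServer) { continue }

        $machineServer = Get-DefaultValue "$machineRoot\$clsid\$serverType"
        $expanded = [Environment]::ExpandEnvironmentVariables($userServer).Trim('"')
        $reasons = @()

        # 1. The per-user entry overrides an existing machine-wide class with a different binary.
        if ($machineServer -and ($machineServer -ne $userServer)) { $reasons += 'ShadowsHKLM' }

        # 2. The server binary lives somewhere a standard user can write.
        foreach ($dir in $userWritable) {
            if ($dir -and $expanded.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) {
                $reasons += 'UserWritablePath'
                break
            }
        }

        # 3. The "server" is a script file or a script/LOLBin host rather than a plain DLL/EXE.
        if ($expanded -match '\.(vbs|js|hta|ps1|cmd|bat)$' -or
            $expanded -match '(rundll32|regsvr32|mshta|wscript|cscript|powershell)') {
            $reasons += 'ScriptOrLolbinHost'
        }

        if ($reasons.Count -gt 0) {
            [PSCustomObject]@{
                CLSID      = $clsid
                ServerType = $serverType
                UserServer = $userServer
                HklmServer = $machineServer
                Reasons    = ($reasons -join ',')
            }
        }
    }
}

$findings | Sort-Object CLSID | Format-Table -AutoSize
```

Each hit still needs triage: hash the referenced binary, check its Authenticode signer, and compare the CLSID against the HKLM entry it shadows. Legitimate per-user registrations (some installers and development tools create them) will appear, which is why the script reports reasons rather than verdicts; for PRISMEX specifically, the hunting queries and IoCs TrendAI has published are the authoritative source.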

PRISMEX is a collection of interconnected malware components: a dropper called PrismexDrop, a steganography loader named PrismexLoader, and a Covenant Grunt implant referred to as PrismexStager. Covenant is an open-source .NET C2 framework, and its Grunt implants feature dynamic compilation and encrypted communications. The malware is designed to evade modern endpoint detection and response (EDR) systems through fileless execution and by hiding payloads within image files using steganography. TrendAI assesses that PRISMEX likely represents a strategic expansion of the previously documented "NotDoor" ecosystem.

The campaign exploits multiple vulnerabilities, including a confirmed Windows zero-day (CVE-2026-21513) and a Microsoft Office security feature bypass (CVE-2026-21509). Trend Micro observed that infrastructure preparation for the attacks began two weeks before CVE-2026-21509 was publicly disclosed, suggesting Pawn Storm had advance knowledge of the flaw. The .lnk files retrieved via CVE-2026-21509 may chain with CVE-2026-21513 based on shared C2 infrastructure identified by Akamai, though TrendAI has not independently confirmed this linkage. The zero-day exploitation window for CVE-2026-21513 was 11 days before Microsoft's patch on February 10, 2026.

The targeting is strategically focused on the Ukrainian defense supply chain, including military allies, meteorological data providers, transport hubs, and international aid corridors essential to Ukrainian defense and humanitarian operations. TrendAI researchers noted both espionage and potential sabotage functionality in the malware, including wiper commands. The campaign has also been reported by CERT-UA, Zscaler ThreatLabz, and Synaptic Systems, each providing complementary perspectives on the threat.

Pawn Storm's use of the Covenant framework for final payloads has been documented by CERT-UA and Sekoia.io since mid-2025, but this current wave is distinguished by the rapid integration of CVE-2026-21509. The group's ability to weaponize newly disclosed vulnerabilities and rapidly adapt N-day exploits underscores its status as one of the most aggressive Russia-aligned intrusion sets. TrendAI continues to monitor the evolution of the NotDoor ecosystem and has provided hunting queries and IoCs for defenders.

Organizations in the defense, government, and critical infrastructure sectors are urged to apply patches for CVE-2026-21509 and CVE-2026-21513 immediately, implement network segmentation, and monitor for indicators of compromise associated with PRISMEX. Trend Micro's Vision One platform detects and blocks the campaign's IoCs, and customers can access tailored threat intelligence to proactively defend against this ongoing threat.

Synthesized by Vypr AI