Advanced Threats & Targeted Attacks
Pawn Storm Campaign Deploys PRISMEX, Targets Government and Critical Infrastructure Entities
In this blog, Trend Micro Research discusses the latest Pawn Storm campaign, which uses a sophisticated malware suite known as PRISMEX to target government and critical infrastructure entities in Ukraine and its allies. The attack combines advanced steganography, cloud abuse, and email-based backdoors against the Ukrainian defense supply chain.
PRISMEX combines several techniques for command and control: it uses advanced steganography, hijacks component object model (COM) processes, and abuses legitimate cloud services. Pawn Storm has exploited multiple vulnerabilities, including a confirmed Windows zero-day (CVE-2026-21513). The .lnk files obtained through CVE-2026-21509 may be linked to CVE-2026-21513 based on shared command-and-control infrastructure identified by Akamai, though Trend Micro has not independently confirmed this connection.
The campaign's preparations suggest advance knowledge of the vulnerabilities. Both espionage and potential sabotage functionality were observed, including wiper commands. This blog provides organizations with risk management guidelines to protect against similar cyber threats.
Infrastructure preparations began two weeks before the vulnerability disclosure, indicating sophisticated planning and resource allocation.