The latest Pawn Storm campaign targets government and critical infrastructure entities in Ukraine and its allies by deploying the PRISMEX malware suite. According to Trend Micro Research, this APT group has been active since at least September 2025, with notable escalation observed in January 2026. PRISMEX combines advanced steganography, Component Object Model (COM) hijacking, and legitimate cloud service abuse for command and control.
PRISMEX exploits multiple vulnerabilities, including the confirmed Windows zero-day CVE-2026-21513 and the Microsoft Office vulnerability CVE-2026-21509. Trend Micro observed that infrastructure preparations began two weeks before the disclosure of CVE-2026-21509, indicating advance knowledge of the vulnerability.
TrendAI™ Research identified three components within PRISMEX: PrismexDrop (dropper), PrismexLoader (steganography loader), and PrismexStager (Covenant Grunt implant). These components are designed to evade modern Endpoint Detection and Response (EDR) systems through fileless execution and advanced steganography. The campaigns in which PrismexStager was deployed suggest a deliberate, strategic approach by the APT group.
Pawn Storm’s continued targeting of Ukraine and Western allies underscores its reputation for aggressive cyber espionage and potential sabotage, highlighting the need for robust risk management strategies among targeted organizations.