Russian hackers deploy Prismex malware framework in attacks on Ukraine and NATO allies

A Russia-aligned advanced persistent threat group known as Pawn Storm (also tracked as APT28 and Fancy Bear) is using a new malware framework called ‘Prismex’ to target the defense supply chain of Ukraine and its allies, including Poland, Romania, the Czech Republic, Slovakia, Slovenia, and Turkey. The campaign has been active since at least September 2025 and intensified in January 2026, according to a new report from Trend Micro.

Prismex is a set of connected malware components designed to stay hidden and avoid detection. It includes a dropper (PrismexDrop), a loader that uses steganography (PrismexLoader), and a final implant (PrismexStager) built on the Covenant framework. The loader hides malicious code inside image files and extracts it using the “bit plane round robin” technique. The malware also uses COM hijacking to stay persistent on infected systems and relies on legitimate cloud services like Filen.io to communicate with its command-and-control (C&C) servers using encrypted channels. This allows the malware to run without writing obvious files to disk, helping it bypass endpoint detection and response systems.
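A defender-side check for the COM hijacking persistence mentioned above, added here as an example and not taken from the Trend Micro report or the Prismex samples: it lists per-user CLSID InprocServer32 registrations (which COM resolves before the machine-wide ones) and flags entries that shadow an HKLM CLSID, point into user-writable directories, or reference a file that no longer exists. The directory list, the flag rules and the function name are assumptions for illustration.

```powershell
# Added example: triage list of per-user COM server registrations (HKCU is consulted
# before HKLM, which is what COM hijacking relies on). Not code from the report.
# The user-writable directory list and the flag rules are assumptions for illustration.
$userWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:USERPROFILE) |
    Where-Object { $_ }

function Get-SuspiciousUserComServers {
    $hkcuClsid = 'HKCU:\Software\Classes\CLSID'
    if (-not (Test-Path $hkcuClsid)) { return }
    foreach ($key in Get-ChildItem -Path $hkcuClsid -ErrorAction SilentlyContinue) {
        $inproc = Join-Path $key.PSPath 'InprocServer32'
        if (-not (Test-Path $inproc)) { continue }
        $server = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
        if (-not $server) { continue }
        # Values may be REG_EXPAND_SZ; resolve %VARS% and strip quotes before path checks.
        $path  = [Environment]::ExpandEnvironmentVariables($server).Trim('"')
        $clsid = $key.PSChildName
        $reasons = @()
        # A per-user registration for a CLSID that also exists machine-wide is the
        # classic hijack pattern: the user hive silently wins the lookup.
        if (Test-Path "HKLM:\SOFTWARE\Classes\CLSID\$clsid") {
            $reasons += 'shadows a machine-wide CLSID'
        }
        foreach ($dir in $userWritable) {
            if ($path.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) {
                $reasons += 'server lives in a user-writable directory'
                break
            }
        }
        if (-not (Test-Path -LiteralPath $path)) {
            $reasons += 'server file not found on disk'
        }
        if ($reasons.Count -gt 0) {
            [PSCustomObject]@{
                CLSID   = $clsid
                Server  = $path
                Reasons = ($reasons -join '; ')
            }
        }
    }
}

Get-SuspiciousUserComServers | Format-Table -AutoSize
```

Legitimate per-user applications also register COM servers under HKCU, so the output is a triage list to compare against a known-good baseline, not a verdict.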

The attackers gained initial access by exploiting known vulnerabilities, including CVE-2026-21509 in Microsoft Office’s OLE mechanism and CVE-2026-21513, a now-patched zero-day vulnerability in the MSHTML framework.

Chaining the two flaws can reportedly achieve full system compromise via a malicious .lnk file, although this connection has not been independently confirmed.

Trend Micro notes that the attackers prepared their infrastructure about two weeks before CVE-2026-21509 was publicly disclosed, suggesting they had advance knowledge. The timeline also confirms that CVE-2026-21513 was exploited as a zero-day before a patch was released.

Researchers believe the Prismex framework is an extension of the NotDoor ecosystem and can act as both a data stealer and a wiper.

The campaign mainly targets critical parts of Ukraine’s defense system, including government agencies, weather services used for military planning, transportation hubs, and international aid routes. It also focuses on logistics and infrastructure in allied countries, such as rail systems in Poland and maritime transport in Romania and Turkey, which are key for moving military and humanitarian supplies.

Technical analysis shows clear links between Prismex and previously documented tools observed in APT28's attacks.

“The PRISMEX components represent a capable and stealthy addition to Pawn Storm's arsenal. By combining zero-day exploitation (CVE-2026-21513) with rapid weaponization of newly disclosed vulnerabilities (CVE-2026-21509), valid cloud infrastructure, and unique steganography, the actor has demonstrated a continued ability to evolve,” the report notes. “The strategic focus on targeting the supply chains, weather services, and humanitarian corridors supporting Ukraine represents a shift toward operational disruption that may presage more destructive activities.”