Pawn Storm Campaign Deploys PRISMEX, Targets Government and Critical Infrastructure Entities
The Russia-aligned APT group Pawn Storm has launched a sophisticated campaign deploying the PRISMEX malware suite against Ukrainian and NATO defense supply chains. The attack chain leverages two critical vulnerabilities, CVE-2026-21509 and CVE-2026-21513, to achieve zero-click execution, utilizing advanced steganography and COM hijacking to evade detection while communicating via legitimate cloud services.
Authors: Feike Hacquebord, Kakara Hiroyuki
Source:
Trend Micro
- domaingateway[.]filen[.]ioPRISMEX Covenant Grunt C2 gateway domain
- domainwellnesscaremed[[.]]comC2 domain shared between CVE-2026-21509 and CVE-2026-21513 exploit infrastructure
- filename%ProgramData%\USOShared\Logs\User\adwapi64.dllPrismexSheet payload DLL dropped for COM hijacking
- registry_keyHKCU\Software\Classes\CLSID\{68DDBB56-9D1D-4FD9-89C5-C0DA2A625392}\InProcServer32COM hijacking persistence mechanism used by PrismexSheet
- sha256aefd15e3c395edd16ede7685c6e97ca0350a702ee7c8585274b457166e86b1faCVE-2026-21513 exploit sample
Key Takeaways
- Pawn Storm (APT28) deployed the PRISMEX malware suite targeting Ukrainian defense supply chains and NATO allies.
- The campaign exploits CVE-2026-21509 (OLE bypass) and a zero-day CVE-2026-21513 (MSHTML bypass) to achieve zero-click execution.
- PRISMEX uses advanced 'Bit Plane Round Robin' steganography and COM hijacking for fileless execution and persistence.
- Command and control communications abuse legitimate cloud storage services like Filen.io to evade network detection.
Affected Systems
- Microsoft Office
- Windows (MSHTML framework)
- ieframe.dll
Vulnerabilities (CVEs)
- CVE-2026-21509
- CVE-2026-21513
Attack Chain
The attack begins with spear-phishing emails containing malicious RTF documents that exploit CVE-2026-21509 to bypass OLE security and connect to a WebDAV server. A downloaded LNK file then exploits CVE-2026-21513 to execute payloads outside the browser sandbox. The PRISMEX malware suite is deployed, using COM hijacking for persistence and a unique 'Bit Plane Round Robin' steganography technique to extract and execute a .NET Covenant Grunt stager entirely in memory. The stager communicates with C2 infrastructure hosted on the legitimate Filen.io cloud service.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: Yes
- Platforms: TrendAI Vision One
TrendAI Vision One provides tailored hunting queries, threat insights, and intelligence reports for customers, though specific raw rules are not detailed in the blog.
Detection Engineering Assessment
EDR Visibility: Medium — Fileless execution and steganography evade traditional file scanning, but COM hijacking and CLR loading in native processes provide strong behavioral signals. Network Visibility: Low — C2 traffic blends with legitimate encrypted traffic to Filen.io; WebDAV connections might be visible but hard to distinguish without decryption. Detection Difficulty: Hard — The use of zero-days, legitimate cloud services for C2, and in-memory execution via steganography makes detection highly challenging.
Required Log Sources
- Windows Event Logs (ETW)
- Process Creation (Event ID 4688)
- Registry Auditing
- Microsoft-Windows-DotNETRuntime
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Look for unusual CLR initialization (loading clr.dll or mscorlib.dll) within non-.NET native processes like explorer.exe. | Process Module Load Events / ETW | Execution | Low |
| Monitor for user-level COM object registrations in HKCU\Software\Classes\CLSID pointing to DLLs in %PROGRAMDATA% or %TEMP%. | Registry Modifications | Persistence | Low |
| Detect Office applications (e.g., WINWORD.EXE) making outbound WebDAV connections or spawning processes without user interaction. | Process Creation / Network Connections | Initial Access | Low |
| Hunt for .NET assembly loads from byte arrays rather than file paths using the Microsoft-Windows-DotNETRuntime ETW provider. | ETW (Microsoft-Windows-DotNETRuntime) | Defense Evasion | Medium |
Control Gaps
- Standard EDR file scanning (bypassed via steganography and in-memory execution)
- Network reputation filtering (bypassed via Filen.io)
Key Behavioral Indicators
- explorer.exe loading clr.dll
- COM registry keys pointing to %PROGRAMDATA%
- Office apps instantiating Shell.Explorer.1
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Patch CVE-2026-21509 and CVE-2026-21513 immediately across the entire fleet.
- Disable the Shell.Explorer.1 COM object via registry keys if patching is not immediately feasible.
Infrastructure Hardening
- Review and restrict access to non-business-essential cloud storage services (like Filen.io) at the perimeter firewall and web proxy.
- Enforce policies blocking macro execution for Office files originating from the Internet (Mark of the Web).
User Protection
- Implement strict attachment filtering for RTF documents.
- Enable enhanced logging for Outlook VBA macro execution.
- Monitor for unusual patterns in email deletion (rapid move to Deleted Items followed by permanent deletion).
Security Awareness
- Train users to be cautious of unsolicited emails containing RTF documents, especially those related to military, meteorological, or logistics themes.
MITRE ATT&CK Mapping
- T1566.001 - Spearphishing Attachment
- T1059.001 - PowerShell
- T1059.005 - Visual Basic
- T1204.001 - User Execution: Malicious Link
- T1546.015 - Component Object Model Hijacking
- T1053.005 - Scheduled Task/Job
- T1574.002 - DLL Side-Loading
- T1027.003 - Steganography
- T1562.001 - Disable or Modify Tools
- T1055 - Process Injection
- T1553.005 - Mark-of-the-Web Bypass
- T1114.001 - Local Email Collection
- T1071.001 - Web Protocols
- T1102 - Web Service
- T1048.003 - Exfiltration Over Alternative Protocol
Additional IOCs
- Domains:
gateway[.]filen[.]net- PRISMEX C2 gateway domaingateway[.]filen-1[.]net- PRISMEX C2 gateway domaingateway[.]filen-2[.]net- PRISMEX C2 gateway domaingateway[.]filen-3[.]net- PRISMEX C2 gateway domaingateway[.]filen-4[.]net- PRISMEX C2 gateway domaingateway[.]filen-5[.]net- PRISMEX C2 gateway domaingateway[.]filen-6[.]net- PRISMEX C2 gateway domainegest[.]filen[.]io- PRISMEX C2 egress domain for payload downloadingest[.]filen[.]io- PRISMEX C2 ingress domain for data exfiltration
- File Hashes:
0ea6fc8d476591fd80e6cec26f353d25(MD5) - Embedded OLE object hash from malicious document6ce6b82d33d3d7305a321af207e37124(MD5) - Embedded OLE object hash from malicious documentcad4f8ce48d31d6c10253ddbbd00a993(MD5) - Embedded Word Document OLE object hash
- Registry Keys:
HKCU\Software\Classes\CLSID\{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}- COM hijacking persistence mechanism used by PrismexDrop
- File Paths:
%ProgramData%\Microsoft\DeviceSync\{GUID}\background.png- Steganographic PNG dropped by PrismexSheet%PROGRAMDATA%\USOPublic\Data\User\EhStoreShell.dll- Malicious proxy DLL dropped by PrismexDrop%PROGRAMDATA%\Microsoft OneDrive\setup\Cache\SplashScreen.png- Steganography carrier image dropped by PrismexDrop%TEMP%\Diagnostics\office.xml- Task definition file dropped by PrismexDrop
- Command Lines:
- Purpose: Terminate and restart explorer.exe to trigger COM hijacking payload | Tools:
taskkill.exe,explorer.exe| Stage: Persistence/Execution |taskkill.exe /f /im explorer.exe
- Purpose: Terminate and restart explorer.exe to trigger COM hijacking payload | Tools:
- Other:
EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B- Target CLSID for Shell.Explorer.1 used in CVE-2026-21509 exploitationOneDriveHealth- Name of the hidden scheduled task created by PrismexDrop