Pawn Storm (APT28) Deploys New PRISMEX Malware, Exploits Windows Zero-Day (CVE-2026-21513)

Executive Summary

Researchers have identified a new, highly sophisticated campaign by the Russia-aligned Advanced Persistent Threat (APT) group Pawn Storm (also known as APT28 and Fancy Bear). The campaign is actively targeting government, critical infrastructure, and specifically the defense supply chain in Ukraine and allied nations. According to Trend Micro, the group is deploying a new modular malware toolkit named PRISMEX. This malware uses advanced evasion techniques, and the campaign is notable for its use of a confirmed Microsoft Windows zero-day vulnerability, CVE-2026-21513. The combination of a new malware suite and a zero-day exploit indicates a well-resourced and persistent threat focused on espionage and disruption against targets related to the war in Ukraine.

Threat Overview

• Threat Actor: Pawn Storm / APT28 / Fancy Bear. A highly skilled threat group attributed to Russia's GRU military intelligence agency. Known for high-profile attacks targeting governments, political organizations, and defense industries.
• Malware: PRISMEX. A new, modular malware collection. Its components are interconnected and designed for stealth, persistence, and espionage.
• Targets: The campaign is narrowly focused on entities within the defense industrial base and government sectors of Ukraine and its allies, including the Czech Republic, Poland, Romania, Slovakia, Slovenia, and Turkey.
• Zero-Day: The campaign has been confirmed to exploit CVE-2026-21513, a previously unknown vulnerability in Microsoft Windows.

Technical Analysis

PRISMEX is a sophisticated toolkit that employs multiple techniques to evade detection and maintain persistence.

1. Initial Access: The campaign leverages multiple vulnerabilities for initial access, including the Windows zero-day CVE-2026-21513. This allows the attackers to gain a foothold on target systems by exploiting unpatched software (T1211 - Exploitation for Client Execution).
2. Steganography: PRISMEX uses steganography to hide malicious code within seemingly benign image files. This technique helps the malware bypass network security solutions that scan for malicious executables (T1027.003 - Steganography).
3. Persistence via COM Hijacking: The malware achieves persistence by hijacking Component Object Model (COM) objects in the Windows Registry. By modifying legitimate COM entries, the malware ensures it is automatically executed by the operating system, making it difficult to find and remove (T1574.002 - COM Hijacking).
4. C2 Communication: The toolkit abuses legitimate cloud services for its command and control (C2) communications. This technique, known as 'living off the land,' helps C2 traffic blend in with normal network activity, making it harder to detect and block.

Impact Assessment

This campaign poses a severe threat to the national security of Ukraine and its NATO allies. By targeting the defense supply chain, Pawn Storm aims to:

• Steal Sensitive Data: Exfiltrate classified information, military plans, and intellectual property related to defense systems.
• Disrupt Operations: Sabotage defense manufacturing or logistics, hindering the war effort.
• Gain Strategic Intelligence: Gather intelligence on military capabilities, readiness, and coordination among allied nations. The use of a zero-day exploit demonstrates the group's commitment and capability to penetrate even well-defended targets.

Detection & Response

• Patch for Zero-Day: The immediate priority is to apply the security patch for CVE-2026-21513 from Microsoft.
• Registry Monitoring: Monitor for unauthorized or suspicious modifications to COM-related registry keys, particularly under HKEY_CLASSES_ROOT\CLSID. This is a key method for detecting COM hijacking persistence, as supported by D3FEND's System Configuration Permissions (D3-SCP) hardening.
• Image File Analysis: Use security tools to inspect image files downloaded from the internet or received via email for hidden data or executable content.
• Egress Traffic Analysis: Scrutinize outbound network traffic to legitimate cloud services (e.g., Microsoft OneDrive, Google Drive, Dropbox) from servers or workstations that should not be communicating with them. Look for anomalous data volumes or patterns.

Mitigation

1. Patch Management: Aggressively patch all systems, especially operating systems and common applications. The use of a zero-day highlights that even patched organizations are at risk, but a strong patching program reduces the overall attack surface (M1051 - Update Software).
2. Application Control: Implement application control policies to prevent the execution of unauthorized software. This can block the initial payload even if it bypasses other defenses (M1038 - Execution Prevention).
3. Attack Surface Reduction: Harden systems by disabling unnecessary services and features. For COM hijacking, monitor and protect critical registry keys using security policies or specialized tools.
4. Threat Intelligence: Organizations in the targeted sectors should subscribe to and operationalize threat intelligence feeds that provide specific IOCs and TTPs for groups like APT28.