Pawn Storm Campaign - PRISMEX Targets Ukraine's Defense Supply Chain

The Pawn Storm campaign has launched new malware targeting Ukraine's defense systems. This attack exploits critical vulnerabilities, posing risks to military and humanitarian efforts. Organizations must enhance their defenses against these sophisticated threats.


Original Reporting: Trend Micro Research · Feike Hacquebord

AI Summary: CyberPings AI · Reviewed by Rohit Rana

🎯 Basically, a group of hackers is using new malware to attack Ukraine's defense systems.

The Threat

The campaign is attributed to Pawn Storm, a Russia-aligned APT group also tracked as APT28 or Fancy Bear, which has recently escalated its operations. The group is notorious for targeting critical infrastructure and government entities. Its latest tool, named PRISMEX, combines several advanced techniques, including steganography and cloud abuse, to infiltrate the Ukrainian defense supply chain. The operation threatens not only Ukraine but also its allies, including Poland and Romania.

The campaign has been active since at least September 2025, but it intensified significantly in January 2026. This escalation is marked by the exploitation of multiple vulnerabilities, including a confirmed zero-day vulnerability, CVE-2026-21513, which allows attackers to bypass security mechanisms in Microsoft products. The implications of these attacks are severe, as they can disrupt military operations and humanitarian efforts.

Who's Behind It

Pawn Storm has a long history of cyber espionage and aggressive tactics. The group has been linked to various high-profile attacks since 2014, primarily targeting Ukraine amid ongoing geopolitical tensions. The PRISMEX malware suite is a significant evolution of its toolkit and shows how quickly the group adapts to new vulnerabilities. Its use of Covenant, an open-source command and control framework, reflects a deliberate approach to maintaining stealth and evading detection. The group's infrastructure preparations also point to advance planning: it began registering domains for command and control servers weeks before the public disclosure of CVE-2026-21509. This advance knowledge suggests a well-coordinated effort to maximize the effectiveness of the attacks.

Tactics & Techniques

The PRISMEX malware operates through a complex attack chain that begins with spear-phishing emails targeting specific individuals. These emails often contain subject lines related to military training or humanitarian warnings, luring victims into opening malicious attachments. The primary exploit, CVE-2026-21509, allows the malware to execute without user interaction, making it particularly dangerous.

Once the malicious document is opened, it triggers the exploitation of the vulnerability, which then retrieves a malicious shortcut file from an attacker-controlled server. This file can further exploit CVE-2026-21513, enabling the execution of additional payloads without alerting the user. This two-stage exploitation process underscores the sophistication of the Pawn Storm campaign and its potential for widespread impact.

Defensive Measures

Organizations, especially those in critical sectors, must take proactive steps to defend against these types of cyber threats. Implementing robust email filtering solutions can help reduce the risk of spear-phishing attacks. Additionally, keeping software up to date and applying security patches promptly is crucial in mitigating the risks associated with known vulnerabilities.

Security teams should also monitor for indicators of compromise (IoCs) associated with the PRISMEX malware and consider employing advanced threat detection solutions. By understanding the tactics used by Pawn Storm, organizations can better prepare themselves to defend against similar future attacks.

🔒 Pro Insight

The rapid exploitation of CVE-2026-21509 and CVE-2026-21513 highlights Pawn Storm's advanced operational capabilities and its ongoing threat to critical infrastructure.
