The notorious Russia-aligned threat actor known as Pawn Storm (also recognized as APT28, Fancy Bear, and Forest Blizzard) has significantly escalated its cyber operations in early 2026. According to a comprehensive new report from Trend Micro, the group is now deploying a sophisticated, interconnected malware suite dubbed PRISMEX. This campaign is specifically designed to dismantle the operational backbone of Ukrainian defense and Western military aid infrastructure.
A highlight of this latest offensive is the group’s “notoriety in leveraging newly disclosed vulnerabilities and rapidly weaponizing N-day exploits”. Pawn Storm has been observed exploiting a critical Windows zero-day (CVE-2026-21513) in the MSHTML Framework alongside a security feature bypass in Microsoft Office (CVE-2026-21509).
Researchers noted that “Infrastructure preparations were observed to have begun two weeks before the CVE-2026-21509 disclosure, indicating advance knowledge”. By the time a patch was released on February 10, 2026, the group had already been exploiting these flaws in the wild for 11 days.
PRISMEX is not a single piece of code but a collection of components that work in tandem to evade modern Endpoint Detection and Response (EDR) systems. The suite includes:
- PrismexSheet: A malicious Excel dropper that uses steganography to hide payloads within binary data.
- PrismexDrop: A native dropper that establishes persistence through COM hijacking, effectively allowing the malware to run with the privileges of trusted processes like explorer.exe.
- PrismexLoader: A DLL that extracts payloads using a unique “Bit Plane Round Robin” algorithm.
- PrismexStager: A stager that abuses the legitimate cloud service Filen.io for command-and-control (C2) communications, allowing malicious traffic to blend into normal web activity.
Trend Micro describes the synergy of these tools as coherent infection chains designed for “fileless execution, advanced steganography, and abuse of legitimate cloud services”.
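A defender-side triage check for the COM hijacking persistence attributed to PrismexDrop above. This is an added example, not code from the Trend Micro report: the registry locations are the standard per-user and machine-wide CLSID roots, and because the report excerpt names no specific CLSIDs, the script lists every per-user CLSID override and flags the usual warning signs instead of matching a known indicator.

```powershell
# Per-user CLSID registrations (HKCU) take precedence over HKLM when a process such as
# explorer.exe instantiates a COM object, which is what makes COM hijacking a persistence
# technique. This script enumerates HKCU InprocServer32 entries and flags the ones that
# shadow a machine-wide CLSID, load from a user-writable directory, or point at a missing DLL.
$userClsidRoot    = 'Registry::HKEY_CURRENT_USER\Software\Classes\CLSID'
$machineClsidRoot = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID'

# Directories a non-admin user can write to; a COM server loaded from here deserves a look.
$userWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, "$env:USERPROFILE\Downloads")

function Get-ComHijackCandidates {
    if (-not (Test-Path $userClsidRoot)) { return @() }
    Get-ChildItem -Path $userClsidRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid  = $_.PSChildName
        $server = Join-Path $_.PSPath 'InprocServer32'
        if (-not (Test-Path $server)) { return }
        $dll = (Get-ItemProperty -Path $server -ErrorAction SilentlyContinue).'(default)'
        if (-not $dll) { return }
        $dll = [Environment]::ExpandEnvironmentVariables($dll.Trim('"'))
        # A bare file name resolves from System32 for in-process servers; make that explicit
        # so Test-Path does not report every legitimate system DLL as missing.
        if (-not [IO.Path]::IsPathRooted($dll)) { $dll = Join-Path $env:SystemRoot "System32\$dll" }
        # Shadowing: the same CLSID exists machine-wide, so this user key overrides a trusted server.
        $shadowsHklm = Test-Path (Join-Path $machineClsidRoot $clsid)
        $inUserDir = $false
        foreach ($d in $userWritable) {
            if ($d -and $dll.StartsWith($d, 'OrdinalIgnoreCase')) { $inUserDir = $true }
        }
        [pscustomobject]@{
            CLSID        = $clsid
            Dll          = $dll
            ShadowsHKLM  = $shadowsHklm
            UserWritable = $inUserDir
            DllMissing   = -not (Test-Path $dll)
        }
    } | Where-Object { $_.ShadowsHKLM -or $_.UserWritable -or $_.DllMissing } |
        Sort-Object ShadowsHKLM, UserWritable -Descending
}

Get-ComHijackCandidates | Format-Table -AutoSize
```

Entries that both shadow an HKLM CLSID and load from a user-writable path are the strongest leads; confirm by checking the DLL's signature and which process loads it before treating the hit as an incident.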
The campaign’s steganography is particularly advanced, distributing payloads across entire images to remain invisible to casual inspection. This stealth supports a highly strategic targeting pattern. Beyond Ukraine’s central executive bodies, Pawn Storm is striking NATO logistics hubs and military allies.

Targeted sectors include:
- Poland: Focused on rail logistics, as it serves as the primary transit hub for Western military aid.
- Romania, Slovenia, and Turkey: Targeting maritime and transport sectors critical for Black Sea supply routes.
- Czech Republic and Slovakia: Aimed at political and logistical partners involved in ammunition initiatives.
This operation confirms that Pawn Storm remains one of the most aggressive intrusion sets active today. With functionality covering both espionage and potential sabotage—including wiper commands—the risk to the defense supply chain is severe.