TTPwire Vol. 1 · MITRE ATT&CK·Tagged

Trend Micro Research

Pawn Storm Campaign Deploys PRISMEX, Targets Government and Critical Infrastructure Entities

Hiroyuki Kakara · 2026-03-26

ATT&CK techniques detected

18 predictions
T1055.001 Dynamic-link Library Injection (100%)
“high-fidelity fingerprint for this developer unit. Payload extraction and in-memory execution via CLR bootstrapping: after reconstructing the raw byte stream from the steganographic image, PRISMEXLoader performs several critical steps to prepare and execute the .NET payload en…”

T1055.001 Dynamic-link Library Injection (99%)
“is invoked to initialize the CLR within the current process context (explorer.exe). - In-memory assembly loading: the malware uses System.Reflection.Assembly.Load(byte[]) to load the .NET assembly directly from the in-memory byte array. - Entry point invocation: …”

T1546.015 Component Object Model Hijacking (97%)
“\DeviceSync\{GUID}\background.png. Stage 4: Persistence via COM hijacking. PRISMEXSheet establishes persistence by hijacking a COM object that is loaded by explorer.exe: - Registry path: HKCU\Software\Classes\CLSID\{68ddbb56-9d1d-4fd9-89c5-c0da2a625392…”

T1204.002 Malicious File (93%)
“. The LNK file embeds an HTML payload immediately after the standard LNK structure. This payload leverages nested iframes and multiple DOM contexts to manipulate trust boundaries. The exploit creates an htmlfile ActiveX object to expose the DOM interface, then uses nested about:…”

T1204.001 Malicious Link (84%)
“connection targets an attacker-controlled WebDAV server to retrieve and execute a remote .LNK (shortcut) file. Crucially, this execution occurs without requiring user interaction beyond opening the document, effectively bypassing Protected View and standard OLE security promp…”

T1203 Exploitation for Client Execution (83%)
“VirusTotal on January 30, 2026, while Microsoft's patch was not released until February 10, 2026. This 11-day gap confirms zero-day exploitation in the wild. This pattern suggests Pawn Storm had access to vulnerability details ahead of public disclosure. CVE-2026-21509 …”

T1204.002 Malicious File (80%)
“VirusTotal on January 30, 2026, while Microsoft's patch was not released until February 10, 2026. This 11-day gap confirms zero-day exploitation in the wild. This pattern suggests Pawn Storm had access to vulnerability details ahead of public disclosure. CVE-2026-21509 …”

T1546.015 Component Object Model Hijacking (72%)
“-length keys derived dynamically at runtime to prevent static extraction. - Persistence via COM DLL hijacking: utilizes a "self-cleaning" persistence method involving a scheduled task and COM hijacking. This ensures the malware runs with the privileges of a trusted process …”

T1071 Application Layer Protocol (71%)
“a steganography loader (PRISMEXLoader), and a Covenant Grunt implant (PRISMEXStager). Covenant is an open-source .NET command and control (C&C) framework, and Grunts are its implant agents that feature dynamic compilation and encrypted command-and-control communicat…”

T1204.002 Malicious File (67%)
“connection targets an attacker-controlled WebDAV server to retrieve and execute a remote .LNK (shortcut) file. Crucially, this execution occurs without requiring user interaction beyond opening the document, effectively bypassing Protected View and standard OLE security promp…”

T1053.005 Scheduled Task (56%)
“-length keys derived dynamically at runtime to prevent static extraction. - Persistence via COM DLL hijacking: utilizes a "self-cleaning" persistence method involving a scheduled task and COM hijacking. This ensures the malware runs with the privileges of a trusted process …”

T1055.001 Dynamic-link Library Injection (52%)
“its own file binary into memory. - Signature search: uses custom functions searchbytes and searcheb to locate configuration start signatures (variant-specific), PNG image markers (89 50 4e 47 0d), and PE executable markers (4d 5a 90 00 03). - Configuration parsing: the …”

T1001.002 Steganography (50%)
“modern EDR systems through fileless execution, advanced steganography, and abuse of legitimate cloud services. PRISMEX includes the following components, which this section analyzes in detail: - PRISMEXSheet: a malicious Excel dropper with VBA macros that extracts payloads embe…”

T1102 Web Service (41%)
“…er static analysis. The malware abuses the legitimate end-to-end encrypted cloud storage service filen.io for C&C communications. By leveraging this trusted service, the malicious traffic blends in with normal encrypted web traffic, effectively bypassing reputation-bas…”

T1665 Hide Infrastructure (35%)
“cloud infrastructure, and unique steganography, the actor has demonstrated a continued ability to evolve. The strategic focus on targeting the supply chains, weather services, and humanitarian corridors supporting Ukraine represents a shift toward operational disruption that may …”

T1190 Exploit Public-Facing Application (34%)
“Pawn Storm Campaign Deploys PRISMEX, Targets Government and Critical Infrastructure Entities. APT & Targeted Attacks. Pawn Storm Campaign Deploys PRISMEX, Targets Government and Critical Infrastructure Entities. This blog discusses the steganography, cloud abuse, and email-based b…”

T1496 Resource Hijacking (33%)
“cloud infrastructure, and unique steganography, the actor has demonstrated a continued ability to evolve. The strategic focus on targeting the supply chains, weather services, and humanitarian corridors supporting Ukraine represents a shift toward operational disruption that may …”

T1027.003 Steganography (31%)
“modern EDR systems through fileless execution, advanced steganography, and abuse of legitimate cloud services. PRISMEX includes the following components, which this section analyzes in detail: - PRISMEXSheet: a malicious Excel dropper with VBA macros that extracts payloads embe…”

Summary

This blog discusses the steganography, cloud abuse, and email-based backdoors used against the Ukrainian defense supply chain in the latest Pawn Storm campaign that TrendAI™ Research observed and analyzed.