
Pawn Storm’s Dual Zero-Day Exploit Unleashed

Red | Attack Report

Summary

Pawn Storm, the Russian state-sponsored threat group also tracked as APT28, Sofacy, Fancy Bear, and Forest Blizzard, conducted a sophisticated cyber espionage campaign beginning in September 2025 that weaponized two zero-day vulnerabilities in a coordinated exploit chain targeting Ukrainian government entities, military organizations, and NATO-linked critical infrastructure across Turkey, Central and Eastern Europe. This campaign represents an evolution in Pawn Storm’s operational methodology, chaining CVE-2026-21509 (Microsoft Office security feature bypass) with CVE-2026-21513 (Microsoft MSHTML framework protection mechanism failure) to achieve silent, fileless compromise of high-value targets through weaponized document attachments.

The attack campaign employed highly targeted spear-phishing operations delivering contextually relevant emails disguised as urgent communications including hydro-meteorological alerts, military training invitations, and weapon smuggling warnings. These socially engineered lures carried malicious RTF attachments embedding crafted OLE objects that exploited CVE-2026-21509, a vulnerability in Microsoft Office’s OLE allowlist mechanism. By abusing this flaw, the weaponized documents silently instantiated the Shell.Explorer.1 COM object, triggering outbound connections to attacker-controlled WebDAV servers and executing remote .lnk files while completely bypassing Microsoft Office Protected View and user prompt mechanisms.

The exploitation chain escalated through CVE-2026-21513, a protection mechanism failure in the Microsoft MSHTML framework. The remotely executed .lnk files delivered embedded HTML payloads that manipulated browser trust boundaries using nested iframes and multiple DOM contexts. By exploiting weak URL validation within ieframe.dll, the attack chain forced code execution via ShellExecuteExW, effectively bypassing browser security constraints. The coordinated use of shared command-and-control infrastructure across both vulnerability exploits strongly indicates deliberate chaining in a two-stage attack architecture designed to maximize stealth and minimize detection opportunities.

Following successful exploitation, victims were funneled into one of two sophisticated malware deployment pathways: the PRISMEX suite or the MiniDoor infection chain. The PRISMEX pathway demonstrated advanced technical sophistication, beginning with PrismexSheet, an obfuscated Excel-based dropper concealing payloads within its own binary structure using steganographic techniques. Victims were distracted with decoy content themed around Ukrainian military drone inventories and supplier pricing while persistence mechanisms were established through COM hijacking, modifying registry entries to load malicious DLLs during system initialization.

The PRISMEX suite incorporated multiple sophisticated components including PrismexDrop, which decrypted embedded payloads using rolling XOR routines before planting them in system directories and establishing persistence via scheduled tasks and additional COM hijacking tied to explorer.exe. PrismexLoader represented the technical centerpiece of the operation, masquerading as legitimate Windows DLLs while implementing a custom “Bit Plane Round Robin” steganography method that reconstructed malicious payloads from PNG images by distributing data across multiple file layers, a technique rarely observed outside Pawn Storm’s operational toolset.

The final stage deployed PrismexStager, a Covenant-based implant leveraging encrypted cloud storage services including Filen.io for resilient command-and-control communications. By distributing infrastructure across multiple domains and cloud platforms, Pawn Storm ensured operational resilience and stealth. Significantly, the campaign demonstrated dual-use capability extending beyond espionage, with at least one observed case involving destructive commands that completely wiped user data. This dual-purpose intent underscores Pawn Storm’s operational flexibility: not merely to infiltrate and observe, but to disrupt and damage when strategic objectives require destructive effects.

The campaign’s targeting focused on Ukrainian government bodies, defense units, meteorological agencies, NATO-linked logistics networks, emergency services, hydrometeorology organizations, rail logistics, maritime and transport sectors, and humanitarian aid organizations. This targeting pattern aligns with Russian strategic intelligence priorities during the ongoing conflict in Ukraine and reflects Pawn Storm’s mandate to support Russian military operations through cyber espionage and potential pre-positioning for disruptive operations.

Both CVE-2026-21509 and CVE-2026-21513 have been added to CISA’s Known Exploited Vulnerabilities catalog, mandating remediation for U.S. federal civilian executive branch agencies and strongly recommending patching for all organizations. Microsoft released patches for both vulnerabilities, though the extended period of zero-day exploitation before discovery allowed Pawn Storm to achieve significant intelligence collection across targeted sectors.

Attack Details

Campaign Overview and Initial Access Methodology

Pawn Storm’s dual zero-day campaign began in September 2025 with carefully orchestrated spear-phishing operations targeting high-value entities across Ukrainian government, military, and NATO-linked infrastructure. The threat actors demonstrated sophisticated understanding of victim operational contexts, crafting lures that aligned with legitimate organizational concerns and ongoing situational awareness requirements. Email themes included hydro-meteorological alerts relevant to government weather monitoring agencies, military training invitations targeting defense personnel, and weapon smuggling warnings designed to engage law enforcement and border security officials.

The malicious RTF attachments served as the initial attack vector, embedding crafted OLE objects designed to exploit CVE-2026-21509. This Microsoft Office security feature bypass vulnerability affects the OLE object allowlist mechanism, which is intended to prevent potentially dangerous COM objects from being instantiated when opening untrusted documents. By crafting specific OLE object parameters, Pawn Storm bypassed this security control, allowing the weaponized document to silently instantiate the Shell.Explorer.1 COM object without triggering Protected View or displaying security warnings to the victim.

The Shell.Explorer.1 COM object provided Pawn Storm with the capability to initiate outbound network connections from within the context of the opened Office document. The exploit triggered connections to attacker-controlled WebDAV (Web Distributed Authoring and Versioning) servers, which expose remote file access over HTTP/HTTPS. The WebDAV server hosted malicious .lnk files that were automatically downloaded and executed when the exploited Office document loaded the crafted OLE object, effectively achieving code execution without requiring any user interaction beyond opening the email attachment.

CVE-2026-21513 MSHTML Framework Exploitation

The second stage of the exploit chain leveraged CVE-2026-21513, a protection mechanism failure in the Microsoft MSHTML framework. This vulnerability affects the Internet Explorer rendering engine components that remain integrated into Windows for backward compatibility and are utilized by various system components including Windows Explorer for rendering HTML content. The remotely executed .lnk files contained embedded HTML payloads specifically crafted to exploit weaknesses in MSHTML’s trust boundary enforcement mechanisms.

The HTML payload utilized nested iframe structures and multiple Document Object Model contexts to manipulate browser security zones and trust boundaries. By exploiting weak URL validation within ieframe.dll, the core Internet Explorer frame library, Pawn Storm forced the execution of attacker-specified code via ShellExecuteExW, a Windows API function that launches applications or opens documents. This technique effectively bypassed browser security constraints that would normally prevent untrusted web content from executing arbitrary code on the system.

The coordinated use of shared command-and-control infrastructure across both CVE-2026-21509 and CVE-2026-21513 exploits strongly indicates deliberate architectural design for a two-stage attack chain. Rather than being opportunistic exploitation of separate vulnerabilities, the campaign demonstrates intentional chaining where the first vulnerability enables initial code execution, while the second vulnerability escalates that execution into persistent system compromise. This level of coordination requires significant technical sophistication and suggests dedicated exploit development resources focused on achieving reliable, stealthy compromise of targeted systems.

PRISMEX Suite Deployment and Steganographic Techniques

Victims successfully compromised through the dual zero-day exploit chain were directed into one of two malware deployment pathways, with the PRISMEX suite representing the more technically sophisticated option. The infection typically began with PrismexSheet, an obfuscated Excel-based dropper that concealed malicious payloads within its own binary structure using steganographic data hiding techniques. To maintain operational security and reduce victim suspicion, PrismexSheet displayed decoy content themed around Ukrainian military assets, specifically drone inventories and supplier pricing information relevant to defense procurement operations.

Persistence establishment utilized COM hijacking techniques, a method that exploits the Windows Component Object Model registration system to achieve automatic execution of malicious code. By modifying specific registry entries under HKEY_CURRENT_USER\Software\Classes\CLSID, Pawn Storm configured the system to load malicious DLLs whenever legitimate system processes attempted to instantiate specific COM objects. This technique provides reliable persistence that survives system reboots while maintaining stealth, as the malicious code executes within the context of legitimate system processes rather than as standalone suspicious executables.

An alternative loader designated PrismexDrop employed rolling XOR encryption routines to decrypt embedded payloads at runtime. XOR-based encryption provides sufficient obfuscation to evade signature-based antivirus detection while remaining computationally efficient for decryption during execution. Following decryption, PrismexDrop planted malicious components in system directories including locations under %PROGRAMDATA% and %APPDATA%, then established multiple persistence mechanisms including scheduled tasks configured to execute at system startup and additional COM hijacking entries tied to explorer.exe, the Windows shell process that runs continuously during user sessions.

The technical sophistication of the PRISMEX suite peaked with PrismexLoader, which implemented a custom steganographic technique designated “Bit Plane Round Robin.” This novel data hiding method reconstructed malicious payloads from seemingly benign PNG image files by distributing payload data across multiple bit planes within the image structure. Rather than embedding data in a single layer or using simple least-significant-bit steganography, the Bit Plane Round Robin technique distributes data across the entire image in a round-robin pattern, significantly increasing the difficulty of detection through statistical analysis or visual inspection. This steganographic sophistication represents a distinctive technical signature rarely observed outside Pawn Storm operations.

Fileless Execution and .NET Reflective Loading

PrismexLoader incorporated advanced fileless execution techniques designed to minimize forensic artifacts and evade endpoint detection solutions. Rather than writing the final payload executable to disk where it could be discovered by file scanning or forensic analysis, PrismexLoader initialized the .NET Common Language Runtime directly within memory. This in-memory CLR initialization allowed execution of .NET-based malware components without creating corresponding files on the filesystem.

The loader employed reflective loading techniques, a method that loads executable code from memory buffers rather than from files on disk. By loading assemblies directly from byte arrays in memory, PrismexLoader executed the payload completely in RAM, leaving minimal forensic evidence of the compromise. This fileless approach significantly reduces visibility to traditional antivirus solutions that primarily scan files on disk, and complicates incident response and forensic analysis by limiting the artifacts available for investigation.

The use of .NET-based payloads reflects a strategic choice by Pawn Storm to leverage frameworks and languages that are present by default on Windows systems, reducing the need to deliver and execute custom compiled binaries that might trigger security alerts. The .NET Framework is installed on virtually all modern Windows systems, making .NET assemblies an attractive choice for malware authors seeking broad compatibility and reliable execution across diverse target environments.

Command-and-Control via Encrypted Cloud Storage

The final stage of the PRISMEX infection chain deployed PrismexStager, a Covenant-based implant representing Pawn Storm’s adoption of open-source command-and-control frameworks. Covenant is a publicly available C2 framework designed for adversary simulation and penetration testing, offering features including encrypted communications, task execution, and payload delivery. Pawn Storm’s use of Covenant, first documented in their operations during 2024, demonstrates a trend among state-sponsored actors toward adopting and adapting publicly available offensive security tools rather than exclusively developing custom proprietary malware.

PrismexStager leveraged encrypted cloud storage services, specifically Filen.io, for command-and-control communications. This technique, often designated “cloud-based C2” or “living off trusted services,” provides several operational advantages for threat actors. Cloud storage platforms typically maintain strong reputations and are rarely blocked by corporate firewalls or web proxies, allowing malicious traffic to blend with legitimate business use of cloud services. The encryption provided by the cloud platform itself adds an additional layer of obfuscation, making network-based detection of command-and-control traffic significantly more challenging.

By distributing command-and-control infrastructure across multiple domains and cloud service providers, Pawn Storm ensured operational resilience against takedown attempts and network-based blocking. If defenders identify and block one C2 domain or cloud service, the implant can automatically fail over to alternative infrastructure, maintaining persistent access to compromised systems. This redundancy demonstrates sophisticated operational planning and infrastructure management capabilities consistent with well-resourced state-sponsored operations.

Destructive Capabilities and Dual-Use Intent

While the PRISMEX campaign primarily focused on espionage and intelligence collection, at least one observed case documented destructive capabilities where the malware issued commands that completely wiped user data from compromised systems. This destructive functionality reveals Pawn Storm’s dual-use operational intent: the infrastructure and implants deployed for intelligence collection can be immediately repurposed for disruptive or destructive effects when strategic priorities shift or specific operational requirements demand data destruction rather than exfiltration.

The capability to transition from espionage to disruption without deploying additional malware or tools provides Pawn Storm with significant operational flexibility. During peacetime or periods of strategic intelligence collection, the infrastructure operates in passive collection mode, exfiltrating sensitive documents, communications, and operational data. However, during periods of heightened conflict or when specific targets require disruption rather than observation, the same infrastructure can be commanded to execute destructive payloads, delete critical data, or disrupt operations without requiring new intrusion operations or additional compromise vectors.

This dual-purpose capability aligns with broader Russian cyber operations doctrine, which emphasizes pre-positioning access within adversary networks during peacetime while retaining the capability to activate disruptive or destructive effects when geopolitical circumstances warrant escalation. The integration of destructive capabilities within intelligence collection infrastructure ensures that Pawn Storm maintains the ability to rapidly shift operational focus from espionage to attack without telegraphing intent through observable changes in tactics or infrastructure deployment.

Historical Context and Covenant Framework Adoption

It is important to note that elements of this campaign were previously tracked under the designation Operation Neusploit, indicating that the threat intelligence community had partial visibility into Pawn Storm activities before the full scope and technical sophistication of the dual zero-day chain became apparent. The retrospective linking of Operation Neusploit to this broader campaign demonstrates the challenge of tracking sophisticated state-sponsored operations where attackers deliberately compartmentalize infrastructure and operations to complicate attribution and analysis.

Pawn Storm’s adoption of the Covenant open-source command-and-control framework represents a broader trend observed across multiple state-sponsored actors. Rather than exclusively relying on custom-developed proprietary malware that might be uniquely attributable, sophisticated threat groups increasingly incorporate publicly available offensive security tools, penetration testing frameworks, and red team utilities into their operations. This approach provides several advantages including reduced development costs, access to well-tested and feature-rich capabilities, and increased difficulty in attribution since the same tools are used by legitimate security professionals, criminal actors, and multiple state-sponsored groups simultaneously.

The use of Covenant was first documented in Pawn Storm operations during 2024, indicating approximately two years of operational experience with the framework by the time of this campaign. This extended period of framework adoption suggests Pawn Storm has developed significant expertise in customizing, deploying, and operating Covenant infrastructure, likely including modifications to evade detection signatures and integration with their broader operational toolsets and procedures.

Recommendations

Patch CVE-2026-21509 and CVE-2026-21513 Immediately

Organizations must prioritize immediate remediation of both CVE-2026-21509 and CVE-2026-21513 across their entire Microsoft Office and Windows installation base. Both vulnerabilities are listed in CISA’s Known Exploited Vulnerabilities catalog with mandatory remediation deadlines for federal civilian executive branch agencies. Microsoft has released patches addressing both vulnerabilities through their regular update channels. Security teams should verify patch deployment across all endpoints, with particular priority for systems used by personnel in government, defense, critical infrastructure, and sectors targeted by Pawn Storm operations.

Enforce Macro Execution Policies

Organizations must implement and enforce strict macro execution policies for Microsoft Office files, particularly those originating from external sources. Group Policy settings should be configured to block VBA macro execution for documents downloaded from the internet or received via email, as indicated by the Mark of the Web file attribute that Windows applies to files from untrusted sources. This configuration prevents PrismexSheet and similar Excel-based droppers from executing malicious macro code even if users are socially engineered into opening weaponized documents.

Implement Strict RTF Attachment Filtering

Email security gateways should be configured to block or quarantine RTF (Rich Text Format) attachments, which served as the primary delivery mechanism for CVE-2026-21509 exploitation in this campaign. While RTF files can contain legitimate content, their use in modern business environments is relatively rare compared to more common formats like DOCX, PDF, and XLSX. Organizations should evaluate whether RTF files are necessary for business operations and, if not required, implement blanket blocking policies. Additionally, enhanced logging should be enabled for Outlook VBA macro execution, and VBA projects should be audited for unauthorized modifications that might indicate compromise.

Monitor CLR Initialization in Non-.NET Processes

Security teams must deploy endpoint detection rules specifically configured to identify unusual Common Language Runtime initialization patterns in processes that do not normally execute .NET code. Particular attention should be paid to explorer.exe loading clr.dll or mscorlib.dll, as these DLL loads indicate in-memory .NET assembly execution consistent with PrismexLoader’s fileless execution techniques. The Microsoft-Windows-DotNETRuntime Event Tracing for Windows provider should be enabled to detect assembly loads occurring from byte arrays rather than file paths, which is a strong indicator of reflective loading techniques used to evade file-based detection.
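As an added example (not code from this report), the following Python scans constructed Sysmon-style ImageLoad (Event ID 7) records for CLR DLLs loading into hosts that do not normally run .NET, rating explorer.exe, the host the advisory names, highest; the host allowlist, the key=value field layout and the sample events are assumptions.

```python
"""Detect CLR start-up in processes that should not host .NET code.

Added example for the advisory's recommendation, not code from the report: it
scans constructed Sysmon-style Event ID 7 (ImageLoad) records rendered as
'Key=Value|Key=Value' lines. The allowlist and samples are assumptions.
"""
import re
from typing import Dict, List, Optional

# DLL names whose load means the CLR is being initialized in the process.
CLR_DLLS = {"clr.dll", "coreclr.dll", "mscoree.dll", "mscorlib.dll", "clrjit.dll"}

# Constructed allowlist of hosts expected to load the CLR; everything else is suspect.
EXPECTED_CLR_HOSTS = {"powershell.exe", "devenv.exe", "msbuild.exe", "w3wp.exe"}

# Hosts the advisory singles out: PrismexLoader runs the CLR inside explorer.exe.
HIGH_RISK_HOSTS = {"explorer.exe"}

FIELD_RE = re.compile(r"(\w+)=([^|]*)")


def parse_event(line: str) -> Dict[str, str]:
    """Split one 'Key=Value|Key=Value' record into a dict (values may contain spaces)."""
    return {key: value.strip() for key, value in FIELD_RE.findall(line)}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return a severity label for a suspicious CLR load, or None if benign."""
    if event.get("EventID") != "7":
        return None  # only image-load events carry the loaded-DLL field
    host = basename(event.get("Image", ""))
    loaded = basename(event.get("ImageLoaded", ""))
    if loaded not in CLR_DLLS or host in EXPECTED_CLR_HOSTS:
        return None
    return "HIGH" if host in HIGH_RISK_HOSTS else "MEDIUM"


def scan(lines: List[str]) -> List[str]:
    """Return one alert string per suspicious event, in input order."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        severity = classify(event)
        if severity:
            alerts.append(
                f"{event.get('UtcTime')} {severity}: {basename(event.get('Image', ''))} "
                f"(pid {event.get('ProcessId')}) loaded {basename(event.get('ImageLoaded', ''))}"
            )
    return alerts


# Constructed sample events (timestamps, PIDs and paths are illustrative only).
SAMPLE_EVENTS = [
    "EventID=7|UtcTime=2025-09-12 08:14:03|ProcessId=4120|Image=C:\\Windows\\explorer.exe"
    "|ImageLoaded=C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\clr.dll",
    "EventID=7|UtcTime=2025-09-12 08:14:05|ProcessId=5012"
    "|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|ImageLoaded=C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\clr.dll",
    "EventID=7|UtcTime=2025-09-12 08:14:06|ProcessId=4120|Image=C:\\Windows\\explorer.exe"
    "|ImageLoaded=C:\\Windows\\System32\\shell32.dll",
    "EventID=7|UtcTime=2025-09-12 08:15:10|ProcessId=6644"
    "|Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
    "|ImageLoaded=C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\mscorlib.dll",
    "EventID=3|UtcTime=2025-09-12 08:15:11|ProcessId=6644"
    "|Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|DestinationPort=80",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Pair this with the Microsoft-Windows-DotNETRuntime ETW provider mentioned above to confirm whether the assembly was loaded from a byte array rather than a file path.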

Enhance Steganography Detection Capabilities

Organizations should deploy security solutions capable of analyzing image files for anomalous entropy patterns and statistical characteristics indicative of steganographic data hiding. PrismexLoader’s Bit Plane Round Robin technique distributes malicious payloads across entire PNG image structures, creating subtle statistical anomalies that can be detected through proper analysis. Email security gateways and endpoint protection solutions should incorporate steganography detection modules that analyze image attachments and downloads for suspicious entropy distributions, unusual bit patterns, or statistical characteristics inconsistent with legitimate photographs or graphics.
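An added example of the statistical idea behind this recommendation, not code from the report or the PRISMEX samples: it measures per-bit-plane compressibility of a decoded grayscale pixel buffer and flags images whose planes above the LSB look like random data, the footprint a payload distributed round-robin across several planes leaves. The synthetic images, the thresholds and the random-bits model of an encrypted payload are assumptions.

```python
# Added example (not from the advisory): bit-plane compressibility steganalysis.
# Works on a decoded 8-bit grayscale pixel buffer; decode the PNG with an image
# library first. Fixtures and thresholds are constructed assumptions.
import random
import zlib
from typing import Dict, List, Sequence


def extract_plane(pixels: bytes, plane: int) -> bytes:
    """Pack bit `plane` (0 = LSB) of every pixel into bytes, 8 pixels per byte."""
    out = bytearray()
    acc, count = 0, 0
    for p in pixels:
        acc = (acc << 1) | ((p >> plane) & 1)
        count += 1
        if count == 8:
            out.append(acc)
            acc, count = 0, 0
    if count:
        out.append(acc << (8 - count))
    return bytes(out)


def compressibility(data: bytes) -> float:
    """zlib size ratio: about 1.0 or above means incompressible, i.e. noise-like."""
    return len(zlib.compress(data, 9)) / max(1, len(data))


def plane_profile(pixels: bytes) -> List[float]:
    """Compressibility of each of the 8 bit planes, index 0 = LSB."""
    return [round(compressibility(extract_plane(pixels, k)), 3) for k in range(8)]


def analyze(pixels: bytes, noise_threshold: float = 0.9, min_noisy: int = 2) -> Dict:
    """Flag an image when two or more planes ABOVE the LSB look like random data.

    Plane 0 is skipped on purpose: a real photograph's LSB is usually sensor noise.
    A payload spread round-robin over several planes also randomizes planes 1, 2,
    ..., which natural images almost never do; that anomaly is what is keyed on.
    """
    profile = plane_profile(pixels)
    noisy = [k for k in range(1, 8) if profile[k] >= noise_threshold]
    return {"profile": profile, "noisy_planes": noisy, "suspicious": len(noisy) >= min_noisy}


# ---- constructed fixtures standing in for decoded PNG pixel data ----
WIDTH = HEIGHT = 64


def synthetic_clean(seed: int = 1) -> bytes:
    """Smooth diagonal gradient with sparse +/-1 noise: every plane stays structured."""
    rng = random.Random(seed)
    px = bytearray()
    for y in range(HEIGHT):
        for x in range(WIDTH):
            v = 2 * (x + y) + (rng.choice((-1, 1)) if rng.random() < 0.05 else 0)
            px.append(max(0, min(255, v)))
    return bytes(px)


def simulate_round_robin_payload(pixels: bytes, planes: Sequence[int] = (0, 1, 2),
                                 seed: int = 7) -> bytes:
    """Overwrite the given planes with random bits: statistically, that is what an
    encrypted payload spread round-robin across those planes looks like."""
    rng = random.Random(seed)
    mask = sum(1 << k for k in planes)
    px = bytearray(pixels)
    for i in range(len(px)):
        px[i] = (px[i] & ~mask & 0xFF) | (rng.getrandbits(8) & mask)
    return bytes(px)


if __name__ == "__main__":
    clean = synthetic_clean()
    print("clean:", analyze(clean))
    print("stego:", analyze(simulate_round_robin_payload(clean)))
```

Calibrate the threshold on known-clean images from the same source before deploying, since heavily processed or JPEG-derived graphics can shift the profile of the lower planes.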

Restrict Non-Essential Cloud Storage Services

Security teams should review and restrict access to non-business-essential cloud storage platforms at perimeter firewalls and web proxy infrastructure. Organizations should maintain explicit allowlists of approved cloud storage services required for legitimate business operations, while blocking or heavily monitoring access to services not required for organizational functions. Specific attention should be paid to Filen.io traffic, as the PRISMEX campaign demonstrated abuse of this platform for command-and-control communications. Unless Filen.io is explicitly required for business operations, organizations should block access to this service at network boundaries and monitor for any connection attempts that might indicate compromised systems attempting to establish C2 channels.

MITRE ATT&CK TTPs

Initial Access

T1566: Phishing

  • T1566.001: Spearphishing Attachment

Execution

T1059: Command and Scripting Interpreter

  • T1059.005: Visual Basic
  • T1059.001: PowerShell

T1204: User Execution

  • T1204.001: Malicious Link

Persistence

T1546: Event Triggered Execution

  • T1546.015: Component Object Model Hijacking

T1053: Scheduled Task/Job

  • T1053.005: Scheduled Task

Defense Evasion

T1574: Hijack Execution Flow

  • T1574.002: DLL Side-Loading

T1027: Obfuscated Files or Information

  • T1027.003: Steganography

T1055: Process Injection

T1553: Subvert Trust Controls

  • T1553.005: Mark-of-the-Web Bypass

Collection

T1114: Email Collection

  • T1114.001: Local Email Collection

Command and Control

T1071: Application Layer Protocol

  • T1071.001: Web Protocols

T1102: Web Service

Exfiltration

T1048: Exfiltration Over Alternative Protocol

  • T1048.003: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol

Indicators of Compromise (IOCs)

The full list of indicators of compromise is available in the PDF report.

