Pawn Storm Campaign Deploys PRISMEX, Targets Government and Critical Infrastructure Entities

    Date: 03/26/2026

    Severity: Medium

    Summary

    Pawn Storm, a Russia-aligned APT group, is targeting Ukraine's defense supply chain and allied nations. It deploys PRISMEX, a modular malware suite that uses steganography, COM hijacking, and cloud-based command and control (C2). The group exploited multiple flaws, including a Windows zero-day (CVE-2026-21513). According to Akamai's findings, malicious .lnk files delivered via CVE-2026-21509 may be chained with CVE-2026-21513; the cited research has not independently verified this exploit-chain linkage. Early infrastructure setup and wiper capabilities indicate both espionage and sabotage intent.

    Indicators of Compromise (IOC) List

    Domains / URLs:

    IP Addresses:

    193.187.148.169 

    23.227.202.14 

    72.62.185.31 

    Email Addresses:

    dubravka.jovanovic2024@proton.me 

    a.matti444@proton.me 

    TeoAbarquero@tutamail.com 

    UffeTroelsen@atomicmail.io

    File Paths:

    Email Subjects:

    Daily Report 

    Elektronska posta - dostavljeno

    Elektronska posta je zasticena sistemom zastite

    Dostavljam za informaciju za taj dan

    Vulnerabilities:

    CVE-2026-21509

    CVE-2026-21513

    Registry Key:

    HKCU\Software\Classes\CLSID\{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D} 

    Scheduled Task Name:

    OneDriveHealth

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "https://gateway.filen.net" or url like "https://gateway.filen.net" or siteurl like "https://gateway.filen.net"
    or domainname like "https://ingest.filen-1.net" or url like "https://ingest.filen-1.net" or siteurl like "https://ingest.filen-1.net"
    or domainname like "wellnessmedcare.org" or url like "wellnessmedcare.org" or siteurl like "wellnessmedcare.org"
    or domainname like "https://egest.filen-2.net" or url like "https://egest.filen-2.net" or siteurl like "https://egest.filen-2.net"
    or domainname like "https://ingest.filen-6.net" or url like "https://ingest.filen-6.net" or siteurl like "https://ingest.filen-6.net"
    or domainname like "http://webhook.site/910cf351-a05d-4f67-ab8e-6f62cfa8e26d?$env:USERNAME" or url like "http://webhook.site/910cf351-a05d-4f67-ab8e-6f62cfa8e26d?$env:USERNAME" or siteurl like "http://webhook.site/910cf351-a05d-4f67-ab8e-6f62cfa8e26d?$env:USERNAME"
    or domainname like "https://ingest.filen-2.net" or url like "https://ingest.filen-2.net" or siteurl like "https://ingest.filen-2.net"
    or domainname like "freefoodaid.com" or url like "freefoodaid.com" or siteurl like "freefoodaid.com"
    or domainname like "longsauce.com" or url like "longsauce.com" or siteurl like "longsauce.com"
    or domainname like "https://ingest.filen.net" or url like "https://ingest.filen.net" or siteurl like "https://ingest.filen.net"
    or domainname like "https://egest.filen-6.net" or url like "https://egest.filen-6.net" or siteurl like "https://egest.filen-6.net"
    or domainname like "wellnesscaremed.com" or url like "wellnesscaremed.com" or siteurl like "wellnesscaremed.com"
    or domainname like "https://egest.filen.net" or url like "https://egest.filen.net" or siteurl like "https://egest.filen.net"
    or domainname like "dbca10b5-63e0-42ec-ad10-de13be96dc42.dnshook.site" or url like "dbca10b5-63e0-42ec-ad10-de13be96dc42.dnshook.site" or siteurl like "dbca10b5-63e0-42ec-ad10-de13be96dc42.dnshook.site"
    or domainname like "https://egest.filen-1.net" or url like "https://egest.filen-1.net" or siteurl like "https://egest.filen-1.net"
    or domainname like "%username%dbca10b5-63e0-42ec-ad10-de13be96dc42.dnshook.site" or url like "%username%dbca10b5-63e0-42ec-ad10-de13be96dc42.dnshook.site" or siteurl like "%username%dbca10b5-63e0-42ec-ad10-de13be96dc42.dnshook.site"
    or domainname like "%username%.910cf351-a05d-4f67-ab8e-6f62cfa8e26d.dnshook.site" or url like "%username%.910cf351-a05d-4f67-ab8e-6f62cfa8e26d.dnshook.site" or siteurl like "%username%.910cf351-a05d-4f67-ab8e-6f62cfa8e26d.dnshook.site"
    or domainname like "filen.io" or url like "filen.io" or siteurl like "filen.io"
    or domainname like "https://3008.filemail.com/api/file/get?filekey=6ir3NT7t9kNXSp3-IGKKYKDgHqEgyNauI3V4UhsSHWFdjK8qOr8rzQJ63avm4g" or url like "https://3008.filemail.com/api/file/get?filekey=6ir3NT7t9kNXSp3-IGKKYKDgHqEgyNauI3V4UhsSHWFdjK8qOr8rzQJ63avm4g" or siteurl like "https://3008.filemail.com/api/file/get?filekey=6ir3NT7t9kNXSp3-IGKKYKDgHqEgyNauI3V4UhsSHWFdjK8qOr8rzQJ63avm4g"
    or domainname like "https://gateway.filen.io" or url like "https://gateway.filen.io" or siteurl like "https://gateway.filen.io"
    or domainname like "https://gateway.filen-1.net" or url like "https://gateway.filen-1.net" or siteurl like "https://gateway.filen-1.net"
    or domainname like "https://gateway.filen-2.net" or url like "https://gateway.filen-2.net" or siteurl like "https://gateway.filen-2.net"
    or domainname like "https://gateway.filen-3.net" or url like "https://gateway.filen-3.net" or siteurl like "https://gateway.filen-3.net"
    or domainname like "https://gateway.filen-4.net" or url like "https://gateway.filen-4.net" or siteurl like "https://gateway.filen-4.net"
    or domainname like "https://gateway.filen-5.net" or url like "https://gateway.filen-5.net" or siteurl like "https://gateway.filen-5.net"
    or domainname like "https://gateway.filen-6.net" or url like "https://gateway.filen-6.net" or siteurl like "https://gateway.filen-6.net"
    or domainname like "https://egest.filen.io" or url like "https://egest.filen.io" or siteurl like "https://egest.filen.io"

    Detection Query 2:

    domainname like "https://egest.filen-3.net" or url like "https://egest.filen-3.net" or siteurl like "https://egest.filen-3.net"
    or domainname like "https://egest.filen-4.net" or url like "https://egest.filen-4.net" or siteurl like "https://egest.filen-4.net"
    or domainname like "https://egest.filen-5.net" or url like "https://egest.filen-5.net" or siteurl like "https://egest.filen-5.net"
    or domainname like "https://ingest.filen.io" or url like "https://ingest.filen.io" or siteurl like "https://ingest.filen.io"
    or domainname like "https://ingest.filen-3.net" or url like "https://ingest.filen-3.net" or siteurl like "https://ingest.filen-3.net"
    or domainname like "https://ingest.filen-4.net" or url like "https://ingest.filen-4.net" or siteurl like "https://ingest.filen-4.net"
    or domainname like "https://ingest.filen-5.net" or url like "https://ingest.filen-5.net" or siteurl like "https://ingest.filen-5.net"
    or domainname like "file://wellnessmedcare.org/davwwwroot/pol/Downloads/document.LnK?init=1" or url like "file://wellnessmedcare.org/davwwwroot/pol/Downloads/document.LnK?init=1" or siteurl like "file://wellnessmedcare.org/davwwwroot/pol/Downloads/document.LnK?init=1"
    or domainname like "file://wellnessmedcare.org@ssl/pol/Downloads/document.LnK?init=1" or url like "file://wellnessmedcare.org@ssl/pol/Downloads/document.LnK?init=1" or siteurl like "file://wellnessmedcare.org@ssl/pol/Downloads/document.LnK?init=1"
    or domainname like "file://wellnesscaremed.com/venezia/Favorites/document.doc.LnK?init=1" or url like "file://wellnesscaremed.com/venezia/Favorites/document.doc.LnK?init=1" or siteurl like "file://wellnesscaremed.com/venezia/Favorites/document.doc.LnK?init=1"
    or domainname like "file://wellnesscaremed.com@ssl/venezia/Favorites/document.doc.LnK?init=1" or url like "file://wellnesscaremed.com@ssl/venezia/Favorites/document.doc.LnK?init=1" or siteurl like "file://wellnesscaremed.com@ssl/venezia/Favorites/document.doc.LnK?init=1"
    or domainname like "file://freefoodaid.com/davwwwroot/documents/2_2.lNk?init=1" or url like "file://freefoodaid.com/davwwwroot/documents/2_2.lNk?init=1" or siteurl like "file://freefoodaid.com/davwwwroot/documents/2_2.lNk?init=1"
    or domainname like "file://freefoodaid.com@80/documents/2_2.lNk?init=1" or url like "file://freefoodaid.com@80/documents/2_2.lNk?init=1" or siteurl like "file://freefoodaid.com@80/documents/2_2.lNk?init=1"
    or domainname like "file://wellnesscaremed.com/buch/Downloads/document.doc.LnK?init=1" or url like "file://wellnesscaremed.com/buch/Downloads/document.doc.LnK?init=1" or siteurl like "file://wellnesscaremed.com/buch/Downloads/document.doc.LnK?init=1"
    or domainname like "file://wellnesscaremed.com@ssl/buch/Downloads/document.doc.LnK?init=1" or url like "file://wellnesscaremed.com@ssl/buch/Downloads/document.doc.LnK?init=1" or siteurl like "file://wellnesscaremed.com@ssl/buch/Downloads/document.doc.LnK?init=1"
    or domainname like "\\freefoodaid.com@SSL\davwwwroot\tables\tables.lNk?init=1" or url like "\\freefoodaid.com@SSL\davwwwroot\tables\tables.lNk?init=1" or siteurl like "\\freefoodaid.com@SSL\davwwwroot\tables\tables.lNk?init=1"
    or domainname like "\\freefoodaid.com@SSL\tables\tables.lNk?init=1" or url like "\\freefoodaid.com@SSL\tables\tables.lNk?init=1" or siteurl like "\\freefoodaid.com@SSL\tables\tables.lNk?init=1"
    or domainname like "file://wellnessmedcare.org/davwwwroot/cz/Downloads/document.LnK?init=1" or url like "file://wellnessmedcare.org/davwwwroot/cz/Downloads/document.LnK?init=1" or siteurl like "file://wellnessmedcare.org/davwwwroot/cz/Downloads/document.LnK?init=1"
    or domainname like "file://wellnessmedcare.org@ssl/cz/Downloads/document.LnK?init=1" or url like "file://wellnessmedcare.org@ssl/cz/Downloads/document.LnK?init=1" or siteurl like "file://wellnessmedcare.org@ssl/cz/Downloads/document.LnK?init=1"
    or domainname like "\\longsauce.com@SSL\davwwwroot\DAv/DEFault/data.LnK?init=1" or url like "\\longsauce.com@SSL\davwwwroot\DAv/DEFault/data.LnK?init=1" or siteurl like "\\longsauce.com@SSL\davwwwroot\DAv/DEFault/data.LnK?init=1"
    or domainname like "\\longsauce.com@SSL\DAv/DEFault/data.LnK?init=1" or url like "\\longsauce.com@SSL\DAv/DEFault/data.LnK?init=1" or siteurl like "\\longsauce.com@SSL\DAv/DEFault/data.LnK?init=1"

    Detection Query 3:

    dstipaddress IN ("23.227.202.14","72.62.185.31","193.187.148.169") or srcipaddress IN ("23.227.202.14","72.62.185.31","193.187.148.169")

    Detection Query 4:

    sender IN ("dubravka.jovanovic2024@proton.me","a.matti444@proton.me","TeoAbarquero@tutamail.com","UffeTroelsen@atomicmail.io") or recipient IN ("dubravka.jovanovic2024@proton.me","a.matti444@proton.me","TeoAbarquero@tutamail.com","UffeTroelsen@atomicmail.io") or From IN ("dubravka.jovanovic2024@proton.me","a.matti444@proton.me","TeoAbarquero@tutamail.com","UffeTroelsen@atomicmail.io")

    Detection Query 5:

    resourcename = "Windows Security" and eventtype = "4663" and objectname IN (
        "%appdata%\Microsoft\Office\databackup.ini",
        "%appdata%\Microsoft\Outlook\VbaProject.OTM",
        "%appdata%\Microsoft\Office\VbaProject.OTM",
        "C:\ProgramData\izjava o opterecenju zarade preko pola ovjerena - ivan simovic.pdf",
        "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\EHygbjYHlw.vbs",
        "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\FYfnahVXea.vbs",
        "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\1.vbs",
        "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\2.vbs",
        "C:\ProgramData\UGOVORCI FEBRUAR.docx",
        "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\outlook.vbs",
        "C:\ProgramData\testtemp.ini",
        "%Temp%\Test",
        "%temp%\DEFAULT-786XQ7W-20251022-2145.log",
        "%temp%\DEFAULT-3Q7J61W-20251101-1045.log",
        "%programdata%\USOShared\Logs\User\adwapi64.dll",
        "%programdata%\Microsoft\DeviceSync\8acd6e71-bf10-4800-aeee-7de00edc9781\background.png",
        "%PROGRAMDATA%\USOPublic\Data\User\EhStoreShell.dll",
        "%PROGRAMDATA%\Microsoft OneDrive\setup\Cache\SplashScreen.png",
        "%TEMP%\Diagnostics\office.xml",
        "EhStoreShell.dll","SplashScreen.png","SimpleDropper.dll","office.xml")

    Detection Query 6:

    technologygroup = "EDR" and objectname IN (
        "%appdata%\Microsoft\Office\databackup.ini",
        "%appdata%\Microsoft\Outlook\VbaProject.OTM",
        "%appdata%\Microsoft\Office\VbaProject.OTM",
        "C:\ProgramData\izjava o opterecenju zarade preko pola ovjerena - ivan simovic.pdf",
        "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\EHygbjYHlw.vbs",
        "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\FYfnahVXea.vbs",
        "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\1.vbs",
        "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\2.vbs",
        "C:\ProgramData\UGOVORCI FEBRUAR.docx",
        "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\outlook.vbs",
        "C:\ProgramData\testtemp.ini",
        "%Temp%\Test",
        "%temp%\DEFAULT-786XQ7W-20251022-2145.log",
        "%temp%\DEFAULT-3Q7J61W-20251101-1045.log",
        "%programdata%\USOShared\Logs\User\adwapi64.dll",
        "%programdata%\Microsoft\DeviceSync\8acd6e71-bf10-4800-aeee-7de00edc9781\background.png",
        "%PROGRAMDATA%\USOPublic\Data\User\EhStoreShell.dll",
        "%PROGRAMDATA%\Microsoft OneDrive\setup\Cache\SplashScreen.png",
        "%TEMP%\Diagnostics\office.xml",
        "EhStoreShell.dll","SplashScreen.png","SimpleDropper.dll","office.xml")

    Detection Query 7:

    subject IN ("Daily Report","Elektronska posta - dostavljeno","Elektronska posta je zasticena sistemom zastite","Dostavljam za informaciju za taj dan")

    Detection Query 8:

    resourcename = "Windows Security" and eventtype = "4657" and objectname IN ("HKCU\Software\Classes\CLSID\{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}")

    Detection Query 9:

    technologygroup = "EDR" and objectname IN ("HKCU\Software\Classes\CLSID\{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}")

    Detection Query 10:

    resourcename = "Windows Security" and eventtype = "4698" and taskname like "OneDriveHealth"

    Detection Query 11:

    technologygroup = "EDR" and taskname like "OneDriveHealth"
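    The SIEM queries above depend on Security and EDR telemetry already being collected. As an added host-side check (example code written for this page, not from the advisory, Gurucul or Trend Micro), the following PowerShell looks on a single machine for the same persistence artifacts: the per-user CLSID key that COM hijacking abuses, the OneDriveHealth scheduled task, Startup-folder .vbs launchers and the dropped component paths. It assumes Windows PowerShell 5.1 or later, that it runs as the user whose HKCU hive is of interest, and that the hijacked CLSID's server path is the default value of its subkeys; it expands environment variables per host, since the literal "%appdata%" strings used in the queries never appear in real 4663 object names.

```powershell
# Added example: read-only hunt for the PRISMEX artifacts named in this advisory.
# Nothing is deleted or changed; findings are returned as objects for triage.
$Findings = @()

# 1. COM hijack: a CLSID registered under HKCU shadows the machine-wide HKLM class,
#    so any presence of this key in the user hive is suspicious in itself.
$Clsid   = '{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}'
$UserKey = "HKCU:\Software\Classes\CLSID\$Clsid"
if (Test-Path -LiteralPath $UserKey) {
    # Assumption: the server (DLL) path is the default value of a subkey such as InprocServer32.
    $Server = Get-ChildItem -LiteralPath $UserKey -ErrorAction SilentlyContinue |
              ForEach-Object { (Get-ItemProperty -LiteralPath $_.PSPath).'(default)' }
    $Findings += [pscustomobject]@{ Artifact = 'COM hijack CLSID'; Detail = "$UserKey -> $($Server -join '; ')" }
}

# 2. Scheduled task named in the IOC list; record what it actually launches.
$Task = Get-ScheduledTask -TaskName 'OneDriveHealth' -ErrorAction SilentlyContinue
if ($Task) {
    $Action = ($Task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
    $Findings += [pscustomobject]@{ Artifact = 'Scheduled task'; Detail = "OneDriveHealth -> $Action" }
}

# 3. Startup-folder VBS launchers. The advisory lists specific names (1.vbs, 2.vbs,
#    outlook.vbs, ...), but any .vbs in the per-user Startup folder deserves a look.
$Startup = [Environment]::GetFolderPath('Startup')
Get-ChildItem -LiteralPath $Startup -Filter '*.vbs' -ErrorAction SilentlyContinue | ForEach-Object {
    $Findings += [pscustomobject]@{ Artifact = 'Startup VBS'; Detail = $_.FullName }
}

# 4. Dropped components at the paths the queries list, expanded for this host.
#    Some names (e.g. SplashScreen.png) can exist legitimately, so the SHA256 is
#    recorded for comparison rather than treated as proof on its own.
$Paths = @(
    "$env:ProgramData\USOShared\Logs\User\adwapi64.dll",
    "$env:ProgramData\USOPublic\Data\User\EhStoreShell.dll",
    "$env:ProgramData\Microsoft OneDrive\setup\Cache\SplashScreen.png",
    "$env:TEMP\Diagnostics\office.xml",
    "$env:APPDATA\Microsoft\Office\databackup.ini",
    "$env:ProgramData\testtemp.ini"
)
foreach ($p in $Paths) {
    if (Test-Path -LiteralPath $p -PathType Leaf) {
        $h = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        $Findings += [pscustomobject]@{ Artifact = 'Dropped file'; Detail = "$p (SHA256 $h)" }
    }
}

if ($Findings.Count -gt 0) { $Findings | Format-Table -AutoSize } else { 'No PRISMEX artifacts found on this host.' }
```

Run it in an elevated session only if the user hive of interest is the current one; for other users, load their hive or run under their context, because HKCU is per user.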

    Reference:

    https://www.trendmicro.com/en_us/research/26/c/pawn-storm-targets-govt-infra.html


    Tags

    Malware, Vulnerability, Government Services and Facilities, Critical Infrastructure, APT, Ukraine, Steganography, CVE-2026, Exploit, Russia, Supply chain attack, Zero-day
