{"id":60376,"date":"2026-03-26T00:00:00","date_gmt":"2026-03-26T00:00:00","guid":{"rendered":"urn:uuid:37b12a6b-9e12-4a63-a80b-f1c8c060ee76"},"modified":"2026-03-26T00:00:00","modified_gmt":"2026-03-26T00:00:00","slug":"pawn-storm-campaign-deploys-prismex-targets-government-and-critical-infrastructure-entities","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/pawn-storm-campaign-deploys-prismex-targets-government-and-critical-infrastructure-entities\/","title":{"rendered":"Pawn Storm Campaign Deploys PRISMEX, Targets Government and Critical Infrastructure Entities"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/pawn-storm-malware:Large?qlt=80\"><\/p>\n<div><img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/26\/c\/pawn-storm-malware.jpg\" class=\"ff-og-image-inserted\"><\/div>\n<p><span class=\"body-subhead-title\">Attribution analysis\u202f<\/span><\/p>\n<p>Based on technical artifacts, infrastructure overlaps, and victimology, TrendAI\u2122 Research attributes this campaign to\u202fPawn Storm with\u202fhigh confidence. 
This assessment is significantly bolstered by threat hunting data and internal telemetry that correlates the PRISMEX components with specific\u202fprevious\u202foperations\u202fmonitored\u202fby\u202fTrendAI\u2122.\u202f<\/p>\n<p>This attribution applies\u202fthe threat attribution framework of TrendAI\u2122, which uses an adapted version of the Diamond Model to anchor observations across four interdependent nodes (adversary, capability, infrastructure, and victim), an evidence-based scoring system to measure the strength of each piece of information, and Analysis of Competing Hypotheses (ACH) to test conclusions against alternative explanations.<\/p>\n<p>For details on our\u202fmethodology, see\u202f<a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/cybercrime-and-digital-threats\/threat-attribution-framework-how-trendai-applies-structure-over-speculation\">Threat Attribution Framework: How TrendAI\u2122 Applies Structure Over Speculation<\/a>.\u202f<\/p>\n<p><b>Capability node\u202f<\/b><\/p>\n<p>Custom tooling requires development effort and often persists across campaigns, making it a strong indicator of actor capability:\u202f<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Identical steganography algorithm: <span>The &#8220;Bit Plane Round Robin&#8221; implementation is functionally identical across the October 2025 and January 2026 campaigns. This unique algorithm has not been\u202fobserved\u202fin any other\u202fthreat\u202factor&#8217;s toolkit.\u202f<\/span><\/span><\/li>\n<li><span class=\"rte-red-bullet\">MiniDoor\/NotDoor\u202flineage: <span>According to Zscaler\u202fThreatLabz, the\u202fMiniDoor\u202fbackdoor deployed in this campaign is a variant of\u202fNotDoor,\u202fdemonstrating\u202fcontinuity in malware development. 
This assessment aligns with our own analysis of the malware lineage.\u202f<\/span><\/span><\/li>\n<li><span class=\"rte-red-bullet\">Covenant Grunt Deployment: <span>The use of the Covenant C2 framework with identical configuration patterns links these campaigns.<\/span><\/span><\/li>\n<li><span class=\"rte-red-bullet\">COM Hijacking persistence: <span>The use of COM DLL hijacking for persistence is a documented Pawn Storm TTP.\u202f<\/span><\/span><\/li>\n<\/ul>\n<p><b>Infrastructure node\u202f<\/b><\/p>\n<p>Infrastructure choices that persist over time carry more weight than disposable indicators:\u202f<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Filen.io abuse pattern: <span>The abuse of Filen.io with a specific 24-domain redundancy structure is consistent across campaigns.\u202f<\/span><\/span><\/li>\n<li><span class=\"rte-red-bullet\">Infrastructure pre-positioning: <span>Domain registration two weeks before vulnerability disclosure\u202findicates\u202fadvance planning capabilities.\u202f<\/span><\/span><\/li>\n<li><span class=\"rte-red-bullet\">CVE-2026-21513 infrastructure overlap: <span>The exploit sample uses the same infrastructure as the CVE-2026-21509 campaign, providing corroboration.\u202f<\/span><\/span><\/li>\n<\/ul>\n<p><b>Adversary node\u202f<\/b><\/p>\n<p>Certain behaviors and operational patterns recur across campaigns:\u202f<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Working hours: <span>Malware compilation timestamps cluster between 07:00-17:00 UTC, consistent with Moscow time (UTC+3).\u202f<\/span><\/span><\/li>\n<li><span class=\"rte-red-bullet\">Rapid weaponization: <span>The campaign commenced almost immediately following CVE-2026-21509 patch availability, consistent with Pawn Storm&#8217;s known operational tempo. 
<\/span><\/span><\/li>\n<li><span class=\"rte-red-bullet\">Multi-language development: <span>The use of Go, .NET, and native code within single campaigns is a characteristic Pawn Storm pattern.\u202f<\/span><\/span><\/li>\n<li><span class=\"rte-red-bullet\">CVE-2026-21513 zero-day: <span>Exploited at least\u202f11 days\u202fbefore the February 10,\u202f2026\u202fpatch release.\u202f<\/span><\/span><\/li>\n<\/ul>\n<p><b>Victim node\u202f<\/b><\/p>\n<p>Repeated victim\u202fselection\u202freflects strategic intent:\u202f<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Victim profile alignment: <span>Ukrainian government and military, NATO\u202flogistics\u202finfrastructure, and humanitarian organizations supporting Ukraine align with Pawn Storm&#8217;s documented targeting history since 2014.\u202f<\/span><\/span><\/li>\n<li><span class=\"rte-red-bullet\">Regional presence: <span>The use of compromised accounts from law enforcement, parliamentary, and military education institutions in Romania and Slovakia\u202fdemonstrates\u202fthe actor&#8217;s established presence in these regions.\u202f<\/span><\/span><\/li>\n<\/ul>\n<p><b>Confidence assessment\u202f<\/b><\/p>\n<p>Evidence aligns across all four Diamond Model nodes. Alternative hypotheses, including false flag operations and tool sharing scenarios, were tested through ACH and found inconsistent with the totality of evidence. The unique steganography algorithm and\u202fMiniDoor\/NotDoor\u202fmalware lineage serve as primary attribution anchors, as these are not tools available on underground markets or shared between groups. 
This convergence of evidence across capability, infrastructure, adversary behavior, and victimology supports our high-confidence attribution to Pawn Storm.\u202f<\/p>\n<p><b>Strategic assessment\u202f<\/b><\/p>\n<p>The timing and targeting of these campaigns reflect a shift in Russian military intelligence priorities toward operational and tactical disruption of Ukrainian\u202flogistics, rather than purely strategic political intelligence.\u202f<\/p>\n<p><b>In the context of 2026\u202f<\/b><\/p>\n<p>As the geopolitical conflict between involved territories enters its\u202ffifth\u202fyear, the static nature of front lines has elevated the importance of ancillary support systems:\u202f<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Weather warfare: <span>Accurate hydrometeorological data is crucial for drone operability, artillery trajectory planning, and assessing ground trafficability during mud season. Compromising the national hydrometeorological service provides insight into Ukraine&#8217;s ability to conduct offensive maneuvers in specific windows.\u202f<\/span><\/span><\/li>\n<li><span class=\"rte-red-bullet\">Supply chain intelligence: <span>Targeting Polish rail infrastructure and Romanian\/Slovenian transport entities suggests intent to map, track, and potentially sabotage the flow of Western materiel into Ukraine.\u202f<\/span><\/span><\/li>\n<li><span class=\"rte-red-bullet\">Humanitarian disruption: <span>Targeting aid organizations may serve to gather intelligence on Western support efforts and disrupt the flow of humanitarian\u202fassistance.\u202f<\/span><\/span><\/li>\n<\/ul>\n<p><b>Potential for destructive operations\u202f<\/b><\/p>\n<p>The deployment of\u202fthe post-exploitation framework Covenant\u202fGrunt indicates\u202fintent to move laterally within compromised networks. 
Access to a rail\u202flogistics\u202fnetwork or a national weather service could be used not just for data theft, but as a beachhead for destructive attacks (which could include but is not limited to wiping servers or falsifying data) timed to coincide with kinetic military operations.\u202f<\/p>\n<p>TrendAI\u2122 Research analysis of the October 2025 campaign observed\u202fnot only information-gathering tasks but also a destructive wiper command that\u202fdeleted\u202fall files under %USERPROFILE%. This dual capability confirms that these campaigns may serve both espionage and sabotage\u202fobjectives.\u202f<\/p>\n<p><span class=\"body-subhead-title\">Conclusion and risk management guidance\u202f<\/span><\/p>\n<p>The PRISMEX components\u202frepresent\u202fa capable and stealthy addition to Pawn Storm&#8217;s arsenal.\u202fBy combining zero-day exploitation (CVE-2026-21513) with rapid weaponization of newly disclosed vulnerabilities (CVE-2026-21509), valid cloud infrastructure, and unique steganography, the actor has\u202fdemonstrated\u202fa continued ability to evolve. The strategic focus on\u202ftargeting the supply chains, weather services, and humanitarian corridors supporting Ukraine\u202frepresents a shift toward operational disruption that may presage more destructive activities.\u202f<\/p>\n<p>The technical links between the PRISMEX components and previous campaigns demonstrate\u202fthe\u202fthreat\u202factor&#8217;s continuous development cycle and modular approach to capability building. Organizations in the targeted geographic and industry sectors should consider themselves at elevated risk and implement the countermeasures detailed above\u202fimmediately.\u202f<\/p>\n<p>The use of newly disclosed vulnerabilities and legitimate cloud services makes detection challenging. 
Defenders must adopt an &#8220;assume\u202fbreach&#8221; mentality and focus on behavioral anomalies rather than just static indicators.\u202f<\/p>\n<p><b>Immediate mitigations\u202f<\/b><\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Patching:\u202f<span>Prioritize the remediation of\u202fboth\u202fCVE-2026-21509\u202fand CVE-2026-21513\u202facross the entire fleet\u202fimmediately.\u202fEnsure Microsoft Office and Windows are updated to the latest builds.\u202f<\/span><\/span><\/li>\n<li><span class=\"rte-red-bullet\">Network blocking: <span>Review and restrict access to non-business-essential cloud storage services at the perimeter\u202ffirewall\u202fand web proxy. Organizations should\u202fmaintain\u202fan allowlist of approved cloud storage platforms and block unauthorized file-sharing services that lack verified business justification.\u202f<\/span><\/span><\/li>\n<li><span class=\"rte-red-bullet\">Attack surface reduction: <span>Disable the <i>Shell.Explorer.1<\/i> COM object via registry keys if patching is not\u202fimmediately\u202ffeasible.\u202f<\/span><\/span><\/li>\n<li><span class=\"rte-red-bullet\">Macro restrictions: <span>Enforce policies blocking macro execution for Office files from the Internet (Mark of the Web).\u202f<\/span><\/span><\/li>\n<\/ul>\n<p><b>Detection and hunting\u202f<\/b><\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Registry: <span>Audit <i>HKCU\\Software\\Classes\\CLSID<\/i> for user-registered COM objects pointing to <i>%PROGRAMDATA%<\/i> or <i>%TEMP%<\/i>.\u202f<\/span><\/span><\/li>\n<li><span class=\"rte-red-bullet\">CLR monitoring: <span>Monitor for unusual CLR initialization patterns in non-.NET native processes, particularly <i>explorer.exe<\/i> loading <i>clr.dll<\/i> or <i>mscorlib.dll<\/i> unexpectedly.\u202f<\/span><\/span><\/li>\n<li><span class=\"rte-red-bullet\">ETW logging: <span>Enable the\u202fMicrosoft-Windows-DotNETRuntime\u202fETW provider to detect assembly loads from byte arrays rather than file 
paths.\u202f<\/span><\/span><\/li>\n<\/ul>\n<p><b>Email security\u202f<\/b><\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Implement strict attachment filtering for RTF documents.\u202f<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Enable enhanced logging for Outlook VBA macro execution.\u202f<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Monitor for unusual patterns in email deletion (rapid move to Deleted Items followed by permanent deletion).\u202f<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Audit Outlook VBA projects for unauthorized modifications.\u202f<\/span><\/li>\n<\/ul>\n<p><span class=\"body-subhead-title\">Proactive security with TrendAI Vision One\u2122<\/span><\/p>\n<p><a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/one-platform.html\">TrendAI Vision One\u2122<\/a> is the industry-leading AI cybersecurity platform that centralizes cyber risk exposure management, security operations, and robust layered protection.<\/p>\n<p><b>TrendAI Vision One\u2122 Threat Intelligence Hub<\/b><\/p>\n<p><a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/threat-intelligence.html\">TrendAI Vision One\u2122 Threat Intelligence Hub<\/a> provides the latest insights on emerging threats and threat actors, exclusive strategic reports from TrendAI\u2122 Research, and TrendAI Vision One\u2122 Threat Intelligence Feed in the TrendAI Vision One\u2122 platform.<\/p>\n<p><span class=\"rte-red-bullet\"><b>TrendAI Vision One\u2122 Intelligence Reports (IOC Sweeping)\u202f<\/b><\/span><\/p>\n<p><span class=\"rte-red-bullet\"><span>Intelligence Reports for Pawn Storm can be accessed <a href=\"https:\/\/portal.xdr.trendmicro.com\/index.html#\/app\/ti\/intelligence?intrusionSet=Pawn%20Storm\">here<\/a>.<\/span><\/span><\/p>\n<p><b>Hunting Queries\u202f<\/b><\/p>\n<p><b><i>TrendAI Vision One\u2122 Search App\u202f<\/i><\/b><\/p>\n<p>Hunting queries are available for TrendAI Vision One\u2122 with\u202fThreat Intelligence Hub entitlement 
enabled.\u202f<\/p>\n<p><span class=\"body-subhead-title\">Indicators of Compromise (IoCs)<\/span><\/p>\n<p>The IoC list can be found in this <a href=\"https:\/\/documents.trendmicro.com\/assets\/txt\/Pawn%20Storm%20Deploys%20PRISMA%20IOCs-xQ48S7H.txt\">link<\/a>.<\/p>\n<p> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/26\/c\/pawn-storm-targets-govt-infra.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>This blog discusses the steganography, cloud abuse, and email-based backdoors\u202fused against the\u202fUkrainian\u202fdefense supply chain\u202fin the latest Pawn Storm campaign that TrendAI\u2122 Research observed and analyzed. Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9546,9510,9511,9534,9509],"class_list":["post-60376","post","type-post","status-publish","format-standard","hentry","category-trendmicro","tag-trend-micro-research-apttargeted-attacks","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-cyber-threats","tag-trend-micro-research-latest-news","tag-trend-micro-research-research"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v26.8 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Pawn Storm Campaign Deploys PRISMEX, Targets Government and Critical Infrastructure Entities 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/pawn-storm-campaign-deploys-prismex-targets-government-and-critical-infrastructure-entities\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Pawn Storm Campaign Deploys PRISMEX, Targets Government and Critical Infrastructure Entities 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/pawn-storm-campaign-deploys-prismex-targets-government-and-critical-infrastructure-entities\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2026-03-26T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/pawn-storm-malware:Large?qlt=80\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/pawn-storm-campaign-deploys-prismex-targets-government-and-critical-infrastructure-entities\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/pawn-storm-campaign-deploys-prismex-targets-government-and-critical-infrastructure-entities\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Pawn Storm Campaign Deploys PRISMEX, Targets Government and Critical Infrastructure Entities\",\"datePublished\":\"2026-03-26T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/pawn-storm-campaign-deploys-prismex-targets-government-and-critical-infrastructure-entities\/\"},\"wordCount\":1245,\"publisher\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/pawn-storm-campaign-deploys-prismex-targets-government-and-critical-infrastructure-entities\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/pawn-storm-malware:Large?qlt=80\",\"keywords\":[\"Trend Micro Research : APT&amp;Targeted Attacks\",\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Cyber Threats\",\"Trend Micro Research : Latest News\",\"Trend Micro Research : Research\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/pawn-storm-campaign-deploys-prismex-targets-government-and-critical-infrastructure-entities\/\",\"url\":\"https:\/\/www.threatshub.org\/blog\/pawn-storm-campaign-deploys-prismex-targets-government-and-critical-infrastructure-entities\/\",\"name\":\"Pawn Storm Campaign Deploys 
PRISMEX, Targets Government and Critical Infrastructure Entities 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/pawn-storm-campaign-deploys-prismex-targets-government-and-critical-infrastructure-entities\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/pawn-storm-campaign-deploys-prismex-targets-government-and-critical-infrastructure-entities\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/pawn-storm-malware:Large?qlt=80\",\"datePublished\":\"2026-03-26T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/pawn-storm-campaign-deploys-prismex-targets-government-and-critical-infrastructure-entities\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.threatshub.org\/blog\/pawn-storm-campaign-deploys-prismex-targets-government-and-critical-infrastructure-entities\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/pawn-storm-campaign-deploys-prismex-targets-government-and-critical-infrastructure-entities\/#primaryimage\",\"url\":\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/pawn-storm-malware:Large?qlt=80\",\"contentUrl\":\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/pawn-storm-malware:Large?qlt=80\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/pawn-storm-campaign-deploys-prismex-targets-government-and-critical-infrastructure-entities\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.threatshub.org\/blog\/\"},{\"@type\":\"ListItem\",\"po
sition\":2,\"name\":\"Trend Micro Research : APT&amp;Targeted Attacks\",\"item\":\"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-apttargeted-attacks\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Pawn Storm Campaign Deploys PRISMEX, Targets Government and Critical Infrastructure Entities\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#website\",\"url\":\"https:\/\/www.threatshub.org\/blog\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence 
Platform\",\"publisher\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\/\/www.threatshub.org\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/x.com\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/60376","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=60376"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/60376\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=60376"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=60376"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=60376"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}