
APT28 Deploys PRISMEX Against EU Defence Supply Chains: Anatomy of an Eleven-Day Zero-Day Window

PRISMEX combines steganography, COM hijacking and cloud-based C2 to map — and potentially sabotage — the logistics infrastructure keeping Ukraine armed.

In January 2026, Trend Micro researchers tracking Russia-linked APT28 — also known as Pawn Storm, Fancy Bear, and STRONTIUM — confirmed a new campaign deploying PRISMEX, a modular malware suite, against government ministries, defence contractors, and rail logistics operators across six EU member states. The campaign exploited CVE-2026-21513, a Windows LNK parsing zero-day, for eleven days before Microsoft published an emergency patch on 10 February 2026. That eleven-day window is not an anomaly — it is a deliberate operational tempo, one that Swiss organisations adjacent to EU defence supply chains can no longer treat as a distant concern.

The Eleven-Day Window: How CVE-2026-21513 Was Weaponised

A malicious LNK exploit sample attributed to APT28 appeared on VirusTotal on 30 January 2026. Microsoft's patch arrived eleven days later. During that window, PRISMEX-laced spear-phishing emails circulated through defence ministry distribution lists, logistics coordination platforms, and government contractor mailboxes in Poland, Romania, Slovenia, Turkey, Slovakia, and the Czech Republic.

CVE-2026-21513 abuses the way Windows Shell parses LNK files: in specific Explorer configurations — including thumbnail preview panes — the exploit can trigger payload execution without a user double-click. This zero-interaction path significantly lowered the bar for mass exploitation within targeted organisations. APT28 has a documented history of stockpiling Windows LNK zero-days; CVE-2017-8464 was weaponised by the same group nearly a decade ago and the tactical playbook has not fundamentally changed.

What has changed is the payload. PRISMEX is not a single implant. It is a suite of interconnected components designed to evade detection at every layer of the kill chain.

PRISMEX: Architecture of a Modular Threat

Trend Micro's analysis identifies three primary PRISMEX components that operate in sequence. The initial loader retrieves an encrypted payload embedded in PNG or JPEG images hosted on legitimate content delivery networks — a steganography technique that renders the malicious traffic indistinguishable from routine web browsing at the network layer. Standard proxy and DLP controls inspecting URLs or file types will not catch it.

Persistence is established through COM object hijacking in the HKCU registry hive. Because HKCU writes require no elevated privileges and many EDR policies focus on HKLM modifications, PRISMEX achieves boot-persistent access without triggering UAC prompts or high-severity alerts. In testing environments, standard Defender for Endpoint configurations did not alert on PRISMEX's persistence mechanism prior to the February 10 signature update.
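The HKCU COM audit that this persistence mechanism calls for (and that the takeaway list below recommends), written as an added example rather than tooling from Trend Micro or the article's sources; it assumes PowerShell 5.1 or later on the endpoint and treats %USERPROFILE%, C:\ProgramData and C:\Users\Public as the user-writable roots:

```powershell
# Added example for triage; not a tool from Trend Micro or the article's sources.
# Walks per-user COM registrations (HKCU, plus the WOW6432Node view on 64-bit) and
# reports in-process servers whose DLL lives in a user-writable location, the
# persistence pattern described above. Hits are leads, not verdicts: per-user
# installers (ClickOnce apps, some collaboration clients) also register here.
$userWritableRoots = @($env:USERPROFILE, 'C:\ProgramData', 'C:\Users\Public') |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

function Get-UserWritableComServers {
    $roots = 'HKCU:\Software\Classes\CLSID', 'HKCU:\Software\Classes\WOW6432Node\CLSID'
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($clsidKey in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $serverKey = Join-Path $clsidKey.PSPath 'InprocServer32'
            if (-not (Test-Path $serverKey)) { continue }
            $raw = (Get-ItemProperty -Path $serverKey -ErrorAction SilentlyContinue).'(default)'
            if (-not $raw) { continue }
            # Expand %LOCALAPPDATA%-style references and strip quotes before comparing.
            $target = [Environment]::ExpandEnvironmentVariables($raw).Trim('"')
            $writable = $userWritableRoots | Where-Object { $target.StartsWith($_, 'OrdinalIgnoreCase') }
            if (-not $writable) { continue }
            # A per-user entry that also exists under HKLM is the classic hijack shape: the
            # merged HKCR view prefers HKCU\Software\Classes for non-elevated processes.
            $hklmKey = $clsidKey.PSPath -replace 'HKEY_CURRENT_USER', 'HKEY_LOCAL_MACHINE'
            [PSCustomObject]@{
                CLSID       = $clsidKey.PSChildName
                Hive        = $root
                Target      = $target
                ShadowsHKLM = [bool](Test-Path $hklmKey)
                FileExists  = [bool](Test-Path -LiteralPath $target)
            }
        }
    }
}

Get-UserWritableComServers | Sort-Object ShadowsHKLM -Descending | Format-Table -AutoSize
```

HKCU: is only the hive of the account running the script; to cover every profile on a host, repeat the walk against Registry::HKEY_USERS\<SID>\Software\Classes\CLSID (loading offline profile hives where needed) and diff each host's output against a known-good baseline rather than reading a single run in isolation.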

Command and control is routed through Microsoft OneDrive and Google Drive APIs. Operators issue commands by writing files to cloud storage; the implant polls for updates and exfiltrates data through the same channel. From a network monitoring perspective, this traffic is functionally identical to a user syncing documents — legitimate TLS to Microsoft or Google infrastructure with no anomalous domain, no unusual port, no self-signed certificate.

In at least one confirmed October 2025 intrusion, the COVENANT Grunt payload delivered via PRISMEX was found to carry a destructive wiper function targeting everything under %USERPROFILE%. The dual espionage-and-sabotage capability distinguishes this campaign from pure intelligence-gathering operations and raises the incident severity classification for affected organisations significantly.

Geographic Targeting and the Swiss Exposure Surface

Switzerland is not named as a direct target in Trend Micro's or SecurityAffairs' reporting. It does not need to be. The targeting logic of PRISMEX — defence supply chain, logistics coordination, dual-use technology — maps precisely onto Swiss industry's EU relationships.

Swiss precision manufacturers supply components to defence contractors in Poland, the Czech Republic, and Romania. Swiss financial institutions process payments for procurement programmes that flow through the targeted countries. Swiss logistics firms clearing customs for dual-use goods interact operationally with the rail and maritime operators explicitly named in PRISMEX campaign reporting. The attack surface is not Switzerland's government networks — it is the business-to-business interfaces that connect Swiss enterprises to the EU defence ecosystem.

As of publication, Switzerland's BACS (Bundesamt für Cybersicherheit, formerly NCSC) has not issued a specific advisory for PRISMEX. Organisations should not interpret this absence as an all-clear signal; BACS advisories typically follow confirmed domestic incidents, not campaign exposure assessments.

Detection Gaps and Why Standard EDR Misses PRISMEX

Four detection failures account for most of PRISMEX's operational effectiveness. Cloud C2 traffic to OneDrive and Google Drive is structurally indistinguishable from legitimate SaaS usage without behavioural baselines correlating cloud API calls to process lineage. COM hijacks in HKCU fall below the alert threshold of many EDR policies tuned to catch elevated-privilege persistence. Steganographic payload retrieval shows up in proxy logs as image downloads from CDNs — the correct file type, the correct MIME type, the wrong content. And the eleven-day patch gap means that signature-based detection was simply unavailable during the most active exploitation period.

The implication is that detection for PRISMEX requires behavioural investment: process-to-cloud API correlation, HKCU COM enumeration baselines, and outbound traffic anomaly detection that does not rely on domain reputation.
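The process-to-cloud API correlation described here and in the cloud C2 section above, as an added example that is not part of Trend Micro's analysis or any vendor product; it assumes records shaped like Sysmon Event ID 3 (network connection) and a site-specific allow-list of processes that legitimately reach Drive APIs, and the sample records are constructed:

```powershell
# Added example (not from Trend Micro's analysis or any vendor product): flag Drive API
# connections from processes outside the site's known browsers and sync clients.
# Records are shaped like Sysmon Event ID 3 fields (UtcTime, User, Image, DestinationHostname).
$driveApiHosts = @('graph.microsoft.com', 'api.onedrive.com', 'onedrive.live.com',
                   'www.googleapis.com', 'drive.google.com')
# Behavioural baseline: processes that legitimately talk to these hosts (assumed list; derive
# yours from 30+ days of telemetry rather than copying this one).
$knownCloudClients = @('onedrive.exe', 'googledrivefs.exe', 'msedge.exe',
                       'chrome.exe', 'firefox.exe', 'outlook.exe', 'ms-teams.exe')

function Find-UnexpectedDriveApiClients {
    param([Parameter(ValueFromPipeline = $true)] $Event)
    process {
        $dest  = ([string]$Event.DestinationHostname).ToLowerInvariant()
        $image = [IO.Path]::GetFileName($Event.Image).ToLowerInvariant()
        # Match the API host exactly or as a subdomain of it.
        $hit = $driveApiHosts | Where-Object { $dest -eq $_ -or $dest.EndsWith(".$_") }
        if ($hit -and $knownCloudClients -notcontains $image) {
            [PSCustomObject]@{
                UtcTime     = $Event.UtcTime
                User        = $Event.User
                Image       = $Event.Image
                Destination = $dest
                Reason      = 'Drive API traffic from a process with no cloud-access baseline'
            }
        }
    }
}

# Constructed sample records. The last one stands in for the article's pattern: code loaded
# via a hijacked per-user COM class running inside a host process that never talks to Drive APIs.
$sample = @(
    [PSCustomObject]@{ UtcTime = '2026-02-03 08:14:02'; User = 'CORP\jdoe'
                       Image = 'C:\Program Files\Microsoft OneDrive\OneDrive.exe'
                       DestinationHostname = 'graph.microsoft.com' }
    [PSCustomObject]@{ UtcTime = '2026-02-03 08:15:10'; User = 'CORP\jdoe'
                       Image = 'C:\Program Files\Google\Chrome\Application\chrome.exe'
                       DestinationHostname = 'drive.google.com' }
    [PSCustomObject]@{ UtcTime = '2026-02-03 08:16:41'; User = 'CORP\jdoe'
                       Image = 'C:\Windows\explorer.exe'
                       DestinationHostname = 'graph.microsoft.com' }
)
$sample | Find-UnexpectedDriveApiClients | Format-Table -AutoSize
```

Sysmon fills DestinationHostname from reverse DNS, which is often empty or generic for CDN-fronted endpoints; in production, key the same logic on proxy or firewall SNI fields, or join Sysmon Event ID 22 (DNS query) to Event ID 3 by ProcessGuid, so the match is made on the name the process actually asked for.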

◆ Key Takeaway

PRISMEX's use of legitimate cloud infrastructure for C2 and user-space persistence means perimeter-focused detection fails by design. Swiss organisations with supply-chain links to EU defence contractors must instrument cloud egress traffic at the behavioural level — not the signature level — and treat the eleven-day patch-gap model as the new normal for state-sponsored zero-day exploitation.

  • Apply the Microsoft patch for CVE-2026-21513 immediately if not already deployed; verify patch compliance across all Windows endpoints including OT jump servers and remote access workstations.
  • Audit HKCU COM object registrations across your endpoint fleet — anomalous CLSIDs pointing to DLLs in user-writable paths are a primary PRISMEX persistence indicator detectable with standard registry auditing tools.
  • Implement behavioural baselines for OneDrive and Google Drive API traffic; alert on Drive API calls originating from non-browser processes or processes with no established cloud-access history.
  • Classify your organisation's exposure to EU defence supply chains — direct supplier relationships, shared logistics platforms, payment processing for procurement programmes — and treat those interfaces as elevated-risk attack surface requiring enhanced monitoring.
  • Simulate APT28-style lures in phishing awareness exercises: PRISMEX campaigns use logistics documents, procurement confirmations, and defence ministry correspondence as social engineering material — generic phishing tests will not build the relevant detection muscle.
  • Subscribe to BACS threat feeds and cross-reference with ENISA's threat landscape reports; establish a process to act on campaign disclosures within 24 hours rather than waiting for domestic-incident confirmation.

PRISMEX is not a campaign that concludes when political pressure on Russia eases. APT28 has operated against Western infrastructure continuously since at least 2007, adapting its tooling after each public exposure. The modular architecture of PRISMEX — where individual components can be swapped out post-detection — means organisations that have deployed indicators of compromise from current reporting should expect variant activity within weeks. The deeper lesson is not about this specific malware family but about the systematic way Russian intelligence services have learned to weaponise the trust relationships built into everyday cloud infrastructure. Defending against that requires rethinking what "normal" cloud traffic looks like from the inside out.