Pawn Storm Deploys PRISMA: A Multi-Stage Espionage Campaign Targeting Ukraine and NATO Allies Type  IoC  file_hash_sha256  5a88a15a1d764e635462f78a0cd958b17e6d22c716740febc114a408eef66705  file_hash_sha256  cbea5c7d71a5a6cb9153b00d2d27e6a3579004c27f5e817f317eeebdce7f805f  file_hash_sha256  c87be2f30cc974d0859526b9dd104e015f0e5d04bc43198305537f276705691e  file_hash_sha256  57357655a62e3a8b1f4b78e1d3ed7e0f6d59a9bac213087294f91bb7847b2a8f  file_hash_sha256  92a56faf6eccfad8281213393fad584cbd7b9e04db875dfb8fc01e1dbf4cbdd1  file_hash_sha256  de2b24d08e795ad9cdd1b74882a3626febefadafaf8ff0ae76cba16dcaa0f8bc  file_hash_sha256  71ef7438d785f3102735ed9d9233ac366507c82fc4fac4de88f687a105c84df6  file_hash_sha256  dbf33417e40f0fe8078a11d81f7d323bfed1912f5cb62d765c1be72561474659  file_hash_sha256  ffca9d56feb5ec8844b42f513cecd67a554a2ddb3408dbc6942e2fd60453aee1  file_hash_sha256  4f6aa45f2ead7ddb6a81f4a2b9745f8ec117d96971d4d80bb06f3ec3db5951da  file_hash_sha256  a848d48c79b77753a876d876baa3e802a5a37be37e7a772ddbd9a266cd1796ac  file_hash_sha256  36f5e04213d446c4208864f32a6af18d5184bbbb628808ef0a876ea6c31ea0b3  file_hash_sha256  e3f9519a21a16ff2c8f989034e47fbc91a2d019e09a1d7d17ff751e52a09d15b  file_hash_sha256  8f4bca3c62268fff0458322d111a511e0bcfba255d5ab78c45973bd293379901  file_hash_sha256  bb309ed228f97f3cf864ea89fa502f43214af4fb4b98d78837e42c4a4940b5f9  file_hash_sha256  970e68e8b68e0c5f3f18cd55e0c82304e81547f8ebf349390db1c8a0681699fa  file_hash_sha256  92697d518e72a30800e96b63cf875573bd536c9b993d22014238f6a9f0e19e0f  file_hash_sha256  144bddb48890fa680dfd226e36c0ef2c6d6f98a365aea48399edd0d0388711a1  file_hash_sha256  9aa8b46d62eb426842b8ff0fc28e64719494f0f64d516253caa71a6fd86e9ad3  file_hash_sha256  0bb0d54033767f081cae775e3cf9ede7ae6bea75f35fbfb748ccba9325e28e5e  file_hash_sha256  2822c72a59b58c00fc088aa551cdeeb92ca10fd23e23745610ff207f53118db9  file_hash_sha256  3f446d316efe2514efd70c975d0c87e12357db9fca54a25834d60b28192c6a69  file_hash_sha256  
40c2e559992a7f595c593b419930a3f216516c3042ad86fb985348d53b6e01b9  file_hash_sha256  52b6fb40e7efb09c2bebe8550178e7e30009600bdedd1acae085d753761b7598  file_hash_sha256  5c2a2c49e200a2d048f477440da75ff4a99c676943f6f7cac1ce70190520f998  file_hash_sha256  7ccf7e8050c66eed69f35159042d8043032f8afe48ae1f51fce75ce2c51395f2  file_hash_sha256  8b0ab7f7f48bf847c3af570da7dd3e26eda9e4c4ab38e5f97a7cd09b8ace943a9 [note: this value is 65 hexadecimal characters, one more than a SHA-256 digest, and its last 21 characters match the end of the next entry; it looks malformed as listed, so confirm it against the publisher's original IoC list before matching on it]  file_hash_sha256  8c1dc9732884c6078b23953b78314a8d0d8b8d9fe42e5f97a7cd09b8ace943a9  file_hash_sha256  968756e62052f9af80934b599994addbab29f8dc2615c47cda512bae48771019  file_hash_sha256  9f4672c1374034ac4556264f0d4bf96ee242c0b5a9edaa4715b5e61fe8d55cc8  file_hash_sha256  a876f648991711e44a8dcf888a271880c6c930e5138f284cd6ca6128eca56ba1  file_hash_sha256  b7342b03d7642c894ebad639b9b53fd851d7958298f454283c18748051946585  file_hash_sha256  baad1153e58c86aa1dc9346cdd06be53b5dd2a6cf76202536d6721c934008f8e  file_hash_sha256  c4389cc34b672c4f885547f413bf38575e6ee2b23a0ddfdd306a69c1775db6fc  file_hash_sha256  d213b5079462e737eb940ac46c59e386eb6ca7f8decc95a594b3d8f3b6940010  file_hash_sha256  e792adf4dff54faca5b9f5b32c1a2df3a6a955e722f1be8df2451c03ed940e41  file_hash_sha256  ff310202cbff28b47f03b4b0129a5b925a4b7b065af002072a3796920720c34e  file_hash_sha256  aefd15e3c395edd16ede7685c6e97ca0350a702ee7c8585274b457166e86b1fa  file_hash_sha256  a1b86c8957f460b78d906e1bdede829c4f3b5500d6449e8eba3ae5c302be2b86   file_hash_sha256  64f2d135603220b47dd430be5e059dcedd80ad2bc3c17500816ec5d07e39d3d1   file_hash_sha256  8d09eb897f2bc98035ef88152e2b5d571a7b61878dd12b451e0437089487a417   file_hash_sha256  0148c79cdfb21d87731f8e45d38c27242863ec4ea9621c59e537f59ed501c119  file_hash_sha256  0366b9bc02b00fda8ea28929b7159a038a43da0aa0299b8279bffc2d7e73892a  file_hash_sha256  0ab301b3e43ac2394ec25c5d1caf79aa0785a2eaca801b0b1b6d4621f5e8c736  file_hash_sha256  948f109756cba0b01f11fd3db9c47a76125c4b1d9467ff1bd9c5013d214c933f  file_hash_sha256  
0db5bd9cb832618c60e0f3c0dfad719403473b85a82253dc0f6a8391800c0d0b  file_hash_sha256  ce2c475461d57f222a6aa22f49420f804a43c2eb29abf8553457a7d30f7cb024  file_hash_sha256  a95ee15e8ccf84521df2c80b1525fd89e205fc0280c3f6cbc24751080ea29206  file_hash_sha256  003cd35535ab9350a407a7dcd016c305fb8dbac03d41d5b7d3917c804b66dd2a  file_hash_sha256  ba01a2355414dfedda9ac5ce0d7a2d8edfb89ec3ae3e68fc81db035caa741854  file_hash_sha256  ea4679d1c05bef0c38b4d910a87f79070ca2e661779a255f523d57ef1921a1c7  file_hash_sha256  1565934e529b5a9b6af7e60800a91f7ac3a6ec2e24b4f6df0f808d253b45cf42  file_hash_sha256  3b411e9f282ba97feb56cb5a8bf3e9a1d1e9a5f8406e72213dfb140166a54012  file_hash_sha256  eb187ff574ab25dffa12dd05ff5f9716f4fc489e2de457c4a50aa0d3cb0f1479  file_hash_sha256  9dad95985eea3b299c387e663a6edfbbf057cc634f2ca99c410238480bcd4e17  file_hash_sha256  eec4122a1262579806888d8a6a215b333d5e4eec600b5caba91e187b7b468e22  file_hash_sha256  8858ee314c4db60a3f097ede38cbe64ce4e4b1e67041bad1e0580953011dfec1  file_hash_sha256  15b99e8b30ce0b57fe030243aa795b74b0d7dcd773f28f677f629f132bce1ff8  file_hash_sha256  8438a4cd675c81cefd6a8d96b9e48b2730cc9086b4c531883f966a8818cccbef  file_hash_sha256  1d27a5ca6703f6e757d30adc8d4d703c2e99316d1eaaaf5c68635c47e8e0396e  file_hash_sha256  d6b75d496e28692dd02c6336ac5c5a42ac88da7ad315d3e508963cf8d46926b3  file_hash_sha256  84464879c2ced71ff6a30277252af70a20e18c563b8e45f4a92e004f41fe3e01  file_hash_sha256  be859b4f4576ec09b69a2ef2d119939f7eb31de121aa01d38e1f0b2290f5a15e  file_hash_sha256  969d2776df0674a1cca0f74c2fccbc43802b4f2b62ecccecc26ed538e9565eae  file_hash_sha256  f7bda19543074c788c321aed42d955b4d50b7b0a2c3ca83b7f45b5e8b9a10491  file_hash_sha256  18f9c08e60bb88891f5bb5dd133ae804703c0797bebdde397c01513a67b86a1e  file_hash_sha256  5f397327aeb20718e364bef61e8bad507772708a7d1bf55d8b845170c69f3de0  file_hash_sha256  3cb09154a839a5de6e8ef4a04a933b7362afb56cdc4e91368b237e9bcb1cd7b9  file_hash_sha256  1ed863a32372160b3a25549aad25d48d5352d9b4f58d4339408c4eea69807f50  
file_hash_sha256  d944abab1481457eacf9f1d08f835980c2146ec91513e2eb94714c6abaec5f34  file_hash_sha256  5a17cfaea0cc3a82242fdd11b53140c0b56256d769b07c33757d61e0a0a6ec02  file_hash_sha256  b2ba51b4491da8604ff9410d6e004971e3cd9a321390d0258e294ac42010b546  file_hash_sha256  c91183175ce77360006f964841eb4048cf37cb82103f2573e262927be4c7607f  file_hash_sha256  fd3f13db41cd5b442fa26ba8bc0e9703ed243b3516374e3ef89be71cbf07436b  file_hash_sha256  e8889528e2114a700438f73da09449cfdde655a29da6794d0449b5e8aa4dbf2a  file_hash_sha256  f0d443055143cbd6bce8ef96b52d430e2db321b37b8b93a2a9d0354651702790  file_hash_sha256  14acfaca5fc59d5ee9592399e51636ec47fbea36623555635a1361fcd2f50dfa  file_hash_sha256  bbfd93dbf43236b7f64017ad20f72dd611de1acb4b15e02569e42887467b34d4  email_address  dubravka[.]jovanovic2024[@]proton[.]me  email_address  a[.]matti444[@]proton[.]me  email_address  TeoAbarquero[@]tutamail[.]com  email_address  UffeTroelsen[@]atomicmail[.]io  network_domain  dbca10b5-63e0-42ec-ad10-de13be96dc42[.]dnshook[.]site  network_domain  %username%dbca10b5-63e0-42ec-ad10-de13be96dc42[.]dnshook[.]site  network_domain  %username%[.]910cf351-a05d-4f67-ab8e-6f62cfa8e26d[.]dnshook[.]site  network_domain  filen[.]io  network_domain  freefoodaid[.]com  network_domain  longsauce[.]com  network_domain  wellnesscaremed[.]com  network_domain  wellnessmedcare[.]org  network_url  hxxp://webhook[.]site/910cf351-a05d-4f67-ab8e-6f62cfa8e26d?$env:USERNAME  network_url  hxxps://3008[.]filemail[.]com/api/file/get?filekey=6ir3NT7t9kNXSp3-IGKKYKDgHqEgyNauI3V4UhsSHWFdjK8qOr8rzQJ63avm4g  network_url  hxxps://gateway[.]filen[.]io  network_url  hxxps://gateway[.]filen[.]net  network_url  hxxps://gateway[.]filen-1[.]net  network_url  hxxps://gateway[.]filen-2[.]net  network_url  hxxps://gateway[.]filen-3[.]net  network_url  hxxps://gateway[.]filen-4[.]net  network_url  hxxps://gateway[.]filen-5[.]net  network_url  hxxps://gateway[.]filen-6[.]net  network_url  hxxps://egest[.]filen[.]io  network_url  
hxxps://egest[.]filen[.]net  network_url  hxxps://egest[.]filen-1[.]net  network_url  hxxps://egest[.]filen-2[.]net  network_url  hxxps://egest[.]filen-3[.]net  network_url  hxxps://egest[.]filen-4[.]net  network_url  hxxps://egest[.]filen-5[.]net  network_url  hxxps://egest[.]filen-6[.]net  network_url  hxxps://ingest[.]filen[.]io  network_url  hxxps://ingest[.]filen[.]net  network_url  hxxps://ingest[.]filen-1[.]net  network_url  hxxps://ingest[.]filen-2[.]net  network_url  hxxps://ingest[.]filen-3[.]net  network_url  hxxps://ingest[.]filen-4[.]net  network_url  hxxps://ingest[.]filen-5[.]net  network_url  hxxps://ingest[.]filen-6[.]net network_url  \\longsauce[.]com@SSL\DAv/DEFault/data[.]LnK?init=1  network_url  \\longsauce[.]com@SSL\davwwwroot\DAv/DEFault/data[.]LnK?init=1  network_url  file://wellnessmedcare[.]org@ssl/cz/Downloads/document[.]LnK?init=1  network_url  file://wellnessmedcare[.]org/davwwwroot/cz/Downloads/document[.]LnK?init=1  network_url  \\freefoodaid[.]com@SSL\tables\tables[.]lNk?init=1  network_url  \\freefoodaid[.]com@SSL\davwwwroot\tables\tables[.]lNk?init=1  network_url  file://wellnesscaremed[.]com@ssl/buch/Downloads/document[.]doc[.]LnK?init=1  network_url  file://wellnesscaremed[.]com/buch/Downloads/document[.]doc[.]LnK?init=1  network_url  file://freefoodaid[.]com@80/documents/2_2[.]lNk?init=1  network_url  file://freefoodaid[.]com/davwwwroot/documents/2_2[.]lNk?init=1  network_url  file://wellnesscaremed[.]com@ssl/venezia/Favorites/document[.]doc[.]LnK?init=1  network_url  file://wellnesscaremed[.]com/venezia/Favorites/document[.]doc[.]LnK?init=1  network_url  file://wellnessmedcare[.]org@ssl/pol/Downloads/document[.]LnK?init=1  network_url  file://wellnessmedcare[.]org/davwwwroot/pol/Downloads/document[.]LnK?init=1  file_path  %appdata%\Microsoft\Office\databackup.ini  file_path  %appdata%\Microsoft\Outlook\VbaProject.OTM  file_path  %appdata%\Microsoft\Office\VbaProject.OTM  file_path  C:\ProgramData\izjava o opterecenju zarade 
preko pola ovjerena - ivan simovic.pdf  file_path  %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\EHygbjYHlw.vbs  file_path  %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\FYfnahVXea.vbs  file_path  %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\1.vbs  file_path   %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\2.vbs  file_path   C:\ProgramData\UGOVORCI FEBRUAR.docx  file_path  %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\outlook.vbs  file_path  C:\ProgramData\testtemp.ini  file_path  %Temp%\Test  file_path  %temp%\DEFAULT-786XQ7W-20251022-2145.log  file_path  %temp%\DEFAULT-3Q7J61W-20251101-1045.log  file_path  %programdata%\USOShared\Logs\User\adwapi64.dll  file_path  %programdata%\Microsoft\DeviceSync\8acd6e71-bf10-4800-aeee-7de00edc9781\background.png  file_path  %PROGRAMDATA%\USOPublic\Data\User\EhStoreShell.dll  file_path  %PROGRAMDATA%\Microsoft OneDrive\setup\Cache\SplashScreen.png  file_path  %TEMP%\Diagnostics\office.xml  email_subject  Daily Report  email_subject  Elektronska posta - dostavljeno  email_subject  Elektronska posta je zasticena sistemom zastite  email_subject  Dostavljam za informaciju za taj dan  filename  EhStoreShell.dll  filename  SplashScreen.png  filename  SimpleDropper.dll  filename  office.xml  credential  qD09O0FbOYV50vbMSw5f9ozw918zJbPEYKmkIm0tjfovt65LIKldRd40nOZzVHJe  credential  8STfB4SpG_HhB5AvZizXtoxgTW_Q3moGw3nNGfaNYbBfeMsyv4KubyV7T2Xkxix1  host_mutex_name   Environment_US7DYUH63  host_mutex_name   dsxntesbteyhsf2v  host_mutex_name  c932f8hg88df2o  host_mutex_name  ukqh3vuivaoh2vy3v  network_ipv4_addr  193[.]187[.]148[.]169  network_ipv4_addr  23[.]227[.]202[.]14  network_ipv4_addr  72[.]62[.]185[.]31  vulnerability_cve_id  CVE-2026-21509  vulnerability_cve_id  CVE-2026-21513  host_registry_key  HKCU\Software\Classes\CLSID\{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}  host_scheduled_task_name  OneDriveHealth