APT28 used BEARDSHELL and COVENANT malware to spy on Ukrainian military personnel, enabling long-term surveillance since April 2024.
The Russia-linked group APT28 (aka UAC-0001, aka Fancy Bear, Pawn Storm, Sofacy Group, Sednit, BlueDelta, and STRONTIUM) has used BEARDSHELL and COVENANT malware to conduct long-term surveillance of Ukrainian military personnel. According to ESET, the campaign began in April 2024 and relies on custom implants designed to maintain persistent access and collect sensitive information from targeted systems.
“Since April 2024, Sednit’s advanced development team has reemerged with a modern toolkit centered on two paired implants, BeardShell and Covenant, each using a different cloud provider for resilience.” reads the report published by ESET. “This dual‑implant approach enabled long‑term surveillance of Ukrainian military personnel. Interestingly, these current toolsets show a direct code lineage to the group’s 2010‑era implants.”
The APT28 group has been active since at least 2007 and it has targeted governments, militaries, and security organizations worldwide. The group was involved also in the string of attacks that targeted 2016 Presidential election.
The group operates out of military unity 26165 of the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS).
EXPLORE MORE
CVE-2026-3888: Ubuntu Desktop 24.04+ vulnerable to Root exploit
Ubuntu flaw CVE-2026-3888 lets attackers gain root via a systemd timing exploit,…
Researchers warn of unpatched, critical Telnetd flaw affecting all versions
CVE-2026-32746 is a critical flaw in GNU InetUtils telnetd that allows remote…
Missing Juvenile Faith Blackstone from the 18th District
The Philadelphia Police Department is seeking the public’s assistance in locating a…
US blockade of Cuba killing children – UN commissioner — RT World News
The sanctions imposed on the island nation by Washington are incompatible with…
Missing Juvenile Jovan James Krause-Depa from the 24th District
The Philadelphia Police Department is requesting the public’s help in locating 12-year-old…
Gunman opened fire near White House, killed by Secret Service
WASHINGTON, D.C. (LifeSiteNews) — The White House was placed under lockdown on…
BEARDSHELL and SLIMAGENT are two advanced malware tools written in C++. BEARDSHELL downloads, decrypts (using ChaCha20-Poly1305), and runs PowerShell scripts, sending results via the Icedrive API. It creates a unique folder on each infected machine based on system identifiers. SLIMAGENT captures screenshots using Windows APIs, encrypts them with AES and RSA, and stores them locally with timestamped filenames. Both tools are stealthy, use strong encryption, and exploit legitimate cloud services to avoid detection, highlighting modern APT tactics.
“SlimAgent includes several features that were absent from the 2018 samples, such as encryption of the collected logs. Nevertheless, it is remarkable that samples deployed six years apart exhibit such strong code similarities.” continues the report. “We therefore assess with high confidence that both the 2018 samples and the 2024 SlimAgent sample were built from the same codebase.”
In May 2025, ESET researchers reported unauthorized access to an email account in the Ukrainian government’s gov.ua domain. CERT-UA, in collaboration with the Cybersecurity Center of Military Unit A0334, responded to the incident.
Analysis shows that SLIMAGENT likely evolved from the XAgent keylogger long used by APT28. Researchers found strong code similarities, including identical keylogging logic and HTML-based logging with the same color scheme for captured data. Evidence suggests SLIMAGENT has been deployed as a standalone espionage tool since at least 2018. Despite XAgent’s well-known codebase, the group continues reusing and adapting it, alongside newer malware like BEARDSHELL, in recent espionage campaigns.
During forensic analysis, the researchers discovered malware linked to the COVENANT framework and the BEARDSHELL backdoor. The experts were not able to determine the initial infection vector.
ESET noted that BEARDSHELL uses a rare obfuscation method called opaque predicate, previously seen in XTunnel, a tool used by APT28 during the Democratic National Committee hack. This link strongly suggests BEARDSHELL belongs to the group’s toolkit. Another tool, COVENANT, has been heavily modified to support long-term espionage and uses cloud services like Filen for command-and-control communications.
The cybersecurity firm reports that developers behind APT28 have developed strong expertise in the Covenant framework, despite its official development ending in 2021. The group has successfully adapted and reused the tool for several years, particularly in espionage operations targeting Ukrainian organizations.
“we have shown that Sednit’s advanced development team is active once again, operating an arsenal centered on two implants – BeardShell and Covenant – deployed in tandem and each leveraging a different cloud provider.” concludes the report. “The sophistication of BeardShell and the extensive modifications made to Covenant demonstrate that Sednit’s developers remain fully capable of producing advanced custom implants. Furthermore, the shared code and techniques linking these tools to their 2010-era predecessors strongly suggest continuity within the development team.”
Recently, ClearSky researchers reported a phishing campaign linked to Russia that targets Ukrainian organizations using two new malware families, BadPaw and MeowMeow. The attack chain begins with a phishing email carrying a link to a ZIP archive. When opened, an HTA file displays a Ukrainian-language lure about border crossing appeals while secretly launching the infection chain.
