The Russian state-sponsored hacking group tracked as APT28 has been observed using a pair of implants dubbed BEARDSHELL and COVENANT to facilitate long-term surveillance of Ukrainian military personnel.
The two malware families have been in use since April 2024, ESET said in a new report shared with The Hacker News.
APT28, also tracked as Blue Athena, BlueDelta, Fancy Bear, Fighting Ursa, Forest Blizzard (formerly Strontium), FROZENLAKE, Iron Twilight, ITG05, Pawn Storm, Sednit, Sofacy, and TA422, is a nation-state actor affiliated with Unit 26165 of the Russian Federation’s military intelligence agency, the GRU.
The threat actor’s malware arsenal includes tools like BEARDSHELL and COVENANT, along with another program codenamed SLIMAGENT that is capable of logging keystrokes, capturing screenshots, and collecting clipboard data. SLIMAGENT was first publicly documented by the Computer Emergency Response Team of Ukraine (CERT-UA) in June 2025.
SLIMAGENT, according to the Slovak cybersecurity company, has its roots in XAgent, another implant used by APT28 in the 2010s to facilitate remote control and data exfiltration. This is based on code similarities found between SLIMAGENT and previously unknown samples deployed in attacks targeting governmental entities in two European countries as far back as 2018.
It is assessed that the 2018 artifacts and the 2024 SLIMAGENT sample originated from XAgent, with ESET’s analysis uncovering overlaps in the keylogging code between SLIMAGENT and an XAgent sample detected in the wild in late 2014.
“SLIMAGENT emits its espionage logs in the HTML format, with the application name, the logged keystrokes, and the window name in blue, red, and green, respectively,” ESET said. “The XAgent keylogger also produces HTML logs using the same color scheme.”
Also deployed in connection with SLIMAGENT is another backdoor called BEARDSHELL that is capable of executing PowerShell commands on compromised hosts. It uses the legitimate cloud storage service Icedrive for command-and-control (C2).

A noteworthy aspect of the malware is that it uses a specific obfuscation technique called opaque predicates (branch conditions whose outcome is always the same at runtime but is not obvious to static analysis, so that disassemblers and analysts are left chasing dead code paths), which is also found in XTunnel (aka X-Tunnel), a network traversal and pivoting tool used by APT28 in the 2016 Democratic National Committee (DNC) hack. The tool provides a secure tunnel to an external C2 server.
“The shared use of this rare obfuscation technique, combined with its colocation with SLIMAGENT, leads us to assess with high confidence that BEARDSHELL is part of Sednit’s custom arsenal,” ESET added.
A third major piece of the threat actor’s toolkit is COVENANT, an open-source .NET post-exploitation framework that has been “heavily” modified to support long-term espionage and to implement a new cloud-based network protocol that has abused the Filen cloud storage service for C2 since July 2025. Previously, APT28’s COVENANT variant was said to have used pCloud (in 2023) and Koofr (in 2024-2025).
“These adaptations show that Sednit developers acquired deep expertise in Covenant – an implant whose official development ceased in April 2021 and may have been considered unused by defenders,” ESET said. “This surprising operational choice appears to have paid off: Sednit has successfully relied on Covenant for several years, notably against selected targets in Ukraine.”
This isn’t the first time the adversarial collective has embraced the dual-implant strategy. In 2021, Trellix revealed that APT28 deployed Graphite, a backdoor that employed OneDrive for C2, and PowerShell Empire in attacks targeting high-ranking government officials overseeing national security policy and individuals in the defense sector in Western Asia.
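The common thread between BEARDSHELL (Icedrive) and the COVENANT variant (pCloud, Koofr, Filen) is C2 over legitimate consumer cloud storage, which blends into normal web traffic. As an added example that is not from ESET's report or this article, one way a defender can hunt for it in proxy logs is to look for hosts that contact such a service at a steady, timer-like interval; the service domains, log format, host names and sample lines below are assumptions constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
# Services the report names as C2 transports; the domains are this example's assumption.
CLOUD_C2_SERVICES = {
    "icedrive.net": "Icedrive (BEARDSHELL)",
    "filen.io": "Filen (COVENANT, since 2025)",
    "pcloud.com": "pCloud (COVENANT, 2023)",
    "koofr.eu": "Koofr (COVENANT, 2024-2025)",
}
# Constructed proxy log format: "<ISO timestamp> <client host> <destination FQDN>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")

def parse_line(line):
    m = LOG_RE.match(line.strip())
    return (datetime.fromisoformat(m[1]), m[2], m[3].lower()) if m else None

def service_for(dst):
    # Match the apex domain or any subdomain of it (api.icedrive.net, app.koofr.eu)
    return next((lbl for dom, lbl in CLOUD_C2_SERVICES.items()
                 if dst == dom or dst.endswith("." + dom)), None)

def find_beacons(lines, min_hits=4, max_jitter=0.2):
    """(host, service, mean gap in s) for hosts polling a storage service on a timer."""
    series = defaultdict(list)
    for ts, host, dst in filter(None, map(parse_line, lines)):
        label = service_for(dst)
        if label:
            series[(host, label)].append(ts)
    alerts = []
    for (host, label), times in sorted(series.items()):
        if len(times) < min_hits:
            continue  # too few contacts to judge periodicity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # Jitter is the coefficient of variation of the gaps; a timer-driven poll keeps it low
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            alerts.append((host, label, round(avg)))
    return alerts
# Constructed sample: WS-12 polls Icedrive every ~10 min, WS-03 uses Koofr in irregular bursts.
SAMPLE_LOG = """2025-07-01T09:00:00 WS-12 api.icedrive.net
2025-07-01T09:00:00 WS-03 app.koofr.eu
2025-07-01T09:01:00 WS-03 app.koofr.eu
2025-07-01T09:10:03 WS-12 api.icedrive.net
2025-07-01T09:19:58 WS-12 api.icedrive.net
2025-07-01T09:30:00 WS-03 app.koofr.eu
2025-07-01T09:30:01 WS-12 api.icedrive.net
2025-07-01T09:40:00 WS-12 api.icedrive.net
2025-07-01T11:00:00 WS-03 app.koofr.eu""".splitlines()
```

On the sample, only WS-12 is flagged (about 600 s between Icedrive contacts); a legitimate user of the same service would normally show bursty, irregular access like WS-03, so the interval check is what separates the two.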

