APT28 Deploys BEARDSHELL and Customized COVENANT Malware for Targeted Cyber Espionage Against the Ukrainian Military

Executive Summary
The Russian state-sponsored threat actor APT28 (also known as Fancy Bear, Sednit, Forest Blizzard, Unit 26165, and TA422) has intensified its cyber-espionage operations against the Ukrainian military by deploying two advanced malware strains: BEARDSHELL and a customized variant of COVENANT. These campaigns, active since at least April 2024, leverage cloud-based command-and-control (C2) infrastructure and sophisticated obfuscation techniques to maintain persistent, covert access to high-value Ukrainian targets. The infection vectors exploit both technical and human vulnerabilities, including spearphishing with weaponized Office documents and the abuse of legitimate cloud storage services for stealthy C2 communications. This report provides a comprehensive technical analysis of the malware, the tactics, techniques, and procedures (TTPs) employed by APT28, and actionable recommendations for mitigation.
Threat Actor Profile
APT28 is a highly sophisticated Russian cyber-espionage group linked to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). Known for its long-term, intelligence-driven campaigns, APT28 has a history of targeting military, government, and diplomatic entities across Europe, Central Asia, and the United States. The group is characterized by its rapid adaptation to new security controls, use of custom malware, and exploitation of both zero-day and social engineering vectors. In the current campaign, APT28 demonstrates advanced operational security by leveraging cloud-based C2 channels, multi-stage loaders, and anti-analysis techniques, making detection and attribution challenging for defenders.
Technical Analysis of Malware/TTPs
BEARDSHELL
BEARDSHELL is a custom C++ backdoor DLL designed for persistent, covert access. It is typically delivered via weaponized Office documents containing malicious macros. The initial infection chain drops a loader DLL (such as PlaySndSrv.dll) together with a disguised payload (e.g., a .wav file) from which BEARDSHELL is decrypted and executed. The malware employs opaque-predicate obfuscation, previously observed in APT28’s XTunnel tool, to hinder static analysis and reverse engineering.
BEARDSHELL communicates with its operators through the legitimate cloud storage service Icedrive. Every four hours it polls a per-victim directory on Icedrive, named with an FNV1a hash of the victim’s hardware and user information, for command files uploaded by the operator. It executes arbitrary PowerShell commands and uploads the results encrypted with ChaCha20-Poly1305 under image extensions (.bmp, .gif, .jpeg, .png, .tiff). Because the transport is the provider’s ordinary HTTPS API, the network-visible indicator is an Icedrive session from a host with no business use for it, not a malicious domain. The malware also performs anti-analysis checks and terminates if it finds a single processor or less than 2 GB of RAM.
COVENANT (Modified)
The second major implant is a heavily modified version of the open-source COVENANT .NET post-exploitation framework. APT28 has customized COVENANT to support file-based C2 over cloud storage providers, including Filen, pCloud, and Koofr. The malware uses a custom C2Bridge component to interact with these services via their APIs, enabling operators to issue commands, exfiltrate data, and move laterally within compromised environments. The stagers and payloads are delivered using steganography—malicious shellcode is embedded within PNG files and extracted at runtime.
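As an added example (not code from this report, from CERT-UA, from Sekoia.io, or from the malware itself), the following Python triages files that claim to be images. It covers both the BEARDSHELL result files described above (ChaCha20-Poly1305 ciphertext saved under an image extension) and the COVENANT stager PNGs (payload embedded in a PNG): it checks the extension against the file’s magic bytes, walks the PNG chunk stream to find bad CRCs, non-standard chunk types and bytes appended after IEND, and measures byte entropy only once a file has already failed to be the image it claims. The sample PNG and the stand-in ciphertext are constructed inside the block; `triage_image`, `walk_png`, `shannon_entropy` and `make_png` are this example’s own names. Pixel-level (LSB) embedding inside otherwise valid IDAT data is not visible to a structural check and needs the original image or a statistical test.

```python
import hashlib
import math
import os
import struct
import zlib

# Example added for this article (not CERT-UA, Sekoia.io or the malware authors'
# code). Triage for files that claim to be images: extension/magic mismatch,
# PNG chunk-structure anomalies (bad CRC, unknown chunk types, bytes appended
# after IEND) and, only once the magic check has failed, byte entropy.

PNG_SIG = b"\x89PNG\r\n\x1a\n"
MAGIC = {
    ".png": (PNG_SIG,), ".gif": (b"GIF87a", b"GIF89a"),
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".bmp": (b"BM",), ".tif": (b"II*\x00", b"MM\x00*"), ".tiff": (b"II*\x00", b"MM\x00*"),
}
# Standard critical and ancillary PNG chunks. APNG/eXIf chunks will be reported
# as non-standard, which is a review hint, not a verdict.
KNOWN_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tEXt", b"zTXt", b"iTXt", b"tIME",
                b"pHYs", b"gAMA", b"cHRM", b"sRGB", b"iCCP", b"bKGD", b"tRNS", b"sBIT", b"hIST", b"sPLT"}

def _chunk(ctype, data):
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def make_png(width=2, height=2):
    """Build a minimal valid 8-bit RGB PNG (used only to construct sample input)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\x10\x20\x30" * width for _ in range(height))  # filter byte 0 per scanline
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")

def shannon_entropy(data):
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c) if n else 0.0

def magic_matches(name, data):
    sigs = MAGIC.get(os.path.splitext(name.lower())[1])
    return True if sigs is None else any(data.startswith(s) for s in sigs)

def walk_png(data):
    """Walk the chunk stream; report CRC failures, unknown chunk types and trailing bytes after IEND."""
    f = {"bad_crc": [], "unknown": [], "trailer_len": 0, "truncated": False}
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype, body = data[pos + 4:pos + 8], data[pos + 8:pos + 8 + length]
        crc_raw = data[pos + 8 + length:pos + 12 + length]
        if len(body) < length or len(crc_raw) < 4:
            break
        if struct.unpack(">I", crc_raw)[0] != zlib.crc32(ctype + body) & 0xFFFFFFFF:
            f["bad_crc"].append(ctype.decode("latin-1"))
        if ctype not in KNOWN_CHUNKS:
            f["unknown"].append(ctype.decode("latin-1"))
        pos += 12 + length
        if ctype == b"IEND":
            f["trailer_len"] = len(data) - pos   # anything here is invisible to image viewers
            return f
    f["truncated"] = True
    return f

def triage_image(name, data, entropy_threshold=7.5):
    """Return the reasons the file deserves a look; an empty list means nothing structural stood out."""
    reasons = []
    if not magic_matches(name, data):
        reasons.append("extension/magic mismatch")
        # Compressed pixel data is high-entropy too, so entropy only means something
        # once the file has already failed to be the image its extension claims.
        ent = shannon_entropy(data)
        if len(data) >= 256 and ent > entropy_threshold:
            reasons.append(f"high entropy {ent:.2f}")
    if data.startswith(PNG_SIG):
        f = walk_png(data)
        if f["trailer_len"]:
            reasons.append(f"{f['trailer_len']} bytes after IEND")
        if f["bad_crc"]:
            reasons.append("bad CRC in " + ",".join(f["bad_crc"]))
        if f["unknown"]:
            reasons.append("non-standard chunks " + ",".join(f["unknown"]))
        if f["truncated"]:
            reasons.append("truncated chunk stream")
    return reasons

# Constructed samples: deterministic pseudo-random bytes stand in for ciphertext.
_BLOB = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))   # 1024 bytes
SAMPLE_CLEAN = make_png()
SAMPLE_TRAILER = SAMPLE_CLEAN + _BLOB[:64]        # payload appended after IEND
SAMPLE_CIPHERTEXT = _BLOB                          # an encrypted result saved as "result.png"

if __name__ == "__main__":
    for name, blob in (("clean.png", SAMPLE_CLEAN), ("stego.png", SAMPLE_TRAILER), ("result.png", SAMPLE_CIPHERTEXT)):
        print(name, triage_image(name, blob) or "ok")
```

Run it over a directory of user-profile image files and review anything that returns a non-empty list; the entropy threshold of 7.5 bits/byte is a starting point for ciphertext, not a tuned value.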
SLIMAGENT
SLIMAGENT is a C++-based keylogger and data stealer, evolved from APT28’s earlier XAgent malware. It captures keystrokes, screenshots, and clipboard data, outputting logs in HTML format with color-coded fields for easy operator review. Exfiltrated data is encrypted and uploaded to attacker-controlled cloud storage. SLIMAGENT is typically deployed alongside BEARDSHELL on high-value hosts.
Tactics, Techniques, and Procedures (TTPs)
APT28’s infection chain begins with spearphishing messages carrying weaponized Office documents. These documents are often delivered through Signal Desktop; files saved from Signal carry no Mark-of-the-Web (MOTW), so Office’s default blocking of macros in Internet-sourced documents never triggers. Upon execution, the malicious macros drop loader DLLs and PNG files containing embedded shellcode. Persistence is achieved through COM hijacking in the registry, scheduled tasks, and Run keys. C2 traffic blends into legitimate cloud storage API sessions, which defeats detection based on domain reputation or known-bad infrastructure. Data exfiltration uses encrypted, disguised files uploaded to the same cloud storage.
MITRE ATT&CK mapping for this campaign includes: Initial Access (T1566.001), Execution (T1059.001, T1059.005), Persistence (T1547.001, T1546.015), Defense Evasion (T1027, T1027.003), Command and Control (T1071.001, T1102.002), Collection (T1056.001, T1113), and Exfiltration (T1567.002).
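Added example, not from this report and not CERT-UA or Sekoia.io tooling: a Python audit of a registry export for the two registry persistence mechanisms named above. It parses `.reg` text produced by `reg export` (handling REG_SZ and the hex(2) UTF-16LE encoding of REG_EXPAND_SZ), flags every InprocServer32 registration under HKCU\Software\Classes\CLSID, and flags Run/RunOnce values whose command points into a user-writable path. The export embedded in the block is constructed; the CLSID is a placeholder and the paths are illustrative. Per-user COM registrations are also created by legitimate per-user installers, so entries whose DLL is not in a user-writable path are reported as "review" rather than "high". `audit_reg_export` and `parse_reg_export` are this example’s own names.

```python
import re

# Persistence audit over a registry export (.reg text), offline. Collect on the
# host with, for example:
#   reg export HKCU\Software\Classes\CLSID clsid.reg
#   reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg
# and pass the file contents to audit_reg_export(). Example code added for this
# article; the sample export below is constructed and its CLSID is a placeholder.

USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\(appdata|downloads|desktop|documents)|users\\public|programdata|temp|tmp)\\",
    re.I,
)
RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")

def _unescape(s):
    # .reg strings escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", lambda m: m.group(1), s)

def _decode_value(raw):
    """Decode REG_SZ ("...") and REG_EXPAND_SZ (hex(2): UTF-16LE bytes); other types are returned raw."""
    if raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])
    if raw.lower().startswith("hex(2):"):
        data = bytes(int(h, 16) for h in raw[7:].split(",") if h.strip())
        return data.decode("utf-16-le").rstrip("\x00")
    return raw

def parse_reg_export(text):
    """Return {key_path: {value_name: decoded_value}} for a .reg export."""
    keys, current, buf = {}, None, ""
    for line in text.splitlines():
        line = line.rstrip()
        if line.endswith("\\"):            # hex values wrap onto continuation lines
            buf += line[:-1].strip()
            continue
        line = (buf + line.strip()) if buf else line.strip()
        buf = ""
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if m and current is not None:
            name = "(Default)" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            keys[current][name] = _decode_value(m.group(2))
    return keys

def audit_reg_export(text):
    """Return (severity, reason, location, value) tuples for COM-hijack and Run-key persistence candidates."""
    findings = []
    for key, values in parse_reg_export(text).items():
        k = key.lower()
        if k.startswith("hkey_current_user\\software\\classes\\clsid\\") and k.endswith("\\inprocserver32"):
            path = values.get("(Default)", "")
            sev = "high" if USER_WRITABLE.search(path) else "review"
            findings.append((sev, "COM InprocServer32 registered under HKCU", key, path))
        elif any(k.endswith(r) for r in RUN_KEYS):
            for name, cmd in values.items():
                if USER_WRITABLE.search(cmd):
                    findings.append(("high", "Run value pointing into a user-writable path", key + "\\" + name, cmd))
    return findings

# Constructed sample export: placeholder CLSID, a loader DLL in AppData (the
# PlaySndSrv.dll name is from the report), a benign Run value, and a
# REG_EXPAND_SZ Run value decoding to "rundll32 C:\Users\Public\a.dll".
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Users\\operator\\AppData\\Local\\Microsoft\\PlaySndSrv.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"SoundService"=hex(2):72,00,75,00,6e,00,64,00,6c,00,6c,00,33,00,32,00,20,00,43,00,3a,00,\
  5c,00,55,00,73,00,65,00,72,00,73,00,5c,00,50,00,75,00,62,00,6c,00,69,00,63,00,5c,00,\
  61,00,2e,00,64,00,6c,00,6c,00,00,00
'''

if __name__ == "__main__":
    for sev, reason, where, value in audit_reg_export(SAMPLE_EXPORT):
        print(f"[{sev}] {reason}: {where} -> {value}")
```

Scheduled tasks are not in the registry export; list them separately (for example with `schtasks /query /v /fo LIST`) and apply the same user-writable-path test to each task’s command.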
Exploitation in the Wild
The campaign has primarily targeted Ukrainian military personnel, government agencies, and defense sector organizations. Infection vectors include spearphishing emails with malicious Office documents and multi-stage loaders delivered via Signal Desktop. The use of cloud-based C2 infrastructure has enabled APT28 to maintain persistent access to at least 42 unique compromised hosts, as identified through analysis of attacker-controlled Koofr accounts. The campaign has been active since at least April 2024, with public disclosure of SLIMAGENT occurring in June 2025. The attackers have demonstrated a high degree of operational security, frequently rotating C2 infrastructure and adapting their malware to evade detection.
Victimology and Targeting
APT28’s current campaign is highly targeted, focusing on Ukrainian military and government entities. Secondary targets have included European government agencies, Central Asian diplomatic channels, and Western Asian defense sectors. The infection chain is tailored to exploit the workflows and communication channels of military and government personnel, with a particular emphasis on bypassing security controls through the use of Signal Desktop and cloud storage services. The attackers have demonstrated an understanding of Ukrainian military command structures, targeting logistics, HR, and command personnel to maximize intelligence value.
Mitigation and Countermeasures
Organizations should implement the following countermeasures to defend against APT28’s tactics:
- Monitor for traffic to cloud storage providers such as Icedrive, Filen, Koofr, and pCloud from hosts or accounts with no business reason to use them. Because the C2 rides on legitimate HTTPS APIs, baseline which of these services are approved and alert on the rest rather than relying on domain reputation.
- Deploy the Sigma and YARA rules published by Sekoia.io and SOC Prime for BEARDSHELL and the modified COVENANT artifacts.
- Investigate suspicious PowerShell activity, .NET binary execution, and the presence of unusual DLLs, .wav files, or PNG files in user directories.
- Regularly audit the registry for unauthorized COM registrations (InprocServer32 entries under HKCU\Software\Classes\CLSID pointing into user-writable paths) and for Run keys.
- Educate users about spearphishing, especially Office documents received through non-traditional channels such as Signal Desktop.
- Disable or restrict Office macros by policy (for example, allow only signed macros). The MOTW-based "block macros from the Internet" control alone is not enough: files received via Signal Desktop carry no MOTW, so it never applies to them.
- Block or closely monitor the file hashes and cloud C2 endpoints published as Indicators of Compromise (IOCs) for this campaign.
- Deploy endpoint detection and response (EDR) with behavioral analysis to identify multi-stage loader activity and steganographic payload extraction.
About Rescana
Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their supply chain and digital ecosystem. Our advanced threat intelligence and automation capabilities empower security teams to proactively identify and respond to emerging threats. For more information or to discuss how Rescana can help your organization strengthen its cyber resilience, we are happy to answer questions at ops@rescana.com.