
A Russian state-sponsored hacking group tracked as APT28 has been observed using a pair of implants called BEARDSHELL and COVENANT to facilitate long-term surveillance of Ukrainian military personnel.
In a new report shared with The Hacker News, ESET said the two malware families have been in use since April 2024.
APT28, also tracked as Blue Athena, BlueDelta, Fancy Bear, Fighting Ursa, Forest Blizzard (formerly known as Strontium), FROZENLAKE, Iron Twilight, ITG05, Pawn Storm, Sednit, Sofacy, and TA422, is a state actor affiliated with Unit 26165 of the Russian Federation’s military intelligence agency GRU.
The threat actor’s malware arsenal consists of tools such as BEARDSHELL and COVENANT, as well as another program codenamed SLIMAGENT that can log keystrokes, capture screenshots, and collect clipboard data. SLIMAGENT was first publicly documented by the Computer Emergency Response Team of Ukraine (CERT-UA) in June 2025.
According to the Slovak cybersecurity company, SLIMAGENT’s roots lie in XAgent, another implant APT28 used in the 2010s for remote control and data exfiltration. This assessment is based on code similarities between SLIMAGENT and a previously unknown sample used in 2018 attacks against government agencies in two European countries.
Both the 2018 artifact and the 2024 SLIMAGENT sample are believed to derive from XAgent, and ESET’s analysis also found overlapping keylogging functionality between SLIMAGENT and an XAgent sample detected as far back as late 2014.
“SLIMAGENT outputs spy activity logs in HTML format, with application names, recorded keystrokes, and window names displayed in blue, red, and green, respectively,” ESET said. “The XAgent keylogger also generates HTML logs using the same color scheme.”
Deployed alongside SLIMAGENT is another backdoor called BEARDSHELL, which can execute PowerShell commands on compromised hosts. It uses the legitimate cloud storage service Icedrive for command and control (C2).

A notable aspect of this malware is its use of an unusual obfuscation technique called opaque predicates. The same technique appears in XTunnel (also known as X-Tunnel), a network traversal and pivoting tool APT28 used in the 2016 Democratic National Committee (DNC) hack; XTunnel provides a secure tunnel to an external C2 server.
“The shared use of this unusual obfuscation technique, combined with its co-location with SLIMAGENT, allows us to assess with high confidence that BEARDSHELL is part of Sednit’s custom arsenal,” ESET added.
The third major piece of the threat actor’s toolkit is COVENANT, an open-source .NET post-exploitation framework. It has been “substantially” modified to support long-term espionage and, starting in July 2025, implements a new cloud-based network protocol that uses the Filen cloud storage service for C2. APT28’s COVENANT variant previously used pCloud (2023) and Koofr (2024-2025).
“These indications demonstrate that Sednit’s developers have gained deep expertise with Covenant, an implant that stopped formal development in April 2021 and was deemed unused by its advocates,” ESET said. “This surprising operational choice appears to have paid off. Sednit has successfully relied on Covenant for several years, particularly against selected targets in Ukraine.”
This is not the first time the threat actor has employed a dual-implant strategy. In 2021, Trellix revealed that APT28 deployed the Graphite backdoor, which used OneDrive for C2, together with PowerShell Empire in attacks targeting government officials and defense-sector individuals overseeing national security policy in West Asia.
