APT28 Conducts Long-Term Espionage on Ukrainian Forces Using Custom Malware

APT28 has utilized BEARDSHELL and COVENANT malware to spy on Ukrainian military personnel, enabling long-term surveillance since April 2024. This Russia-linked group, also known as UAC-0001, Fancy Bear, Pawn Storm, Sofacy Group, Sednit, BlueDelta, and STRONTIUM, has employed these tools to maintain persistent access and collect sensitive information from targeted systems.

According to ESET, the campaign began in April 2024 and relies on custom implants designed for resilience. The report states, “Since April 2024, Sednit’s advanced development team has reemerged with a modern toolkit centered on two paired implants, BeardShell and Covenant, each using a different cloud provider for resilience.” This dual-implant approach has enabled long-term surveillance of Ukrainian military personnel.

BEARDSHELL and SLIMAGENT are two advanced malware tools written in C++. BEARDSHELL downloads, decrypts (using ChaCha20-Poly1305), and runs PowerShell scripts, sending the results back through the Icedrive API. It creates a unique folder on each infected machine derived from system identifiers. ESET noted that BEARDSHELL uses a rare obfuscation technique, opaque predicates, previously seen in XTunnel, a tool APT28 used during the Democratic National Committee hack. This link strongly suggests BEARDSHELL belongs to the group’s toolkit. Additionally, COVENANT has been heavily modified to support long-term espionage and uses cloud services such as Filen for command-and-control communications.

SLIMAGENT captures screenshots using Windows APIs, encrypts them with AES and RSA, and stores them locally with timestamped filenames. Both tools are stealthy, use strong encryption, and exploit legitimate cloud services to avoid detection, highlighting modern APT tactics. Analysis shows that SLIMAGENT likely evolved from the XAgent keylogger long used by APT28. The report continues, “SlimAgent includes several features that were absent from the 2018 samples, such as encryption of the collected logs. Nevertheless, it is remarkable that samples deployed six years apart exhibit such strong code similarities.” Researchers assess with high confidence that both the 2018 samples and the 2024 SlimAgent sample were built from the same codebase.
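Because both implants hide their traffic inside legitimate cloud-storage services, the useful detection question is not "is this destination bad" but "which process is talking to it." The script below is an added example (not from ESET’s report) of that hunt over constructed proxy log lines: it flags any process outside an expected set that reaches the storage providers named above. The domain names, the log format and the expected-process list are assumptions for the demonstration and should be checked against your own proxy data before use.

```python
"""Hunt for unexpected processes talking to consumer cloud-storage services.

Added example, not from ESET's report. The page notes BEARDSHELL relays results
through the Icedrive API and the modified Covenant uses Filen for C2. The
domains, log format, hostnames and expected-process list below are assumptions
constructed for this demonstration, not indicators from the report.
"""
import re
from collections import defaultdict

# Assumed registered domains for the two providers (verify before deploying).
CLOUD_STORAGE_DOMAINS = {
    "icedrive.net": "Icedrive",
    "filen.io": "Filen",
}

# Processes from which traffic to these services is expected in this environment.
EXPECTED_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "icedrive.exe", "filen.exe"}

# Constructed proxy log: timestamp host process destination bytes_out
SAMPLE_LOG = """\
2024-09-01T08:02:11Z WS-117 chrome.exe api.icedrive.net 4821
2024-09-01T08:05:40Z WS-117 powershell.exe api.icedrive.net 19233
2024-09-01T08:06:02Z WS-204 rundll32.exe gateway.filen.io 2210
2024-09-01T08:06:30Z WS-204 outlook.exe outlook.office365.com 881
2024-09-01T08:07:15Z WS-117 powershell.exe api.icedrive.net 20115
not a log line
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+) (?P<dest>\S+) (?P<bytes>\d+)$")


def match_service(dest):
    """Return the provider name when dest is one of the watched domains or a subdomain."""
    dest = dest.lower().rstrip(".")
    for domain, name in CLOUD_STORAGE_DOMAINS.items():
        if dest == domain or dest.endswith("." + domain):
            return name
    return None


def hunt(log_text):
    """Aggregate unexpected process -> cloud-storage traffic per (host, process, service)."""
    findings = defaultdict(lambda: {"connections": 0, "bytes_out": 0, "first_seen": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line; skip rather than crash mid-hunt
        service = match_service(m["dest"])
        proc = m["proc"].lower()
        if service is None or proc in EXPECTED_PROCESSES:
            continue
        entry = findings[(m["host"], proc, service)]
        entry["connections"] += 1
        entry["bytes_out"] += int(m["bytes"])
        entry["first_seen"] = entry["first_seen"] or m["ts"]
    return dict(findings)


if __name__ == "__main__":
    for (host, proc, service), entry in sorted(hunt(SAMPLE_LOG).items()):
        print(f"{host} {proc} -> {service}: {entry['connections']} connections, "
              f"{entry['bytes_out']} bytes out, first seen {entry['first_seen']}")
```

Outbound byte counts are aggregated per process because a scripting host pushing tens of kilobytes to a storage API is a stronger signal than any single connection; in a real deployment the expected-process set would come from a baseline of the environment rather than a hard-coded list.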

The report concludes, “The sophistication of BeardShell and the extensive modifications made to Covenant demonstrate that Sednit’s developers remain fully capable of producing advanced custom implants. Furthermore, the shared code and techniques linking these tools to their 2010-era predecessors strongly suggest continuity within the development team.”

This post is licensed under CC BY 4.0 by the author.