From APT28 to RePythonNET: Automating .NET Malware Analysis

APT28 is a Russia-nexus intrusion set attributed by Western intelligence services to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center, also known as Military Unit 26165. Active since 2004, when it first targeted Western military networks, the intrusion set is especially known for hybrid operations on the sidelines of Russia-related armed conflicts and diplomatic crises. Between 2021 and 2024, APT28 relied on an arsenal of modular and often disposable implants. Malware such as MASEPIE, STEELHOOK and OCEANMAP is designed for specific, short-term tasks: establishing basic persistence, executing reconnaissance commands, or stealing browser data such as credentials and session cookies. In contrast, a more sophisticated infection chain identified in late 2024 and throughout 2025 (notably in Operation Phantom Net Voxel) shows a strategic move toward stealthier delivery and persistence.

This chain frequently begins with lure documents delivered via Signal Desktop, a channel that bypasses Windows Mark-of-the-Web (MOTW) protections. The lure's VBA macros perform a user-level COM hijack, which ensures persistence by loading a malicious DLL. That stage typically uses steganography to extract shellcode hidden in a valid PNG file; the shellcode then runs the GruntHTTPStager of the Covenant framework. In this refined model, APT28 uses Covenant primarily for initial reconnaissance and as a delivery vehicle for specialized modules. A critical component for maintaining access is BeardShell, a stealthy C++ malware that acts as a fallback mechanism to re-infect the environment if the primary access is lost. Alongside it, the group deploys SlimAgent, a dedicated spyware module focused on keylogging and information theft.

In 2025, we published an analysis of a new APT28 infection chain culminating in the deployment of Covenant, an open-source .NET command-and-control framework. At the time of analysis, the nature of the implant was not immediately obvious: the samples were obfuscated, with randomized symbol names and encrypted strings. Only through reversing did we identify the payload as a Covenant Grunt, the client-side implant responsible for establishing a C2 channel, executing commands and retrieving additional modules. APT28 extended the framework with a custom C2Bridge built on the Koofr or Filen API, relying entirely on file uploads to and downloads from that service for its communications. Manually reversing this sample is not particularly difficult, but it is tedious: every string must be identified and decrypted, and functions must be renamed incrementally as their purpose becomes clear.

To address this, the open-source RePythonNET project leverages pythonnet and dnlib to automate parts of the analysis. In the case of APT28's Covenant sample, the immediate goal is to recover the C2 servers, which are stored as encrypted strings. The process breaks down into three steps: locating the decryption routine, extracting the key, and finally patching the binary with the decrypted strings. The decryption routine can be fingerprinted by its Common Intermediate Language (IL) opcodes. The idea is straightforward: when analyzing a new sample, iterate over every method in the module and check whether its instruction stream contains the sequence of opcodes characteristic of the decryption routine; because the obfuscator randomizes symbol names but not the compiled IL, the opcode sequence survives where the method name does not.
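The three steps above, as an added example that is not RePythonNET's own code and does not reproduce APT28's actual decryption routine. The opcode signature, the single-byte XOR scheme with an inline key, the `ldstr <base64>; call Decrypt` call-site shape, the constructed IL streams and the sample ciphertext are all assumptions made for illustration; the dnlib calls (`ModuleDefMD.Load`, `GetTypes`, `Body.Instructions`, `OpCodes`, `Code`, `Write`) are the real dnlib API as exposed through pythonnet, and they are only imported when a real assembly is passed on the command line, so the matcher, key extraction and decryption run offline on the constructed IL.

```python
"""IL-opcode fingerprinting, key extraction and call-site patching for a .NET
string decryptor.  Added example: the signature, XOR scheme and IL below are
constructed; scanning a real module needs pythonnet and a resolvable dnlib.dll.
"""
import base64
import sys
from typing import List, Optional, Sequence, Tuple

Instr = Tuple[str, object]  # (opcode name, operand or None), as dnlib exposes them
WILDCARD = "*"              # matches any single opcode inside a signature

# Constructed signature for  arr[i] = (byte)(arr[i] ^ KEY)  with an inline key.
# A real signature is lifted from the reversed decryption routine of the sample.
XOR_DECRYPT_SIGNATURE: Sequence[str] = (
    "ldloc.0", "ldloc.1", "ldelem.u1", "ldc.i4.s", "xor", "conv.u1", "stelem.i1")
KEY_OFFSET = 3  # position of the ldc.i4.s carrying the key inside the signature


def find_sequence(il: Sequence[Instr], signature: Sequence[str]) -> int:
    """Step 1: index of the first occurrence of `signature` in the IL, or -1."""
    names = [op for op, _ in il]
    if not signature or len(signature) > len(names):
        return -1
    for start in range(len(names) - len(signature) + 1):
        window = names[start:start + len(signature)]
        if all(s == WILDCARD or s == op for s, op in zip(signature, window)):
            return start
    return -1


def extract_key(il: Sequence[Instr], signature: Sequence[str] = XOR_DECRYPT_SIGNATURE,
                key_offset: int = KEY_OFFSET) -> Optional[int]:
    """Step 2: read the XOR key from the ldc.i4.s operand in the matched window."""
    start = find_sequence(il, signature)
    if start < 0:
        return None
    return int(il[start + key_offset][1]) & 0xFF  # sbyte operand -> unsigned byte


def xor_decrypt(ciphertext: bytes, key: int) -> str:
    """Decryptor matching XOR_DECRYPT_SIGNATURE (constructed single-byte XOR)."""
    return bytes(b ^ key for b in ciphertext).decode("utf-8")


def method_il(method) -> List[Instr]:
    """(opcode name, operand) pairs of a dnlib MethodDef body; [] if it has none."""
    if not method.HasBody:
        return []
    return [(i.OpCode.Name, i.Operand) for i in method.Body.Instructions]


def find_decryptors(module, signature: Sequence[str] = XOR_DECRYPT_SIGNATURE) -> list:
    """Every MethodDef in a dnlib module whose IL contains the signature."""
    return [m for t in module.GetTypes() for m in t.Methods
            if find_sequence(method_il(m), signature) >= 0]


def patch_call_sites(module, decryptor, key: int) -> int:
    """Step 3: rewrite `ldstr <base64 ct>; call decryptor` as `ldstr <plain>; nop`.

    Assumes that call-site shape (confirm it in a disassembler first); the nop
    keeps branch targets and the evaluation stack intact.  Returns sites patched.
    """
    from dnlib.DotNet.Emit import Code, OpCodes
    patched = 0
    for t in module.GetTypes():
        for m in (m for m in t.Methods if m.HasBody):
            instrs = m.Body.Instructions
            for i in range(1, instrs.Count):
                call, arg = instrs[i], instrs[i - 1]
                if (call.OpCode.Code == Code.Call and arg.OpCode.Code == Code.Ldstr
                        and getattr(call.Operand, "FullName", None) == decryptor.FullName):
                    arg.Operand = xor_decrypt(base64.b64decode(str(arg.Operand)), key)
                    call.OpCode, call.Operand = OpCodes.Nop, None
                    patched += 1
    return patched


# Constructed IL of an obfuscated decryptor, in the shape method_il() returns.
DECRYPTOR_IL: List[Instr] = [
    ("ldarg.0", None), ("call", "System.Convert::FromBase64String"), ("stloc.0", None),
    ("ldc.i4.0", None), ("stloc.1", None), ("br.s", None),
    ("ldloc.0", None), ("ldloc.1", None), ("ldloc.0", None), ("ldloc.1", None),
    ("ldelem.u1", None), ("ldc.i4.s", 0x5A), ("xor", None), ("conv.u1", None),
    ("stelem.i1", None), ("ldloc.1", None), ("ldc.i4.1", None), ("add", None),
    ("stloc.1", None), ("ldloc.1", None), ("ldloc.0", None), ("ldlen", None),
    ("conv.i4", None), ("blt.s", None),
    ("ldloc.0", None), ("call", "System.Text.Encoding::GetString"), ("ret", None)]
HELLO_IL: List[Instr] = [("ldstr", "hi"), ("call", "System.Console::WriteLine"), ("ret", None)]
# Constructed ciphertext: "https://c2.example.invalid/" XOR 0x5A.
SAMPLE_CIPHERTEXT = bytes.fromhex("322e2e2a296075753968743f223b372a363f7433342c3b36333e75")

if __name__ == "__main__":
    # Offline run on the constructed IL; with two arguments, patch a real module:
    #   python il_fingerprint.py obfuscated.exe deobfuscated.exe
    key = extract_key(DECRYPTOR_IL)
    print("signature at", find_sequence(DECRYPTOR_IL, XOR_DECRYPT_SIGNATURE), "key", hex(key))
    print("decrypted:", xor_decrypt(SAMPLE_CIPHERTEXT, key))
    if len(sys.argv) == 3:
        import clr  # pythonnet
        clr.AddReference("dnlib")  # assumes dnlib.dll is on the assembly load path
        from dnlib.DotNet import ModuleDefMD
        module = ModuleDefMD.Load(sys.argv[1])
        for dec in find_decryptors(module):
            k = extract_key(method_il(dec))
            print(dec.FullName, "key", hex(k), "sites", patch_call_sites(module, dec, k))
        module.Write(sys.argv[2])
```

Opcode-name signatures are deliberately loose: they ignore operands and survive symbol renaming, but a recompiled or differently obfuscated build can reorder locals or swap `ldc.i4.s` for `ldc.i4`, so use wildcards for the unstable positions and confirm each hit against the method's parameter and return types before trusting the extracted key. Verify the rewritten module in a disassembler after `Write`, since an unexpected call-site shape would leave a `nop` where a stack value was still needed.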


This post is licensed under CC BY 4.0 by the author.