Late in the summer of 2025, cybersecurity researchers uncovered a sophisticated spearphishing campaign targeting Ukrainian military personnel through the Signal messaging platform.
The operation, dubbed “Phantom Net Voxel,” begins with a malicious Office document sent via private Signal chats, masquerading as urgent administrative forms or compensation requests.
Preview of Signal conversation (Source – Sekoia)
Upon opening, the document’s embedded macros drop a stealthy DLL and a PNG file onto the victim’s machine, initiating a multi-stage infection chain that ultimately installs both Covenant’s HTTP Grunt Stager and the custom C++ backdoor BeardShell.
Sekoia analysts identified the lure documents’ unassuming appearance, formatted in authentic Ukrainian military nomenclature, as a key factor in the campaign’s success.
The initial Document_Open macro checks the Windows version and then uses the CreateProcessW API to register a malicious COM server under CLSID {2227A280-3AEA-1069-A2DE-08002B30309D}, ensuring the DLL loads on every user logon.
Infection chain (Source – Sekoia)
If the registry key does not exist, the macro drops prnfldr.dll into the ProgramData directory and windows.png into AppData, hiding both files before invoking regsvr32.exe /n /i to execute the DLL’s installation routine.
Once loaded into explorer.exe, the second-stage DLL extracts shellcode from the least significant bits of each PNG pixel.
The embedded shellcode initializes the .NET Common Language Runtime (CLR) and injects a Covenant HTTP Grunt module, which contacts the Koofr cloud API to create directories named “Keeping” and “Tansfering.” Hybrid encryption secures the communications, while file uploads and downloads provide a covert command-and-control channel.
Sekoia researchers noted that each compromised host is represented by a unique GUID-derived folder, indicating potentially dozens of infected systems.
In parallel, BeardShell, an unmanaged C++ backdoor, emerges as the next payload, using the icedrive service for C2 communications. Its entry point, ServiceMain, performs anti-analysis checks and then generates a hardware-profile-based identifier for directory naming on the cloud storage.
Once active, BeardShell instantiates PowerShell sessions via embedded CLR initialization routines, executing JSON-formatted commands such as:
// Create PowerShell instance (cmd_id=1)
{"task_id":0,"cmd_id":1,"data":{}}
// Execute SystemInfo (cmd_id=2)
{"task_id":0,"cmd_id":2,"data":{"id":0,"cmd":"SystemInfo"}}
These commands and their results are encrypted with ChaCha20-Poly1305, masqueraded as benign image files (e.g., with .tiff headers), and uploaded back to the icedrive root directory. The alternating use of the legitimate cloud services Koofr and icedrive underscores the adversary’s emphasis on detection evasion and operational flexibility.
Infection Mechanism and Persistence
At the heart of this attack is a two-pronged persistence technique. The VBA macro’s registry modifications guarantee code execution at startup, while the second-stage DLL’s COM hijack ensures seamless proxying of legitimate printing functionality, masking its presence.
By splitting payload delivery between Office macros, COM hijacking, steganographic shellcode extraction, and legitimate cloud APIs, APT28 achieves a robust, multi-layered foothold.
Detection engineers are advised to monitor unexpected COM registrations under high-privilege CLSIDs and inspect anomalous PNG or TIFF files in AppData directories for hidden payloads.
With this campaign’s reuse of open-source frameworks and novel steganography, defenders must adapt by correlating code-signing anomalies, registry tampering, and cloud API traffic to intercept future intrusions.
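The LSB-in-PNG extraction described earlier and the advice to inspect PNG files in AppData suggest a first-pass triage check for a suspect image. The following is an added example, not Sekoia's or the article's code: it runs the pairs-of-values chi-square test over an RGB pixel buffer, and the palette, dimensions and RNG seed are constructed sample data, with a randomised LSB plane standing in for an embedded payload.

```python
"""Pairs-of-values chi-square check for LSB-plane payloads in an RGB pixel buffer."""
import random


def lsb_pairs_chi_square(pixels: bytes) -> tuple[float, int]:
    """Westfeld/Pfitzmann pairs-of-values test on 8-bit samples.

    LSB embedding only moves a sample between the two values of its pair
    (2k, 2k+1), so a random-looking payload drives both counts toward equality.
    Returns (chi_square, occupied_pairs); chi_square / occupied_pairs sits near
    1 for an LSB plane full of payload bits and far above 1 for an untouched
    image whose histogram is uneven within pairs.
    """
    counts = [0] * 256
    for v in pixels:
        counts[v] += 1
    chi_square, pairs = 0.0, 0
    for k in range(128):
        even, odd = counts[2 * k], counts[2 * k + 1]
        if even + odd == 0:
            continue
        pairs += 1
        chi_square += (even - odd) ** 2 / (even + odd)
    return chi_square, pairs


def lsb_plane_suspicious(pixels: bytes, ratio_threshold: float = 4.0) -> bool:
    """Flag a buffer whose pair counts are as balanced as a random payload leaves them."""
    chi_square, pairs = lsb_pairs_chi_square(pixels)
    return pairs > 0 and chi_square / pairs < ratio_threshold


# Constructed 64x64 RGB sample: a few flat colour blocks, like a small icon.
PALETTE = [(0x1E, 0x3A, 0x5F), (0xF2, 0xC1, 0x2E), (0xFF, 0xFF, 0xFF), (0x3C, 0x3C, 0x3C)]
WIDTH = HEIGHT = 64


def clean_sample() -> bytes:
    out = bytearray()
    for y in range(HEIGHT):
        for x in range(WIDTH):
            out.extend(PALETTE[(x // 16 + y // 32) % len(PALETTE)])
    return bytes(out)


def lsb_randomised_sample(seed: int = 7) -> bytes:
    """Simulate a hidden payload: overwrite every LSB with a seeded random bit (constructed)."""
    rng = random.Random(seed)
    return bytes((v & 0xFE) | rng.getrandbits(1) for v in clean_sample())
```

On a real sample, feed it the decoded RGB bytes, for instance Image.open(path).convert("RGB").tobytes() with Pillow; a ratio near 1 on a small, flat icon is a strong signal, whereas photographs have noisier LSB planes and are better checked region by region.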