The Russian hacking group APT28, also tracked under aliases such as Fancy Bear and Sednit, has been using malware named BEARDSHELL and COVENANT to spy on Ukrainian military forces. The campaign, which has been running since April 2024, was detailed in a recent report by ESET, a Slovak cybersecurity firm.
Background on APT28’s Espionage Tactics
APT28, a group attributed to Russia's military intelligence agency, the GRU, has a long record of deploying purpose-built cyber tools. In this campaign, BEARDSHELL and COVENANT serve as the implants that give the operators durable, long-term access to compromised machines. They are complemented by SLIMAGENT, a collection tool that performs keylogging, captures screenshots and harvests clipboard contents; SLIMAGENT was first documented by CERT-UA in mid-2025.
SLIMAGENT shares its lineage with XAgent, a tool APT28 has used in earlier espionage operations. ESET's analysis points to code similarities, particularly in the keylogging routines, with XAgent samples dating back as far as 2014. This indicates incremental evolution of APT28's existing code base rather than a rewrite from scratch, which is why older detection logic for XAgent behaviour can still be worth revisiting.
Technical Insights into BEARDSHELL and SLIMAGENT
BEARDSHELL is built to execute PowerShell commands on compromised systems and uses the legitimate Icedrive cloud storage service as its command-and-control channel, so its traffic is directed at a widely used cloud provider rather than at attacker-owned infrastructure. A distinguishing feature of the tool is its use of opaque predicates, an obfuscation technique in which conditional branches always resolve the same way at runtime but are hard for static analysis to evaluate; the same technique appears in XTunnel, a tool APT28 used in notable past intrusions.
The connection between SLIMAGENT and XAgent is further supported by their shared logging format: both record captured data as HTML, with colour coding that distinguishes the different kinds of collected data. This is a code-lineage indicator rather than an evasion technique; it shows that the collection and exfiltration components were inherited and maintained across tool generations.
COVENANT’s Role and Strategic Adaptations
COVENANT, a modified build of the open-source .NET post-exploitation framework of the same name, has used the Filen cloud storage service for command-and-control since July 2025. As with BEARDSHELL's use of Icedrive, routing C2 through a legitimate cloud storage provider lets the traffic blend in with ordinary user activity and defeats blocklists built around attacker-controlled domains; defenders therefore need to look at which hosts talk to such services, with what client, and how regularly, rather than at the destination alone.
ESET's report highlights how APT28's practice of modifying open-source tooling such as COVENANT lets it slip past signature-based detections written for the stock framework, keeping the group effective in long-running espionage. Its use of two implants side by side, as seen in earlier operations, gives it a fallback if one is discovered and removed, and underscores its tactical flexibility and persistence.
These developments show that the threat to Ukraine, and potentially to other nations, persists as APT28's tools and techniques evolve. Understanding and countering such threats remains critical to national security and to global cyber defence strategies.
