Ethical Hacking News
APT28 has been conducting long-term espionage on Ukrainian forces using custom malware, highlighting the growing threat landscape in the cyber world. This latest revelation underscores the importance of staying informed about emerging risks and taking proactive steps to protect oneself against evolving cyber threats.
APT28 (UAC-0001, Fancy Bear) has been conducting long-term espionage on Ukrainian forces using custom-made malware. The group's toolkit centers on two implants, BEARDSHELL and COVENANT, each using a different cloud provider for resilience. APT28's ability to adapt and evolve its tooling is evident in its continued use of the Covenant framework even though that framework's development officially ended in 2021. Both implants are stealthy and rely on cloud services for command-and-control communications. The group reuses and adapts existing malware tools, showing a lack of innovation despite changes over time.
In a recent development that has sent shockwaves throughout the cybersecurity community, it has been revealed that APT28, also known as UAC-0001, Fancy Bear, Pawn Storm, Sednit, BlueDelta, and STRONTIUM, has been conducting long-term espionage on Ukrainian forces using custom-made malware. This latest revelation is a stark reminder of the ever-evolving nature of cyber threats and the importance of staying vigilant in the face of emerging risks.
According to reports by cybersecurity firm ESET, APT28 has developed a sophisticated toolkit centered around two paired implants, BeardShell and Covenant, each leveraging a different cloud provider for resilience. This dual-implant approach has enabled long-term surveillance of Ukrainian military personnel, with the group's advanced development team demonstrating an impressive level of expertise in the Covenant framework.
The use of custom malware by APT28 is a testament to the group's ability to adapt and evolve over time. Despite the official end of the Covenant framework's development in 2021, APT28 has successfully adapted and reused the tool for several years, particularly in espionage operations targeting Ukrainian organizations. This suggests that Sednit's developers remain fully capable of producing advanced custom implants.
One of the key tools used by APT28 is BEARDSHELL, a malware designed to download, decrypt, and run PowerShell scripts, sending results via the Icedrive API. It creates a unique folder for each infected machine, named from that machine's system identifiers, which helps it stay stealthy. Another tool, COVENANT, has been heavily modified to support long-term espionage and uses cloud services such as Filen for command-and-control communications.
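Because both implants hide their command-and-control inside ordinary cloud-storage traffic, a practical defensive check is to count, per source host, requests to the storage providers the article names. The following detection pass over proxy logs is an added example, not code from ESET or the article; the log layout, the sample lines and the provider hostnames (icedrive.net, filen.io) are assumptions to adapt to your own telemetry.

```python
import re
from collections import defaultdict

# Assumption: public hostnames of the two storage providers named in the
# article, labelled with the implant the article pairs each one with.
WATCHED_SUFFIXES = {
    "icedrive.net": "Icedrive (BEARDSHELL tasking/results)",
    "filen.io": "Filen (modified COVENANT C2)",
}

# Constructed proxy-log layout: "<timestamp> <src_host> <method> <dest_host> <bytes>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<dst>\S+) (?P<bytes>\d+)$")

def match_provider(dest_host):
    """Return the provider label if dest_host is a watched domain or a subdomain of it."""
    host = dest_host.lower().rstrip(".")
    for suffix, label in WATCHED_SUFFIXES.items():
        if host == suffix or host.endswith("." + suffix):
            return label
    return None

def find_cloud_c2(lines, min_hits=2):
    """Return {src_host: {provider_label: request_count}} for hosts whose
    requests to watched providers reach min_hits.  A single request may be
    an employee's personal account; repeated traffic from a host with no
    sanctioned use of the service is what merits triage."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip it rather than abort the batch
        label = match_provider(m.group("dst"))
        if label:
            hits[m.group("src")][label] += 1
    return {src: dict(p) for src, p in hits.items() if sum(p.values()) >= min_hits}

# Constructed sample lines, not real telemetry.
SAMPLE_LOG = [
    "2026-03-09T08:00:01 ws-17 GET api.icedrive.net 512",
    "2026-03-09T08:05:02 ws-17 PUT api.icedrive.net 2048",
    "2026-03-09T08:10:03 ws-17 GET api.icedrive.net 480",
    "2026-03-09T08:11:00 ws-42 GET gateway.filen.io 300",
    "2026-03-09T08:12:00 ws-42 POST gateway.filen.io 900",
    "2026-03-09T08:13:00 ws-03 GET www.example.com 1200",
    "2026-03-09T08:14:00 ws-09 GET filen.io 150",
    "not a proxy line",
]
```

Hosts that legitimately use one of these services should be placed on an allow-list before alerting; the threshold and suffix list are the two knobs to tune.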
The use of BEARDSHELL and COVENANT by APT28 is particularly noteworthy because of the strong code similarities between these tools and their predecessors. For example, SLIMAGENT, a keylogger developed by APT28 in 2018, shares identical keylogging logic with its modern counterpart. This suggests that, despite changes over time, the group continues to reuse and adapt existing malware tools.
The impact of this revelation cannot be overstated. The use of custom-made malware by APT28 underscores the growing threat landscape in the cyber world and highlights the importance of staying informed about emerging risks. As cybersecurity threats continue to evolve, it is essential that organizations and individuals alike take proactive steps to protect themselves against these ever-emerging threats.
In conclusion, APT28's long-running espionage against Ukrainian forces using custom malware is a stark reminder of the need for vigilance in the face of emerging risks: stay informed about new threats and take proactive steps to defend against them as they continue to evolve.
Related Information:
https://www.ethicalhackingnews.com/articles/APT28-Conducts-Long-term-Espionage-on-Ukrainian-Forces-Using-Custom-Malware-ehn.shtml
https://securityaffairs.com/189230/apt/apt28-conducts-long-term-espionage-on-ukrainian-forces-using-custom-malware.html
https://thehackernews.com/2026/03/apt28-uses-beardshell-and-covenant.html
https://www.bleepingcomputer.com/news/security/apt28-hackers-deploy-customized-variant-of-covenant-open-source-tool/
https://en.wikipedia.org/wiki/Fancy_Bear
https://cybersecuritynews.com/fancy-bear-hackers-attacking-governments/
https://www.trendmicro.com/en_us/research/24/a/pawn-storm-uses-brute-force-and-stealth.html
https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/
https://attack.mitre.org/groups/G0007/
https://www.bitdefender.com/en-us/blog/hotforsecurity/apt28-hackers-exploit-signal-chats-in-latest-malware-campaign-targeting-ukraine
https://consumer.ftc.gov/articles/malware-how-protect-against-detect-and-remove-it
https://www.virustotal.com/
https://www.picussecurity.com/resource/blog/apt28-cyber-threat-profile-and-detailed-ttps
https://www.crowdstrike.com/en-us/blog/who-is-fancy-bear/
https://www.darkreading.com/vulnerabilities-threats/apt-group-pawn-storm-ratchets-up-attacks
https://www.welivesecurity.com/en/eset-research/sednit-reloaded-back-trenches/
Published: Tue Mar 10 11:36:29 2026 by llama3.2 3B Q4_K_M