Ethical Hacking News
APT28 Uses Advanced Malware to Conduct Long-Term Surveillance on Ukrainian Military Personnel
APT28 (also known as Blue Athena or Fancy Bear) has been using the BEARDSHELL and COVENANT malware families to conduct long-term surveillance on Ukrainian military personnel since April 2024. The group's arsenal also includes SLIMAGENT, a tool that logs keystrokes, captures screenshots, and collects clipboard data. SLIMAGENT has its roots in XAgent, another implant APT28 used in the 2010s for remote control and data exfiltration. The toolkit has been heavily modified to support long-term espionage, with COVENANT and SLIMAGENT demonstrating the group's expertise and adaptability, and the rare obfuscation technique shared across its implants highlights APT28's sophistication and ability to evade detection.
The world of cybersecurity is constantly evolving, with new threats emerging every day. Recently there has been a notable increase in nation-state-sponsored hacking groups using malware to spy on government officials, military personnel, and other high-profile targets. One such group, APT28, also known as Blue Athena or Fancy Bear, has come under scrutiny for its use of the BEARDSHELL and COVENANT malware families to conduct long-term surveillance on Ukrainian military personnel.
According to a recent report by ESET, a Slovak cybersecurity company, APT28 has been using these two malware families since April 2024. The report states that the group's arsenal consists of BEARDSHELL and COVENANT together with a third program, codenamed SLIMAGENT, that is capable of logging keystrokes, capturing screenshots, and collecting clipboard data. This underlines the sophistication and expertise of APT28, a nation-state actor affiliated with Unit 26165 of the Russian Federation's military intelligence agency, the GRU.
SLIMAGENT was first publicly documented by the Computer Emergency Response Team of Ukraine (CERT-UA) in June 2025. ESET's report notes that SLIMAGENT has its roots in XAgent, another implant APT28 used in the 2010s for remote control and data exfiltration. The link is based on code similarities between SLIMAGENT and previously unknown samples deployed in attacks against governmental entities in two European countries as far back as 2018.
The report further states that ESET's analysis uncovered overlaps in keylogging functionality between SLIMAGENT and an XAgent sample detected in the wild in late 2014. "SLIMAGENT emits its espionage logs in the HTML format, with the application name, the logged keystrokes, and the window name in blue, red, and green, respectively," ESET said. "The XAgent keylogger also produces HTML logs using the same color scheme." The shared log format points to a common lineage and shows that APT28 has long fielded malware capable of capturing sensitive data from its targets.
A third major piece of the threat actor's toolkit is COVENANT, an open-source .NET post-exploitation framework that has been "heavily" modified to support long-term espionage and to implement a new cloud-based network protocol that has abused the Filen cloud storage service for C2 since July 2025. Previously, APT28's COVENANT variant was said to have used pCloud (in 2023) and Koofr (in 2024-2025). According to ESET, these adaptations show that Sednit developers acquired deep expertise in Covenant, an implant whose official development ceased in April 2021 and which may therefore have been considered unused by defenders.
"The shared use of this rare obfuscation technique, combined with its colocation with SLIMAGENT, leads us to assess with high confidence that BEARDSHELL is part of Sednit's custom arsenal," ESET added. This is not the first time the threat actor has embraced a dual-implant strategy. In 2021, Trellix revealed that APT28 deployed Graphite, a backdoor that employed OneDrive for C2, alongside PowerShell Empire in attacks targeting high-ranking government officials overseeing national security policy and individuals in the defense sector in Western Asia.
The implications of this report are significant, as they highlight the level of sophistication and expertise possessed by APT28. The use of BEARDSHELL and COVENANT malware to conduct long-term surveillance on Ukrainian military personnel demonstrates the group's ability to develop highly advanced tools that can evade detection. This is a stark reminder of the ongoing threat posed by nation-state actors in the world of cybersecurity.
The toolkit has been heavily modified to support long-term espionage, as COVENANT and SLIMAGENT show. According to ESET, these modifications demonstrate that Sednit developers have acquired deep knowledge of Covenant, an implant whose official development ceased in April 2021. The shared use of the same rare obfuscation technique, together with its colocation with SLIMAGENT, leads ESET to assess with high confidence that BEARDSHELL is part of Sednit's custom arsenal.
The fact that APT28 has been using these two malware families since April 2024 highlights the group's persistence and adaptability, and COVENANT's switch to a cloud-based protocol that abuses the Filen cloud storage service for C2, in use since July 2025, shows its willingness to experiment with new techniques. As the 2021 Graphite and PowerShell Empire campaign shows, this is also not the first time APT28 has paired two implants in attacks against high-ranking government officials.
In conclusion, the report provides valuable insight into the tactics, techniques, and procedures (TTPs) employed by APT28, and a reminder of the ongoing threat posed by nation-state actors.
This information highlights the ongoing threat posed by nation-state actors in the world of cybersecurity. As APT28 continues to adapt and evolve, it is essential for cybersecurity professionals to stay vigilant and keep pace with the latest threats. The use of advanced malware like BEARDSHELL and COVENANT underscores the need for robust security measures and a strong defense strategy.
In the future, we can expect to see more sophisticated attacks from APT28 and other nation-state actors. As such, it is crucial that cybersecurity professionals remain proactive in identifying and mitigating these threats. By staying informed about the latest developments and TTPs employed by threat actors like APT28, we can better protect ourselves and our organizations against the ever-evolving landscape of cyber threats.
Related Information:
https://www.ethicalhackingnews.com/articles/APT28s-Sophisticated-Espionage-Tactics-Unpacking-the-BEARDSHELL-and-COVENANT-Malware-Implications-ehn.shtml
https://thehackernews.com/2026/03/apt28-uses-beardshell-and-covenant.html
https://vulners.com/thn/THN:1B8324488DAF3C6D08D80E3E532937AC
Published: Tue Mar 10 08:41:00 2026 by llama3.2 3B Q4_K_M