APT28 Employs BEARDSHELL and COVENANT Malware in Ongoing Espionage Against Ukrainian Military
- Mar 11
Key Findings
APT28, a Russian state-sponsored hacking group, has been observed using a pair of custom malware implants called BEARDSHELL and COVENANT for long-term surveillance of Ukrainian military personnel since April 2024.
The two malware families show that the group continues to develop advanced custom tooling for its espionage operations.
BEARDSHELL is a C++ backdoor that downloads and executes PowerShell scripts, sending results via the Icedrive cloud storage service.
SLIMAGENT, another implant linked to APT28, has evolved from the group's earlier XAgent keylogger and shares strong code similarities with it.
COVENANT, an open-source .NET post-exploitation framework, has been heavily modified by APT28 to support long-term espionage and leverage cloud services like Filen for command-and-control.
Background
APT28, also known as Fancy Bear, is a prolific Russian state-sponsored hacking group affiliated with the GRU, Russia's military intelligence agency.
The group has targeted governments, militaries, and security organizations worldwide since at least 2007.
APT28 was involved in the 2016 attacks on the U.S. Democratic National Committee (DNC) and has a long history of sophisticated cyber espionage operations.
BEARDSHELL Backdoor
BEARDSHELL is a C++ backdoor that can download and execute PowerShell scripts, sending the results back to the attacker via the Icedrive cloud storage service.
On each infected machine the malware creates a folder whose name is derived from system identifiers, and it uses that folder to maintain persistence.
BEARDSHELL employs an obfuscation technique the researchers describe as rare, the "opaque predicate" (a conditional branch whose outcome is fixed at build time but is not evident to static analysis, so disassemblers follow dead paths). The same technique has also been observed in XTunnel, a tool APT28 used in the 2016 DNC hack.
SLIMAGENT Keylogger
SLIMAGENT is another implant linked to APT28, capable of capturing screenshots, logging keystrokes, and collecting clipboard data.
Analysis shows that SLIMAGENT has evolved from the group's earlier XAgent keylogger, with strong code similarities, including identical keylogging logic and HTML-based logging.
The SLIMAGENT samples deployed in 2024 exhibit additional features, such as data encryption, compared to the 2018 samples, indicating the group's continued development efforts.
COVENANT Framework
COVENANT is an open-source .NET post-exploitation framework that has been heavily modified by APT28 to support long-term espionage operations.
The group has adapted COVENANT to use cloud storage services such as Filen for command-and-control communications, demonstrating its expertise in leveraging and customizing publicly available tools.
The COVENANT variant used by APT28 has been in use since at least 2023, and the group has relied on it successfully for several years, particularly in operations targeting Ukrainian organizations.
Sources
https://thehackernews.com/2026/03/apt28-uses-beardshell-and-covenant.html
https://securityaffairs.com/189230/apt/apt28-conducts-long-term-espionage-on-ukrainian-forces-using-custom-malware.html
https://www.reddit.com/r/SecOpsDaily/comments/1rpv2im/apt28_uses_beardshell_and_covenant_malware_to_spy/
https://x.com/CSec88/status/2031363112746758432
https://x.com/TheCyberSecHub/status/2031336854885380296
https://www.linkedin.com/posts/dlross_apt28-uses-beardshell-and-covenant-malware-activity-7437240894883532800-Cja1