APT28 Exploits Signal Messenger to Deploy BEARDSHELL and COVENANT Malware in Ukraine

In a recent cyber espionage campaign, the Russian state-sponsored group APT28, also known as Fancy Bear, has been targeting Ukrainian government entities by leveraging the Signal messaging platform to distribute two previously undocumented malware strains: BEARDSHELL and COVENANT. ([thehackernews.com](https://thehackernews.com/2025/06/apt28-uses-signal-chat-to-deploy.html?utm_source=openai))

Attack Overview

The campaign begins with APT28 sending phishing messages via Signal, containing a malicious Microsoft Word document titled `Акт.doc` (translated as `Act.doc`). This document is crafted to appear as an official administrative form, increasing the likelihood that recipients will open it. Upon opening the document and enabling macros, the embedded code initiates a multi-stage infection process. ([thehackernews.com](https://thehackernews.com/2025/06/apt28-uses-signal-chat-to-deploy.html?utm_source=openai))

Infection Chain

1. Macro Execution: The macro drops two files onto the victim’s system: a DLL file named `ctec.dll` and a PNG image file named `windows.png`. ([thehackernews.com](https://thehackernews.com/2025/06/apt28-uses-signal-chat-to-deploy.html?utm_source=openai))

2. Registry Modification: The macro modifies the Windows Registry to ensure that the malicious DLL is loaded upon the next startup of Windows Explorer (`explorer.exe`). ([thehackernews.com](https://thehackernews.com/2025/06/apt28-uses-signal-chat-to-deploy.html?utm_source=openai))

3. Shellcode Execution: When the system is restarted, the DLL is executed, which extracts and runs shellcode hidden within the PNG file. This technique, known as steganography, allows the attackers to conceal malicious code within seemingly innocuous image files. ([thehackernews.com](https://thehackernews.com/2025/06/apt28-uses-signal-chat-to-deploy.html?utm_source=openai))

4. COVENANT Deployment: The shellcode loads the COVENANT framework into memory. COVENANT is an open-source, .NET-based command-and-control (C2) framework commonly used for post-exploitation activities. ([thehackernews.com](https://thehackernews.com/2025/06/apt28-uses-signal-chat-to-deploy.html?utm_source=openai))

5. BEARDSHELL Installation: COVENANT then downloads and executes the BEARDSHELL backdoor, a custom C++ malware that provides the attackers with extensive control over the compromised system. ([thehackernews.com](https://thehackernews.com/2025/06/apt28-uses-signal-chat-to-deploy.html?utm_source=openai))
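Step 3 above describes shellcode carried inside a PNG image. The article does not say how the payload was embedded in `windows.png`, so the following added example (written for this page, not code from the report or from any of the tooling named in it) checks the structural places a PNG offers for hiding foreign bytes: data appended after the `IEND` chunk, chunk types that are not part of the PNG specification, and chunks whose CRC does not match their contents. The `build_minimal_png` helper only constructs sample images so the scanner can be run offline; the chunk name `shLL` in the usage section is a made-up placeholder.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Chunk types defined by the PNG specification. Anything outside this set is
# legal (the format allows private chunks) but worth a second look in a file
# that arrived as an attachment next to a DLL.
STANDARD_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
    b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
    b"sPLT", b"tIME", b"eXIf",
}


def scan_png(data: bytes) -> dict:
    """Walk the chunk chain and report structural anomalies.

    Returns {"valid": bool, "findings": [str], "trailing_bytes": int}.
    A clean image yields an empty findings list.
    """
    if not data.startswith(PNG_SIGNATURE):
        return {"valid": False, "findings": ["bad PNG signature"], "trailing_bytes": 0}

    findings = []
    pos = len(PNG_SIGNATURE)
    saw_iend = False
    while pos + 8 <= len(data) and not saw_iend:
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if pos + 12 + length > len(data):
            findings.append(f"truncated chunk {ctype!r} at offset {pos}")
            break
        body = data[pos + 8:pos + 8 + length]
        crc_stored = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])[0]
        if zlib.crc32(ctype + body) != crc_stored:
            findings.append(f"CRC mismatch in chunk {ctype!r} at offset {pos}")
        if ctype not in STANDARD_CHUNKS:
            findings.append(f"non-standard chunk {ctype!r} ({length} bytes) at offset {pos}")
        if ctype == b"IEND":
            saw_iend = True
        pos += 12 + length

    trailing = len(data) - pos if saw_iend else 0
    if trailing:
        # Viewers stop at IEND, so bytes after it never affect rendering:
        # the classic place to park a blob that a loader later reads back.
        findings.append(f"{trailing} bytes appended after IEND")
    if not saw_iend:
        findings.append("no IEND chunk")
    return {"valid": True, "findings": findings, "trailing_bytes": trailing}


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialise one chunk: length, type, body, CRC over type+body."""
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


def build_minimal_png(extra_chunks=(), trailer: bytes = b"") -> bytes:
    """Constructed 1x1 greyscale PNG used only as sample input for the scanner."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit grey
    raw_scanline = b"\x00\x00"  # filter byte followed by one pixel
    png = PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw_scanline))
    for ctype, body in extra_chunks:
        png += _chunk(ctype, body)
    return png + _chunk(b"IEND", b"") + trailer


if __name__ == "__main__":
    # Constructed samples: a clean image, one with 64 bytes after IEND, and
    # one carrying a made-up private chunk named "shLL".
    for label, sample in [
        ("clean", build_minimal_png()),
        ("appended", build_minimal_png(trailer=b"\x90" * 64)),
        ("private chunk", build_minimal_png(extra_chunks=[(b"shLL", b"\xcc" * 16)])),
    ]:
        print(label, scan_png(sample)["findings"])
```

The scanner is structural only: a payload hidden in pixel data (least-significant-bit encoding, for example) passes these checks, so treat an empty findings list as "nothing obvious" rather than "clean", and pair it with the host-side telemetry that shows which process wrote the image and which process later read it.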

BEARDSHELL Capabilities

BEARDSHELL is a sophisticated backdoor that enables the following functionalities:

– PowerShell Script Execution: It can download, decrypt, and execute PowerShell scripts, allowing for dynamic code execution and system manipulation. ([thehackernews.com](https://thehackernews.com/2025/06/apt28-uses-signal-chat-to-deploy.html?utm_source=openai))

– Data Exfiltration: The malware uses the Icedrive API to exfiltrate data from the infected system to the attackers’ command-and-control servers. ([thehackernews.com](https://thehackernews.com/2025/06/apt28-uses-signal-chat-to-deploy.html?utm_source=openai))

– Persistence Mechanisms: BEARDSHELL employs COM hijacking and scheduled tasks to maintain persistence on the compromised host, ensuring that the attackers retain access even after system reboots. ([thehackernews.com](https://thehackernews.com/2025/06/apt28-uses-signal-chat-to-deploy.html?utm_source=openai))
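The infection chain (an Office macro dropping a DLL, a registry change that makes Explorer load it, COM hijacking and scheduled tasks for persistence) leaves footprints that ordinary endpoint telemetry records. The following added example, written for this page rather than taken from the report or from any EDR product, runs three such checks over constructed Sysmon-style events in JSON-lines form: an Office process writing a DLL or executable into the user profile (Event ID 11), a per-user `CLSID\...\InprocServer32` value being pointed at a DLL outside the Windows or Program Files trees (Event ID 13, the shape of a per-user COM hijack in general; the article does not give the exact key this campaign used), and `schtasks /create` registering a task that runs something from the user profile (Event ID 1). All paths, SIDs, the all-zero CLSID and the task name are placeholders; the file names `ctec.dll` and `windows.png` are the ones the article reports.

```python
import json
import re

# Constructed Sysmon-style events for the example. Real Sysmon records carry
# many more fields; only the ones the rules need are included here.
SAMPLE_EVENTS = r'''
{"EventID": 11, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\ctec.dll"}
{"EventID": 11, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\windows.png"}
{"EventID": 13, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Classes\\CLSID\\{00000000-0000-0000-0000-000000000000}\\InprocServer32\\(Default)", "Details": "C:\\Users\\alice\\AppData\\Local\\Temp\\ctec.dll"}
{"EventID": 13, "Image": "C:\\Windows\\System32\\msiexec.exe", "TargetObject": "HKLM\\Software\\Classes\\CLSID\\{11111111-2222-3333-4444-555555555555}\\InprocServer32\\(Default)", "Details": "C:\\Program Files\\Vendor\\vendor.dll"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "schtasks /create /sc onlogon /tn Updater /tr C:\\Users\\alice\\AppData\\Roaming\\u.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe"}
'''

OFFICE_PROCESSES = ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE")
# DLLs legitimately registered for COM normally live under these roots.
TRUSTED_DLL_ROOTS = ("C:\\Windows\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\")
# Per-user (HKU\<SID>) CLSID registrations shadow the machine-wide ones in HKLM,
# which is what makes them attractive for hijacking.
COM_INPROC_RE = re.compile(
    r"^HKU\\[^\\]+\\Software\\Classes\\CLSID\\\{[0-9A-Fa-f-]+\}\\InprocServer32",
    re.IGNORECASE,
)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].upper()


def evaluate(event: dict) -> list:
    """Return the names of every rule the event matches (empty list if none)."""
    hits = []
    eid = event.get("EventID")
    image = _basename(event.get("Image", ""))

    # Rule 1: an Office application writing a DLL/EXE into the user profile.
    # (PNG writes are deliberately excluded: Word writes images to Temp all day.)
    if eid == 11 and image in OFFICE_PROCESSES:
        target = event.get("TargetFilename", "")
        if target.lower().endswith((".dll", ".exe")) and "\\appdata\\" in target.lower():
            hits.append("office-drops-payload")

    # Rule 2: per-user InprocServer32 pointing at a DLL outside trusted roots.
    if eid == 13:
        key = event.get("TargetObject", "")
        value = event.get("Details", "")
        if COM_INPROC_RE.match(key) and not value.startswith(TRUSTED_DLL_ROOTS):
            hits.append("per-user-com-hijack")

    # Rule 3: scheduled task created to run something from the user profile.
    if eid == 1 and image == "SCHTASKS.EXE":
        cmd = event.get("CommandLine", "").lower()
        if "/create" in cmd and "\\appdata\\" in cmd:
            hits.append("scheduled-task-from-user-profile")

    return hits


def scan_log(text: str) -> list:
    """Parse JSON-lines events and return (rule_name, event) pairs in log order."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        for rule in evaluate(event):
            alerts.append((rule, event))
    return alerts


if __name__ == "__main__":
    for rule, event in scan_log(SAMPLE_EVENTS):
        print(f"{rule:35s} {event.get('Image')}")
```

Each rule on its own is noisy in a large estate (installers register COM servers, admins create tasks); the value is in correlating them on one host within a short window, which the shared `Image` and user fields make straightforward once the events are in a SIEM.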

COVENANT Framework

COVENANT serves as a modular platform for post-exploitation activities, providing a range of capabilities, including:

– Command Execution: It allows for the execution of arbitrary commands on the infected system.

– Credential Harvesting: The framework can be used to extract credentials stored on the system, facilitating further access to network resources.

– Lateral Movement: COVENANT enables attackers to move laterally within a network, compromising additional systems.

Exploitation of Signal Messenger

While Signal is renowned for its end-to-end encryption and security features, APT28’s use of the platform in this campaign highlights a strategic shift in attack vectors. By leveraging a trusted communication channel, the attackers increase the likelihood of their phishing messages being opened and acted upon. It’s important to note that this exploitation does not indicate a vulnerability within Signal itself but rather the misuse of the platform to deliver malicious content. ([thehackernews.com](https://thehackernews.com/2025/06/apt28-uses-signal-chat-to-deploy.html?utm_source=openai))

Attribution to APT28

APT28, also known by aliases such as Fancy Bear and STRONTIUM, is a cyber espionage group linked to Russia’s military intelligence agency, the GRU. The group’s activities have been well-documented, with a history of targeting government entities, military organizations, and political institutions. Their tactics often involve spear-phishing campaigns, exploitation of zero-day vulnerabilities, and the deployment of custom malware. ([en.wikipedia.org](https://en.wikipedia.org/wiki/Fancy_Bear?utm_source=openai))

Mitigation Recommendations

To defend against such sophisticated attacks, organizations are advised to implement the following measures:

– User Education: Train employees to recognize phishing attempts, especially those delivered through trusted platforms like Signal.

– Macro Policies: Disable macros in Microsoft Office documents by default and only enable them for trusted documents.

– Endpoint Detection: Deploy advanced endpoint detection and response (EDR) solutions to identify and mitigate malicious activities.

– Network Monitoring: Monitor network traffic for unusual patterns, such as unexpected communications with cloud storage services like Icedrive and Koofr.

– Regular Updates: Keep all software and systems updated to patch known vulnerabilities that could be exploited by attackers.
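The network-monitoring recommendation above is easiest to act on when egress to consumer cloud storage is measured per host rather than eyeballed. The following added example, written for this page and not taken from the report, reads a constructed proxy log in CSV form, skips destinations on an approved-storage list, matches the rest against keyword patterns for the providers named in the article, and totals upload bytes (POST/PUT) per host and provider so that a workstation pushing a large volume to an unsanctioned service stands out. The hostnames `app.icedrive.net`, `app.koofr.net` and `sharepoint.example.org`, the workstation names and the byte counts are all made up, and the keyword-to-provider mapping is an assumption to be replaced with the hostnames seen in your own DNS and proxy data.

```python
import csv
import io
from collections import defaultdict

# Keyword patterns for providers to watch. These are assumptions for the
# example; populate them from your own DNS/proxy observations.
WATCHED_STORAGE = {"icedrive": "Icedrive", "koofr": "Koofr"}
# Hypothetical approved storage that should never raise an alert.
SANCTIONED_HOSTS = {"sharepoint.example.org"}
# Upload volume above which an alert is rated high (tune to your baseline).
UPLOAD_HIGH_BYTES = 1_000_000

# Constructed proxy log lines.
SAMPLE_PROXY_LOG = """\
ts,src_host,dest_host,method,bytes_out
2025-06-23T09:01:00Z,ws-042,app.icedrive.net,POST,524288
2025-06-23T09:02:30Z,ws-042,app.icedrive.net,POST,786432
2025-06-23T09:05:10Z,ws-017,www.example.org,GET,512
2025-06-23T09:06:45Z,ws-088,app.koofr.net,PUT,20480
2025-06-23T09:07:00Z,ws-088,app.koofr.net,GET,0
2025-06-23T09:08:00Z,ws-017,sharepoint.example.org,PUT,4194304
"""


def provider_for(dest_host: str):
    """Map a destination hostname to a watched provider name, or None."""
    host = dest_host.lower()
    if host in SANCTIONED_HOSTS:
        return None
    for keyword, name in WATCHED_STORAGE.items():
        if keyword in host:
            return name
    return None


def analyse(log_text: str) -> list:
    """Aggregate uploads to unsanctioned storage per (host, provider).

    Returns a list of alert dicts sorted by host then provider. A host that
    merely contacted a watched provider without uploading still appears, with
    bytes_out 0 and severity "low", because first contact is itself a signal.
    """
    uploads = defaultdict(int)
    for row in csv.DictReader(io.StringIO(log_text)):
        provider = provider_for(row["dest_host"])
        if provider is None:
            continue
        key = (row["src_host"], provider)
        uploads[key] += int(row["bytes_out"]) if row["method"].upper() in ("POST", "PUT") else 0

    alerts = []
    for (src_host, provider), total in sorted(uploads.items()):
        alerts.append({
            "src_host": src_host,
            "provider": provider,
            "bytes_out": total,
            "severity": "high" if total >= UPLOAD_HIGH_BYTES else "low",
        })
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_PROXY_LOG):
        print(alert)
```

Because the article notes that BEARDSHELL talks to the Icedrive API rather than to an attacker-owned server, a pure reputation feed will not flag this traffic; the per-host volume view, combined with an allow-list of the storage services the organisation actually uses, is what turns legitimate-looking cloud traffic into an actionable alert.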

Conclusion

The APT28 campaign targeting Ukrainian government entities via Signal messenger underscores the evolving tactics of state-sponsored threat actors. By exploiting trusted communication platforms and deploying sophisticated malware like BEARDSHELL and COVENANT, these attackers demonstrate a high level of adaptability and persistence. Organizations must remain vigilant, continuously updating their security postures to defend against such advanced threats.