APT28’s Advanced Cyber Espionage Tactics: Deploying BEARDSHELL and COVENANT Against Ukrainian Military
The Russian state-sponsored hacking group known as APT28 has been actively deploying two sophisticated malware implants, BEARDSHELL and COVENANT, to conduct prolonged surveillance on Ukrainian military personnel since April 2024. This development underscores the evolving cyber threats faced by Ukraine amid ongoing geopolitical tensions.
APT28: A Persistent Cyber Threat
APT28, also referred to by aliases such as Fancy Bear, Sednit, and Sofacy, is linked to Unit 26165 of Russia’s military intelligence agency, the GRU. The group has a notorious history of cyber espionage, targeting governmental and military entities worldwide.
Introduction of BEARDSHELL and COVENANT
In its latest operations, APT28 has added BEARDSHELL and COVENANT to its malware arsenal:
– BEARDSHELL: This backdoor is capable of executing PowerShell commands on compromised systems. Notably, it utilizes the legitimate cloud storage service Icedrive for command-and-control (C2) communications, complicating detection efforts.
– COVENANT: An open-source .NET post-exploitation framework, COVENANT has been extensively modified by APT28 to support long-term espionage activities. Since July 2025, the group has adapted COVENANT to use the Filen cloud storage service for C2 operations, demonstrating their ability to evolve and exploit various cloud platforms.
SLIMAGENT: A Link to Past Operations
Alongside BEARDSHELL and COVENANT, APT28 continues to employ SLIMAGENT, a tool capable of logging keystrokes, capturing screenshots, and collecting clipboard data. First publicly documented by the Computer Emergency Response Team of Ukraine (CERT-UA) in June 2025, SLIMAGENT shares code similarities with XAgent, an implant used by APT28 in the 2010s for remote control and data exfiltration. This connection suggests a lineage of tools adapted over time to enhance the group’s cyber capabilities.
Obfuscation Techniques and Operational Security
BEARDSHELL employs a distinctive obfuscation method known as opaque predicate, previously observed in XTunnel, a network traversal tool used by APT28 during the 2016 Democratic National Committee hack. This technique complicates code analysis and detection, reflecting the group’s commitment to maintaining operational security and evading defensive measures.
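An opaque predicate is a branch condition whose outcome is fixed for every input, so one side of the branch is dead code that exists only to mislead disassembly and decompilation. The following is an added example, not code from the article, from CERT-UA, or from XTunnel or BEARDSHELL: it shows the analyst-side triage of a candidate condition by evaluating it over word-size edge cases and seeded random inputs, and reports which branch could be discarded. The three predicates are constructed textbook cases (the product n(n+1) is always even, and 4n(n+1) is always a multiple of 8), written with 32-bit wrapping so the check matches what compiled code would compute.

```python
import random

WORD = 32
MASK = (1 << WORD) - 1


def wrap(v):
    """Reduce to unsigned 32-bit arithmetic, as the compiled code would."""
    return v & MASK


# Constructed textbook predicates written the way compiled code computes them
# (wrapping multiplication); not conditions recovered from XTunnel or BEARDSHELL.
def always_true(x):
    return wrap(x * (x + 1)) % 2 == 0        # n(n+1) is even for every integer


def always_false(x):
    return wrap(4 * x * (x + 1)) & 7 == 4    # 4n(n+1) is a multiple of 8, so never 4 mod 8


def data_dependent(x):
    return x & 0x10 != 0                     # a genuine branch on bit 4 of the input


def probe(pred, samples=10000, seed=1234):
    """Evaluate pred on word-size edge cases plus seeded random words.
    Returns (value, None) when every evaluation agreed, otherwise (None, x)
    for the first input whose result differed from the first evaluation."""
    rng = random.Random(seed)
    edge = [0, 1, 2, 3, MASK, MASK - 1, 1 << (WORD - 1), (1 << (WORD - 1)) - 1]
    inputs = edge + [rng.getrandbits(WORD) for _ in range(samples)]
    first = pred(inputs[0])
    for x in inputs[1:]:
        if pred(x) != first:
            return None, x
    return first, None


def classify(pred):
    """Triage verdict for a branch condition. Sampling cannot prove invariance;
    'likely opaque' is the verdict you hand to a solver or a proof to confirm
    before deleting the dead branch from a reconstructed control-flow graph."""
    value, witness = probe(pred)
    if witness is not None:
        return "input-dependent (both branches live, witness %#x)" % witness
    dead = "else" if value else "then"
    return "likely opaque, constant %s: %s-branch is dead" % (value, dead)


if __name__ == "__main__":
    for name, pred in [("always_true", always_true),
                       ("always_false", always_false),
                       ("data_dependent", data_dependent)]:
        print(f"{name:15s} -> {classify(pred)}")
```

The sampling step is deliberately cheap: it separates conditions worth a solver query from ordinary data-dependent branches, which is the bulk of the work when an implant sprinkles such predicates through every function.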
Evolution of Command-and-Control Infrastructure
APT28’s adaptation of COVENANT to utilize different cloud storage services over time—pCloud in 2023, Koofr in 2024-2025, and Filen since July 2025—demonstrates their strategic approach to C2 infrastructure. By leveraging legitimate services, they aim to blend malicious traffic with normal network activity, thereby reducing the likelihood of detection.
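Because the C2 channels described here (Icedrive for BEARDSHELL; pCloud, Koofr and Filen for the modified COVENANT) are legitimate services, the defensive signal is not the destination alone but which process is talking to it and how regularly. The following hunt script is an added example, not code from the article, from CERT-UA, or from any detection product: it parses a constructed proxy-style log format, flags scripting hosts and LOLBins contacting the named providers, and looks for a steady check-in cadence per host, process and provider. The apex domains in the provider table are assumptions about those services and should be confirmed against your own DNS and proxy telemetry; all log lines, host names and paths are constructed.

```python
import re

# Assumed apex domains for the storage services the article names as C2
# channels. Confirm against your own telemetry before relying on them.
CLOUD_STORAGE_DOMAINS = {
    "icedrive.net": "Icedrive",
    "filen.io": "Filen",
    "pcloud.com": "pCloud",
    "koofr.net": "Koofr",
}

# Interpreters and LOLBins from which cloud-storage traffic deserves review;
# the article describes BEARDSHELL as executing PowerShell, hence the first two.
SUSPECT_PROCESSES = {"powershell.exe", "pwsh.exe", "rundll32.exe",
                     "regsvr32.exe", "mshta.exe"}

# Constructed log format (not a real product's schema):
# "<epoch_seconds> host=<name> user=<name> proc=<image path> dst=<fqdn> bytes_out=<n>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+) host=(?P<host>\S+) user=(?P<user>\S+) proc=(?P<proc>\S+) "
    r"dst=(?P<dst>\S+) bytes_out=(?P<bytes_out>\d+)$"
)


def provider_for(dst):
    """Map a destination FQDN to a known storage provider, or None."""
    dst = dst.lower().rstrip(".")
    for domain, name in CLOUD_STORAGE_DOMAINS.items():
        if dst == domain or dst.endswith("." + domain):
            return name
    return None


def parse_line(line):
    """Parse one log line into a record; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = int(rec["ts"])
    rec["bytes_out"] = int(rec["bytes_out"])
    rec["image"] = rec["proc"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    rec["provider"] = provider_for(rec["dst"])
    return rec


def suspect_process_hits(records):
    """Every connection from a suspect interpreter or LOLBin to a storage provider."""
    return [r for r in records if r["provider"] and r["image"] in SUSPECT_PROCESSES]


def beacon_candidates(records, min_count=4, max_spread=30):
    """Per (host, image, provider), flag regular check-ins: at least min_count
    connections whose inter-arrival gaps differ by no more than max_spread
    seconds. Interactive user uploads rarely show such a steady cadence."""
    series = {}
    for r in records:
        if r["provider"]:
            series.setdefault((r["host"], r["image"], r["provider"]), []).append(r["ts"])
    found = []
    for (host, image, provider), times in series.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        spread = max(gaps) - min(gaps)
        if spread <= max_spread:
            found.append({"host": host, "image": image, "provider": provider,
                          "connections": len(times),
                          "mean_gap": sum(gaps) / len(gaps), "spread": spread})
    return found


def hunt(lines):
    """Run both checks over raw log lines; unparseable lines are skipped."""
    records = [r for r in (parse_line(l) for l in lines) if r]
    return {"suspect_process": suspect_process_hits(records),
            "beaconing": beacon_candidates(records)}


# Constructed sample telemetry: WS-07 shows PowerShell checking in with Icedrive
# every 300 s, WS-03 shows a service host contacting Filen on a ~600 s cadence,
# WS-11 is a user uploading one file through a browser, plus one malformed line.
SAMPLE_LOG = """\
1000 host=WS-07 user=jdoe proc=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe dst=icedrive.net bytes_out=812
1300 host=WS-07 user=jdoe proc=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe dst=icedrive.net bytes_out=640
1600 host=WS-07 user=jdoe proc=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe dst=icedrive.net bytes_out=701
1900 host=WS-07 user=jdoe proc=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe dst=icedrive.net bytes_out=655
1200 host=WS-11 user=asmith proc=C:\\Browsers\\chrome.exe dst=www.pcloud.com bytes_out=5200000
1500 host=WS-11 user=asmith proc=C:\\Browsers\\chrome.exe dst=www.example.com bytes_out=1200
2000 host=WS-03 user=SYSTEM proc=C:\\Windows\\System32\\svchost.exe dst=filen.io bytes_out=300
2600 host=WS-03 user=SYSTEM proc=C:\\Windows\\System32\\svchost.exe dst=filen.io bytes_out=310
3205 host=WS-03 user=SYSTEM proc=C:\\Windows\\System32\\svchost.exe dst=filen.io bytes_out=298
3800 host=WS-03 user=SYSTEM proc=C:\\Windows\\System32\\svchost.exe dst=filen.io bytes_out=305
this line is not in the expected format
"""

if __name__ == "__main__":
    result = hunt(SAMPLE_LOG.splitlines())
    for r in result["suspect_process"]:
        print(f"[proc]   {r['host']} {r['image']} -> {r['provider']} ({r['dst']}), {r['bytes_out']} B out")
    for b in result["beaconing"]:
        print(f"[beacon] {b['host']} {b['image']} -> {b['provider']}: "
              f"{b['connections']} conns, mean gap {b['mean_gap']:.0f} s, spread {b['spread']} s")
```

The cadence check catches the WS-03 case, where the process name alone (a service host) would not raise suspicion; the process check catches the first Icedrive contact from PowerShell before any cadence exists. Tune the provider table, the process set and the jitter tolerance to your environment, and expect to whitelist hosts where an official sync client for one of these services is installed.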
Implications for Cyber Defense
The deployment of BEARDSHELL and COVENANT by APT28 highlights the persistent and evolving cyber threats faced by Ukraine. These developments underscore the necessity for continuous vigilance, advanced threat detection mechanisms, and international cooperation to counteract state-sponsored cyber espionage activities.