Full Report
The Russian state-sponsored hacking group tracked as APT28 has been observed using a pair of implants dubbed BEARDSHELL and COVENANT to facilitate long‑term surveillance of Ukrainian military personnel. The two malware families have been put to use since April 2024, ESET said in a new report shared with The Hacker News. APT28, also tracked as Blue Athena, BlueDelta, Fancy Bear, Fighting Ursa,
Analysis Summary
# Threat Actor: APT28
## Attribution & Identity
* **Actor Name:** APT28
* **Affiliation:** Russian Federation's military intelligence agency (GRU), specifically **Unit 26165**.
* **Known Aliases:** Blue Athena, BlueDelta, Fancy Bear, Fighting Ursa, Forest Blizzard (formerly Strontium), FROZENLAKE, Iron Twilight, ITG05, Pawn Storm, Sednit, Sofacy, and TA422.
## Activity Summary
Since April 2024, APT28 has been engaged in a sustained espionage campaign targeting Ukrainian military personnel. The operation utilizes a "dual-implant" strategy to ensure long-term persistence and surveillance. Notable recent activity includes the deployment of custom backdoors (BEARDSHELL) and modified open-source frameworks (COVENANT) to exfiltrate data and monitor victim activity.
## Tactics, Techniques & Procedures
* **Obfuscation:** Use of **Opaque Predicates**, a distinctive obfuscation technique previously seen in the actor's XTunnel tool.
* **Living-off-the-Cloud (LotC):** Abusing legitimate cloud storage services for Command and Control (C2) to bypass network security filters.
* **Persistence:** Use of dual-implant strategies where multiple backdoors are deployed to maintain access if one is detected.
* **Post-Exploitation:** Deployment of modified versions of discontinued open-source frameworks (Covenant).
* **Data Collection:** Keystroke logging, screenshot capturing, and clipboard data collection.
* **Log Formatting:** Espionage logs are emitted in HTML format with specific color-coding (Blue for app name, Red for keystrokes, Green for window name).
* **Execution:** Execution of PowerShell commands via specialized backdoors.
## Targeting
* **Sectors:** Military, Government.
* **Geography:** Ukraine (primary focus); historically, European countries (Poland is mentioned) and the United States (the DNC intrusion).
* **Victims:** Ukrainian military personnel and government entities in Europe.
## Tools & Infrastructure
* **Malware Families:**
  * **BEARDSHELL:** A custom backdoor capable of executing PowerShell commands.
  * **COVENANT:** A heavily modified .NET post-exploitation framework.
  * **SLIMAGENT:** A modern evolution of the **XAgent** implant used for keylogging and data theft.
  * **XTunnel (X-Tunnel):** A network traversal and pivoting tool.
  * **Graphite:** A backdoor previously used in similar campaigns.
* **Infrastructure (C2):**
  * **Icedrive:** Cloud storage used for BEARDSHELL C2.
  * **Filen:** Cloud storage used for COVENANT C2 (since July 2025).
  * **pCloud / Koofr:** Cloud services used for C2 in 2023-2025.
  * **Defanged C2 Example:** `hxxps[://]icedrive[.]net`, `hxxps[://]filen[.]io`
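The cloud-storage C2 pattern above (and the "Cloud Service Monitoring" mitigation below) is easiest to act on from proxy or DNS logs. The following is an added example, not code from ESET or from the article: it groups outbound requests to the watched providers by source host and user and keeps POST volume separately, since uploads are the part of this traffic worth escalating. Only the two domains the page gives as defanged IoCs are watched; the log format, hostnames and user names are constructed for the example.

```python
import re
from collections import defaultdict

# Only the two domains the page lists as defanged IoCs are included. Extend
# this tuple from your own inventory of providers that are not sanctioned in
# your environment (the page also names pCloud and Koofr, without domains).
WATCHED_DOMAINS = ("icedrive.net", "filen.io")

# Constructed sample proxy log (not real traffic, subdomains are assumptions).
# Fields: timestamp src_ip user method host status bytes
SAMPLE_LOG = """\
2025-08-01T09:12:03Z 10.0.4.17 jdoe GET update.example-vendor.com 200 4096
2025-08-01T09:12:44Z 10.0.4.17 jdoe POST api.filen.io 200 18231
2025-08-01T09:13:02Z 10.0.4.22 asmith GET mail.example.org 200 2210
2025-08-01T09:15:31Z 10.0.4.17 jdoe GET app.icedrive.net 200 512
2025-08-01T09:16:10Z 10.0.4.17 jdoe POST api.filen.io 200 20488
2025-08-01T09:20:00Z 10.0.4.30 bwong GET drive.icedrive.net 200 1024
2025-08-01T09:21:00Z 10.0.4.30 bwong GET notfilen.io 200 99
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<user>\S+)\s+(?P<method>\S+)\s+"
    r"(?P<host>\S+)\s+(?P<status>\d+)\s+(?P<bytes>\d+)$"
)


def matched_domain(host, watched=WATCHED_DOMAINS):
    """Return the watched domain that `host` equals or is a subdomain of, else None.

    Matching is done on label boundaries, so 'notfilen.io' is not a hit for
    'filen.io' while 'api.filen.io' is.
    """
    host = host.lower().rstrip(".")
    for domain in watched:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def find_cloud_c2_candidates(log_text, watched=WATCHED_DOMAINS):
    """Group hits on watched domains by (src_ip, user).

    Returns {(src_ip, user): {domain: {"hits": n, "posts": n, "bytes": total}}}.
    """
    findings = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than abort the hunt
        domain = matched_domain(m["host"], watched)
        if domain is None:
            continue
        entry = findings[(m["src"], m["user"])].setdefault(
            domain, {"hits": 0, "posts": 0, "bytes": 0})
        entry["hits"] += 1
        entry["bytes"] += int(m["bytes"])
        if m["method"].upper() == "POST":
            entry["posts"] += 1
    return dict(findings)


def format_alerts(findings):
    """Render one alert line per (source, domain) for a ticket or SIEM note."""
    lines = []
    for (src, user), domains in sorted(findings.items()):
        for domain, e in sorted(domains.items()):
            lines.append(f"{src} ({user}) -> {domain}: {e['hits']} requests, "
                         f"{e['posts']} POST, {e['bytes']} bytes")
    return lines


if __name__ == "__main__":
    for alert in format_alerts(find_cloud_c2_candidates(SAMPLE_LOG)):
        print(alert)
```

Run it against an export of your proxy logs after adapting `LINE_RE` to the real field order; a single host talking to one of these providers from a workstation where no such product is deployed is the signal to pivot into endpoint telemetry.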
## Implications
APT28 remains one of the most sophisticated and persistent threats to Ukrainian and European security. Their ability to repurpose and modernize older codebases (XAgent to SLIMAGENT) and adapt defunct open-source tools (Covenant) demonstrates high technical proficiency and resourcefulness. The transition to cloud-based C2 infrastructure makes detection significantly more difficult for standard perimeter defenses, as the traffic often blends with legitimate business use of cloud storage.
## Mitigations
* **Cloud Service Monitoring:** Monitor and potentially restrict traffic to niche cloud storage providers (Icedrive, Filen, Koofr, pCloud) if they are not part of the standard corporate environment.
* **Endpoint Detection and Response (EDR):** Deploy EDR solutions to detect the execution of unauthorized PowerShell commands and the use of "opaque predicate" obfuscation.
* **Credential Protection:** Implement robust multi-factor authentication (MFA) to prevent lateral movement and unauthorized access to military/government communications.
* **Threat Hunting:** Specifically look for HTML-formatted logs stored locally or exfiltrated, particularly those using distinctive color schemes (Blue/Red/Green) in the code.
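The "Log Formatting" TTP and the "Threat Hunting" item describe one concrete artifact: HTML logs with blue application names, red keystrokes and green window titles. The following is an added example, not code from ESET or from the article, that turns that description into a hunting heuristic. The report does not give the exact markup, so the color matching (CSS names plus the pure hex values), the per-color threshold and the sample files are assumptions to tune against what you actually observe.

```python
import os
import re
from collections import Counter

# Assumed ways the three colors might be written; the report gives only the
# color names, not the markup.
COLOR_ALIASES = {
    "blue": {"blue", "#0000ff", "#00f"},
    "red": {"red", "#ff0000", "#f00"},
    "green": {"green", "#00ff00", "#0f0", "#008000"},
}

# Matches <font color="red">, style="color:#ff0000" and "color: red;".
# The lookbehind keeps "background-color" from counting.
COLOR_RE = re.compile(
    r"(?<![-\w])color\s*[:=]\s*['\"]?\s*(#[0-9a-fA-F]{3,6}|[a-zA-Z]+)",
    re.IGNORECASE,
)

# Constructed sample of what such a log might look like (not a real capture).
SAMPLE_KEYLOG = """<html><body>
<font color="blue">notepad.exe</font> <font color="green">Untitled - Notepad</font><br>
<font color="red">meeting notes for tuesday</font><br>
<font color="blue">chrome.exe</font> <font color="green">Inbox - Mail</font><br>
<font color="red">reply to j</font><br>
<font color="blue">cmd.exe</font> <font color="green">Command Prompt</font><br>
<font color="red">dir</font><br>
</body></html>"""

# Constructed benign page: uses red once and a blue background only.
BENIGN_PAGE = """<html><body style="color:#333">
<h1 style="color: red">Sale!</h1><p style="background-color: blue">text</p>
</body></html>"""


def color_profile(html_text):
    """Count occurrences of the three colors of interest in an HTML string."""
    counts = Counter()
    for m in COLOR_RE.finditer(html_text):
        value = m.group(1).lower()
        for name, aliases in COLOR_ALIASES.items():
            if value in aliases:
                counts[name] += 1
    return counts


def looks_like_keylog(html_text, min_per_color=3):
    """Return (flag, profile).

    flag is True when all three colors each appear at least `min_per_color`
    times, i.e. the page repeats the app/window/keystroke triplet. The
    threshold is an assumption; raise it to cut noise from styled reports.
    """
    profile = color_profile(html_text)
    flag = all(profile[c] >= min_per_color for c in ("blue", "red", "green"))
    return flag, profile


def scan_directory(root, min_per_color=3):
    """Walk `root` and return [(path, profile)] for HTML files that match."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".htm", ".html")):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    flag, profile = looks_like_keylog(fh.read(), min_per_color)
            except OSError:
                continue  # unreadable file: move on, do not abort the sweep
            if flag:
                hits.append((path, profile))
    return hits


if __name__ == "__main__":
    print("sample keylog:", looks_like_keylog(SAMPLE_KEYLOG))
    print("benign page:  ", looks_like_keylog(BENIGN_PAGE))
```

Point `scan_directory` at user profile and temp directories on a suspect host, and at any staging share the implants could reach; a match is a lead for manual review, not a verdict, because the markup is inferred from the report's description rather than from a published sample.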