APT28 Uses BEARDSHELL and COVENANT Malware to Spy on Ukrainian Military

APT28 Uses BEARDSHELL and COVENANT Malware for Espionage

ESET, a Slovak cybersecurity company, has released a new report revealing that the Russian state-sponsored hacking group APT28 has been using two malware implants, BEARDSHELL and COVENANT, to conduct long-term surveillance of Ukrainian military personnel since April 2024.

APT28, also known by various aliases such as Blue Athena, BlueDelta, and Fancy Bear, is a nation-state actor associated with Unit 26165 of the Russian Federation’s military intelligence agency GRU. The group has been known to employ a range of sophisticated tools to carry out cyber espionage and other malicious activities.

SLIMAGENT: A New Addition to APT28’s Arsenal

Alongside BEARDSHELL and COVENANT, APT28 has also been using a program codenamed SLIMAGENT, which is capable of logging keystrokes, capturing screenshots, and collecting clipboard data. SLIMAGENT was first publicly documented by the Computer Emergency Response Team of Ukraine (CERT-UA) in June 2025.

ESET’s analysis indicates that SLIMAGENT has its roots in XAgent, another implant used by APT28 in the 2010s to facilitate remote control and data exfiltration. The company found code similarities between SLIMAGENT and previously unknown samples deployed in attacks targeting governmental entities in two European countries as far back as 2018.

Techniques and Capabilities

SLIMAGENT writes its espionage logs in HTML format, with the application name, logged keystrokes, and window name highlighted in blue, red, and green, respectively. This matches the keylogging functionality of XAgent, which also produces HTML logs using the same color scheme.

BEARDSHELL, another backdoor used in conjunction with SLIMAGENT, is capable of executing PowerShell commands on compromised hosts. It leverages the legitimate cloud storage service Icedrive for command-and-control (C2) communications.

COVENANT: An Open-Source Framework with Custom Modifications

APT28’s toolkit also includes COVENANT, an open-source .NET post-exploitation framework that has been heavily modified to support long-term espionage. Since July 2025, COVENANT has been using a new cloud-based network protocol that abuses the Filen cloud storage service for C2.

Previously, APT28’s COVENANT variant was said to have used pCloud (in 2023) and Koofr (in 2024-2025). This adaptation demonstrates that Sednit (ESET’s name for APT28) developers have acquired deep expertise in Covenant, an implant whose official development ceased in April 2021.
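The common thread across BEARDSHELL, COVENANT and the earlier Graphite backdoor is command-and-control relayed through legitimate consumer cloud-storage services, which blends into ordinary HTTPS traffic. The example below is added here and is not from the ESET report or any of the tools it describes: it runs a simple detection over constructed proxy log lines and flags workstations that repeatedly contact the storage services named in this article without being on an approved list. The service domains, the log format, the sample hostnames and the request threshold are all assumptions made for the example.

```python
"""Flag hosts that repeatedly contact cloud-storage services known to be abused for C2.

Added example (not from the ESET report). Domains, log format and sample lines
are assumptions constructed for illustration.
"""
import re
from collections import defaultdict

# Services the article names as C2 relays. The domains are assumptions,
# not indicators published with the report.
CLOUD_STORAGE_DOMAINS = {
    "icedrive.net": "Icedrive (BEARDSHELL)",
    "filen.io": "Filen (COVENANT, 2025)",
    "pcloud.com": "pCloud (COVENANT, 2023)",
    "koofr.net": "Koofr (COVENANT, 2024-2025)",
    "onedrive.live.com": "OneDrive (Graphite, 2021)",
}

# Assumed proxy log layout: "<timestamp> <source-host> <user> <method> <destination-host>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<user>\S+) (?P<method>\S+) (?P<host>\S+)$")

# Constructed sample: WS-17 beacons to Filen every five minutes, WS-09 makes a
# single pCloud request, WS-03 is an approved backup host, one line is malformed.
SAMPLE_LOG = [
    "2025-07-10T09:00:02Z WS-17 jsmith POST gateway.filen.io",
    "2025-07-10T09:00:04Z WS-17 jsmith GET www.example.com",
    "2025-07-10T09:05:03Z WS-17 jsmith POST gateway.filen.io",
    "2025-07-10T09:10:01Z WS-17 jsmith POST gateway.filen.io",
    "2025-07-10T09:15:05Z WS-17 jsmith POST gateway.filen.io",
    "2025-07-10T09:12:40Z WS-09 mkova GET u.pcloud.com",
    "2025-07-10T09:13:00Z WS-03 backup-svc PUT api.icedrive.net",
    "2025-07-10T09:13:30Z WS-03 backup-svc PUT api.icedrive.net",
    "2025-07-10T09:14:00Z WS-03 backup-svc PUT api.icedrive.net",
    "malformed line that should be skipped",
]


def service_for(host):
    """Return the service label for a destination host, matching subdomains too."""
    h = host.lower().rstrip(".")
    for domain, label in CLOUD_STORAGE_DOMAINS.items():
        if h == domain or h.endswith("." + domain):
            return label
    return None


def find_cloud_c2_candidates(log_lines, approved_hosts=frozenset(), min_requests=3):
    """Count requests per (source host, service) and report those at or above the threshold.

    Hosts in approved_hosts (e.g. backup servers that legitimately sync to a
    provider) are ignored. Returns a list of dicts sorted by source host.
    """
    counts = defaultdict(lambda: defaultdict(int))
    first_seen = {}
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # tolerate malformed lines rather than abort the scan
        label = service_for(m["host"])
        if label is None or m["src"] in approved_hosts:
            continue
        counts[m["src"]][label] += 1
        first_seen.setdefault((m["src"], label), m["ts"])

    alerts = []
    for src, services in sorted(counts.items()):
        for label, n in sorted(services.items()):
            if n >= min_requests:
                alerts.append({"src": src, "service": label,
                               "requests": n, "first_seen": first_seen[(src, label)]})
    return alerts


if __name__ == "__main__":
    for alert in find_cloud_c2_candidates(SAMPLE_LOG, approved_hosts={"WS-03"}):
        print(f"{alert['src']}: {alert['requests']} requests to {alert['service']} "
              f"since {alert['first_seen']}")
```

On the constructed sample only WS-17 is reported: WS-03 is on the approved list and WS-09's single request stays under the threshold. In practice the approved list and threshold come from a baseline of which systems legitimately use each provider, and the count-based rule is a starting point for a richer check on request regularity.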

Historical Context and Dual-Implant Strategy

This is not the first time APT28 has employed a dual-implant strategy. In 2021, Trellix revealed that APT28 deployed Graphite, a backdoor that employed OneDrive for C2, and PowerShell Empire in attacks targeting high-ranking government officials overseeing national security policy and individuals in the defense sector in Western Asia.

These findings highlight the evolving nature of APT28’s tactics and the ongoing threat posed by the group to military and governmental targets.


Original article: https://thehackernews.com/2026/03/apt28-uses-beardshell-and-covenant.html