APT28 Uses BEARDSHELL and COVENANT to Spy on Ukraine
Russian GRU-linked APT28 deploys BEARDSHELL and COVENANT implants for long-term surveillance of Ukrainian military personnel. ESET research reveals cloud storage abuse for C2.
Russian state-sponsored threat actor APT28 has been conducting long-term surveillance of Ukrainian military personnel using a pair of custom implants dubbed BEARDSHELL and COVENANT, according to new ESET research published today. The campaign, active since April 2024, represents yet another escalation in Russia's cyber operations against Ukraine.
APT28—also tracked as Fancy Bear, Forest Blizzard, and Sednit—is attributed to Unit 26165 of the Russian Federation's military intelligence agency GRU. The group has a long history of targeting government, military, and defense organizations worldwide, including the 2016 DNC breach and numerous intrusions against NATO allies.
The Malware Arsenal
ESET's analysis identifies three distinct tools in APT28's current Ukrainian operations:
BEARDSHELL functions as a PowerShell-based backdoor that executes commands on compromised systems. The implant communicates with command-and-control infrastructure using Icedrive cloud storage, blending malicious traffic with legitimate cloud service usage. Researchers noted that BEARDSHELL employs an opaque predicate obfuscation technique also found in XTunnel, a known APT28 tool—providing strong attribution evidence.
COVENANT started as an open-source .NET post-exploitation framework but has been heavily modified for espionage purposes. After the legitimate project's development ceased in April 2021, APT28 adapted it for persistent access to victim networks. The group has cycled through multiple cloud storage providers for C2: pCloud in 2023, Koofr from 2024 to early 2025, and Filen since July 2025.
SLIMAGENT handles data collection duties, capturing keystrokes, taking screenshots, and harvesting clipboard contents. The tool produces HTML-formatted intelligence logs with color-coded output—suggesting operationally mature processes for reviewing stolen data at scale.
Attribution Chain
The connection between these implants and APT28 rests on multiple technical indicators:
- Shared obfuscation techniques between BEARDSHELL and the XTunnel backdoor, first documented in APT28 operations between 2014 and 2018
- Code-level similarities between SLIMAGENT and historical XAgent samples
- Infrastructure overlap across attack campaigns
- Consistent targeting patterns matching APT28's operational history
This isn't the first time we've covered APT28's recent operations. The group exploited MSHTML zero-day CVE-2026-21513 before Microsoft's February 2026 patch, and earlier targeted European maritime and transport agencies using weaponized Office documents.
Cloud Infrastructure Abuse Continues
APT28's pivot to cloud storage services for C2 communications reflects a broader trend among advanced threat actors. By routing malicious traffic through legitimate platforms like Icedrive and Filen, the group makes network-based detection significantly harder. Organizations can't simply block these services without disrupting legitimate business operations.
The technique mirrors approaches we've seen from other nation-state actors. Silver Dragon, a China-linked APT, similarly abuses Google Drive for command-and-control in operations across Europe and Southeast Asia.
The Bigger Picture
This campaign fits into Russia's sustained cyber offensive against Ukraine, which has intensified since the 2022 invasion. Ukrainian military communications, logistics systems, and personnel have been constant targets. The discovery that APT28 has maintained persistent access since April 2024 indicates these operations are designed for strategic intelligence collection rather than short-term disruption.
The use of surveillance-focused tools like SLIMAGENT—rather than destructive malware—suggests the campaign prioritizes intelligence gathering over immediate operational impact. This is classic espionage tradecraft: maintain quiet access and collect data over extended periods.
Recommendations
Organizations with any connection to Ukrainian defense operations should:
- Monitor cloud storage traffic for anomalous patterns, particularly to services like Icedrive, Filen, and Koofr
- Hunt for PowerShell execution with characteristics matching BEARDSHELL: encoded commands, hidden windows, and connections to cloud APIs
- Review endpoint logs for clipboard access patterns consistent with SLIMAGENT behavior
- Implement behavioral detection for .NET framework abuse, especially modified post-exploitation tools
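The hunts above can be scripted. The Python below is an added example for this article, not ESET's tooling and not an indicator from the report: it flags proxy-log connections to the cloud providers the article names (matching on the registered domain, so any subdomain hits), decodes PowerShell -EncodedCommand payloads, and scores process-creation command lines for the BEARDSHELL traits listed here (encoded command, hidden window, cloud API host). Every log record and the encoded command are constructed for the example, and the subdomain api.icedrive.net in the sample is an assumption, not a known C2 host. Because these services are legitimate, a hit is a triage lead to pair with the process and user context, not proof of compromise.

```python
"""Hunt for BEARDSHELL/COVENANT-style activity in proxy and process logs.

Added example for this article; it is not ESET's tooling and not an indicator
from the report. Domains are the public registered domains of the providers the
article names; every log record below is constructed for the example.
"""
import base64
import re
from typing import Optional

# Providers the article names as APT28 C2 channels, keyed by registered domain.
CLOUD_C2_DOMAINS = {
    "icedrive.net": "BEARDSHELL (Icedrive)",
    "filen.io": "COVENANT (Filen, since July 2025)",
    "koofr.net": "COVENANT (Koofr, 2024 to early 2025)",
    "pcloud.com": "COVENANT (pCloud, 2023)",
}

# -EncodedCommand may be abbreviated to any unambiguous prefix (-e, -ec, -enc, ...).
ENCODED_FLAG = re.compile(
    r"(?i)(?:^|\s)-(?:e|ec|en|enc|encoded|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
HIDDEN_WINDOW = re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")
URL_HOST = re.compile(r"(?i)https?://([a-z0-9.-]+)")


def cloud_c2_label(host: str) -> Optional[str]:
    """Return the implant label if host is one of the named providers (suffix match)."""
    host = host.lower().rstrip(".")
    for domain, label in CLOUD_C2_DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            return label
    return None


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Decode a PowerShell -EncodedCommand payload (base64 of UTF-16LE), or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_powershell(cmdline: str) -> dict:
    """Flag the traits the article lists: encoded command, hidden window, cloud API host."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline + " " + (decoded or "")
    cloud_hits = []
    for host in URL_HOST.findall(text):
        label = cloud_c2_label(host)
        if label and label not in cloud_hits:
            cloud_hits.append(label)
    encoded = decoded is not None
    hidden = bool(HIDDEN_WINDOW.search(cmdline))
    return {
        "encoded": encoded,
        "hidden_window": hidden,
        "cloud_c2": cloud_hits,
        "decoded": decoded,
        "score": int(encoded) + int(hidden) + 2 * bool(cloud_hits),
    }


def hunt_proxy(lines):
    """Parse constructed 'timestamp src_ip url bytes' proxy lines; return (ts, src, label) hits."""
    hits = []
    for line in lines:
        ts, src, url, _size = line.split()
        m = URL_HOST.match(url)
        label = cloud_c2_label(m.group(1) if m else url)
        if label:
            hits.append((ts, src, label))
    return hits


# Constructed sample data: the subdomain and the command are made up for the example.
SAMPLE_PROXY = [
    "2026-03-10T09:14:03Z 10.20.30.41 https://www.microsoft.com/ 5120",
    "2026-03-10T09:14:09Z 10.20.30.41 https://api.icedrive.net/ 842",
    "2026-03-10T09:15:44Z 10.20.30.57 https://filen.io/ 1210",
]
SAMPLE_COMMAND = "Invoke-WebRequest https://icedrive.net/ -UseBasicParsing"
SAMPLE_PROCESS_EVENTS = [
    "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand "
    + base64.b64encode(SAMPLE_COMMAND.encode("utf-16-le")).decode(),
    "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1",
]


def run_hunt(proxy_lines=SAMPLE_PROXY, events=SAMPLE_PROCESS_EVENTS, threshold=2):
    """Return proxy hits and PowerShell events scoring at or above threshold."""
    ps_hits = [(e, score_powershell(e)) for e in events]
    return hunt_proxy(proxy_lines), [(e, s) for e, s in ps_hits if s["score"] >= threshold]


if __name__ == "__main__":
    proxy_hits, ps_hits = run_hunt()
    for hit in proxy_hits:
        print("proxy:", hit)
    for cmd, result in ps_hits:
        print("powershell score", result["score"], "decoded:", result["decoded"])
```

The scoring weights are arbitrary; the point is that an encoded, hidden-window PowerShell process that also reaches one of the named providers should outrank either trait alone, since encoded commands and hidden windows are common in benign administration scripts.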
The full technical report from ESET includes additional indicators of compromise for threat hunting and detection engineering. For defenders tracking APT28's evolution, this campaign demonstrates the group's continued investment in purpose-built tooling while maintaining operational security through cloud infrastructure abuse.
Understanding the techniques state-sponsored actors use is foundational to defense. For deeper context on Russian cyber operations, including the Sandworm group's destructive campaigns, see our recommended cybersecurity reading.
Related Articles
APT28 Weaponized Office Zero-Day in Three Days Flat
Operation Neusploit saw Russia's APT28 exploit CVE-2026-21509 against 60+ Ukrainian targets within 72 hours of Microsoft's disclosure, delivering MiniDoor and BEARDSHELL backdoors.
Feb 5, 2026

Russia's Fancy Bear Running Low-Cost Credential Theft Across Three Continents
Recorded Future tracks APT28 harvesting credentials from energy, defense, and government targets in the Balkans, Middle East, and Central Asia using free hosting infrastructure.
Jan 22, 2026

Russian Hackers Target Ukraine Military With Fake Charities
Void Blizzard deploys PLUGGYAPE backdoor through Signal and WhatsApp, impersonating charitable organizations to compromise Ukrainian defense forces.
Jan 15, 2026

APT28 Linked to MSHTML Zero-Day Exploited Before Patch
Security researchers tie Russia's APT28 to CVE-2026-21513 exploitation using malicious LNK files. The MSHTML zero-day was weaponized weeks before Microsoft's February patch.
Mar 3, 2026