APT28 Conducts Long-Term Espionage on Ukrainian Forces Using Custom Malware
2026-03-10 15:14 | CRITICAL | MEDIUM

Executive Summary (AI-generated)
A Russia-linked group, APT28, has been conducting long-term surveillance of Ukrainian military personnel using advanced malware tools. The group operates out of Unit 26165 of the Russian General Staff Main Intelligence Directorate (GRU) and employs tactics such as phishing campaigns and unauthorized access to government email accounts. Recent incidents include a Russia-linked phishing campaign that targets Ukrainian organizations with two new malware families, BadPaw and MeowMeow. Researchers have also found evidence that, since April 2024, APT28 has used custom implants designed to maintain persistent access and collect sensitive information from targeted systems. The group's use of advanced tools such as BEARDSHELL and COVENANT has allowed it to evade detection for years, making it a significant threat to Ukraine's national security.
Technical Mitigations (AI-generated)
* Implement a cloud-first security strategy: Organizations should consider moving their sensitive data to the cloud, where it can be more securely stored and accessed. This includes using cloud-based services like Icedrive for file sharing and encryption tools like AES.
* Use robust antivirus software: Install and regularly update antivirus software designed to detect and remove malware across a range of threat types, including the families used by APT28.
* Regularly back up sensitive data: Ensure that all critical data is backed up regularly, both locally and in the cloud. This helps prevent data loss in case of a cyber attack or system failure.
* Monitor for suspicious activity: Deploy monitoring tools to detect unusual activity on systems, including indicators of APT28's BEARDSHELL and COVENANT malware; this can include network traffic analysis and log file review.
* Use secure coding practices: Developers should adhere to best practices for secure coding, such as using strong encryption methods like ChaCha20-Poly1305 in their code and avoiding common vulnerabilities like buffer overflows.
Intelligence Metadata
* Actors / Malware / CVEs / Campaigns: APT28; X-Tunnel, Xagent, Sednit, Sofacy, XTunnel
* Target & Sectors: NORTH_AMERICA; government, defense
Incident Timeline
at least 2007
APT28 used custom malware to conduct long-term espionage on Ukrainian forces.
* APT28 (threat actor): The APT28 group has been active since at least 2007 and has targeted governments, militaries, and security organizations worldwide.
late 2014
Threat actors used XAgent to conduct long-term espionage on Ukrainian forces using custom malware.
* Keylogging (tactic); XAgent: It's assessed that the 2018 artifacts and the 2024 SLIMAGENT sample originated from XAgent, with ESET's analysis uncovering overlaps in the keylogging between SLIMAGENT and an XAgent sample detected in the wild in late 2014.
at least 2018
Threat actors used SLIMAGENT to conduct long-term espionage on Ukrainian forces.
* Espionage (tactic): Evidence suggests SLIMAGENT has been deployed as a standalone espionage tool since at least 2018.
April 2021
Sednit developed and used custom malware to conduct long-term espionage on Ukrainian forces.
* Sednit: "These adaptations show that Sednit developers acquired deep expertise in Covenant – an implant whose official development ceased in April 2021 and may have been considered unused by defenders," ESET said.
April 2024
APT28 used BEARDSHELL and COVENANT malware to spy on Ukrainian military personnel, enabling long-term surveillance since April 2024.
* APT28 (threat actor); Ukraine (target region); Espionage (tactic): The Russia-linked group APT28 (aka UAC-0001, Fancy Bear, Pawn Storm, Sofacy Group, Sednit, BlueDelta, and STRONTIUM) has used BEARDSHELL and COVENANT malware to conduct long-term surveillance of Ukrainian military personnel.
* ESET: According to ESET, the campaign began in April 2024 and relies on custom implants designed to maintain persistent access and collect sensitive information from targeted systems.
* The Hacker News: The two malware families have been put to use since April 2024, ESET said in a new report shared with The Hacker News.
* Sednit: “Since April 2024, Sednit’s advanced development team has reemerged with a modern toolkit centered on two paired implants, BeardShell and Covenant, each using a different cloud provider for resilience,” reads the report published by ESET.
* Windows; AES; RSA: SLIMAGENT captures screenshots using Windows APIs, encrypts them with AES and RSA, and stores them locally with timestamped filenames.
* ChaCha20-Poly1305: BEARDSHELL downloads, decrypts (using ChaCha20-Poly1305), and runs PowerShell scripts, sending results via the Icedrive API.
* APT: Both tools are stealthy, use strong encryption, and exploit legitimate cloud services to avoid detection, highlighting modern APT tactics.
* SlimAgent: “SlimAgent includes several features that were absent from the 2018 samples, such as encryption of the collected logs.
May 2025
APT28 used custom malware, specifically BeardShell and Covenant, to conduct long-term espionage on Ukrainian forces.
* Ukraine (target region); Government (industry); gov.ua (observable): In May 2025, ESET researchers reported unauthorized access to an email account in the Ukrainian government’s gov.ua domain.
* ClearSky; BadPaw: Recently, ClearSky researchers reported a phishing campaign linked to Russia that targets Ukrainian organizations using two new malware families, BadPaw and MeowMeow.
* APT28 (threat actor); XAgent: Analysis shows that SLIMAGENT likely evolved from the XAgent keylogger long used by APT28.
* The Democratic National Committee: ESET noted that BEARDSHELL uses a rare obfuscation method called opaque predicate, previously seen in XTunnel, a tool used by APT28 during the Democratic National Committee hack.
* The cybersecurity firm reports that developers behind APT28 have developed strong expertise in the Covenant framework, despite its official development ending in 2021.
* “we have shown that Sednit’s advanced development team is active once again, operating an arsenal centered on two implants – BeardShell and Covenant – deployed in tandem and each leveraging a different cloud provider,” concludes the report.
* HTA: When opened, an HTA file displays a Ukrainian-language lure about border crossing appeals while secretly launching the infection chain.
* SecurityAffairs: Pierluigi Paganini (SecurityAffairs – hacking, Russia)
* Filen: Another tool, COVENANT, has been heavily modified to support long-term espionage and uses cloud services like Filen for command-and-control communications.
* HTML: Researchers found strong code similarities, including identical keylogging logic and HTML-based logging with the same color scheme for captured data.
June 2025
Threat actors used custom malware to conduct long-term espionage on Ukrainian forces.
* Ukraine (target region); CERT-UA (attribution): SLIMAGENT was first publicly documented by the Computer Emergency Response Team of Ukraine (CERT-UA) in June 2025.
July 2025
Threat actors used COVENANT, an open-source .NET post-exploitation framework, to conduct long-term espionage on Ukrainian forces.
* Espionage (tactic); Filen: A third major piece of the threat actor's toolkit is COVENANT, an open-source .NET post-exploitation framework that has been "heavily" modified to support long-term espionage and to implement a new cloud-based network protocol that abuses the Filen cloud storage service for C2 since July 2025.
the 2010s
Threat actors used APT28 custom malware to conduct long-term espionage on Ukrainian forces.
* APT28 (threat actor); Exfiltration (tactic): SLIMAGENT, per the Slovakian cybersecurity company, has its roots in XAgent, another implant used by APT28 in the 2010s to facilitate remote control and data exfiltration.
Mar 10, 2026
Threat actors used custom malware to conduct long-term espionage on Ukrainian forces.
2024-2025
Threat actors used Koofr to target Ukrainian forces using custom malware.
* APT28 (threat actor); Koofr: Previously, APT28's COVENANT variant was said to have used pCloud (in 2023) and Koofr (in 2024-2025).
2026-03-10
APT28, also known as Blue Athena, BlueDelta, Fancy Bear, Fighting Ursa, Forest Blizzard (formerly Strontium), FROZENLAKE, Iron Twilight, ITG05, Pawn Storm, Sednit, Sofacy, and TA422, is a nation-state actor affiliated with Unit 26165 of the Russian Federation's military intelligence agency GRU.
* APT28 (threat actor): Ravie Lakshmanan, Mar 10, 2026, Cyber Espionage / Threat Intelligence. The Russian state-sponsored hacking group tracked as APT28 has been observed using a pair of implants dubbed BEARDSHELL and COVENANT to facilitate long-term surveillance of Ukrainian military personnel.
* In 2021, Trellix revealed that APT28 deployed Graphite, a backdoor that employed OneDrive for C2, and PowerShell Empire in attacks targeting high-ranking government officials overseeing national security policy and individuals in the defense sector in Western Asia.
* APT28 Uses BEARDSHELL and COVENANT Malware to Spy on Ukrainian Military.
* DNC: A noteworthy aspect of the malware is that it utilizes a distinctive obfuscation technique referred to as opaque predicate, which is also found in XTunnel (aka X-Tunnel), a network traversal and pivoting tool used by APT28 in the 2016 Democratic National Committee (DNC) hack.
* HTML: "SLIMAGENT emits its espionage logs in the HTML format, with the application name, the logged keystrokes, and the window name in blue, red, and green, respectively," ESET said.
Tactical Metrics
* Affected Product (infrastructure): Windows. SLIMAGENT captures screenshots using Windows APIs, encrypts them with AES and RSA, and stores them locally with timestamped filenames.
Intelligence Sources
* Security Affairs (2026-03-10)
* The Hacker News (2026-03-10)
Incident Version History: current version, last updated 2026-04-27T10:35
Comprehensive Tactical Telemetry
Highly Correlated Entities
* 21x organisation (Identified Entity): BlueDelta
* 17x timeline (Temporal Reference): May 2025
* 10x attribution (Attributing Entity): 85th Main Special Service Center
* 5x malware (Malware Payload): Sofacy
* 4x tactic (Cyber Operation Type): Phishing
* 3x target region (Target Country): Ukraine
* 2x source region (Origin Country): Russian Federation
* 2x industry (Targeted Sector): Government
* 2x tactic (MITRE ATT&CK Technique): T1059.001 - PowerShell
Contextual Telemetry (4 metrics)
* threat actor (APT Group): APT28
* infrastructure (Affected Product): Windows
* general metric: Presidential Election, 2016
* general metric: Mar 10