CYBER

APT28 Deploys BEARDSHELL and COVENANT Malware in Sustained Espionage Campaign Against Ukrainian Military


The Russian state-sponsored advanced persistent threat (APT) group known as APT28 has been conducting a long-term surveillance operation targeting Ukrainian military personnel, utilizing a suite of sophisticated malware implants. According to a new report from cybersecurity firm ESET, shared with The Hacker News, the group has employed two primary implants, BEARDSHELL and COVENANT, since at least April 2024. APT28, which operates under numerous aliases including Fancy Bear, Forest Blizzard, and Sofacy, is attributed to Unit 26165 of Russia's military intelligence agency, the GRU. This campaign underscores the group's continued focus on Ukrainian targets amid the ongoing conflict, leveraging evolved tools to maintain persistent access and gather sensitive intelligence.

The malware arsenal deployed in this campaign is multifaceted. Alongside BEARDSHELL and COVENANT, the attackers used a program codenamed SLIMAGENT, a potent surveillance tool capable of logging keystrokes, capturing screenshots, and harvesting data from a victim's clipboard. SLIMAGENT was first publicly documented by Ukraine's Computer Emergency Response Team (CERT-UA) in June 2025. ESET's analysis reveals that SLIMAGENT has direct lineage from XAgent, a well-known implant used extensively by APT28 in the past decade for remote control and data exfiltration. Code similarities link SLIMAGENT to previously unidentified samples used in attacks against governmental entities in two European countries as early as 2018, suggesting a long-term development and refinement cycle for this espionage tool.

Technical analysis of SLIMAGENT shows a deliberate design for stealth and functionality. The malware emits its collected espionage logs in HTML format, with a distinctive color scheme: the application name in blue, logged keystrokes in red, and the active window name in green. This specific formatting is a direct carryover from the older XAgent keylogger, which produced HTML logs using the identical color pattern. This artifact provides a clear forensic link between the historical and current tooling of the group. The deployment of SLIMAGENT was facilitated by another component, the BEARDSHELL backdoor, which is designed to execute PowerShell commands on compromised systems, providing the attackers with a flexible and powerful command-and-control mechanism.
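A defender-side triage check for the HTML artefact described above, added here as an example rather than ESET's or CERT-UA's tooling. Only the colour-to-field mapping (blue application, red keystrokes, green window) comes from the report; the exact markup (font tags or inline CSS colour names) and the sample log are assumptions.

```python
import re
from html.parser import HTMLParser
# Colour -> role, as described in the ESET analysis of SLIMAGENT/XAgent logs.
ROLE_BY_COLOUR = {"blue": "application", "red": "keystrokes", "green": "window"}
VOID_TAGS = {"br", "hr", "img", "meta", "input"}  # never pushed/popped

class _ColourSpans(HTMLParser):
    """Collect (colour, text) pairs; colour comes from a <font color> attribute or an
    inline style, and nested tags inherit the colour of the enclosing element."""
    def __init__(self):
        super().__init__()
        self.spans, self._stack = [], []
    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        a = dict(attrs)
        colour = (a.get("color") or "").lower()
        if not colour and a.get("style"):
            m = re.search(r"(?:^|[;\s])color\s*:\s*([a-z]+)", a["style"], re.I)
            colour = m.group(1).lower() if m else ""
        self._stack.append(colour or (self._stack[-1] if self._stack else ""))
    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self._stack:
            self._stack.pop()
    def handle_data(self, data):
        if self._stack and self._stack[-1] in ROLE_BY_COLOUR and data.strip():
            self.spans.append((self._stack[-1], data.strip()))

def extract_roles(html):
    """Return [(role, text), ...] for every coloured span, in document order."""
    p = _ColourSpans()
    p.feed(html)
    return [(ROLE_BY_COLOUR[c], t) for c, t in p.spans]

def triage(html):
    """Flag only when all three roles occur (one colour alone is common in any HTML)."""
    roles = extract_roles(html)
    seen = {r for r, _ in roles}
    return {"matches": seen == set(ROLE_BY_COLOUR.values()),
            "applications": [t for r, t in roles if r == "application"],
            "windows": [t for r, t in roles if r == "window"],
            "keystroke_spans": sum(1 for r, _ in roles if r == "keystrokes")}

# Constructed sample in the assumed markup, not a real SLIMAGENT artefact.
SAMPLE = """<html><body>
<font color="blue">notepad.exe</font> <font color="green">Untitled - Notepad</font><br>
<font color="red">draft report<b> v2</b></font><br>
<span style="color: blue">outlook.exe</span> <span style="color:green">Inbox</span><br>
<span style="color:red">meeting at 0900</span></body></html>"""
```

Run `triage()` over recovered HTML files during forensic review; a hit is a lead to pivot on, since the hard link to XAgent still requires code-level comparison.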

The persistent use of these tools, with roots tracing back nearly a decade, demonstrates APT28's commitment to maintaining and modernizing its cyber espionage capabilities. The integration of BEARDSHELL to run PowerShell commands indicates an adaptation to modern IT environments, leveraging trusted system utilities to avoid detection. This campaign is a stark reminder of the sophisticated, state-sponsored threat facing Ukrainian infrastructure and its allies. Defenders must remain vigilant for these evolved tactics, techniques, and procedures (TTPs), which blend old code signatures with new delivery methods to achieve long-term intelligence gathering objectives against high-value military targets.
