The Russian state-sponsored threat actor known as APT28 has been observed deploying a customized variant of the open-source Covenant post-exploitation framework as part of a long-term espionage campaign. Also tracked as Fancy Bear, Forest Blizzard, Strontium, and Sednit, this advanced persistent threat (APT) group is notorious for its sophisticated cyber-espionage operations against high-value targets, including the German Parliament, French organizations, and various European government networks. According to a new report from cybersecurity firm ESET, since April 2024, the group has employed a dual-implant strategy using malware families dubbed "BeardShell" and the custom Covenant variant to conduct sustained surveillance, particularly targeting Ukrainian military personnel.
The campaign's technical execution reveals a high degree of operational security. The attackers exploited the CVE-2026-21509 vulnerability in Microsoft Office via malicious DOC files to gain initial access to central executive bodies in Ukraine. Once inside, they deployed the two implants together. BeardShell is a modern implant that leverages the legitimate cloud storage service Icedrive for its command-and-control (C2) communications, blending malicious traffic with normal web activity to evade detection. Its capabilities include executing PowerShell commands on infected systems. Alongside it, the customized Covenant framework provides a robust, feature-rich post-exploitation toolkit, allowing the attackers to maintain persistent access, move laterally, and exfiltrate data over extended periods.
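As an added illustration of how a defender might hunt for the two behaviours described above (an Office process spawning PowerShell after a malicious DOC is opened, and a non-browser process talking to a cloud storage service used for C2), the following script is example code written for this article, not from ESET's report or from the malware itself. The Sysmon-style event layout, the process allowlists, the sample events and the `icedrive.net` domain suffix are assumptions made for the example, not indicators from the report.

```python
# Added example, not from the ESET report: a small hunt over constructed
# Sysmon-style events (EID 1 = process create, EID 3 = network connection).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
CLOUD_C2_DOMAINS = ("icedrive.net",)  # assumed Icedrive service domain


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_cloud_storage(host):
    """True for the domain itself or any of its subdomains, not look-alikes."""
    return any(host == d or host.endswith("." + d) for d in CLOUD_C2_DOMAINS)


def hunt(events):
    """Return (rule, host, detail) tuples for events matching either rule."""
    hits = []
    for e in events:
        if e["event_id"] == 1:
            parent, child = basename(e["parent_image"]), basename(e["image"])
            if parent in OFFICE_PARENTS and child in SHELLS:
                hits.append(("office_spawns_shell", e["host"], f"{parent} -> {child}"))
        elif e["event_id"] == 3:
            proc = basename(e["image"])
            dest = e.get("dest_hostname", "").lower()
            if is_cloud_storage(dest) and proc not in BROWSERS:
                hits.append(("nonbrowser_cloud_storage", e["host"], f"{proc} -> {dest}"))
    return hits


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"event_id": 1, "host": "ws01",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"event_id": 1, "host": "ws01", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe"},
    {"event_id": 3, "host": "ws01", "image": r"C:\Windows\System32\rundll32.exe",
     "dest_hostname": "api.icedrive.net"},
    {"event_id": 3, "host": "ws02", "dest_hostname": "icedrive.net",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

Browser traffic to the service is expected and stays quiet; the rule fires only when an unexpected process reaches the domain, which is the tell that matters when C2 hides inside a legitimate cloud service.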
This activity was uncovered by ESET researchers following the discovery of another implant named "SlimAgent" within a Ukrainian government system. SlimAgent functioned as a keylogger with capabilities for keystroke capture, clipboard data collection, and screenshot capture. The connection between these tools points to a coordinated, multi-faceted espionage operation designed to harvest sensitive intelligence. The use of an open-source tool like Covenant, which is freely available on GitHub, highlights a trend among APT groups to adapt and weaponize legitimate security tools, reducing development time and potentially bypassing security solutions that may whitelist known software.
The broader cybersecurity landscape continues to face significant threats from state-sponsored actors. Concurrently, Microsoft has warned that hackers are increasingly abusing artificial intelligence at every stage of the cyberattack chain, from reconnaissance to sophisticated social engineering. Other notable threats include phishing campaigns abusing DNS and IPv6 protocols to evade defenses, fake AI coding assistant install guides pushing information-stealing malware, and Microsoft Teams phishing delivering the A0Backdoor malware. In response to the evolving threat environment, Microsoft is enhancing its security posture by planning to enable Windows hotpatch security updates by default and adding file-level restore capabilities to Microsoft 365 Backup for faster recovery.