Ukraine’s state agencies targeted in APT28 campaign with Beardshell and Covenant malware

Ukraine’s national cybersecurity team CERT-UA has attributed a series of sophisticated cyberattacks against government institutions to UAC-0001 (more commonly known as APT28), a threat actor linked to Russian military intelligence. The incidents, which occurred between March and May 2024, involved advanced malware tools including Beardshell, Slimagent, and components of the Covenant framework.

During an investigation of a cyber incident affecting the information and communication system (ICS) of a central executive authority, CERT-UA discovered a compromised Windows-based server running malicious programs Beardshell and Slimagent.

Beardshell is a backdoor written in C++ that allows attackers to load and execute encrypted PowerShell scripts via the Icedrive API. Each compromised machine is assigned a unique identifier derived from its hardware profile.

Slimagent, also written in C++, is designed to take screenshots, encrypt them using AES and RSA, and store them locally. The method of initial compromise remained unclear during early investigations.

In May 2025, ESET reported unauthorized access to a government email account, prompting further response efforts. A deeper analysis showed that the Covenant framework was used alongside Beardshell.

Investigators traced the attack to a malicious document titled "Akt.doc", distributed via Signal messenger. The document contained a macro that, when activated, installed malware components through a COM-hijacking technique, setting up persistence through Windows registry manipulation.

The macro dropped a DLL named ctec.dll, which decrypted and executed shellcode from a file disguised as a PNG image, ultimately launching the Covenant agent and later the Beardshell backdoor. This setup used the legitimate services Koofr and Icedrive as communication channels.
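The persistence technique described above, COM hijacking via the registry, works because per-user CLSID registrations under HKCU take precedence over the machine-wide ones under HKLM. The following PowerShell script is an added defensive example, not code from CERT-UA or from the article; it lists every in-process COM server registered in the current user's hive, notes whether the same CLSID also exists under HKLM (a per-user entry shadowing a machine-wide one is the classic hijack pattern), and flags any server DLL that lives outside the Windows and Program Files directories. The set of "trusted" directories is a heuristic chosen for this example; every hit still needs a manual look.

```powershell
# Added example (not from CERT-UA or the article): audit per-user COM
# registrations for the shadowing pattern used by COM-hijacking persistence.
# Assumption: legitimate in-process servers normally live under the Windows
# or Program Files trees; anything registered under HKCU that points
# elsewhere (user profile, temp, etc.) is worth investigating.

$trustedRoots = @(
    "$env:SystemRoot\",
    "$env:ProgramFiles\",
    "${env:ProgramFiles(x86)}\"
) | Where-Object { $_ -ne '\' }

function Resolve-ServerPath {
    param([string]$RawValue)
    # Registry values may contain environment variables and surrounding quotes.
    return [Environment]::ExpandEnvironmentVariables($RawValue).Trim('"').Trim()
}

function Test-TrustedPath {
    param([string]$Path)
    foreach ($root in $trustedRoots) {
        if ($Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

function Get-UserComServer {
    Get-ChildItem 'HKCU:\Software\Classes\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $clsid     = $_.PSChildName
            $serverKey = Join-Path $_.PSPath 'InprocServer32'
            if (-not (Test-Path $serverKey)) { return }

            # The DLL path is the key's default value.
            $raw = (Get-ItemProperty -Path $serverKey -ErrorAction SilentlyContinue).'(default)'
            if (-not $raw) { return }

            $dll = Resolve-ServerPath $raw
            [PSCustomObject]@{
                CLSID       = $clsid
                ServerDll   = $dll
                DllExists   = Test-Path -LiteralPath $dll
                Trusted     = Test-TrustedPath $dll
                # True when a machine-wide registration exists for the same
                # CLSID, i.e. the HKCU entry overrides it for this user.
                ShadowsHKLM = Test-Path "HKLM:\Software\Classes\CLSID\$clsid\InprocServer32"
            }
        }
}

# Report the entries a responder should look at first: per-user servers that
# point outside the trusted trees, ordered so HKLM-shadowing ones come first.
Get-UserComServer |
    Where-Object { -not $_.Trusted } |
    Sort-Object -Property @{ Expression = 'ShadowsHKLM'; Descending = $true }, CLSID |
    Format-Table -AutoSize
```

Run the script in a normal (non-elevated) PowerShell session on the user whose profile is being examined, since it reads only that user's HKCU hive. An empty result is the expected state on most workstations; any entry with ShadowsHKLM set to True and a DLL under the user profile matches the registry-based persistence pattern this campaign relied on.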
