Russian APT28 deploys malicious Covenant variant for long-term espionage against Ukraine

A new espionage campaign orchestrated by the Russian state-sponsored hacking group APT28 has been leveraging custom malware implants, including a modified version of the open-source Covenant post-exploitation tool to spy on Ukrainian organizations.

Also known as Fancy Bear, Forest Blizzard, Strontium, and Sednit, the threat actor has been using the BeardShell and Covenant custom malware implants since April 2024 to conduct long-term surveillance operations against Ukrainian military personnel and government institutions.

The campaign primarily targeted central executive bodies in Ukraine by exploiting the vulnerability CVE-2026-21509 in Microsoft Office, according to ESET. Attackers distributed malicious DOC files that delivered the malware payload once opened.

The activity came to light after the researchers spotted the SlimAgent keylogger, which captures keystrokes, collects clipboard data, and takes screenshots, on a Ukrainian government system. During further analysis, researchers discovered the BeardShell implant, which communicates with attackers through the cloud storage service Icedrive and executes commands using PowerShell within a .NET environment.

BeardShell also implements an obfuscation technique previously seen in Xtunnel, a tool historically associated with APT28 operations during the 2010s.

In recent attacks, BeardShell has been used together with a significantly modified version of the Covenant framework. The altered variant includes deterministic implant identifiers linked to host characteristics, modified execution flows designed to evade behavioral detection, and new cloud-based communication protocols.

Since July 2025, the threat actors have used the cloud storage provider Filen for command-and-control communications; in previous operations they used the Koofr and pCloud cloud storage providers.
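The implants described above (BeardShell via Icedrive, the modified Covenant via Filen, Koofr and pCloud) all hide command-and-control inside consumer cloud-storage traffic. As an added detection example, not code from the article or from ESET, the following scans proxy logs for hosts that contact those services at regular intervals; the service domains and the log lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Watched consumer cloud-storage services named in the article. The domains are
# assumptions (not listed in the article); a real deployment would maintain this
# list and exclude sanctioned business use of these services.
CLOUD_C2_DOMAINS = {"icedrive.net": "Icedrive", "filen.io": "Filen",
                    "koofr.net": "Koofr", "pcloud.com": "pCloud"}

# Constructed proxy log lines: "<ISO timestamp> <src-host> <dst-host> <bytes>".
SAMPLE_LOG = """\
2025-07-01T09:00:00 WS-042 app.filen.io 1320
2025-07-01T09:00:02 WS-017 update.microsoft.com 98211
2025-07-01T09:05:00 WS-042 app.filen.io 1290
2025-07-01T09:10:04 WS-042 gateway.filen.io 1341
2025-07-01T09:15:00 WS-042 app.filen.io 1302
2025-07-01T10:22:13 WS-017 www.pcloud.com 55410
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")

def provider_for(host):
    """Return the provider name if host is (a subdomain of) a watched domain."""
    for domain, name in CLOUD_C2_DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            return name
    return None

def find_beaconing(log_text, min_hits=3, max_jitter_s=30):
    """Group requests by (source host, provider) and report the groups whose
    inter-request gaps are regular within max_jitter_s, i.e. beacon-like.
    Returns {(src, provider): mean_interval_seconds}."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate malformed lines instead of aborting the scan
        ts, src, dst, _ = m.groups()
        name = provider_for(dst)
        if name:
            hits[(src, name)].append(datetime.fromisoformat(ts))
    alerts = {}
    for key, times in hits.items():
        if len(times) < max(min_hits, 2):
            continue  # one-off downloads are not a beacon
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= max_jitter_s:
            alerts[key] = round(sum(gaps) / len(gaps))
    return alerts
```

On the sample above only WS-042 is reported (four Filen requests roughly five minutes apart), while the single pCloud download from WS-017 is ignored.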

ESET says that Covenant is now being used as the primary espionage implant, while BeardShell acts as a fallback tool in case Covenant’s infrastructure is disrupted. Researchers believe the group’s advanced malware development team resumed active development in 2024.

“The sophistication of BeardShell and the extensive modifications made to Covenant demonstrate that Sednit’s developers remain fully capable of producing advanced custom implants. Furthermore, the shared code and techniques linking these tools to their 2010-era predecessors strongly suggest continuity within the development team,” ESET says. “This raises the question of what these developers were doing during all these years, when the security community primarily observed phishing activity from Sednit. One possibility is that advanced development efforts were reactivated following the Russian invasion of Ukraine. Another is that they never stopped working, but instead became more cautious.”