In recent months, the contours of cyber warfare have once again become clearer as APT28, an agent of Russian intelligence that has operated in Ukraine for a number of years, exhibits renewed precision and technological sophistication in its operations against Ukrainian defense networks.
Known across the cybersecurity community by multiple aliases, including Fancy Bear, Sednit, Forest Blizzard, Unit 26165, and TA422, the group is noted for its ability to adapt to geopolitical objectives when necessary.
With its latest campaign, APT28 has implemented a dual-pronged malware strategy based on innovation and intent.
The group has deployed a previously undocumented backdoor, BEARDSHELL, alongside a heavily customized implementation of the open-source post-exploitation framework COVENANT.
The development indicates a calculated effort to refine persistence, avoid detection, and gain deeper operational footholds in sensitive military environments.
Designed specifically for stealth and long-term access, BEARDSHELL works in conjunction with the modified COVENANT toolkit, which has been adapted to the group's command-and-control requirements and operational procedures. Combined, these tools represent a growing trend toward modular and adaptable malware ecosystems that can be tailored to specific target and mission requirements.
It is becoming increasingly apparent that as the conflict in Ukraine continues to escalate into the digital realm, state-backed actors are utilizing cyber capabilities in a variety of ways, often invisible but profoundly consequential, to gather intelligence and shape the strategic landscape.
Following this operational shift, the campaign illustrates a tightly coordinated intrusion chain designed to penetrate Ukrainian military and government networks with minimal friction and maximum persistence.
Based on the investigations conducted, it has been determined that the activities attributed to APT28 are mainly directed towards central executive bodies, where access to strategic communications and operational data provides a valuable source of information.
For initial compromise, the group crafts spear-phishing lures that masquerade as routine administrative or defense correspondence and distributes them via email as well as encrypted messaging channels such as Signal. When the weaponized Office documents are opened, they initiate a fileless infection sequence designed to evade conventional endpoint defenses.
The chain comprises a memory-resident backdoor derived from a substantially altered variant of the Covenant framework, repurposed to serve as a discreet loader for further payloads. During this stage, bespoke implants such as BeardShell and SlimAgent are deployed.
The latter bears architectural resemblance to the earlier XAgent toolkit developed by the group in the past.
The combination of these components creates a robust surveillance environment within compromised systems, facilitating continuous collection of keystrokes, screen captures, and clipboard contents.
Exfiltrated intelligence is organized into HTML-based logs with color-coded segmentation for rapid parsing and prioritization by operators. Notably, the group has built a command-and-control infrastructure tailored to its requirements.
Rather than using easily identifiable servers, the attackers relay instructions and store stolen data through a number of cloud storage platforms, including pCloud, Koofr, Filen, and Icedrive.
As a result, malicious traffic blends with routine user activity, significantly complicating detection efforts.
Based on the forensic analysis of these cloud-linked accounts, it has been determined that certain Ukrainian systems have been continuously monitored for extensive periods of time, demonstrating APT28's ability to collect intelligence in high-value environments in a low-visibility manner.
Moreover, the researchers at ESET have provided additional technical insight into the operation, tracing its deployment to at least April 2024, when a structured, sustained intrusion effort began. According to their findings, the coordinated use of BeardShell and Covenant was not an accident, but intentionally designed to provide prolonged, low-noise surveillance of Ukrainian military personnel and government organizations.
Recent incidents indicate that the infection chain exploits a vulnerability tracked as CVE-2026-21509, embedded within malicious DOC files designed to execute code upon opening. Investigation of a compromised Ukrainian government system led to the discovery of SlimAgent, a surveillance-focused implant capable of systematically collecting keystrokes, clipboard contents, and screen captures without raising immediate suspicion.
According to the subsequent analysis, BeardShell is a modern, modular backdoor that emphasizes stealth and flexibility. It uses Icedrive's infrastructure for command-and-control communication, through which remote PowerShell commands are executed within a managed .NET runtime environment.
Its internal design includes an obfuscation method previously associated with Xtunnel, a network pivot utility historically connected to APT28's earlier campaigns, demonstrating deliberate reuse of proven techniques. Meanwhile, the Covenant framework, reworked from its original open-source version, is used as the primary operational implant.
Observed changes include the generation of deterministic identifiers linked to host-specific attributes, execution logic intended to bypass behavioral detection engines, and the integration of cloud-based communication channels. As part of the group's infrastructure strategy, Koofr and pCloud have gradually been replaced by newer platforms such as Filen beginning in mid-2025.
Under this architecture, Covenant serves as the primary access mechanism, while BeardShell serves as a contingency tool to ensure operations continue even in cases of partial detection or remediation. Extending the analysis further, researchers have also highlighted that the threat actor's toolkit reflects a deliberate blend of legacy codebases and newly developed capabilities.
SLIMAGENT is an implant that was formally disclosed by CERT-UA in mid-2025 and examined in greater detail by ESET in the following year. It enables granular data collection through keystroke logging, screenshot capture, and clipboard harvesting, effectively turning compromised systems into persistent intelligence-gathering nodes designed for continuous collection.
SLIMAGENT is distinguished by more than its functionality; its lineage is also notable. Based on technical comparisons, SLIMAGENT does not appear to be a completely new development, but rather an evolution of APT28's earlier XAgent toolset, which was widely deployed by the group during the 2010s.
In support of this assessment, code-level similarities have been identified across multiple samples, including artifacts recovered from early-2018 intrusion campaigns targeting European governmental entities. Moreover, the correlation between the keylogging routines and an XAgent variant observed in late 2014 suggests continuity of development rather than a one-time invention. The structured formatting of exfiltrated data remains one of the most distinctive features across these generations.
The SLIMAGENT surveillance software, like its predecessor, compiles its output into HTML-formatted logs, utilizing a consistent color code scheme to distinguish between application identification numbers, captured keystrokes, and active window titles.
As a result of this seemingly inconsequential design choice, operators benefit from a streamlined interface that speeds up data triage, reinforcing the campaign's operational efficiency.
Additionally, BEARDSHELL functions as an execution layer within the compromised environment, facilitating remote command delivery via PowerShell within a controlled .NET environment, complementing SLIMAGENT's data collection capabilities.
By relying on Icedrive for command-and-control, the group maintains covert access and minimizes detection risk, continuing its emphasis on blending malicious activity with legitimate network traffic.
All of these findings reinforce that organizations operating in geopolitical environments characterized by high levels of risk, particularly those within the government and defense sectors, need to recalibrate their defensive posture.
There is a need for security teams to adopt behavior-driven monitoring as an alternative to traditional signature-based detection models to identify anomalous processes, in-memory payload delivery, and misuse of legitimate cloud services.
In addition to stricter controls on macro execution and file provenance, it is essential to scrutinize document-based attack vectors, particularly those exploiting known vulnerabilities like CVE-2026-21509.
Meanwhile, the increasing use of trusted cloud platforms for command-and-control activities underscores the significance of maintaining visibility into outbound network traffic and implementing zero-trust principles to restrict lateral movement.
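An added example (not from this report or from any vendor it cites) of the behavior-driven triage the recommendations above describe: it scans constructed process-network events for Office applications spawning script hosts and for non-browser processes contacting the cloud storage providers named in the report. The log format, process lists and provider hostnames are assumptions made for illustration.

```python
import re
from typing import Dict, List

# Cloud storage providers named in the report, matched as substrings of the
# destination hostname (assumption: swap in vendor-documented API hostnames).
CLOUD_STORAGE_PROVIDERS = ("pcloud", "koofr", "filen", "icedrive")
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed sample events in a hypothetical key=value format (not a real EDR
# schema): one outbound connection per line with the initiating process and parent.
SAMPLE_EVENTS = """\
ts=2025-09-01T08:12:04Z host=WS-17 parent=explorer.exe proc=outlook.exe dest=mail.intranet.example port=443
ts=2025-09-01T08:13:10Z host=WS-17 parent=winword.exe proc=powershell.exe dest=api.pcloud.example port=443
ts=2025-09-01T08:13:11Z host=WS-17 parent=winword.exe proc=powershell.exe dest=app.koofr.example port=443
ts=2025-09-01T09:40:22Z host=WS-23 parent=explorer.exe proc=chrome.exe dest=drive.filen.example port=443
ts=2025-09-01T10:02:51Z host=WS-23 parent=svchost.exe proc=rundll32.exe dest=sync.icedrive.example port=443
"""
EVENT_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value line into a dict with lower-cased values."""
    return {k: v.lower() for k, v in EVENT_RE.findall(line)}

def score_event(ev: Dict[str, str]) -> List[str]:
    """Return the behavioural rules an event trips; an empty list means benign."""
    hits: List[str] = []
    proc, parent, dest = ev.get("proc", ""), ev.get("parent", ""), ev.get("dest", "")
    to_cloud = any(name in dest for name in CLOUD_STORAGE_PROVIDERS)
    # Weaponized document -> script host with network activity (fileless loader pattern).
    if parent in OFFICE_APPS and proc in SCRIPT_HOSTS:
        hits.append("office_spawned_script_host_with_network")
    # Cloud storage reached by something other than a browser (C2 relay pattern); a script host doing it is the stronger signal.
    if to_cloud and proc not in BROWSERS:
        hits.append("cloud_storage_from_script_host" if proc in SCRIPT_HOSTS
                    else "cloud_storage_from_non_browser")
    return hits

def triage(log_text: str) -> List[Dict[str, object]]:
    """Scan a whole log and return one finding per suspicious event, in log order."""
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        rules = score_event(ev)
        if rules:
            findings.append({"host": ev["host"], "proc": ev["proc"],
                             "dest": ev["dest"], "rules": rules})
    return findings
```

On the sample above, the browser session to the file-sync provider is left alone while the two Word-spawned PowerShell connections and the rundll32 connection are surfaced for the hunt.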
A coordinated threat hunt in conjunction with timely intelligence sharing among national and international cybersecurity bodies will be essential in combating such campaigns.
With adversaries continuing to combine legacy techniques with modern infrastructure to refine their toolchains, resilience will depend on defenders' abilities to anticipate and adapt to an environment that is becoming increasingly covert and persistent.
