Sekoia.io’s Threat Detection and Response (TDR) team has uncovered a sophisticated campaign by APT28 that weaponizes Signal Messenger to deploy two previously undocumented malware families—BeardShell and the Covenant framework.
In early 2025, a trusted partner supplied samples that did not match any known infection chain, prompting a joint investigation.
On 21 June 2025, CERT-UA published a report attributing BeardShell and Covenant to APT28, confirming the identity of the earlier samples.
By correlating CERT-UA’s findings with our analysis, we discovered additional malicious Office documents and stealthy techniques that remain unreported elsewhere.
APT28—also known as Sofacy, Fancy Bear, BlueDelta, Forest Blizzard, and TAG-110—operates under Russia’s GRU 85th Main Special Service Centre of Military Unit 26165.
Throughout 2025, this intrusion set has featured prominently in advisories from CISA and 21 international partners, as well as analyses by France’s ANSSI.
In January 2025, Sekoia.io exposed the Double-Tap campaign targeting diplomatic channels in Central Asia, a Russia-linked operation potentially tied to APT28.
Although attribution between UAC-0063 and APT28 remains tentative, activity has continued in Tajikistan.
Infection Chain Delivery
The campaign begins with a spearphishing lure: a malicious Office document delivered through a private Signal conversation.
In the exchange, the sender impersonates a superior and invokes urgent administrative actions or legal threats to entice the recipient to open the attachment.
The document embeds multiple VBA macros that perform a user-level COM hijack to load a malicious DLL.
Upon execution, these macros check system prerequisites, drop two files—prnfldr.dll and windows.png—and register the DLL as a COM server via registry manipulation and regsvr32.exe.

When Explorer.exe loads the COM server, the DLL proxies legitimate Printer functions while spawning a new thread to load shellcode from the PNG file.
The valid PNG carries hidden shellcode in its least significant bits. Once extracted and decrypted, this shellcode initializes the .NET Common Language Runtime and loads GruntHTTPStager, the Covenant framework’s staging component.
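The COM hijack above works because Explorer.exe, running unelevated, resolves CLSIDs through the per-user hive (HKCU\Software\Classes) before the machine-wide one, so a DLL registered there under InprocServer32 wins over the genuine server. The following is an added triage example (not code from Sekoia.io or CERT-UA) that scans a registry export for per-user InprocServer32 registrations pointing outside trusted install directories, and separately flags DLLs whose file name collides with a System32 DLL, the proxy-DLL pattern the chain uses with prnfldr.dll (the name of a genuine Windows printer-folder library). The CLSIDs, user name and paths in the sample export are constructed placeholders, not indicators from the report.

```python
"""Flag per-user COM server registrations that are candidates for COM hijacking.
Input is the text of a `reg export HKCU\\Software\\Classes\\CLSID` file.
Added example; the sample export below is constructed, not taken from the campaign."""
import re
from dataclasses import dataclass, field

# Directories where a legitimately installed in-process COM server normally lives.
TRUSTED_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)
SYSTEM_DIRS = TRUSTED_PREFIXES[:2]

# DLL names that ship in System32; the same name elsewhere suggests a proxy DLL.
# prnfldr.dll (the printer-folder shell extension) is the name reused by this chain.
SYSTEM_DLL_NAMES = {"prnfldr.dll", "shell32.dll", "ole32.dll", "propsys.dll"}

# Constructed expansions for a hypothetical user profile named "victim".
ENV_VARS = {
    "%appdata%": "C:\\Users\\victim\\AppData\\Roaming",
    "%localappdata%": "C:\\Users\\victim\\AppData\\Local",
    "%userprofile%": "C:\\Users\\victim",
    "%temp%": "C:\\Users\\victim\\AppData\\Local\\Temp",
    "%systemroot%": "C:\\Windows",
}

KEY_RE = re.compile(
    r"^\[HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\(\{[0-9A-F-]{36}\})\\InprocServer32\]$",
    re.IGNORECASE,
)
DEFAULT_VALUE_RE = re.compile(r'^@="(.*)"$')


@dataclass
class Finding:
    clsid: str
    dll_path: str
    reasons: list = field(default_factory=list)


def expand_env(path: str) -> str:
    """Expand the environment variables attackers commonly use to hide a drop location."""
    for var, value in ENV_VARS.items():
        path = re.sub(re.escape(var), lambda _m, v=value: v, path, flags=re.IGNORECASE)
    return path


def assess_server(clsid: str, dll_path: str):
    """Return a Finding if the registration looks like a hijack candidate, else None."""
    reasons = []
    low = dll_path.lower()
    if not low.startswith(TRUSTED_PREFIXES):
        reasons.append("per-user InprocServer32 points outside trusted install directories")
    name = low.rsplit("\\", 1)[-1]
    if name in SYSTEM_DLL_NAMES and not low.startswith(SYSTEM_DIRS):
        reasons.append(f"{name} shares its name with a System32 DLL (possible proxy DLL)")
    return Finding(clsid, dll_path, reasons) if reasons else None


def parse_reg_export(text: str) -> list:
    """Walk a .reg export and assess every HKCU CLSID InprocServer32 default value."""
    findings = []
    clsid = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            clsid = m.group(1) if m else None  # any other key ends the current server
            continue
        if clsid is None:
            continue
        m = DEFAULT_VALUE_RE.match(line)
        if not m:
            continue
        # .reg files escape backslashes as "\\"; undo that before expanding variables.
        dll_path = expand_env(m.group(1).replace("\\\\", "\\"))
        finding = assess_server(clsid, dll_path)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample export: one hijack-style entry, one benign vendor entry,
# one entry hidden behind %APPDATA%. The CLSIDs are placeholders.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Users\\victim\\AppData\\Roaming\\prnfldr.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000002}\InprocServer32]
@="C:\\Program Files\\Vendor\\vendor.dll"
"ThreadingModel"="Both"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000003}\InprocServer32]
@="%APPDATA%\\Microsoft\\helper.dll"
"""

if __name__ == "__main__":
    for f in parse_reg_export(SAMPLE_EXPORT):
        print(f.clsid, f.dll_path, "; ".join(f.reasons))
```

Per-user COM servers are not malicious by themselves (some vendors install into %LOCALAPPDATA%), so the output is a triage list: the strongest signal is the combination of both reasons, a System32 DLL name living in a user-writable directory.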

Covenant establishes an API-driven C2 channel over Koofr cloud storage, awaiting further payloads.
CERT-UA reports that this first stage downloads two files—sample-03.wav and PlaySndSrv.dll—which decrypt and launch BeardShell.
While these specific samples eluded our environment, BeardShell has been analyzed separately.
It conceals all of its communications within legitimate traffic to the icedrive cloud-storage service, executing encrypted PowerShell commands at four-hour intervals. Its C++ DLL uses a single-byte XOR cipher for string obfuscation and AES-CBC encryption for command payloads.
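Single-byte XOR string obfuscation, as used by the BeardShell DLL, is trivial to undo during analysis because only 256 keys exist and the right one turns the blob into readable text. The block below is an added analyst helper (not code from Sekoia.io, CERT-UA or the malware itself): it brute-forces the key by scoring each candidate for printable, text-like output, and decodes a NUL-separated string table once the key is known. The obfuscated sample blobs are constructed here with a made-up key (0x5A) and are not strings from the real sample.

```python
"""Recover single-byte-XOR-obfuscated strings from a binary blob.
Added example; SAMPLE_KEY and the sample blobs are constructed, not from BeardShell."""
from typing import List, Tuple

SAMPLE_KEY = 0x5A  # constructed key for the demonstration


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (obfuscation and recovery are the same op)."""
    return bytes(b ^ key for b in data)


def text_score(data: bytes) -> float:
    """Score a candidate plaintext: -1 if any byte is non-printable, otherwise a
    count that rewards letters and spaces (what commands and URLs look like)
    and gives half weight to digits."""
    score = 0.0
    for b in data:
        if b in (0x09, 0x0A, 0x0D):  # tab / newline are fine in text
            continue
        if b < 0x20 or b > 0x7E:
            return -1.0
        c = chr(b)
        if c.isalpha() or c == " ":
            score += 1.0
        elif c.isdigit():
            score += 0.5
    return score


def recover_single_byte_xor(blob: bytes) -> Tuple[int, bytes]:
    """Try all 256 keys and return (key, plaintext) with the best text score.
    Raises ValueError when no key yields fully printable output."""
    best_key, best_score = None, -1.0
    for key in range(256):
        s = text_score(xor_bytes(blob, key))
        if s > best_score:
            best_key, best_score = key, s
    if best_key is None:
        raise ValueError("no key produced printable output")
    return best_key, xor_bytes(blob, best_key)


def decode_string_table(blob: bytes, key: int) -> List[str]:
    """Decode a blob of NUL-terminated obfuscated strings with a known key."""
    plain = xor_bytes(blob, key)
    return [s.decode("ascii", errors="replace") for s in plain.split(b"\x00") if s]


# Constructed samples: a single obfuscated string and a two-entry string table.
SAMPLE_PLAINTEXT = b"powershell -nop -w hidden -command"
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)
SAMPLE_TABLE = xor_bytes(b"first string\x00second string\x00", SAMPLE_KEY)

if __name__ == "__main__":
    key, text = recover_single_byte_xor(SAMPLE_BLOB)
    print(f"key=0x{key:02x} text={text!r}")
    print(decode_string_table(SAMPLE_TABLE, key))
```

The scoring deliberately rejects any candidate containing control bytes rather than merely penalising them; for short strings several keys can yield all-printable output, and the letter-and-space count is what separates the real plaintext from a same-length run of punctuation.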
Weaponized Documents and Techniques
Our investigation recovered eleven malicious Office documents themed around Ukrainian military procedures—evaluation forms, compensation requests, drone logistics receipts—designed to appear authentic to brigade-level administrative staff.
Next, it retrieves a Covenant-provided identifier (the GUID of the compromised host), splits the string, and takes only the final segment to name a new parent directory.

The prevalence of injury-related forms and equipment transfer records suggests targeting of military personnel in active conflict zones, likely to gather operational intelligence on frontline units.
The VBA macros adapt their API declarations based on Office versions and employ stealth tactics, including switching to Print Layout, deobfuscating with byte-pair replacements, verifying .NET Framework presence, and hiding dropped files.
This layered approach provides both persistence and additional checks that hinder sandbox detection.
APT28 leverages open-source Covenant and legitimate cloud services—Koofr and icedrive—for covert C2 communications, demonstrating a marked evolution in their TTPs.
The integration of cloud-based C2 bridges, combined with novel steganographic payload delivery and COM hijacking, underlines the group’s technical sophistication.
In August 2025, this infection chain resurfaced via a weaponized Excel document hosted on Filen.io, confirming its adaptability.
Uncertainties remain regarding the deployment mechanism of BeardShell and the relationship between the SlimAgent keylogger and the main chain.
Nonetheless, APT28’s hardened toolset, blending bespoke malware with open-source frameworks, positions them for continued long-term access and evasion. Sekoia.io’s TDR team will maintain vigilant monitoring, refine detections, and prepare for the next evolution of this campaign.