Late in the summer of 2025, cybersecurity researchers uncovered a sophisticated spearphishing campaign targeting Ukrainian military personnel via the Signal messaging platform.
The operation, dubbed “Phantom Net Voxel,” begins with a malicious Office document sent through private Signal chats, masquerading as urgent administrative forms or compensation requests.
When the document is opened and its macro is allowed to run, the embedded VBA drops a DLL and a PNG file onto the victim's machine and starts a multi-stage infection chain that ultimately installs both Covenant's HTTP Grunt Stager and the custom C++ backdoor BeardShell.
Sekoia analysts identified the lure documents’ unassuming appearance, formatted in authentic Ukrainian military nomenclature, as a key element of the campaign’s success.
The Document_Open macro first checks the Windows version, then uses the CreateProcessW API to launch the registration of a malicious in-process COM server under CLSID {2227A280-3AEA-1069-A2DE-08002B30309D}, the shell's Printers folder class. Because explorer.exe instantiates that class as part of normal shell operation, the planted DLL is loaded into the user's session after each logon.
If the CLSID key is not already present, the macro drops prnfldr.dll (a name borrowed from the legitimate Printers folder shell extension) into ProgramData and windows.png into AppData, sets the hidden attribute on both, and then runs regsvr32.exe /n /i against the DLL. With /n regsvr32 skips DllRegisterServer, and with /i it calls the DLL's exported DllInstall routine, which performs the actual installation.
Once loaded into explorer.exe, the second-stage DLL recovers shellcode from windows.png by reading the least significant bit of each pixel value (LSB steganography), so the image itself looks unremarkable.
The shellcode initializes the .NET Common Language Runtime (CLR) in-process and loads a Covenant HTTP Grunt module. The Grunt uses the Koofr cloud-storage API as its command-and-control transport: it creates directories named "Keeping" and "Tansfering", and tasking and results travel as file uploads and downloads protected by hybrid encryption.
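The LSB extraction step described above, as an added example written for this article rather than Sekoia's tooling or the malware's own code. The 4-byte length prefix, the LSB-first bit order and the 8-bit RGB / filter-0 PNG layout are assumptions chosen so the example is self-contained; the page does not describe the real loader's encoding. The block writes a genuine PNG, re-parses it and pulls the hidden bytes back out of the channel LSBs.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(tag, body):
    # PNG chunk: big-endian length, 4-byte type, data, CRC32 over type+data
    return (struct.pack(">I", len(body)) + tag + body
            + struct.pack(">I", zlib.crc32(tag + body) & 0xFFFFFFFF))


def write_png_rgb(width, height, pixels):
    """Encode raw 8-bit RGB bytes (row-major, 3 bytes per pixel) as a PNG,
    using filter type 0 on every scanline so decoding stays trivial."""
    stride = width * 3
    raw = b"".join(b"\x00" + pixels[y * stride:(y + 1) * stride] for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


def read_png_rgb(data):
    """Decode the subset written above (8-bit RGB, non-interlaced, filter 0).
    Returns (width, height, pixel_bytes)."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos, idat, width, height = 8, b"", None, None
    while pos + 8 <= len(data):
        length, tag = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        pos += 12 + length  # length + type + data + CRC
        if tag == b"IHDR":
            width, height, depth, ctype, _, _, interlace = struct.unpack(">IIBBBBB", body)
            if (depth, ctype, interlace) != (8, 2, 0):
                raise ValueError("only 8-bit RGB, non-interlaced PNGs are handled")
        elif tag == b"IDAT":
            idat += body
        elif tag == b"IEND":
            break
    raw = zlib.decompress(idat)
    stride = width * 3
    pixels = bytearray()
    for y in range(height):
        row = raw[y * (stride + 1):(y + 1) * (stride + 1)]
        if row[0] != 0:
            raise ValueError("only filter type 0 scanlines are handled")
        pixels += row[1:]
    return width, height, bytes(pixels)


def embed_lsb(pixels, payload):
    """Hide payload in the LSB of consecutive channel bytes: 4-byte little-endian
    length, then payload, least significant bit of each byte first (assumed layout)."""
    msg = struct.pack("<I", len(payload)) + payload
    if len(msg) * 8 > len(pixels):
        raise ValueError("cover image too small")
    out = bytearray(pixels)
    for i, bit in enumerate((b >> k) & 1 for b in msg for k in range(8)):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def extract_lsb(pixels):
    """Recover the payload written by embed_lsb from the channel LSBs."""
    def take(offset, nbytes):
        out = bytearray()
        for n in range(nbytes):
            v = 0
            for k in range(8):
                v |= (pixels[offset + n * 8 + k] & 1) << k
            out.append(v)
        return bytes(out)
    (length,) = struct.unpack("<I", take(0, 4))
    if 32 + length * 8 > len(pixels):
        raise ValueError("declared length exceeds image capacity")
    return take(32, length)


def round_trip(payload, width=16, height=16):
    """Embed payload in a constructed gradient cover, write a real PNG,
    re-parse it, and return what the extractor recovers."""
    cover = bytes((x * 7 + y * 3 + c * 11) & 0xFF
                  for y in range(height) for x in range(width) for c in range(3))
    png = write_png_rgb(width, height, embed_lsb(cover, payload))
    _, _, pixels = read_png_rgb(png)
    return extract_lsb(pixels)


if __name__ == "__main__":
    stub = b"\x90\x90\xcc"  # constructed stand-in for shellcode, not the campaign's bytes
    print(round_trip(stub) == stub)
```

Flipping only the lowest bit of each channel changes pixel values by at most one, which is why a carrier like windows.png survives casual inspection; the capacity is one bit per channel byte, so a 16x16 RGB cover holds 96 bytes and a real loader needs a far larger image for a CLR-bootstrapping shellcode.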
Sekoia researchers observed that each compromised host gets its own GUID-derived folder on the storage, suggesting potentially dozens of infected systems.
BeardShell, an unmanaged C++ backdoor, is delivered as the follow-on payload and uses the icedrive cloud service for C2 communications. Its ServiceMain entry point runs anti-analysis checks and then derives an identifier from the hardware profile, which names the host's directory on the cloud storage.
Once active, BeardShell hosts PowerShell in-process through its own embedded CLR initialization routines and executes JSON-formatted tasks such as:
// Create PowerShell instance (cmd_id=1)
{"task_id":0,"cmd_id":1,"data":{}}
// Execute SystemInfo (cmd_id=2)
{"task_id":0,"cmd_id":2,"data":{"id":0,"cmd":"SystemInfo"}}
Tasks and their results are encrypted with ChaCha20-Poly1305, wrapped to look like benign image files (for example with .tiff
headers), and uploaded to the icedrive root directory. Splitting C2 across two legitimate cloud services, Koofr for the Grunt and icedrive for BeardShell, reflects the adversary's emphasis on blending into ordinary traffic and on operational flexibility.
Infection Mechanism and Persistence
At the heart of this attack is persistence through COM hijacking, with two complementary parts. The VBA macro's registry modification under the Printers folder CLSID guarantees that explorer.exe loads the malicious DLL at every logon, while the DLL itself proxies calls through to the legitimate printing functionality so that nothing appears broken to the user, masking its presence.
By spreading the chain across Office macros, COM hijacking, steganographic shellcode extraction, and legitimate cloud APIs, APT28 gains a robust, multi-layered foothold.
Detection engineers should watch for CLSID keys created under HKCU\Software\Classes\CLSID that shadow machine-wide HKLM entries (the COM hijacking pattern), especially for shell-extension classes such as the Printers folder, for InprocServer32 paths that point into ProgramData or AppData, and for regsvr32.exe launched with /n /i from an Office process. PNG or TIFF files appearing in AppData alongside such registrations deserve inspection for hidden payloads.
Given the campaign's reuse of open-source frameworks and its steganographic loader, defenders should correlate code-signing anomalies, registry tampering, and traffic to consumer cloud-storage APIs such as Koofr and icedrive to catch the next iteration.
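One way to run the COM-hijack check above offline, as an added example written for this article (not Sekoia's detection content). It parses `reg export` output for HKCU and HKLM, maps each CLSID to its InprocServer32 default value, and flags per-user entries that shadow a machine-wide class or load from a user-writable directory. The sample exports, the second and third CLSIDs, and all file paths below are constructed; only the Printers folder CLSID and the prnfldr.dll name come from the campaign description.

```python
import re

# Constructed HKCU export: the hijacked Printers folder CLSID from the campaign
# plus two made-up benign per-user registrations.
SAMPLE_HKCU_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\CLSID\{2227A280-3AEA-1069-A2DE-08002B30309D}]
@="Printers"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{2227A280-3AEA-1069-A2DE-08002B30309D}\InprocServer32]
@="C:\\ProgramData\\prnfldr.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Users\\victim\\AppData\\Local\\ExampleApp\\example.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{66666666-7777-8888-9999-000000000000}\InprocServer32]
@="C:\\Program Files\\ExampleVendor\\vendor.dll"
"""

# Constructed HKLM baseline: what the machine says the Printers class should load.
SAMPLE_HKLM_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2227A280-3AEA-1069-A2DE-08002B30309D}\InprocServer32]
@="C:\\Windows\\System32\\prnfldr.dll"
"""

KEY_RE = re.compile(r"^\[(HKEY_[A-Z_]+)\\(.+)\]$")
CLSID_RE = re.compile(r"\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\InprocServer32$", re.IGNORECASE)
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\temp\\", "\\users\\public\\")


def _unescape(value):
    # .reg files escape backslashes and double quotes inside REG_SZ values
    return value.replace("\\\\", "\\").replace('\\"', '"')


def parse_inproc_servers(reg_text):
    """Map CLSID -> InprocServer32 default value from 'reg export' text.
    Only plain REG_SZ defaults are handled (hex(2): expand strings are skipped)."""
    servers = {}
    current = None
    for line in reg_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            clsid = CLSID_RE.search(key.group(2))
            current = clsid.group(1).upper() if clsid else None
            continue
        if current and line.startswith('@="') and line.endswith('"'):
            servers[current] = _unescape(line[3:-1])
    return servers


def find_com_hijacks(hkcu_text, hklm_text):
    """Return findings as (clsid, hkcu_path, severity, reason), high severity first.
    A per-user InprocServer32 that differs from the HKLM one wins class resolution
    for that user, which is exactly the COM hijacking primitive."""
    user = parse_inproc_servers(hkcu_text)
    machine = parse_inproc_servers(hklm_text)
    findings = []
    for clsid, path in user.items():
        lowered = path.lower()
        if clsid in machine:
            if lowered == machine[clsid].lower():
                continue  # same binary registered in both hives: not a hijack
            findings.append((clsid, path, "high",
                             "HKCU InprocServer32 shadows HKLM entry " + machine[clsid]))
        elif any(marker in lowered for marker in USER_WRITABLE):
            findings.append((clsid, path, "medium",
                             "per-user COM server loads from a user-writable directory"))
    rank = {"high": 0, "medium": 1}
    findings.sort(key=lambda f: rank[f[2]])
    return findings


if __name__ == "__main__":
    for clsid, path, severity, reason in find_com_hijacks(SAMPLE_HKCU_REG, SAMPLE_HKLM_REG):
        print(f"[{severity}] {clsid} -> {path}: {reason}")
```

On a live host the two inputs come from `reg export HKCU\Software\Classes\CLSID hkcu.reg /y` and `reg export HKLM\SOFTWARE\Classes\CLSID hklm.reg /y`; reg.exe writes them as UTF-16, so open the files with `encoding="utf-16"` before passing the text in. Medium findings include legitimate per-user installs, so treat them as a review queue and the high findings as the ones to escalate.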