APT28, the long-running actor tracked as Fancy Bear, Sofacy and Sednit, used a compact but technically sophisticated campaign that researchers documented as Phantom Net Voxel. The campaign is an extension of CERT-UA’s report on the BeardShell and Covenant framework but Sekioa researchers uncovered additional weaponized Office documents and subtle techniques never before documented publicly.
The operation combined social engineering, steganographic payloads and legitimate cloud services to deliver modular backdoors and maintain stealthy persistence. The result was a lightweight, resilient infection chain that evaded standard detection playbooks.
Also read: Ukrainian Government Systems Targeted With Backdoors Hidden in Cloud APIs and Docs
The Attack Cycle
The campaign began with highly targeted Office documents sent over private messaging apps such as Signal and through email. Lures carried plausible titles — personnel reports, medical compensation forms, logistics receipts — crafted to mirror Ukrainian military and administrative workflows. When macros executed, the document dropped two artifacts: a DLL (for persistence) and a PNG image that contained encrypted shellcode. A COM-hijack registry key forced the DLL to load under explorer.exe on process restart.
Recipients were more likely to open these documents because the files matched the kinds of forms they regularly handled, which reduced suspicion.
Steganography + Shellcode
Sekoia’s analysis showed that the PNG files hid AES-CBC encrypted blobs inside pixel data. The malware extracted least-significant bits, verified integrity with a SHA-1 tag, decrypted, and then launched embedded shellcode that initialized a .NET runtime and executed a Covenant Grunt HTTP stager. By embedding executable content in an otherwise ordinary image, the attackers added a detection hurdle, since many scanners missed the malicious payload.
Modular implants and cloud-based C2
After the initial staging, the campaign shifted to a modular second phase. Researchers uncovered a C++ backdoor, that was called BeardShell by CERT-UA researchers, which polled cloud storage providers, such as Icedrive, for encrypted commands. It executed tasks, uploaded results, and deleted files to cover its tracks. The actor used GUID-based directory names derived from host fingerprints to organize victim data.
A companion implant, SlimAgent, captured screenshots, logged keystrokes and collected sensitive data. It encrypted the results with AES-256, secured session keys with RSA, and stored them locally before exfiltration.
By relying on legitimate cloud APIs, the attackers blended malicious traffic with normal service requests and forced defenders into tough choices between blocking productivity tools and allowing covert command-and-control.
Evasion and Anti-Analysis Tricks
Phantom Net Voxel featured multiple anti-analysis measures. The malware checked runtime environments, system resources and debugging tools, exiting immediately if conditions suggested a sandbox. Phishing pages incorporated CAPTCHAs and devtools blockers to filter automated crawlers and researchers. Strings and configuration values were decrypted only at runtime, shrinking the static footprint for detection.
Three design decisions stood out:
-
Steganographic staging — hiding shellcode in PNG files increased stealth and exploited trust in media assets.
-
Cloud C2 channels — embedding malicious operations in Icedrive, Koofr and Filen traffic complicated takedowns, as providers also served legitimate customers.
-
COM hijack persistence — loading DLLs through
explorer.exebypassed many AV hooks and maintained execution in a trusted context.
Detection Pivots for Defenders
Sekoia released IOCs (document and DLL hashes) and YARA rules for the stego loader and BeardShell. Analysts were advised to scan PNG images for embedded encrypted blobs, monitor unusual cloud API activity with GUID-like directory structures, audit registry CLSID entries pointing to nonstandard DLLs, and track explorer.exe spawning unexpected processes.
Detection of periodic polling intervals or anomalous use of consumer cloud storage APIs also provided valuable signals.
Operation Phantom Net Voxel did not reinvent the APT28 playbook but instead recombined proven techniques into a stealthier, modular chain. By embedding payloads in images and shifting command channels to commercial cloud providers, the group raised the cost of automated detection and forced defenders to widen their telemetry.
