Russia-linked hackers are back at it again, this time with upgraded tools and a stealthier playbook targeting Ukrainian government systems.
Ukraine’s national Computer Emergency Response Team has linked a recent cyberattack campaign against the information and communication system (ICS) of a government entity to UAC-0001—also known as APT28 or Fancy Bear—the infamous hacking group believed to be operated by Russia’s GRU military intelligence service.
Also read: Russian GRU Is Hacking IP Cameras and Logistics Firms to Spy on Aid Deliveries from Western Allies to Ukraine
In an investigation conducted between March and May 2024, cybersecurity responders uncovered two previously unseen malware strains—BEARDSHELL and SLIMAGENT—lurking inside government systems. The attackers also deployed a component of the widely known COVENANT command-and-control framework, hidden inside a document titled “Act.doc” and sent via the encrypted messaging app Signal.
While the initial infection vector wasn’t immediately clear, analysts later discovered the malware reached its target using a macro-laced Word document that installed multiple payloads—each designed to fly under the radar, exploit trusted services, and maintain persistence through registry hijacking and scheduled tasks.
How the Intrusion Worked Against Ukrainian Government Systems
The attackers disguised their malware inside a seemingly benign Word file delivered over Signal.
If a user enabled macros, the document executed code that placed two files on the system and set up a COM-hijacking registry entry that hijacked explorer.exe to silently launch a malicious DLL. That DLL then decrypted another file (windows.png) containing shellcode that finally triggered the launch of the COVENANT malware framework—all without dropping anything directly visible to the user.
COVENANT, a .NET-based red team tool popular in the post-exploitation phase of cyberattacks, was used here to download and execute PlaySndSrv.dll and a WAV file (sample-03.wav), which contained encoded instructions to ultimately launch BEARDSHELL—a custom-built backdoor.
Persistence? Also covered. BEARDSHELL maintained access through a separate registry entry tied to a scheduled task under Microsoft’s SystemSoundsService. Classic APT28.
What Do BEARDSHELL and SLIMAGENT Actually Do?
Both malware tools were written in C++ and designed for stealth and data collection:
-
BEARDSHELL connects to the attacker using the API of Icedrive, a legitimate cloud storage provider, allowing the malware to receive encrypted PowerShell scripts and exfiltrate data without triggering traditional security tools. Each infected system gets its own directory, named using a unique hash derived from hardware and system identifiers.
-
SLIMAGENT takes periodic screenshots and encrypts them using AES + RSA, saving them locally in a time-stamped format. It’s the visual spy in the room, quietly recording the screen without alerting the user.
What’s particularly clever—and dangerous—about both tools is their use of legitimate services (Koofr and Icedrive) as command-and-control (C2) infrastructure. This means they avoid sketchy IP addresses and domains, making traditional threat intel blacklists nearly useless.
Why It Matters
This latest campaign isn’t just another cyberattack—it’s part of an escalating pattern of hybrid warfare tactics employed by Russia since the start of its war in Ukraine. APT28, which has been tied to the DNC email leaks in 2016, Olympic Destroyer in 2018, and countless attacks on NATO and EU institutions, is one of the Kremlin’s most active cyber units.
Also read: ‘I’m not a Robot’ reCAPTCHA Trojanized by Russian Hackers to Target Local Ukrainian Government
Their tactics have evolved. Instead of brute-forcing their way into systems, they now leverage phishing documents, encrypted messaging apps like Signal for payload delivery, and trusted APIs for communication. And they’re still targeting the same kind of critical government infrastructure they’ve always sought to undermine.
According to CERT-UA, the malware was identified inside a central government executive body’s information systems—a clear sign that the group is targeting the upper echelons of Ukraine’s state apparatus.
Defense, Detection, and the Cloud API Problem
CERT-UA is urging security teams—particularly within governments and critical infrastructure—to closely monitor traffic to app.koofr.net and api.icedrive.net, as these are being used as C2 endpoints.
The advisory also noted that success of the attack hinged on:
-
Users enabling macros in Office documents
-
Host security tools failing to monitor Signal-based delivery
-
The abuse of trusted services like Icedrive and Koofr as “invisible” control channels
It’s another wake-up call: endpoint defenses can’t rely on static indicators. Malware is now using your everyday apps, cloud platforms, and registry entries to hide in plain sight.
The Bigger Picture
APT28 has always stayed ahead of the curve—and this campaign is no exception. By chaining together macro payloads, registry hijacking, cloud C2, and multi-stage execution, the group isn’t just adapting. It’s evolving.
And while these attacks may seem targeted at Ukraine, the tactics, techniques, and procedures (TTPs) on display should concern every government and enterprise organization in the West.
Because if a Word doc, a PNG, and a WAV file can bypass your defenses, what else is already lurking inside?
