A technical analysis by ESET documented that the Russian state-sponsored group APT28 has used implants named BEARDSHELL and COVENANT to conduct long-term surveillance of Ukrainian military personnel since April 2024.
KEY FACTS
- Incident: BEARDSHELL and COVENANT used for long-term access against Ukrainian military targets
- Actor: APT28, a Russian state-sponsored group
- Timeline: implants active since April 2024; COVENANT adapted to Filen for C2 in July 2025
- Techniques: BEARDSHELL uses Icedrive for C2 and executes PowerShell; SLIMAGENT captures keystrokes and screenshots
SLIMAGENT, a keylogging and screenshot implant, shows code similarities to older XAgent samples and produces HTML keylogger logs with the same color scheme used in prior implants. Related artifacts date to attacks on government entities as early as 2018, and a matching sample dates from 2014.
BEARDSHELL functions as a backdoor that can execute PowerShell commands on compromised hosts. It communicates using the cloud storage service Icedrive for command and control.
COVENANT is an open-source .NET post-exploitation framework that has been heavily modified to support long-term espionage. The implant adopted a cloud-based protocol abusing the Filen service for C2 in July 2025 after earlier use of pCloud and Koofr.
A rarely seen opaque-predicate obfuscation technique appears in these tools. The same technique was used in XTunnel, a network traversal tool associated with earlier APT28 operations, which supports a link between the new implants and the actor's existing arsenal.
WHY IT MATTERS
The continued modification of open-source frameworks and abuse of cloud storage for command and control complicates detection and enables prolonged access to targeted systems. That sustained access increases the risk to operational security for affected personnel.
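One defensive check the cloud-storage C2 pattern above suggests, as an added example that is not part of the ESET analysis: group proxy-log connections to the storage services the report names and flag the source/process pairs whose connections recur at near-constant intervals. The log format, the hostnames and the sample lines are constructed assumptions; the report itself publishes no domains or indicators.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Assumed hostnames for the services named in the report (Icedrive, Filen,
# pCloud, Koofr); the report gives no domains, so these are illustrative only.
CLOUD_STORAGE_HOSTS = ("icedrive.net", "filen.io", "pcloud.com", "koofr.net")

# Assumed proxy-log line format: epoch_seconds src_host process dest_host
LOG_RE = re.compile(r"^(?P<ts>\d+) (?P<src>\S+) (?P<proc>\S+) (?P<dst>\S+)$")

# Constructed sample log: one host polling Icedrive from PowerShell every
# 300 s, another host with ordinary, irregular browser traffic.
SAMPLE_LOG = """\
1700000000 ws-17 powershell.exe api.icedrive.net
1700000300 ws-17 powershell.exe api.icedrive.net
1700000600 ws-17 powershell.exe api.icedrive.net
1700000900 ws-17 powershell.exe api.icedrive.net
1700000050 ws-22 outlook.exe mail.example.com
1700000120 ws-22 chrome.exe pcloud.com
1700003900 ws-22 chrome.exe pcloud.com
"""

def is_cloud_storage(dst):
    """True if dst is one of the assumed storage hosts or a subdomain of one."""
    return any(dst == h or dst.endswith("." + h) for h in CLOUD_STORAGE_HOSTS)

def find_beacons(log_text, min_hits=4, max_jitter=0.1):
    """Return (src, proc, dst) tuples whose connections to a cloud-storage
    host recur at near-constant intervals (relative std dev <= max_jitter)."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_cloud_storage(m["dst"]):
            continue
        times[(m["src"], m["proc"], m["dst"])].append(int(m["ts"]))
    hits = []
    for key, ts in times.items():
        if len(ts) < min_hits:
            continue  # too few connections to judge periodicity
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            hits.append(key)
    return hits

if __name__ == "__main__":
    for src, proc, dst in find_beacons(SAMPLE_LOG):
        print(f"periodic cloud-storage traffic: {src} {proc} -> {dst}")
```

Legitimate sync clients also talk to these services regularly, so a hit is a lead to triage (which process, which user, what was transferred), not a verdict on its own.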

