Security Researchers Uncover New APT28 Espionage Tools Targeting Ukraine


Russian APT28 Hackers Deploy New Malware to Spy on Ukrainian Military Personnel

A Russian state-backed cyber espionage group known as APT28 has been using new malware tools to monitor Ukrainian military targets over an extended period, according to recent cybersecurity research.

Security analysts say the hackers are relying on two primary implants called BEARDSHELL and COVENANT to maintain long-term access to compromised systems. These tools have reportedly been active in operations since April 2024, allowing the attackers to quietly gather intelligence from infected devices.

APT28 is widely believed to operate under Unit 26165 of Russia’s GRU military intelligence agency and has been linked to numerous high-profile cyber operations over the past decade.


APT28: A Long-Running Cyber Espionage Group

APT28 is known by many different names within the cybersecurity community, including Fancy Bear, Sofacy, Sednit, Pawn Storm, and Forest Blizzard.

The group has repeatedly targeted governments, defense organizations, and political institutions around the world. Its campaigns are often focused on espionage and intelligence gathering rather than financial gain.

The latest research shows the group expanding its toolkit with new malware designed specifically for long-term surveillance operations.


SLIMAGENT: The Spyware Tool Behind the Operation

One of the central tools used in the campaign is a program known as SLIMAGENT.

This malware is designed to quietly collect sensitive information from compromised computers. Once installed, it can:

  • Record keystrokes typed by the victim
  • Capture screenshots from the system
  • Collect data copied to the clipboard

Security researchers say SLIMAGENT writes the stolen information to HTML log files, using a different color for each kind of captured data, so that application names, keystrokes and window titles can be told apart at a glance.

The malware was first publicly documented by Ukraine’s Computer Emergency Response Team (CERT-UA) in 2025.


Links to Older APT28 Malware

Researchers believe SLIMAGENT evolved from an earlier tool called XAgent, which APT28 used extensively during the 2010s.

Code similarities between the two programs suggest they share a common foundation. Evidence indicates that earlier versions of the malware may have been used as far back as 2018 in attacks against European government organizations.

Some technical features, including the method used for recording keystrokes, appear almost identical between SLIMAGENT and older XAgent samples discovered in previous investigations.


BEARDSHELL Backdoor Enables Remote Control

Another tool discovered in the campaign is BEARDSHELL, a backdoor that allows attackers to execute PowerShell commands on infected systems.

Rather than contacting attacker-owned servers directly, the malware exchanges its commands and results through Icedrive, a legitimate cloud storage service that serves as its command-and-control channel.

Using trusted cloud platforms for malicious communications helps attackers blend in with normal internet traffic: the destination is a reputable domain, the session is TLS-encrypted like any other cloud traffic, and corporate proxies frequently allow it already, which makes detection more difficult.

Researchers also found that BEARDSHELL uses an uncommon code-obfuscation technique known as opaque predicates: conditional branches whose outcome is fixed in advance but not obvious to a disassembler or decompiler, so that code which never runs still appears reachable and slows down analysis. The same construct has previously appeared in another APT28 tool called XTunnel.

XTunnel was used in the 2016 breach of the U.S. Democratic National Committee, where it served as a tunneling tool for moving data out of the compromised network.
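To make the opaque-predicate construct concrete, here is an added illustration that is not code from BEARDSHELL, XTunnel or the cited research. The two predicate forms are standard textbook instances, the surrounding routine is constructed for illustration, and the brute-force check at the end is the first test an analyst applies to a suspicious branch condition.

```python
"""Opaque predicates: what the construct looks like and how to spot it.

Added example for this article; it is not code from BEARDSHELL, XTunnel or
the cited research. The two predicate forms are standard textbook instances
and the routine around them is constructed for illustration.
"""


def opaque_true(x):
    # x*(x+1) multiplies two consecutive integers, so it is always even:
    # this branch condition is constant for every integer x.
    return (x * x + x) % 2 == 0


def opaque_false(x, y):
    # 7*y*y - 1 is never a perfect square: squares are 0, 1, 2 or 4 mod 7,
    # while 7*y*y - 1 is 6 mod 7. The comparison is always False.
    return 7 * y * y - 1 == x * x


def real_work(data):
    return data.upper()


def decoy_work(data):
    # Never executed, but a disassembler shows it as a reachable branch.
    return data[::-1]


def obfuscated_routine(data, x, y):
    """Control flow as an obfuscator would emit it. The branches look
    data-dependent on x and y, but only real_work() is ever reachable."""
    if opaque_true(x):
        if not opaque_false(x, y):
            return real_work(data)
    return decoy_work(data)


def classify_predicate(pred, samples):
    """Analyst's first check: evaluate a branch condition over many inputs.
    A genuine predicate varies; an opaque one yields a single constant.
    Brute force is evidence, not proof; confirm algebraically or with a
    solver before pruning the dead branch."""
    seen = {bool(pred(*args)) for args in samples}
    if seen == {True}:
        return "always-true"
    if seen == {False}:
        return "always-false"
    return "varies"


if __name__ == "__main__":
    ints = [(x,) for x in range(-1000, 1000)]
    pairs = [(x, y) for x in range(-60, 60) for y in range(-60, 60)]
    print("opaque_true :", classify_predicate(opaque_true, ints))
    print("opaque_false:", classify_predicate(opaque_false, pairs))
    print("x % 3 == 0  :", classify_predicate(lambda x: x % 3 == 0, ints))
    print(obfuscated_routine("beardshell", 12345, 678))
```

The sampling check tells you which branches deserve a closer look; the proof that a branch is dead comes from the arithmetic in the comments (or from an SMT solver), and only then is it safe to prune the decoy path from the recovered control-flow graph.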


Modified COVENANT Framework Used for Espionage

APT28 has also been deploying a heavily modified version of COVENANT, an open-source post-exploitation framework built on .NET.

Although the original COVENANT project stopped development in 2021, the hackers have continued improving their own version to support espionage activities.

The customized tool now includes a new network communication method that relies on Filen cloud storage for command-and-control operations.

Researchers say earlier versions of the malware used other cloud platforms for the same purpose, including:

  • pCloud in 2023
  • Koofr between 2024 and 2025

These shifting communication channels show how the group adapts its tooling to avoid detection: each move to a new provider invalidates indicators built from earlier reporting and sends beacon traffic to a domain defenders have had no reason to watch.
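Both the BEARDSHELL section above (Icedrive) and the COVENANT section (Filen, pCloud, Koofr) come down to the same detection problem: implant traffic hidden inside connections to consumer cloud storage. The following is an added hunting example for this article, not code from the cited research, CERT-UA or any of the implants. The log format, hostnames and URLs are constructed, and the provider domains are assumptions drawn from the providers the research names; confirm them against current vendor documentation before using them as indicators.

```python
"""Hunting for cloud-storage command-and-control in outbound proxy logs.

Added example for this article; it is not code from the cited research,
CERT-UA, or any of the implants. The log format, hostnames and URLs below
are constructed, and the provider domains are assumptions drawn from the
providers the research names; confirm them against current vendor
documentation before using them as indicators.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed apex domains for the storage providers named in the research.
CLOUD_C2_PROVIDERS = {
    "icedrive.net": "Icedrive (BEARDSHELL)",
    "filen.io": "Filen (modified COVENANT)",
    "pcloud.com": "pCloud (COVENANT, 2023)",
    "koofr.net": "Koofr (COVENANT, 2024-2025)",
}

# Constructed log format: timestamp, source host, method, URL, user agent.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = """\
2025-05-12T08:01:10Z WS-0417 GET https://www.microsoft.com/en-us/ "Mozilla/5.0"
2025-05-12T08:01:45Z WS-0417 POST https://api.icedrive.net/upload "Mozilla/5.0"
2025-05-12T08:02:30Z WS-0417 GET https://api.icedrive.net/download "Mozilla/5.0"
2025-05-12T08:03:12Z WS-0302 GET https://notpcloud.com/index.html "Mozilla/5.0"
2025-05-12T08:04:00Z SRV-FILE02 POST https://gateway.filen.io/v3/upload "Mozilla/5.0"
2025-05-12T08:05:55Z WS-0510 GET https://www.koofr.net/ "Mozilla/5.0"
this line is malformed and must be skipped
"""


def provider_for(hostname):
    """Return the matching provider apex, or None. Suffix matching on the
    label boundary avoids false hits such as notpcloud.com."""
    hostname = hostname.lower().rstrip(".")
    for apex in CLOUD_C2_PROVIDERS:
        if hostname == apex or hostname.endswith("." + apex):
            return apex
    return None


def parse_line(line):
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["dest"] = urlsplit(rec["url"]).hostname or ""
    return rec


def hunt(log_text):
    """Map each source host to the cloud-storage requests it made."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line.strip())
        if rec is None:
            continue
        apex = provider_for(rec["dest"])
        if apex is not None:
            hits[rec["host"]].append(
                {"provider": CLOUD_C2_PROVIDERS[apex],
                 "method": rec["method"], "url": rec["url"]})
    return dict(hits)


def summarize(hits):
    """Per host: request count and how many were uploads (POST), which is
    the direction stolen data travels. Uploads to a consumer storage service
    from a host with no business reason to use one are the lead to chase."""
    return {
        host: {"requests": len(reqs),
               "uploads": sum(1 for r in reqs if r["method"] == "POST"),
               "providers": sorted({r["provider"] for r in reqs})}
        for host, reqs in hits.items()
    }


if __name__ == "__main__":
    for host, info in summarize(hunt(SAMPLE_LOG)).items():
        print(host, info)
```

Treat the output as a hunting lead rather than an alert: a user browsing a storage provider's website (WS-0510 in the sample) looks the same at the proxy as an implant polling for tasks. What separates them is context, such as a server that should never talk to consumer cloud services, repeated small uploads on a steady cadence, or a process other than a browser making the connection, and those checks belong in the triage step that follows this one.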


A Strategy Built for Long-Term Surveillance

The use of multiple implants working together is a strategy APT28 has used before.

In previous campaigns, the group combined different malware tools to maintain persistence inside networks while conducting intelligence gathering over long periods.

By pairing surveillance tools like SLIMAGENT with command-execution backdoors such as BEARDSHELL and frameworks like COVENANT, the attackers can monitor victims while maintaining full remote control over compromised machines.


What This Means for Cybersecurity

The latest findings highlight how nation-state hacking groups continue to refine their cyber espionage capabilities.

By modifying older tools, hiding command-and-control traffic inside legitimate cloud services, and keeping several implants in a target network at once, these groups can operate quietly for extended periods.

For organizations in government, defense, and critical infrastructure sectors, the report is a reminder that advanced persistent threats remain among the most complex cybersecurity challenges today. In practical terms, it argues for watching outbound connections to consumer cloud storage services from hosts that have no business reason to use them, scrutinizing PowerShell execution launched by unexpected parent processes, and assuming that the discovery of one implant may mean others are present.