Cyberattacks by Group UAC-0001 (APT28) Targeting Government Institutions – BEARDSHELL and COVENANT

This article presents an analysis by CERT-UA (the Ukrainian national CERT) of activities linked to APT28.

Between March and April 2024, a sophisticated multi-stage cyber operation targeted Ukrainian government agencies (central executive authorities). The attack is attributed to the threat actor UAC-0001, known internationally as APT28 or Fancy Bear, a group associated with advanced espionage campaigns.

Discovery of BEARDSHELL and SLIMAGENT

CERT-UA identified two C++ malware samples: a backdoor called BEARDSHELL and a spying tool named SLIMAGENT. BEARDSHELL operates as an adaptive backdoor capable of downloading, decrypting, and executing PowerShell scripts on demand.

Surprisingly, the malware uses the Icedrive cloud storage API as its Command & Control (C2) channel. Each infected machine is assigned a unique cloud folder named after a hashed value derived from the host’s name and GUID using the hash64_fnv1a function. SLIMAGENT focuses on stealthy data collection: it captures periodic screenshots, encrypts them (AES + RSA), and stores them under misleading filenames in a temporary directory.

While both malware samples were discovered in 2024, the initial infection vector remained unknown until May 2025, when ESET disclosed the compromise of a government email address (@gov.ua).

Joint investigations by CERT-UA and the cyber defense unit А0334 reconstructed the entire attack chain. The attackers delivered a malicious Office document titled “Акт.doc” via the Signal encrypted messaging app as part of a targeted phishing attempt. This file contained a macro that, once enabled, triggered a multi-stage infection chain culminating in the deployment of BEARDSHELL using the COVENANT framework.

Infection Chain Breakdown

1. Social Engineering (Phishing): A malicious Word document named “Акт.doc” was sent via Signal. Its content suggested the attacker had access to insider knowledge, increasing its credibility.

2. Macro Execution and Initial Setup: If the victim enabled macros, the malicious VBA code would:

  • Drop two files: ctec.dll in %APPDATA%\Microsoft\Protect\ and windows.png in %LOCALAPPDATA%.
  • Create a CLSID registry entry pointing to ctec.dll (COM hijacking).
  • Restart explorer.exe to trigger immediate DLL execution.

3. COVENANT Payload in Memory: Upon the explorer.exe restart, ctec.dll loads and decrypts shellcode embedded in windows.png, which instantiates a COVENANT agent directly in memory.

4. C2 Channel & Secondary Modules: COVENANT communicates with the attackers via the Koofr cloud API, blending in with legitimate traffic. It downloads additional modules:

  • PlaySndSrv.dll in a folder named Packages
  • sample-03.wav in the user’s Music folder

5. Audio Steganography: PlaySndSrv.dll extracts hidden malicious code from sample-03.wav via steganography and executes it in memory.

6. Final Payload Deployment (BEARDSHELL): The steganographic code deploys BEARDSHELL, granting remote access and control. Persistence is ensured by adding registry keys and a scheduled task disguised as a legitimate multimedia system service.

Malware Payloads

BEARDSHELL

A C++ backdoor used by UAC-0001 for persistent access. It executes arbitrary PowerShell scripts and communicates via the Icedrive API.

Each infected machine is linked to a deterministically named folder generated by hashing the host name and GUID (FNV-1a 64-bit), allowing precise targeting while disguising the C2 traffic as legitimate Icedrive usage.
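The per-host folder naming described here and in the discovery section above can be reproduced by a defender to match folder names observed in Icedrive API traffic back to inventoried hosts. The Python below is an added example, not CERT-UA's code or code recovered from the malware: the advisory only states that the host name and GUID are hashed with hash64_fnv1a, so the concatenation order, the absence of a separator, the UTF-8 encoding and the 16-digit lowercase hex rendering are all assumptions, as are the sample host names and GUIDs.

```python
# Added example (not CERT-UA's code): 64-bit FNV-1a and a per-host folder-name
# lookup built on it. ASSUMPTIONS not stated on the page: host name and GUID are
# concatenated without a separator, encoded as UTF-8, and the digest is rendered
# as 16 lowercase hex digits.

FNV64_OFFSET = 0xCBF29CE484222325   # standard FNV-1 64-bit offset basis
FNV64_PRIME = 0x100000001B3         # standard FNV 64-bit prime
MASK64 = (1 << 64) - 1


def hash64_fnv1a(data: bytes) -> int:
    """Standard 64-bit FNV-1a: XOR each byte into the state, then multiply by the prime."""
    h = FNV64_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV64_PRIME) & MASK64
    return h


def c2_folder_name(host_name: str, machine_guid: str) -> str:
    """Expected cloud folder name for one host (under the concatenation assumption above)."""
    return f"{hash64_fnv1a((host_name + machine_guid).encode('utf-8')):016x}"


def expected_folders(inventory):
    """Map every (host name, GUID) pair from an asset inventory to its expected folder
    name, so a folder name seen in cloud API logs can be resolved to a host."""
    return {c2_folder_name(host, guid): host for host, guid in inventory}


if __name__ == "__main__":
    # Constructed inventory; the GUIDs are placeholders, not values from the advisory.
    sample_inventory = [
        ("WS-FINANCE-01", "{11111111-2222-3333-4444-555555555555}"),
        ("WS-LEGAL-07", "{66666666-7777-8888-9999-000000000000}"),
    ]
    for folder, host in expected_folders(sample_inventory).items():
        print(f"{folder}  ->  {host}")
```

The hash itself is checked against the published FNV-1a test vectors (empty input, "a", "foobar"); only the folder-name derivation depends on the stated assumptions, so if a captured folder name does not match any inventoried host, the concatenation format is the first thing to revisit.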

COVENANT

An open-source post-exploitation framework. UAC-0001 used it as an in-memory staging tool prior to BEARDSHELL deployment.

COVENANT impersonates a legitimate process and uses the Koofr API to camouflage network traffic. It loads components like PlaySndSrv.dll and sample-03.wav (described above). The use of audio steganography and memory-resident payloads complicates detection and analysis.
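Because the advisory does not describe how the code is hidden inside sample-03.wav, a triage script cannot extract it, but it can answer the questions an analyst asks first of a suspicious audio file: does the RIFF structure contain chunks a player would ignore, is there data past the declared end of the file, and how random do those regions look. The Python below is an added example, not CERT-UA's tooling: it builds its own small WAV files (a sine tone, optionally with a custom chunk or trailing bytes appended) as constructed samples, and the 7.5-bit entropy threshold is a heuristic choice, not a figure from the advisory.

```python
# Added example (not CERT-UA's code): RIFF/WAVE chunk triage for files suspected of
# carrying a non-audio payload. Samples are constructed here; the entropy threshold
# is an assumption.
import hashlib
import math
import struct

KNOWN_CHUNKS = {b"fmt ", b"data", b"LIST", b"fact", b"cue ", b"smpl"}
HIGH_ENTROPY = 7.5  # bits per byte; heuristic cutoff for packed or encrypted content


def pseudo_random_blob(n: int, seed: bytes = b"constructed sample") -> bytes:
    """Deterministic high-entropy filler (chained SHA-256) standing in for an encrypted payload."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


def sine_pcm(seconds=1, rate=8000, freq=400, amp=3000) -> bytes:
    """16-bit little-endian mono PCM tone, our stand-in for ordinary audio content."""
    return b"".join(struct.pack("<h", int(amp * math.sin(2 * math.pi * freq * i / rate)))
                    for i in range(rate * seconds))


SINE_PCM = sine_pcm()


def build_wav(pcm: bytes, extra_chunks=(), trailing: bytes = b"") -> bytes:
    """Assemble a minimal RIFF/WAVE file; extra_chunks are inserted before 'data',
    trailing bytes are appended after the RIFF structure ends."""
    def chunk(cid, payload):
        return cid + struct.pack("<I", len(payload)) + payload + (b"\x00" if len(payload) & 1 else b"")
    fmt = struct.pack("<HHIIHH", 1, 1, 8000, 16000, 2, 16)  # PCM, mono, 8 kHz, 16-bit
    body = b"WAVE" + chunk(b"fmt ", fmt)
    for cid, payload in extra_chunks:
        body += chunk(cid, payload)
    body += chunk(b"data", pcm)
    return b"RIFF" + struct.pack("<I", len(body)) + body + trailing


def parse_riff(data: bytes):
    """Walk the chunk list; return [(id, payload_offset, size)] and the byte count past the RIFF end."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    riff_size = struct.unpack_from("<I", data, 4)[0]
    end = min(8 + riff_size, len(data))
    chunks, pos = [], 12
    while pos + 8 <= end:
        cid = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        chunks.append((cid, pos + 8, size))
        pos = pos + 8 + size + (size & 1)  # chunk payloads are padded to even length
    return chunks, max(len(data) - (8 + riff_size), 0)


def shannon_entropy(buf: bytes) -> float:
    """Byte-level Shannon entropy in bits per byte (max 8.0)."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage_wav(data: bytes) -> dict:
    """Report chunk layout, unknown chunks, trailing bytes and entropy-based findings."""
    chunks, trailing = parse_riff(data)
    findings = []
    if trailing:
        findings.append(f"{trailing} bytes after the RIFF structure "
                        f"(entropy {shannon_entropy(data[-trailing:]):.2f})")
    for cid, start, size in chunks:
        region = data[start:start + size]
        if cid not in KNOWN_CHUNKS:
            findings.append(f"unknown chunk {cid!r} of {size} bytes (entropy {shannon_entropy(region):.2f})")
        elif cid == b"data" and shannon_entropy(region) > HIGH_ENTROPY:
            findings.append("data chunk entropy above threshold (not typical for PCM audio)")
    return {
        "chunks": [c[0].decode("ascii", "replace") for c in chunks],
        "unknown_chunks": [c[0].decode("ascii", "replace") for c in chunks if c[0] not in KNOWN_CHUNKS],
        "trailing_bytes": trailing,
        "findings": findings,
    }


if __name__ == "__main__":
    print(triage_wav(build_wav(SINE_PCM, trailing=pseudo_random_blob(4096))))
```

Whole-chunk entropy only catches payloads stored as a separate block; an embedding that spreads bits across the low-order bits of samples barely moves this figure, so a clean report from this script is a reason to look at the loader DLL, not a reason to clear the file.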

Note: SLIMAGENT, also written in C++, was found on the same systems. It captures and encrypts screenshots for stealthy exfiltration but is not directly part of the infection chain.

Persistence Mechanisms

1. COM Hijacking (CLSID Registry Entry): The malicious macro creates a CLSID registry key pointing to ctec.dll, which triggers its automatic loading via explorer.exe on session start.

2. Disguised Scheduled Task: BEARDSHELL installs a scheduled task with a name mimicking a legitimate Windows multimedia service. This ensures it restarts regularly or upon system reboot, using a registry key and Windows Task Scheduler.
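The three host-side behaviours this chain leaves behind (an Office process dropping a DLL into %APPDATA%\Microsoft\Protect, a per-user CLSID InprocServer32 value pointing at that DLL, and a scheduled task whose action lives in a user-writable directory) are each visible in ordinary endpoint telemetry. The Python below is an added example of that detection logic, not CERT-UA's rules; it runs over constructed log lines in a simplified key=value form loosely modeled on Sysmon event IDs 1, 11 and 13. The user name, SID, CLSID, task name, Packages path and DLL export in the sample are placeholders, since the advisory does not publish those values.

```python
# Added example (not CERT-UA's code): three detection rules for the persistence
# steps described above, run over constructed Sysmon-style log lines.
import re

# Constructed telemetry, not data from the advisory. SID, CLSID, task name,
# Packages path and the DLL export name are placeholders.
SAMPLE_LOG = r"""
EventID=11 Image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE TargetFilename=C:\Users\alice\AppData\Roaming\Microsoft\Protect\ctec.dll
EventID=11 Image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE TargetFilename=C:\Users\alice\AppData\Local\windows.png
EventID=13 Image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\CLSID\{PLACEHOLDER-CLSID}\InprocServer32\(Default) Details=C:\Users\alice\AppData\Roaming\Microsoft\Protect\ctec.dll
EventID=13 Image=C:\Windows\System32\msiexec.exe TargetObject=HKLM\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32\(Default) Details=C:\Program Files\Vendor\vendor.dll
EventID=1 Image=C:\Windows\System32\schtasks.exe CommandLine=schtasks /create /tn "\Microsoft\Windows\Multimedia\PlaceholderAudioTask" /tr "rundll32.exe C:\Users\alice\AppData\Local\Packages\PlaySndSrv.dll,PlaceholderExport" /sc onlogon
EventID=1 Image=C:\Windows\System32\schtasks.exe CommandLine=schtasks /create /tn "\Vendor\Updater" /tr "C:\Program Files\Vendor\update.exe" /sc daily
"""

KV = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")
# Per-user CLSID locations: HKCU as tools show it, HKU\<SID> as Sysmon records it.
USER_CLSID_INPROC = re.compile(
    r"^(HKCU|HKU\\S-1-5-21-[\d-]+)\\Software\\Classes\\CLSID\\\{[^}]+\}\\InprocServer32", re.I)
# Directories an unprivileged user can write to; COM servers and task actions rarely live here.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\Users\\Public\\|\\Temp\\", re.I)
OFFICE_APP = re.compile(r"\\(WINWORD|EXCEL|POWERPNT)\.EXE$", re.I)


def parse_line(line: str) -> dict:
    """Split one key=value log line into a dict (values may contain spaces)."""
    return dict(KV.findall(line))


def detect(log_text: str) -> list:
    """Return (rule, line_number, evidence) for every line matching one of three rules."""
    findings = []
    for n, line in enumerate(log_text.strip().splitlines(), 1):
        ev = parse_line(line)
        eid, image = ev.get("EventID"), ev.get("Image", "")
        if eid == "11" and OFFICE_APP.search(image):
            # Rule 1: an Office process writing a DLL, or writing anything into the
            # DPAPI directory %APPDATA%\Microsoft\Protect, is a macro-dropper signal.
            target = ev.get("TargetFilename", "")
            if target.lower().endswith(".dll") or "\\microsoft\\protect\\" in target.lower():
                findings.append(("office_drops_dll_or_dpapi_dir", n, target))
        elif eid == "13" and USER_CLSID_INPROC.search(ev.get("TargetObject", "")):
            # Rule 2: per-user COM server registration whose DLL sits in a
            # user-writable directory (COM hijacking through HKCU CLSID).
            details = ev.get("Details", "")
            if USER_WRITABLE.search(details):
                findings.append(("com_hijack_user_clsid", n, details))
        elif eid == "1" and image.lower().endswith("\\schtasks.exe"):
            # Rule 3: task creation whose action points into a user-writable
            # directory, whatever the task name claims to be.
            cmd = ev.get("CommandLine", "")
            if "/create" in cmd.lower() and USER_WRITABLE.search(cmd):
                findings.append(("schtask_user_writable_action", n, cmd))
    return findings


if __name__ == "__main__":
    for rule, line_no, evidence in detect(SAMPLE_LOG):
        print(f"line {line_no}: {rule}: {evidence}")
```

Rule 2 keys on the location of the DLL rather than on a CLSID value, because the hijacked CLSID in the advisory is elided and, in general, any per-user InprocServer32 entry resolving into AppData deserves a look; the benign HKLM registration and the vendor task in the sample produce no alert.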

Indicators of Compromise (IOCs)

  • Lure document: “Акт.doc” with embedded macro (sent via Signal)
  • Malicious DLL: ctec.dll in %APPDATA%\Microsoft\Protect\
  • Shellcode file: windows.png in %LOCALAPPDATA%
  • Loader DLL: PlaySndSrv.dll in Packages folder
  • Stego audio file: sample-03.wav in %USERPROFILE%\Music\
  • Registry key: under HKCU\Software\Classes\CLSID\{...} (points to ctec.dll)
  • Suspicious scheduled task: disguised as Windows audio service, launches BEARDSHELL
  • C2 cloud services: app.koofr.net, api.icedrive.net
  • Malware hashes:
    • MD5: 5d938b4316421a2caf7e2e0121b36459
    • SHA-256: 225b7abe861375141f6cfebde4981f615cb2aa4d913faf85172666fa4b4b320b (See CERT-UA for full IOC list)

Sources