www.darkreading.com 3/10/2026, 8:31:08 PM

Russian Threat Actor Sednit Resurfaces With Sophisticated Toolkit

Russian threat actor Sednit has resurfaced, returning to a bespoke toolkit after years of using simpler implants, and is now deploying two new sophisticated malware tools in campaigns targeting Ukrainian cyber assets. Of the two implants at the centre of the toolkit, one draws on techniques from a 2010s malware framework and the other is a heavily modified open‑source option for long‑term spying.

Beardshell is described as a new implant that uses a PowerShell interpreter and relies on Icedrive for C2 communications, while Covenant is a heavily modified open‑source .NET post‑exploitation framework supporting over 90 functions. Beardshell is deployed alongside Covenant, acting as a backup when a victim is discovered, and both rely on new loading chains and different cloud providers for C2 to complicate detection.

Sednit has historically been linked to multiple aliases, including Fancy Bear, APT28, Forest Blizzard and Sofacy, and researchers note renewed malware development as the group returns to cyber espionage, with targets currently focusing on Ukrainian military personnel. Beardshell and Covenant demonstrate a push to combine custom implants with legitimate cloud services to evade traditional network monitoring, according to ESET researchers.

Article by CyberSIXT