According to ESET, the Russia-linked group APT28 has used the BEARDSHELL and COVENANT malware to conduct long-term surveillance of Ukrainian military personnel in a campaign that began in April 2024. The researchers describe a dual-implant approach in which each implant relies on a different cloud provider for resilience, enabling sustained access and data collection since the start of the operation.
BEARDSHELL downloads and runs PowerShell scripts, uses ChaCha20-Poly1305 for decryption, and sends results via the Icedrive API. SLIMAGENT captures screenshots, encrypts them with AES and RSA, and stores them locally under timestamped filenames; it is noted to have evolved from the XAgent keylogger long used by the group.
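The ChaCha20 detail above matters for triage: the cipher's fixed "expand 32-byte k" constant is one of the most reliable static fingerprints for the algorithm in compiled code, so an analyst can check an unknown sample for it before any dynamic analysis. The following scanner is an added example written for this page, not code from ESET or from the malware it describes; the byte buffers it scans are constructed here to stand in for a real sample, and a hit only means ChaCha20 code is present, not that the file is BEARDSHELL.

```python
import struct

# ChaCha20's fixed "sigma" constant, which fills the first four words of the
# cipher state. Compilers either keep it as one 16-byte string or emit the
# four 32-bit words as separate immediates, so both forms are searched for.
CHACHA20_SIGMA = b"expand 32-byte k"
CHACHA20_SIGMA_WORDS = struct.unpack("<4I", CHACHA20_SIGMA)
# -> (0x61707865, 0x3320646e, 0x79622d32, 0x6b206574)


def _find_all(haystack: bytes, needle: bytes) -> list:
    """Return every offset at which `needle` occurs in `haystack`."""
    offsets, start = [], 0
    while True:
        idx = haystack.find(needle, start)
        if idx < 0:
            return offsets
        offsets.append(idx)
        start = idx + 1


def find_chacha20_constants(data: bytes) -> dict:
    """Locate the ChaCha20 sigma constant in a raw byte buffer.

    'contiguous' lists offsets of the whole 16-byte string (typical for a
    string literal in .rdata); 'words' maps each little-endian word to the
    offsets where it occurs on its own (typical for immediates in code).
    """
    return {
        "contiguous": _find_all(data, CHACHA20_SIGMA),
        "words": {
            f"0x{word:08x}": _find_all(data, struct.pack("<I", word))
            for word in CHACHA20_SIGMA_WORDS
        },
    }


def likely_uses_chacha20(data: bytes) -> bool:
    """Heuristic: the full string, or all four words somewhere in the buffer."""
    hits = find_chacha20_constants(data)
    if hits["contiguous"]:
        return True
    return all(hits["words"].values())


# Constructed sample buffers (not real malware bytes) for demonstration.
SAMPLE_STRING_FORM = b"\x90" * 64 + CHACHA20_SIGMA + b"\x00" * 32
SAMPLE_IMMEDIATE_FORM = (
    b"\xcc" * 10 + struct.pack("<I", CHACHA20_SIGMA_WORDS[0])
    + b"\xcc" * 7 + struct.pack("<I", CHACHA20_SIGMA_WORDS[1])
    + b"\xcc" * 7 + struct.pack("<I", CHACHA20_SIGMA_WORDS[2])
    + b"\xcc" * 7 + struct.pack("<I", CHACHA20_SIGMA_WORDS[3])
)
SAMPLE_CLEAN = b"\x00" * 100

if __name__ == "__main__":
    for name, buf in [("string form", SAMPLE_STRING_FORM),
                      ("immediate form", SAMPLE_IMMEDIATE_FORM),
                      ("clean", SAMPLE_CLEAN)]:
        print(name, likely_uses_chacha20(buf), find_chacha20_constants(buf))
```

Run it against an unpacked sample (packed or encrypted layers hide the constant) and treat a hit as a prompt to look for the 20-round quarter-round loop and a Poly1305 tag check nearby, not as attribution on its own.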
In May 2025, unauthorized access to an email account in the Ukrainian government domain gov[.]ua was reported, with CERT-UA and the Cybersecurity Center of Military Unit A0334 involved in the response. The report highlights that BEARDSHELL uses opaque-predicate obfuscation and that COVENANT has been heavily modified to support long-term espionage, with both tools demonstrating continuity with the group's earlier codebase.
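An opaque predicate is a branch condition whose outcome is fixed by construction but not obvious to a disassembler, so one side of the branch is dead code that inflates and confuses the control-flow graph. The checker below is an added example for this page, not ESET's tooling or anything recovered from BEARDSHELL: it treats a condition as a Python function over a bounded integer domain, evaluates it exhaustively, and folds the branch when the condition never changes value. The predicates it tests are textbook illustrations constructed here, not patterns taken from the malware.

```python
from typing import Callable, Optional

Predicate = Callable[[int], bool]


def evaluate_predicate(pred: Predicate, bits: int = 16) -> Optional[bool]:
    """Evaluate `pred` over every input in [0, 2**bits).

    Returns True or False if the predicate is constant over the sampled
    domain (a candidate opaque predicate), or None if both outcomes occur,
    meaning the branch is genuinely data-dependent. Exhaustive evaluation
    over a small domain is only evidence, not a proof for wider operands.
    """
    seen = set()
    for x in range(1 << bits):
        seen.add(bool(pred(x)))
        if len(seen) == 2:
            return None
    return seen.pop()


def fold_branch(pred: Predicate, then_label: str, else_label: str,
                bits: int = 16) -> Optional[str]:
    """Return the only reachable successor if `pred` is opaque, else None.

    A deobfuscator would replace the conditional jump with an unconditional
    one to the surviving label and drop the dead block from the CFG.
    """
    verdict = evaluate_predicate(pred, bits)
    if verdict is None:
        return None
    return then_label if verdict else else_label


# Constructed illustrations of classic always-true predicates.
ALWAYS_TRUE_PARITY = lambda x: (x * (x + 1)) % 2 == 0      # product of consecutive ints is even
ALWAYS_TRUE_MOD7 = lambda x: (7 * x * x + 1) % 7 != 0      # 7x^2 + 1 is never divisible by 7
REAL_BRANCH = lambda x: x > 100                            # legitimately data-dependent

if __name__ == "__main__":
    for name, p in [("parity", ALWAYS_TRUE_PARITY),
                    ("mod7", ALWAYS_TRUE_MOD7),
                    ("real", REAL_BRANCH)]:
        print(name, evaluate_predicate(p), fold_branch(p, "then", "else"))
```

In practice the condition is lifted from the disassembly rather than written by hand, and a symbolic or SMT-based check replaces the exhaustive loop once operands exceed a few bytes; the folding step is the same.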