thehackernews.com 3/10/2026, 12:22:35 PM · via preferred

APT28 Deploys BEARDSHELL and COVENANT to spy on Ukrainian military

Primary Source welivesecurity.com

The Russian state‑sponsored hacking group tracked as APT28 has been observed deploying two implants, BEARDSHELL and COVENANT, to facilitate long‑term surveillance of Ukrainian military personnel, according to ESET. The two malware families have been used since April 2024, with BEARDSHELL capable of executing PowerShell commands and using the cloud storage service Icedrive for command‑and‑control.

The threat actor’s toolkit also includes SLIMAGENT, which logs keystrokes, captures screenshots and collects clipboard data; SLIMAGENT was first publicly documented by CERT‑UA in June 2025 and appears linked to the XAgent lineage that APT28 used in the 2010s.

COVENANT, an open‑source .NET post‑exploitation framework, has been heavily modified to support long‑term espionage and to implement a cloud‑based network protocol that has abused Filen for C2 since July 2025, with earlier use of pCloud (2023) and Koofr (2024–2025). ESET notes that the use of BEARDSHELL together with SLIMAGENT, and the obfuscation techniques the two share, strengthens the assessment that BEARDSHELL is part of Sednit’s custom arsenal.


Article by CyberSIXT