
APT28 BEARDSHELL and COVENANT surveillance activity against Ukrainian military personnel

Malware Activity
Happening score: 28
1 unique source, 1 article

Summary

The APT28 operation has expanded into BEARDSHELL and COVENANT implants used for long-term surveillance of Ukrainian military personnel, indicating an active espionage effort rather than isolated malware deployment. The activity has been observed since April 2024 and includes cloud-backed C2 routes that help sustain access on compromised hosts. The tooling mix matters because it supports persistent monitoring, command execution, and stealthy collection against a sensitive military target set.

Related Happenings

APT28 long-term espionage campaign targeting Ukrainian military personnel

Campaign
First: 10.03.2026 12:55 Last: 10.03.2026 12:55 Sources 1

How related: The Russian state-sponsored hacking group tracked as APT28 has been observed using a pair of implants dubbed BEARDSHELL and COVENANT to facilitate long‑term surveillance of Ukrainian military personnel.

About this happening: A **sustained APT28 espionage campaign** is using **BEARDSHELL** and **COVENANT** to surveil **Ukrainian military personnel**, extending access through **cloud-based C2** and incr...

BeardShell and Covenant custom implant deployment

Malware Activity
First: 10.03.2026 12:00 Last: 10.03.2026 12:00 Sources 1

About this happening: **APT28** is deploying **customized Covenant** and **BeardShell** implants to sustain espionage against **Ukrainian government and military targets**, strengthening stealth and pe...

APT28 Ukrainian phishing campaign deploying BadPaw and MeowMeow

Campaign
First: 05.03.2026 12:10 Last: 05.03.2026 12:10 Sources 1

About this happening: The **APT28**-linked campaign is actively targeting **Ukrainian entities** with **phishing emails** that lead to staged malware delivery and **MeowMeow** backdoor deployment, incr...

SloppyLemming BurrowShell and Rust-based keylogger activity

Malware Activity
First: 03.03.2026 08:53 Last: 03.03.2026 08:53 Sources 1

About this happening: **SloppyLemming** deployed **BurrowShell** and a **Rust-based keylogger** through **two attack chains**, expanding its malware toolkit for **backdoor access**, **credential theft*...

SloppyLemming spear-phishing campaign targeting Pakistan and Bangladesh

Campaign
First: 03.03.2026 08:53 Last: 03.03.2026 08:53 Sources 1

About this happening: The **SloppyLemming** campaign is using **spear-phishing**, **PDF lures**, and **macro-enabled Excel documents** to target **government entities and critical infrastructure operat...

Timeline

  1. 10.03.2026 12:55 2 articles · 2mo ago

    APT28 BEARDSHELL and COVENANT surveillance disclosure

    Initial Disclosure

    APT28 used BEARDSHELL and COVENANT to conduct long-term surveillance of Ukrainian military personnel, with ESET reporting that the activity has been in use since April 2024. The assessment also links BEARDSHELL to PowerShell command execution and Icedrive C2, and describes COVENANT as a heavily modified .NET post-exploitation framework that has used Filen for cloud-based C2 since July 2025.
