BeardShell and Covenant custom implant deployment
Malware Activity
Summary
APT28 is deploying customized Covenant and BeardShell implants to sustain espionage against Ukrainian government and military targets, strengthening stealth and persistence. The tooling uses Icedrive and other cloud services for command-and-control, reducing reliance on traditional infrastructure. The latest builds add deterministic implant identifiers tied to host characteristics and execution changes designed to evade behavioral detection. The activity has been ongoing since April 2024, and the attackers have also used malicious DOC files exploiting CVE-2026-21509 in Microsoft Office.
Related Happenings
APT28 Windows Shell LNK campaign targeting Ukraine and E.U. nations
Campaign
First: 28.04.2026 08:50
Last: 28.04.2026 08:50
Sources 1
About this happening:
A **December 2025** **APT28** campaign targeted **Ukraine** and **E.U. nations** with a **malicious Windows Shortcut (LNK)** chain that bypassed **Microsoft Defender SmartScreen**...
Betterleaks open-source secrets scanner launch as Gitleaks successor
Security Tool/Service
First: 15.03.2026 16:17
Last: 15.03.2026 16:17
Sources 1
About this happening:
The launch of **Betterleaks** adds an open-source secrets scanner that can inspect **directories, files, and git repositories** for valid secrets. It uses **default or customized...
APT28 long-term espionage campaign targeting Ukrainian military personnel
Campaign
First: 10.03.2026 12:55
Last: 10.03.2026 12:55
Sources 1
About this happening:
A **sustained APT28 espionage campaign** is using **BEARDSHELL** and **COVENANT** to surveil **Ukrainian military personnel**, extending access through **cloud-based C2** and incr...
APT28 BEARDSHELL and COVENANT surveillance activity against Ukrainian military personnel
Malware Activity
First: 10.03.2026 12:55
Last: 10.03.2026 12:55
Sources 1
About this happening:
The **APT28** operation has expanded into **BEARDSHELL** and **COVENANT** implants used for **long-term surveillance** of **Ukrainian military personnel**, indicating an active es...
Fancy Bear (APT28) Microsoft Office exploitation campaign targeting Ukrainian and EU organizations
Campaign
First: 02.02.2026 14:45
Last: 02.02.2026 14:45
Sources 1
How related:
The two pieces of malware have been used recently to target central executive bodies of Ukraine in attacks that exploited the CVE-2026-21509 vulnerability in Microsoft Office via malicious DOC files.
About this happening:
**Fancy Bear (APT28)** is linked to an **active espionage campaign** that used a **custom Covenant** implant and **BeardShell** against **Ukrainian targets** since **April 2024**....
Latest development: 10.03.2026 12:00
ESET says APT28 has used a custom variant of Covenant together with BeardShell since April 2024 against Ukrainian targets, including Ukrainian military personnel and central executive bodies of Ukraine, with recent attacks exploiting CVE-2026-21509 in Microsoft Office via malicious DOC files. Covenant is the primary implant and BeardShell is the fallback, while Icedrive, Filen, Koofr, and pCloud are used for C2 infrastructure.
Timeline
- 10.03.2026 12:00 · 2 articles · 2mo ago
BeardShell and Covenant custom implant deployment
Initial Disclosure: Since **April 2024**, **APT28** began using **BeardShell** together with **Covenant** to establish persistent access against **Ukrainian** targets. The initial phase centered on cloud-linked command-and-control and fallback implant redundancy.
Sources:
- APT28 hackers deploy customized variant of Covenant open-source tool — www.bleepingcomputer.com — 10.03.2026 12:00