Find notable cyber news and cases, enriched with sources, timelines, and signals.

BeardShell and Covenant custom implant deployment

Malware Activity
First reported
Last updated
Happening score
H score 23
1 unique sources, 1 articles

Summary

Hide ▲

APT28 is deploying customized Covenant and BeardShell implants to sustain espionage against Ukrainian government and military targets, strengthening stealth and persistence. The tooling uses Icedrive and other cloud services for command-and-control, reducing reliance on traditional infrastructure. The latest builds add deterministic implant identifiers tied to host characteristics and execution changes designed to evade behavioral detection. The activity has been ongoing since April 2024, and the attackers have also used malicious DOC files exploiting CVE-2026-21509 in Microsoft Office.

Related Happenings

Gamaredon Ukraine espionage campaign targeting government, military and critical infrastructure

Campaign
H score56 First: 01.06.2026 14:00 Last: 01.06.2026 14:00 Sources 1

About this happening: The **Gamaredon** espionage campaign remained active in **January 2026**, targeting **Ukrainian government, military, and critical-infrastructure** networks to steal documents and...

APT28 Windows Shell LNK campaign targeting Ukraine and E.U. nations

Campaign
H score39 First: 28.04.2026 08:50 Last: 28.04.2026 08:50 Sources 1

About this happening: A **December 2025** **APT28** campaign targeted **Ukraine** and **E.U. nations** with a **malicious Windows Shortcut (LNK)** chain that bypassed **Microsoft Defender SmartScreen**...

Betterleaks open-source secrets scanner launch as Gitleaks successor

Security Tool/Service
H score11 First: 15.03.2026 16:17 Last: 15.03.2026 16:17 Sources 1

About this happening: The launch of **Betterleaks** adds an open-source secrets scanner that can inspect **directories, files, and git repositories** for valid secrets. It uses **default or customized...

APT28 long-term espionage campaign targeting Ukrainian military personnel

Campaign
H score32 First: 10.03.2026 12:55 Last: 10.03.2026 12:55 Sources 1

About this happening: A **sustained APT28 espionage campaign** is using **BEARDSHELL** and **COVENANT** to surveil **Ukrainian military personnel**, extending access through **cloud-based C2** and incr...

APT28 BEARDSHELL and COVENANT surveillance activity against Ukrainian military personnel

Malware Activity
H score23 First: 10.03.2026 12:55 Last: 10.03.2026 12:55 Sources 1

About this happening: The **APT28** operation has expanded into **BEARDSHELL** and **COVENANT** implants used for **long-term surveillance** of **Ukrainian military personnel**, indicating an active es...

Timeline

  1. 10.03.2026 12:00 2 articles · 4mo ago

    BeardShell and Covenant custom implant deployment

    Initial Disclosure

    Since **April 2024**, **APT28** began using **BeardShell** together with **Covenant** to establish persistent access against **Ukrainian** targets. The initial phase centered on cloud-linked command-and-control and fallback implant redundancy.

    Show sources