A well-known Russian hacking group, APT28 (also known as Fancy Bear), has started using Signal, a private messaging app, to deliver malware to Ukrainian government systems. This method is unusual because Signal is considered one of the most secure apps in the world. It is used mostly by journalists, government officials, and cybersecurity professionals who trust it for safe communication.
Instead of sending phishing emails like traditional attackers, APT28 now shares infected files directly through Signal chats. This move is both smart and dangerous: people do not usually expect to receive malware through Signal, so they are more likely to open the files without checking them carefully. That is exactly what the hackers are taking advantage of.
The attack begins when the victim receives a Word file named Акт.doc (“Act.doc” in English). When the file is opened, it asks the user to enable macros. If macros are turned on, a remote access tool called Covenant is installed silently in the background. This tool acts as a backdoor, giving the hackers access to the victim’s system.
After Covenant is installed, it downloads two more files: a DLL called PlaySndSrv.dll and a WAV file. A WAV file is normally just audio, but this one is not: it contains hidden malicious code. The WAV file activates the final payload, a malware called BeardShell.
BeardShell is a stealthy and capable piece of malware. It allows the attackers to run encrypted PowerShell commands on the infected machine, and it uses the cloud storage service Icedrive to send and receive data, which makes its traffic harder to tell apart from legitimate use. The malware is designed to blend in with normal activity, so it does not raise suspicion easily.
In earlier versions of this attack, APT28 also used another malware tool called SlimAgent, which captures screenshots from the infected computer and sends them to the hackers. The screenshots are encrypted using AES and RSA, making them difficult to analyze even if they are intercepted. SlimAgent uploads the stolen images to another file hosting service, Koofr.net.
This attack was first noticed by CERT-UA, Ukraine’s Computer Emergency Response Team, in March 2024, but at that time the full details were not clear. It was not until May 2025 that the complete technique was discovered. The cybersecurity company ESET found that a Ukrainian government employee’s email account had been hacked, which led to further investigation; that is when they confirmed that Signal was being used to deliver the malware.
What makes this attack especially concerning is that Signal itself has not been hacked; the platform is still secure. The problem is that it is being used to send dangerous files, and people tend to trust files received through Signal more than files received through email. This is a clever trick by APT28 to get past traditional defenses.
The attackers are clearly adapting. They know that many organizations now have strong protections against email-based attacks, so they are moving to apps that people do not expect to be risky. This new approach is a big warning sign for those working in government, security, and defense.
Experts say that people should be careful with any file, even one sent through a private app. It is important to keep macros turned off by default and to always double-check before opening documents, especially unexpected ones. Watching network activity for unusual traffic to services like Icedrive and Koofr can also help detect these kinds of attacks early.
This incident shows how quickly cyber threats are evolving. APT28 continues to find new ways to sneak into systems and steal data, and even trusted platforms like Signal can be abused if users are not careful. Everyone needs to stay alert, no matter how safe a platform may seem.
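The network-monitoring advice above, as an added example that is not from the original post: a small Python script that parses proxy-log lines, flags any host talking to the cloud storage services the article names (koofr.net is on the page; icedrive.net is an assumed domain for Icedrive), and marks sources whose requests arrive at regular intervals, the shape of C2 beaconing rather than a one-off file sync. The log layout and the sample lines are constructed for the example.

```python
import re
from datetime import datetime

# Cloud-storage domains the campaign uses: koofr.net is named in the post,
# icedrive.net is an assumed domain for Icedrive. Subdomains match as well.
WATCHED_DOMAINS = ("icedrive.net", "koofr.net")

# Constructed sample proxy log, "timestamp src host method uri bytes" per line.
SAMPLE_LOG = """\
2025-05-12T09:00:01Z 10.20.30.41 www.example.org GET /index.html 5120
2025-05-12T09:00:07Z 10.20.30.41 api.icedrive.net POST /v1/upload 20480
2025-05-12T09:05:09Z 10.20.30.41 api.icedrive.net POST /v1/upload 20990
2025-05-12T09:10:08Z 10.20.30.41 api.icedrive.net GET /v1/files 1024
2025-05-12T09:12:30Z 10.20.30.55 app.koofr.net PUT /content/files/put 98304
2025-05-12T09:15:02Z 10.20.30.77 mail.example.org GET /owa 3072
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")

def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, host, method, uri, nbytes = m.groups()
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")), "src": src,
            "host": host.lower(), "method": method, "uri": uri, "bytes": int(nbytes)}

def is_watched(host):
    """True for a watched domain or its subdomains, not for look-alike names."""
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)

def find_cloud_c2(log_text, jitter_tolerance=60):
    """Summarise, per source IP, all contact with watched domains. 'periodic' is
    True when 3+ requests arrive at near-constant intervals (gap spread within
    jitter_tolerance seconds), the shape of a beacon rather than a one-off sync."""
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_watched(rec["host"]):
            hits.setdefault(rec["src"], []).append(rec)
    report = {}
    for src, recs in hits.items():
        recs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        report[src] = {"hosts": sorted({r["host"] for r in recs}), "requests": len(recs),
                       "bytes_out": sum(r["bytes"] for r in recs if r["method"] in ("POST", "PUT")),
                       "periodic": len(gaps) >= 2 and max(gaps) - min(gaps) <= jitter_tolerance}
    return report
```

On the sample, 10.20.30.41 is reported with three Icedrive requests about five minutes apart (periodic), while 10.20.30.55 shows a single large upload to Koofr; both are worth a look, but the first is the stronger beaconing signal.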
Stay alert, and keep your security measures updated!
Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news