Russian military hackers revive advanced malware to spy on Ukraine, researchers say
Summary
Cybersecurity firm ESET reports that Russian state-linked threat actor APT28 (aka Fancy Bear) has resurrected a sophisticated espionage toolkit, with the revived activity observed since April 2024. The renewed arsenal centres on two implants — BeardShell and a heavily modified Covenant framework — often used together to maintain long-term access to Ukrainian targets, particularly military personnel. ESET also linked SlimAgent, an updated keylogger capable of keystroke capture, screenshots and clipboard theft, to the group. The activity continued through 2025 and into 2026, with campaigns that exploited software vulnerabilities and targeted a range of sectors across Europe and beyond.
Key Points
- APT28’s advanced development team reappeared in April 2024 with new and updated tools (BeardShell, Covenant, SlimAgent).
- SlimAgent is a revived Xagent keylogger module — captures keystrokes, screenshots and clipboard data.
- BeardShell enables execution of PowerShell commands and is used for long-term surveillance of Ukrainian military personnel.
- Covenant, an open-source C2 framework, has been heavily modified by APT28 and is now a primary espionage tool; BeardShell acts as a fallback.
- The group shifted toward simpler phishing tactics around 2019, but the return of custom malware may reflect ramped-up operations after Russia’s 2022 invasion of Ukraine, or prolonged covert development that has only now surfaced.
- Recent campaigns exploited a Microsoft Office flaw to target maritime, transport and diplomatic entities across multiple countries.
- APT28 activity has had diplomatic fallout in Europe, including Germany summoning the Russian ambassador over alleged attacks and disinformation.
Context and relevance
This story matters to anyone tracking state-sponsored cyber threats, defence planners and organisations with Ukraine-facing operations. It signals a return to tailored, resilient toolsets from a GRU-linked actor historically tied to high-profile intrusions. The shift back to advanced implants — and the adaptation of open-source frameworks like Covenant — highlights evolving tradecraft: blending bespoke malware with repurposed public tooling to maintain persistence and complicate attribution and mitigation.
Why should I read this?
Because it’s not just another headline — this is about a major Russian cyber unit digging out powerful spying tools and using them against real-world military and diplomatic targets. If you care about protecting networks, defending personnel or understanding how nation-state tradecraft is changing, this gives you the short, sharp picture so you don’t miss the bits that matter.
Author style
Punchy — the reporting cuts to the chase: APT28 is back with serious malware. If you’re responsible for threat intel, defence or policy, the full details are worth your time.
Source
Source: https://therecord.media/russia-apt-28-revives-malware-to-spy-on-ukraine
