Russian Threat Actor Sednit Resurfaces With Sophisticated Toolkit
Summary
Russia-linked Sednit (aka Fancy Bear/APT28) has returned to using bespoke malware after years of simpler implants, according to ESET’s analysis of a 2024 breach in Ukraine. Researchers uncovered a dual-implant toolkit that includes a new PowerShell-capable implant called BeardShell and a heavily reworked open-source .NET post-exploitation framework dubbed Covenant. A keylogger called SlimAgent — which ties back to Sednit code from the 2010s — was also observed in the intrusion. BeardShell uses the legitimate cloud storage service Icedrive for command-and-control (C2) after the attackers reverse-engineered the client, while Covenant provides full espionage capabilities (data exfiltration, lateral movement, monitoring). The group pairs implants that use different cloud providers for C2 and continues to update custom loaders and obfuscation techniques, complicating detection and takedowns. Victims are primarily Ukrainian military personnel to date, with social-engineering delivery over Signal or WhatsApp Desktop and trojanised Office documents.
Key Points
- Sednit has returned to custom malware, blending new implants with longstanding code lineage (SlimAgent ties to 2010s Sednit tools).
- Two primary implants: BeardShell (PowerShell interpreter using Icedrive for C2) and Covenant (a heavily modified open-source .NET post-exploitation framework).
- Attackers reverse-engineered legitimate cloud clients and rely on multiple cloud providers for C2, making network-based detection and infrastructure takedown harder.
- Covenant is the preferred day-to-day espionage tool; BeardShell often acts as a redeployer or fallback.
- Delivery typically via social engineering through Signal Desktop or WhatsApp Desktop, using trojanised Excel/Word documents and even follow-up phone calls.
- ESET observed rapid updates to loaders and obfuscation, suggesting an active, well-resourced development effort within the group.
Context and Relevance
This development marks a notable shift (or re-emergence) in Sednit’s operational behaviour: after favouring simple phishing-delivered implants since about 2019, the group is now deploying sophisticated, actively maintained tooling again. For security teams, the mix of bespoke implants and legitimate cloud services for C2 increases stealth and resilience, since C2 traffic blends into ordinary cloud-storage sessions and taking down one provider does not sever the channel. The techniques (reverse engineering cloud clients, parallel C2 channels, custom loaders) fit broader trends in nation-state espionage where threat actors aim to evade detection while maintaining persistence. With current targeting focused on Ukrainian military assets, the geopolitical context (the ongoing war) could drive wider targeting depending on operational objectives.
Why should I read this?
Quick heads-up: if you defend networks or handle threat intel, this is a proper wake-up call. Sednit isn’t just reusing old tricks — it’s back with upgraded, actively maintained tools and clever use of legitimate cloud services to hide C2. That makes detection by usual network signatures a lot less reliable. Read it to know what to look for and to tighten your defences before their next wave.
Source
Source: https://www.darkreading.com/cyber-risk/sednit-resurfaces-with-sophisticated-new-toolkit
