APT28 is once again on the radar. This time, the Russia-linked group is weaponizing Signal chat messages to deploy sophisticated malware in Ukraine. The newly identified BEARDSHELL and COVENANT toolkits demonstrate advanced techniques for evading detection and maintaining persistence. The Computer Emergency Response Team of Ukraine (CERT-UA) has issued a warning following the identification of this cyber threat targeting government infrastructure. Here’s what you need to know about this evolving campaign and the serious risks it poses to public sector organizations.
BEARDSHELL Malware: A Backdoor in Disguise
According to CERT-UA, BEARDSHELL is a custom backdoor written in C++. Its core functionalities include:
- Downloading and executing PowerShell scripts
- Uploading execution results via the Icedrive API
This malware was discovered during incident response efforts between March and April 2024. It was accompanied by another tool named SLIMAGENT, which allows attackers to take screenshots of infected systems. Initial infection details remained unclear until ESET later provided threat intelligence confirming unauthorized access to a Ukrainian government email account ending in “gov.ua”.
COVENANT and the Signal Attack Chain
Further investigation revealed that APT28 uses Signal messages to deliver a malicious Word document named “Акт.doc”. This file contains macros that drop two payloads:
- A dynamic link library (DLL) named “ctec.dll”
- A PNG image named “windows.png”
The macro modifies Windows Registry settings so the DLL executes when the system’s File Explorer is opened. This DLL, in turn, loads shellcode from the PNG image and launches the COVENANT framework directly in memory.
Once COVENANT is active, it downloads additional payloads that activate the BEARDSHELL backdoor, granting full remote access to the compromised device.
Exploiting Webmail Software and XSS Vulnerabilities
APT28 is also targeting outdated Ukrainian webmail systems such as Roundcube, Horde, MDaemon, and Zimbra. Using phishing emails containing real news article excerpts, the attackers deploy exploits for three known XSS vulnerabilities:
- CVE-2020-35730
- CVE-2021-44026
- CVE-2020-12641
CERT-UA found these exploits in three JavaScript files embedded in the emails:
- e.js: Redirects incoming emails and exfiltrates contacts and cookies
- q.js: Extracts Roundcube database information via SQL injection
- c.js: Executes arbitrary commands on mail servers
These emails reached over 40 Ukrainian organizations, indicating a widespread and coordinated campaign.
Recommendations for Detection and Mitigation
To reduce the risk of infection or data exfiltration, CERT-UA urges all organizations to monitor for suspicious traffic involving the following domains:
- app.koofr[.]net
- api.icedrive[.]net
Security teams should also apply updates to webmail platforms immediately, remove vulnerable plugins, and disable macros where possible.
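As an added illustration (not from the CERT-UA advisory or the original article), the script below shows how a security team could hunt for the two indicator domains above in proxy or DNS logs. It refangs the defanged indicators, matches exact hosts and subdomains only (so a look-alike such as icedrive.net.example.org does not fire), and the log lines are constructed samples in a hypothetical timestamp/client/method/target layout.

```python
"""Hunt for traffic to the domains CERT-UA lists for this campaign."""
from urllib.parse import urlsplit

# Indicators exactly as defanged in the advisory text.
IOC_DOMAINS_DEFANGED = ["app.koofr[.]net", "api.icedrive[.]net"]


def refang(domain: str) -> str:
    """Turn a defanged indicator ('[.]') back into a matchable hostname."""
    return domain.replace("[.]", ".").lower().rstrip(".")


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}

# Constructed sample log (hypothetical format): time client method target status
SAMPLE_LOG = """\
2024-04-02T09:14:03Z 10.0.5.21 GET https://www.example.com/index.html 200
2024-04-02T09:15:10Z 10.0.5.44 POST https://api.icedrive.net/v1/upload 200
2024-04-02T09:15:11Z 10.0.5.44 CONNECT app.koofr.net:443 200
2024-04-02T09:16:30Z 10.0.5.44 GET https://icedrive.net.example.org/ 404
2024-04-02T09:17:02Z 10.0.5.44 GET https://API.ICEDRIVE.NET/v1/status 200
"""


def host_of(target: str) -> str:
    """Extract the hostname from a full URL or a host:port CONNECT target."""
    if "://" in target:
        return (urlsplit(target).hostname or "").lower()
    return target.split(":")[0].lower()


def matches_ioc(host: str) -> bool:
    """True for an exact IOC host or a subdomain of it; never a substring."""
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def scan_log(text: str) -> list:
    """Return one record per log line whose destination host hits an IOC."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line; skip rather than crash the hunt
        ts, client, method, target = parts[:4]
        host = host_of(target)
        if matches_ioc(host):
            hits.append({"time": ts, "client": client, "method": method, "host": host})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} -> {hit['host']} ({hit['method']})")
```

Any hit should be treated as a lead for endpoint triage of the source client, not as proof of compromise on its own, since both services are legitimate cloud-storage providers.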
Why It Matters
The use of Signal, a secure messaging app typically associated with privacy, marks a disturbing shift in APT tradecraft. Combined with macro-enabled payloads, living-off-the-land techniques, and targeted phishing, this campaign shows the agility of modern nation-state actors.
At ZENDATA, we help organizations strengthen their defenses against these evolving threats. From threat intelligence to phishing simulation and endpoint protection, our cybersecurity services are built to match the complexity of today’s attack landscape.
Final Thoughts
APT28’s latest operation is a masterclass in layered exploitation and stealth. It underscores the need for comprehensive visibility across communication tools, email platforms, and endpoint activity. If your organization handles sensitive communications or operates in geopolitically sensitive regions, now is the time to revisit your threat model.
Let’s not wait for a Signal ping to realize the breach has already happened. Read the full article from The Hacker News here.