
APT28 Deploys Modified Covenant to Spy on Ukrainian Government

Red | Attack Report

Summary

The Russian state-sponsored threat group APT28, also known as Sofacy, Fancy Bear, Sednit, and Forest Blizzard, has launched a sophisticated long-term espionage campaign targeting Ukrainian government entities by exploiting the Microsoft Office zero-day vulnerability CVE-2026-21509. This APT28 espionage campaign specifically targets Ukrainian government and military organizations, particularly central executive bodies, using weaponized Office documents delivered through spear-phishing emails and encrypted messaging platforms like Signal. The attack leverages a heavily modified version of the open-source Covenant post-exploitation framework alongside custom surveillance implants including BeardShell and SlimAgent to establish persistent covert access and steal sensitive data.

Once the malicious Office documents are opened by victims, they deploy a memory-resident Covenant backdoor that downloads additional malicious components including the BeardShell custom implant and SlimAgent keylogger derived from APT28’s older XAgent malware framework. These surveillance tools enable threat actors to capture keystrokes, screenshots, and clipboard data, generating HTML-formatted espionage logs with color-coded entries to help operators efficiently analyze stolen information. By routing command-and-control traffic through legitimate cloud storage services including pCloud, Koofr, Filen, and Icedrive, the APT28 attackers conceal their malicious communications within normal cloud traffic patterns, enabling long-term surveillance of compromised systems. Analysis of APT28-controlled cloud storage accounts revealed that some Ukrainian government systems had been continuously monitored for more than six months, demonstrating the threat group’s capability for sustained espionage operations while evading traditional detection mechanisms.

Attack Details

Campaign Overview and Initial Compromise

The Russian state-sponsored threat group APT28, also known as Sednit, has been conducting long-term espionage operations using a customized version of the open-source Covenant post-exploitation framework. Recent security investigations revealed that these sophisticated operations specifically targeted Ukrainian government entities, particularly central executive bodies responsible for national security and defense functions, by exploiting the zero-day vulnerability CVE-2026-21509 in Microsoft Office. The espionage campaign relied heavily on spear-phishing emails distributing specially crafted Office documents designed to exploit this security flaw and establish initial access to target systems.

Social Engineering and Malicious Document Delivery

To initiate the attack and compromise target systems, APT28 operators sent malicious Office files to carefully selected individuals within Ukrainian government organizations and relied heavily on social engineering tactics to persuade recipients to open the weaponized documents. In one documented instance analyzed by CERT-UA, the Ukrainian Computer Emergency Response Team, the attackers used the encrypted messaging platform Signal to deliver a malicious document named Акт.doc, demonstrating their willingness to leverage multiple communication channels beyond traditional email. The malicious file contained embedded macros that automatically triggered the multi-stage infection chain once opened by the victim, allowing the attackers to establish an initial foothold on the compromised system without requiring additional user interaction.

Multi-Stage Malware Deployment

After successful execution of the malicious Office document, the embedded macros deployed a memory-resident Covenant backdoor that downloaded additional malicious components to the compromised system, including a DLL file named PlaySndSrv.dll and a shellcode-embedded WAV audio file designed to evade detection. These components were used to install BeardShell, a custom C++ implant developed specifically for this espionage campaign. Persistence for both the loader component and the main payload was achieved through COM hijacking in the Windows registry, ensuring the malware would survive system reboots and maintain long-term access.

Alongside these primary tools, the attackers deployed SlimAgent, a sophisticated surveillance implant derived from APT28’s older XAgent malware framework. SlimAgent enabled the threat operators to capture keystrokes, screenshots, and clipboard data from compromised systems, generating comprehensive espionage logs in HTML format with color-coded entries to help operators quickly identify and analyze stolen information of intelligence value. This design facilitated efficient triage of captured data and enabled operators to focus on the most valuable intelligence collected from Ukrainian government targets.

Covenant Framework Modifications

Security researchers discovered that APT28 heavily modified the open-source Covenant framework to better support long-term espionage operations. Instead of generating random implant names that could appear suspicious, the developers implemented a deterministic naming method derived from unique system characteristics, which lets them consistently identify an infected machine across reboots and network changes. The execution process was also redesigned to evade the behavioral detection mechanisms employed by modern endpoint security products.

Additionally, the threat group integrated cloud-based communication capabilities using the C2Bridge project, enabling the malware to communicate with legitimate cloud storage platforms such as pCloud, Koofr, Filen, and Icedrive. This infrastructure design choice allowed APT28 to blend malicious command-and-control traffic with legitimate cloud service communications, significantly complicating network-based detection efforts.

Dual-Implant Architecture and Long-Term Surveillance

The APT28 attackers employed a sophisticated dual-implant architecture designed to maintain operational resilience and ensure persistent access even if primary communication channels were disrupted. The modified Covenant framework acted as the primary access channel for interactive operations, while BeardShell served as a backup communication mechanism in case the main command-and-control infrastructure was detected and blocked by defenders. This redundant setup allowed the threat operators to maintain long-term visibility into compromised Ukrainian government networks with minimal risk of losing access.

Analysis of APT28-controlled cloud storage accounts revealed that some compromised systems had been continuously monitored for more than six months, demonstrating the threat group’s capability for sustained, long-duration espionage operations. By routing command-and-control traffic through legitimate cloud services, the attackers ensured that malicious communications blended seamlessly with normal cloud activity patterns generated by legitimate applications, making network-based detection significantly more difficult. Meanwhile, sensitive data collected by SlimAgent was encrypted using AES and RSA cryptographic algorithms before being stored locally on compromised systems and later exfiltrated through separate command-and-control channels to prevent detection during data transfer.

Recommendations

Patch Microsoft Office Against CVE-2026-21509

Immediately apply the emergency security update released by Microsoft to address CVE-2026-21509 across all affected versions, including Office 2016, Office 2019, Office LTSC 2021, Office LTSC 2024, and Microsoft 365 Apps for Enterprise. Organizations running Office 2021 and later versions should restart Office applications to activate service-side protections that provide additional defense-in-depth against exploitation attempts.

Block Cloud Storage C2 Domains

Monitor and restrict network communications to cloud storage domains abused by APT28 for command-and-control communications, specifically app.koofr.net, api.icedrive.net, and filen.io endpoints. Implement allowlisting policies that only permit authorized and business-approved cloud storage services within the organization’s network perimeter, preventing unauthorized cloud services from being used for data exfiltration or command-and-control.
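One way to operationalise this recommendation is to run proxy or DNS logs against the hosts named above, with an allowlist of business-approved storage evaluated first. The script below is an added example and not part of the advisory; the log format (timestamp, client IP, destination host, bytes) is a constructed simplification, the allowlist entries and the log lines are constructed, and pcloud.com is an assumed domain for pCloud since the advisory names only the service. Matching is done on domain-label boundaries so that a lookalike such as notfilen.io does not match filen.io.

```python
"""Flag proxy-log traffic to the cloud-storage hosts the advisory names (added example).

The log format is a constructed, whitespace-separated one: timestamp, client IP,
destination host, bytes sent. Adapt `parse_line` to your proxy or DNS schema.
"""
from __future__ import annotations

import re
from collections import Counter

# Hosts named in the advisory as C2 endpoints.
C2_HOST_INDICATORS = ("app.koofr.net", "api.icedrive.net", "filen.io")
# Registrable domains of the four services the advisory says were abused.
# pcloud.com is an assumption for pCloud; the advisory names only the service.
ABUSED_SERVICE_DOMAINS = ("pcloud.com", "koofr.net", "filen.io", "icedrive.net")
# Business-approved storage (assumption: replace with your own allowlist).
ALLOWLIST = ("sharepoint.com", "onedrive.com")

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<host>\S+)\s+(?P<bytes>\d+)$")


def domain_matches(host: str, pattern: str) -> bool:
    """Exact or subdomain match on label boundaries, so notfilen.io never matches filen.io."""
    host = host.lower().rstrip(".")
    return host == pattern or host.endswith("." + pattern)


def classify_host(host: str) -> str:
    """allowed > ioc > abused_service > other; the allowlist is checked first."""
    if any(domain_matches(host, d) for d in ALLOWLIST):
        return "allowed"
    if any(domain_matches(host, d) for d in C2_HOST_INDICATORS):
        return "ioc"
    if any(domain_matches(host, d) for d in ABUSED_SERVICE_DOMAINS):
        return "abused_service"
    return "other"


def parse_line(line: str) -> dict | None:
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def scan_log(lines):
    """Return hits (client, host, verdict) for ioc/abused_service traffic, the bytes
    each client sent to those hosts (a rough exfiltration-volume signal), and the
    number of lines that did not parse."""
    hits, bytes_by_client, malformed = [], Counter(), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            malformed += 1
            continue
        verdict = classify_host(rec["host"])
        if verdict in ("ioc", "abused_service"):
            hits.append((rec["client"], rec["host"], verdict))
            bytes_by_client[rec["client"]] += int(rec["bytes"])
    return {"hits": hits, "bytes_by_client": bytes_by_client, "malformed": malformed}


# Constructed sample log lines.
SAMPLE_LOG = """\
2026-02-10T08:01:02Z 10.0.0.15 app.koofr.net 5120
2026-02-10T08:01:05Z 10.0.0.15 contoso.sharepoint.com 2048
2026-02-10T08:02:00Z 10.0.0.22 notfilen.io 300
2026-02-10T08:02:30Z 10.0.0.22 www.koofr.net 700
2026-02-10T08:03:00Z 10.0.0.15 cdn.filen.io 88000
2026-02-10T08:04:00Z 10.0.0.31 api.icedrive.net 40960
this line is malformed
""".splitlines()

if __name__ == "__main__":
    report = scan_log(SAMPLE_LOG)
    for client, host, verdict in report["hits"]:
        print(f"{verdict:15} {client:12} {host}")
    for client, total in report["bytes_by_client"].most_common():
        print(f"{client} sent {total} bytes to flagged hosts")
    print(f"{report['malformed']} malformed line(s)")
```

The bytes-per-client tally is the useful triage key: a workstation that both contacts one of the named hosts and pushes a large volume to it stands out from a single incidental lookup, and the same function works unchanged on a full day of exported proxy logs.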

Filter Malicious Office Attachments at the Email Gateway

Configure email gateways to quarantine or block Office documents containing embedded OLE objects from external and untrusted sources. Pay particular attention to legacy .doc files with macro capabilities, as APT28 distributed malicious documents via both email and encrypted messaging platforms like Signal, requiring defense across multiple communication channels.

Enable Protected View and Macro Controls

Ensure Protected View is enabled by default for all documents originating from external sources, and enforce group policies that disable macros in documents received from the internet. Require explicit user or administrator approval for macro execution in any document from untrusted sources, significantly reducing the attack surface for macro-based exploitation.

Monitor for SlimAgent Keylogger Artifacts

Conduct proactive threat hunting to search for HTML-formatted keylogger output files on endpoints, particularly those with color-coded entries in blue, red, and green that match SlimAgent’s logging format. Additionally, search for known SlimAgent file indicators such as eapphost.dll and tcpiphlpsvc.dll loaded as DLLs via suspicious processes, which may indicate active compromise.
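The two artifact classes named above (the IOC DLL names loaded by processes, and HTML keylog output with blue, red and green entries) can be checked with a short hunt script. The code below is an added example and not part of the advisory; it assumes image-load records shaped like Sysmon Event ID 7 fields (Image, ImageLoaded), all records and HTML samples are constructed, and because the exact SlimAgent HTML layout is not published in the advisory the font-colour test is a coarse triage heuristic rather than a signature.

```python
"""Hunt for the SlimAgent artifacts the advisory names (added example).

Two checks: (1) DLL image-load records whose file name matches the IOC names
eapphost.dll / tcpiphlpsvc.dll; (2) a coarse triage heuristic for HTML keylog
output that uses blue, red and green font colours together. The record format
is a constructed, Sysmon-like key/value mapping; the exact SlimAgent HTML
layout is not in the advisory, so the colour test is an assumption.
"""
from __future__ import annotations

import ntpath
import re

SLIMAGENT_DLL_NAMES = {"eapphost.dll", "tcpiphlpsvc.dll"}  # from the advisory
TRUSTED_DIR_PREFIXES = (r"c:\windows\system32", r"c:\windows\syswow64")

# Matches color="blue", color: #FF0000, style="color:green" and similar; the
# leading \b keeps bgcolor= from matching.
_COLOR_RE = re.compile(
    r"\bcolor\s*[:=]\s*[\"']?(blue|red|green|#0000ff|#ff0000|#00ff00|#008000)\b", re.I)
_HEX_TO_NAME = {"#0000ff": "blue", "#ff0000": "red", "#00ff00": "green", "#008000": "green"}


def scan_image_loads(records) -> list[str]:
    """Return one finding per image-load record (EventID 7) that loads an IOC DLL name."""
    findings = []
    for rec in records:
        if rec.get("EventID") != "7":
            continue
        loaded = rec.get("ImageLoaded", "")
        name = ntpath.basename(loaded).lower()
        if name not in SLIMAGENT_DLL_NAMES:
            continue
        in_system_dir = loaded.lower().startswith(TRUSTED_DIR_PREFIXES)
        where = "system path" if in_system_dir else "non-system path"
        findings.append(f"{name} loaded by {rec.get('Image', '?')} from {where}: {loaded}")
    return findings


def html_font_colors(text: str) -> set[str]:
    """Set of colour names used as font colours in the HTML (hex forms normalised)."""
    return {_HEX_TO_NAME.get(c.lower(), c.lower()) for c in _COLOR_RE.findall(text)}


def looks_like_keylog_html(text: str) -> bool:
    """Heuristic: all three of the colours the advisory associates with SlimAgent logs."""
    return {"blue", "red", "green"} <= html_font_colors(text)


# Constructed sample records in a Sysmon-like shape.
SAMPLE_RECORDS = [
    {"EventID": "7", "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\tcpiphlpsvc.dll"},
    {"EventID": "7", "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\shell32.dll"},
    {"EventID": "7", "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ImageLoaded": r"C:\ProgramData\EAPPHOST.DLL"},
    {"EventID": "1", "Image": r"C:\ProgramData\eapphost.dll"},  # process-create, ignored
]

# Constructed HTML samples; the keylog one only imitates the colour scheme.
SAMPLE_KEYLOG_HTML = """<html><body>
<font color="blue">[window title]</font><br>
<font color="red">[clipboard]</font> copied text<br>
<span style="color:#008000">typed keys</span>
</body></html>"""
SAMPLE_BENIGN_HTML = '<p style="color: red">Build failed</p><p style="color: green">Tests passed</p>'

if __name__ == "__main__":
    for finding in scan_image_loads(SAMPLE_RECORDS):
        print(finding)
    print("keylog-like:", looks_like_keylog_html(SAMPLE_KEYLOG_HTML))
    print("benign:", looks_like_keylog_html(SAMPLE_BENIGN_HTML))
```

Treat a colour-heuristic hit as a candidate for manual review rather than a detection on its own; the DLL-name match, especially from a non-system path, is the stronger signal and pairs with the SHA1 hashes in the IOC section.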

Implement Network Segmentation for Sensitive Systems

Isolate military and government-sensitive workstations from general-purpose networks to limit lateral movement opportunities. Given APT28’s demonstrated capability for six-month-plus persistent access to compromised systems, network segmentation limits the blast radius of any single compromise and makes lateral movement toward high-value targets harder.

Indicators of Compromise (IOCs)

The threat advisory includes indicators of compromise associated with the APT28 campaign, including SHA1 file hashes and specific filenames used by the SlimAgent malware. Organizations should integrate these indicators into their security monitoring systems, endpoint detection platforms, and threat intelligence feeds to identify potential APT28 activity within their environments.

MITRE ATT&CK TTPs

The APT28 espionage campaign employs tactics and techniques mapped to the MITRE ATT&CK framework. Resource development: acquiring web services infrastructure and developing custom malware capabilities. Initial access: spearphishing attachments. Execution: the PowerShell command and scripting interpreter and shared modules. Persistence: Component Object Model hijacking. Defense evasion: exploitation for defense evasion, obfuscated files and information alongside deobfuscation techniques, execution guardrails, and hiding artifacts. Collection: keylogging input capture, screen capture, clipboard data theft, and data from local systems. Discovery: system information discovery. Command and control: web services with bidirectional communication, encrypted channels using asymmetric cryptography, data obfuscation, and web protocols. Exfiltration: exfiltration over web services to cloud storage platforms.

References

The threat advisory references authoritative security research from ESET on Sednit operations and HivePro threat intelligence analysis on CVE-2026-21509 active exploitation. These references provide additional technical depth and context for security teams investigating APT28 activity or implementing defensive measures against this Russian state-sponsored threat group.
