A Russian state-sponsored hacking group has infected Ukrainian government entities with new malware after sending malicious documents over Signal, the Computer Emergency Response Team of Ukraine (CERT-UA) says.
An investigation into a March-April 2024 intrusion at a government organization uncovered two new malware families, dubbed BeardShell and SlimAgent, but the infection vector remained a mystery.
Analysis of a May 2025 attack that compromised a gov.ua email account uncovered the use of BeardShell and a component of the Covenant framework, as well as the initial intrusion avenue, namely Signal.
Specifically, an unnamed target within the government organization received through a Signal chat an Office document containing macro code that led to the execution of the malware.
The attackers, CERT-UA says, had good knowledge of the targeted individual and of the organization.
Written in C++, BeardShell is a backdoor that supports the download, decryption, and execution of PowerShell scripts. It uses the Icedrive service API for management, CERT-UA says.
The backdoor relies on a COM-hijacking method within the Windows registry to persist even after system reboots.
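The report names COM hijacking in the registry as BeardShell's persistence mechanism but publishes no CLSIDs, so the following is an added defender-side hunt (not code from CERT-UA or the malware) that lists per-user COM registrations whose server binary sits outside Windows or Program Files and notes whether each one shadows a machine-wide registration; the trusted-directory heuristic is an assumption and will need tuning per environment.

```powershell
# Added example: hunt for per-user COM server registrations, the persistence
# technique attributed to BeardShell. HKCU\Software\Classes is consulted before
# HKLM when COM resolves a CLSID, so a user-writable entry pointing at an
# attacker-controlled DLL/EXE survives reboots without admin rights.
# Heuristic (assumption): servers under the Windows or Program Files trees are
# treated as benign; everything else is reported for review.

$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() }

function Get-ComServerPath {
    param([string]$KeyPath)
    $props = Get-ItemProperty -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if (-not $props) { return $null }
    $raw = $props.'(default)'
    if ([string]::IsNullOrWhiteSpace($raw)) { return $null }
    # Expand %SystemRoot%-style variables; keep only the binary, drop quotes/arguments.
    $expanded = [Environment]::ExpandEnvironmentVariables($raw).Trim()
    if ($expanded.StartsWith('"')) { return $expanded.Split('"')[1] }
    return ($expanded -split '\s+')[0]
}

function Find-UserComHijack {
    $hits = @()
    $userRoot    = 'Registry::HKEY_CURRENT_USER\Software\Classes\CLSID'
    $machineRoot = 'Registry::HKEY_LOCAL_MACHINE\Software\Classes\CLSID'
    foreach ($clsidKey in Get-ChildItem -LiteralPath $userRoot -ErrorAction SilentlyContinue) {
        $clsid = $clsidKey.PSChildName
        foreach ($kind in 'InprocServer32', 'LocalServer32') {
            $userServer = Get-ComServerPath "$userRoot\$clsid\$kind"
            if (-not $userServer) { continue }
            $lower = $userServer.ToLowerInvariant()
            if ($trustedRoots | Where-Object { $lower.StartsWith($_) }) { continue }
            # A matching HKLM entry means this user key overrides a legitimate component.
            $machineServer = Get-ComServerPath "$machineRoot\$clsid\$kind"
            $hits += [pscustomobject]@{
                CLSID          = $clsid
                Kind           = $kind
                UserServer     = $userServer
                ShadowsMachine = [bool]$machineServer
                MachineServer  = $machineServer
                FileExists     = Test-Path -LiteralPath $userServer
            }
        }
    }
    return $hits
}

Find-UserComHijack | Format-Table -AutoSize
```

Run it in the context of each interactive user (HKCU is per user); entries with ShadowsMachine set and a server in a user-writable directory deserve the closest look.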
SlimAgent, which is written in C++ as well, can take screenshots on the infected system, encrypt them, and save them locally, likely for future exfiltration. It relies on a Windows API for screenshot capturing and uses AES and RSA to encrypt the images.
The use of these tools suggests that the attack was intended to establish a long-term foothold on the compromised systems for intelligence gathering.
The Covenant framework was likely used to download additional payloads that ultimately led to the deployment of the BeardShell backdoor.
CERT-UA blames the intrusions on APT28, also known as Fancy Bear, Forest Blizzard, Pawn Storm, Sednit, and Sofacy Group, which has been connected by security researchers to Russia’s Main Intelligence Directorate of the General Staff (GRU).
APT28 has been systematically targeting Western logistics and technology companies that deliver weapons, aid, and other supplies to Ukraine, cybersecurity agencies in the US and other allied countries said last month.
