The Russian-linked threat actor APT28, also known as Sofacy, Fancy Bear, Forest Blizzard, and TAG-110, has launched a new wave of cyber-espionage operations in 2025. According to Sekoia.io’s Threat Detection & Response (TDR) team, these campaigns target Ukrainian military administration and command structures with a blend of steganography, open-source tools, and cloud-based command-and-control.
Sekoia.io explains, “In this campaign APT28 focuses on Ukrainian military command and administration. The infection chain is sophisticated and highly likely to be reused in the coming years thanks to its robust design.”
The operation begins with weaponized Office documents delivered through private Signal chats. Victims are lured with urgent administrative requests—such as compensation claims or penalties—crafted to pressure military personnel.
The documents contain malicious VBA macros that perform COM hijacking to load a DLL (prnfldr.dll). This DLL, while proxying legitimate printing operations, secretly extracts hidden shellcode from an innocuous-looking PNG image (windows.png).
As the report highlights, “We also observed novel obfuscation methods embedding payloads inside PNG files, a technique never before seen in APT28 activity.”
The extracted shellcode loads the Covenant framework’s GruntHTTPStager, establishing covert communications via the legitimate cloud service Koofr.
The infection chain eventually deploys BeardShell, a C++ backdoor that uses the icedrive cloud storage service as its command-and-control (C2) channel.
Once active, BeardShell fingerprints infected hosts, uploads reconnaissance data, and polls its icedrive directory every four hours for commands. Each operator-issued file triggers the execution of PowerShell commands or scripts, with results uploaded back to icedrive disguised as image files.
The report notes, “BeardShell is developed as a C++ DLL and makes extensive use of encrypted strings… On startup, it executes the SystemInfo command and uploads the output to icedrive.”

Alongside BeardShell, analysts also discovered SlimAgent, a spyware implant capable of keylogging, screenshots, and clipboard theft. Although its direct link to the infection chain remains uncertain, its similarities to APT28’s DLL loading mechanisms suggest a shared developer lineage.
Sekoia.io observed that “SlimAgent loads a public RSA key… proceeds to launch the main loop, handling screenshot capture, keylogging and clipboard copying functions.”
APT28 has increasingly turned to abusing legitimate cloud services to mask malicious activity. In this campaign:
- Koofr was used to stage Covenant tasks and exfiltrate reconnaissance data.
- icedrive served as BeardShell’s command-and-control backbone.
- Later iterations even tested Filen, another cloud provider, for payload delivery.
This blending of malicious tools with trusted infrastructure makes detection significantly harder. “APT28 now wields a hardened toolset that blends open source components and legitimate cloud infrastructure to evade detection and maintain long term access,” the researchers warn.
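Because the C2 traffic goes to legitimate storage providers, domain blocklists alone are weak; what distinguishes BeardShell's four-hour icedrive polling from a user syncing files is regularity. The detection below is an added example (not Sekoia.io's or the article's code) that groups proxy log entries by source host and destination, measures the spacing between requests to the named providers, and alerts when a host contacts one of them on a near-constant period. The log lines are constructed, the provider domains are assumed for illustration, and the 10% jitter threshold is a tunable guess.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Providers named in the report as C2/staging channels. Domains are assumed
# for this example; in production use the resolver data you actually see.
WATCHLIST = ("koofr.net", "icedrive.net", "filen.io")

# Constructed proxy log: "<timestamp> <source ip> <destination host>".
# 10.0.0.5 polls icedrive roughly every 4 hours (the BeardShell cadence);
# 10.0.0.7 uses Koofr interactively; 10.0.0.9 never touches the watchlist.
SAMPLE_LOG = """
2025-03-01T00:00:00Z 10.0.0.5 api.icedrive.net
2025-03-01T00:00:30Z 10.0.0.9 www.google.com
2025-03-01T04:01:00Z 10.0.0.5 api.icedrive.net
2025-03-01T08:00:00Z 10.0.0.5 api.icedrive.net
2025-03-01T09:00:00Z 10.0.0.7 app.koofr.net
2025-03-01T09:05:00Z 10.0.0.7 app.koofr.net
2025-03-01T11:05:00Z 10.0.0.7 app.koofr.net
2025-03-01T11:06:00Z 10.0.0.7 app.koofr.net
2025-03-01T11:59:00Z 10.0.0.5 api.icedrive.net
2025-03-01T16:02:00Z 10.0.0.5 api.icedrive.net
2025-03-01T16:40:00Z 10.0.0.7 app.koofr.net
2025-03-01T20:00:00Z 10.0.0.5 api.icedrive.net
2025-03-01T23:58:00Z 10.0.0.5 api.icedrive.net
""".strip().splitlines()


def parse_ts(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def find_periodic_beacons(lines, min_hits: int = 4, max_jitter: float = 0.10) -> list:
    """Return one alert per (source, host) pair whose watchlist contacts are near-periodic.

    jitter = stddev(gaps) / mean(gaps); a scheduled poller stays well under 0.1,
    a human moving files around does not.
    """
    events = defaultdict(list)
    for line in lines:
        ts, src, host = line.split()
        if host.endswith(WATCHLIST):
            events[(src, host)].append(parse_ts(ts))

    alerts = []
    for (src, host), times in events.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = mean(gaps)
        jitter = pstdev(gaps) / period if period else 0.0
        if jitter <= max_jitter:
            alerts.append({
                "src": src,
                "host": host,
                "hits": len(times),
                "period_s": round(period),
                "jitter": round(jitter, 3),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_periodic_beacons(SAMPLE_LOG):
        print(alert)
```

A four-hour period yields only six intervals per day, so run this over several days of logs rather than a single one, and allow-list hosts with a business reason to use these providers before paging anyone. Pair the network signal with the host-side artefacts the report describes (the COM hijack registry entry that loads prnfldr.dll, PowerShell spawned from an unexpected parent) to raise confidence.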
The lure documents analyzed by Sekoia.io were highly specific:
- Personnel reports
- Medical compensation forms
- Drone delivery receipts
Such targeting suggests a strategic focus on gathering intelligence about Ukrainian attrition rates, logistics chains, and operational readiness.
The report emphasizes, “These documents are highly likely used by Russian military intelligence to gather cyber intelligence on frontline combatants, possibly on specific units in the Ukrainian military theatre.”
APT28’s BeardShell campaign represents a significant evolution in tradecraft. By combining steganography, open-source frameworks like Covenant, and abuse of legitimate cloud services, the group has built a resilient espionage toolset capable of long-term operations.
With its focus on Ukraine’s military infrastructure, this campaign highlights not just technical innovation but also the geopolitical motivations driving Russian cyber operations.
As Sekoia.io concludes, “This operation marks a clear technical step up over previous attacks with the integration of the open source Covenant framework and the use of third party cloud services Koofr and icedrive for covert communications.”