APT28 Is Back — And This Time They're Hiding Behind Your Cloud Storage

ESET dropped a deep-dive this week that should be mandatory reading for anyone tracking Russian state-sponsored activity. Sednit — also known as APT28, Fancy Bear, and Forest Blizzard, operated by GRU Unit 26165 — has reactivated its advanced implant development team after what looked like a quiet stretch. The tooling is new. The targets are familiar. And the operational security is better than before.

What Changed

For a few years, Sednit leaned heavily on phishing campaigns and commodity malware. Their custom implant development slowed. Security researchers noticed. Some started treating them as less sophisticated than they'd been in the 2010s.

That was wrong.

In April 2024, ESET found a piece of malware on a Ukrainian government machine they called SlimAgent — a keylogger and clipboard stealer that, on closer inspection, was a direct descendant of Xagent's `RemoteKeyLogger.dll` module from over a decade ago. Same six-step data-collection loop. Same API calls. Same HTML color scheme in the keylog output. The same team, working from the same playbook, quietly active since at least 2018.

That was just the canary. The real story is what came after.

Two New Implants, Two Cloud Providers

ESET documented a dual-implant framework built for long-term persistent access:

BeardShell is a .NET implant that executes PowerShell commands and uses Icedrive — a legitimate cloud storage service — as its command and control channel. No suspicious callbacks to attacker-owned infrastructure. Just what looks like normal cloud storage traffic. ESET noted that when an Icedrive API change disrupted communications, the developers patched BeardShell within *hours* to restore functionality. This isn't a weekend project. This is an active, maintained operation.

Covenant is more interesting. It started life as an open-source .NET post-exploitation framework — released in 2019, abandoned by its developers in 2021. Sednit took it, gutted it, and rebuilt it for espionage. They added deterministic implant naming tied to machine fingerprints, modified the two-stage execution flow to evade behavioral detection, and swapped the original C2 channel for cloud storage: pCloud in 2023, then Koofr in 2024–2025, then Filen starting July 2025. Each swap was clean and deliberate.

The two implants run in parallel on the same target, using different cloud providers. Take down one C2 infrastructure — the other one keeps the connection alive.

The Attribution Marker That Gives It Away

Code lineage in malware is usually ambiguous. But ESET found something specific: an opaque predicate obfuscation technique built around the formula 2(x²+1)+2 = y²+5, which has no integer solution and is therefore a logical dead-end inserted into conditional logic to confuse static analysis. ESET says this exact technique was previously observed exclusively in Sednit's Xtunnel network-pivoting tool from 2013–2016. They've never seen it in any other threat actor's tooling.

That's not coincidence. That's the same development team, or someone who inherited their code directly.

The Target Set and the CVE You Need to Patch

Ukrainian military personnel have been the primary focus. ESET found evidence of machines being monitored for over six months continuously in 2025. In January 2026, Sednit deployed Covenant via spearphishing exploiting CVE-2026-21509, confirmed by CERT-UA.

If you haven't patched CVE-2026-21509 yet, that's the immediate action item.

What Defenders Should Do Right Now

  1. Patch CVE-2026-21509 across all affected systems. CERT-UA confirmed active exploitation in January — assume you're behind.
  1. Monitor cloud storage outbound traffic for anomalous patterns — particularly file read/write operations to Icedrive, Filen, Koofr, and pCloud that don't match normal business usage. This traffic won't light up traditional C2 detection rules.
  1. Hunt for modified Covenant artifacts. Just because a framework's official development stopped doesn't mean adversaries stopped using it. ESET's GitHub has IoCs.
  1. Check for SlimAgent indicators on high-value endpoints — especially in government, the defense sector, and military-adjacent organizations. The telltale sign is HTML-formatted keylog artifacts on disk.
  1. Add the opaque predicate signature to static analysis pipelines. The formula `2(x²+1)+2 = y²+5` as a loop condition is a rare and specific marker. If you see it in a binary, you're looking at Sednit tooling.
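One way to act on the cloud-storage traffic hunt in item 2, and to surface the parallel two-provider pattern described earlier, as an added example that is not ESET's code or any vendor tooling: it parses constructed proxy log lines, scores how metronomic each host's contact with Icedrive, pCloud, Koofr or Filen is, and lists hosts polling more than one provider on a fixed cadence. The provider entries are the services' registered domains; the API hostnames in the sample and the log format are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Registered domains of the four services named in ESET's research; exact API
# hostnames are an assumption, tune them against what your proxy actually logs.
PROVIDERS = {"icedrive.net": "Icedrive", "pcloud.com": "pCloud",
             "koofr.eu": "Koofr", "filen.io": "Filen"}

# Constructed proxy log lines: "<timestamp> <src_ip> <dst_host> <method> <bytes>".
SAMPLE_LOG = """\
2025-09-01T08:00:00 10.1.1.20 api.icedrive.net GET 412
2025-09-01T08:05:01 10.1.1.20 api.icedrive.net GET 418
2025-09-01T08:10:00 10.1.1.20 api.icedrive.net GET 410
2025-09-01T08:15:02 10.1.1.20 api.icedrive.net GET 415
2025-09-01T08:02:00 10.1.1.20 gateway.filen.io POST 1203
2025-09-01T08:12:00 10.1.1.20 gateway.filen.io POST 1198
2025-09-01T08:22:01 10.1.1.20 gateway.filen.io POST 1210
2025-09-01T08:32:00 10.1.1.20 gateway.filen.io POST 1201
2025-09-01T08:03:00 10.1.1.44 my.pcloud.com GET 50321
"""

def provider_of(host):
    # Map a destination hostname to a watched provider, or None if unwatched.
    for dom, name in PROVIDERS.items():
        if host == dom or host.endswith("." + dom):
            return name
    return None

def find_beacons(log_text, min_hits=4, max_jitter=0.2):
    """Return {src: {provider: mean_gap_seconds}} where a host's contact with a
    provider is metronomic (stdev/mean of request gaps below max_jitter)."""
    series = defaultdict(list)
    for line in log_text.splitlines():
        ts, src, dst = line.split()[:3]
        prov = provider_of(dst)
        if prov:
            series[(src, prov)].append(datetime.fromisoformat(ts))
    hits = defaultdict(dict)
    for (src, prov), stamps in series.items():
        if len(stamps) < min_hits:
            continue  # too few requests to judge regularity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) < max_jitter:
            hits[src][prov] = round(mean(gaps), 1)
    return dict(hits)

def dual_channel_hosts(log_text):
    """Hosts beaconing to 2+ providers: the parallel BeardShell + Covenant pattern."""
    return sorted(s for s, p in find_beacons(log_text).items() if len(p) > 1)
```

A human syncing a folder produces bursty, size-varied traffic, so only the low-jitter series survive the filter; the single large pCloud hit from 10.1.1.44 is ignored.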

The Bigger Picture

The security community has a habit of writing off threat actors when they go quiet. Sednit went quiet — or appeared to — while maintaining a development program that directly traces back to their 2010s-era codebase. The same team has been working this whole time.

Nation-state APTs don't retire. They adapt. Cloud-based C2 is increasingly the norm precisely because it works: it blends into normal traffic, survives infrastructure takedowns, and forces defenders to monitor legitimate services rather than hunting for attacker-owned domains.

The dual-implant, multi-cloud-provider architecture Sednit deployed here is a template other groups will copy if they haven't already.

Full technical details, IoCs, and YARA rules in ESET's research post. Read it.
