APT28 Is Back With a New Toolkit — and the Same Old Code
Sednit's advanced implant team went quiet in 2019. ESET's latest research shows they never left — they just got smarter about hiding.
If you've been tracking APT28 (Sednit, Fancy Bear, Forest Blizzard — pick your alias), you probably noticed their custom malware all but vanished from the wild after 2019. The group was still active, still phishing, but the sophisticated bespoke implants that defined their 2010s campaigns had gone dark. No new Xagent. No Xtunnel. Just commodity script-based tools and opportunistic phishing.
That's over.
ESET published research this week documenting the full return of Sednit's advanced development shop, built around two new paired implants: BeardShell and a heavily modified version of the open-source Covenant framework. The campaign traces back to April 2024, and CybrPulse has been tracking coverage of it as it surfaced — the research scores an 8.8 on our priority index, the highest of any story this week.
What They Built
SlimAgent kicked things off. ESET found it on a Ukrainian governmental machine in April 2024 — a keylogger that also grabs screenshots and clipboard data. Nothing exotic on the surface, until researchers pulled the code apart and found Xagent's DNA all over it. SlimAgent is a direct descendant of `RemoteKeyLogger.dll` from Sednit's 2010s flagship backdoor, with lineage traceable to at least 2018.
Then came BeardShell.
It's a .NET implant that executes PowerShell commands and uses Icedrive — a legitimate cloud storage service — as its C2 channel. Malicious traffic blends with normal cloud storage activity. If your endpoint detection is looking for suspicious outbound connections, this one is designed to walk right past it.
The attribution marker ESET found is elegant in an irritating way: BeardShell contains a specific opaque predicate obfuscation formula — `2(x²+1)+2=y²+5` — that was previously documented only in Sednit's old Xtunnel network-pivoting tool from 2013–2016. Same developers. Twelve years apart. Same mathematical fingerprint. That's not a coincidence; it's a development team with institutional memory.
Covenant rounds out the modern toolkit. Sednit took the open-source .NET post-exploitation framework (released 2019, abandoned by its original author 2021), gutted it, and rebuilt it for long-term espionage. Their version adds deterministic machine-based implant naming, altered execution flow designed to evade behavioral detection, and cloud-based C2 via pCloud.
Why the Dual-Implant Design Matters
BeardShell and Covenant are deployed together deliberately. Each uses a different cloud provider. If one gets burned — if Icedrive blocks the traffic, or a defender identifies the C2 pattern — operations continue on the other channel. ESET found evidence of machines being monitored for over six months in 2025.
This isn't a smash-and-grab. It's persistent, low-noise, long-horizon espionage. Targets are Ukrainian military personnel. That context matters for defenders outside Ukraine too: when GRU Unit 26165 refines a technique against a hardened target, that same technique eventually shows up elsewhere.
January 2026: Active Exploitation
CERT-UA flagged it in January 2026 — Sednit was deploying Covenant via spearphishing campaigns exploiting CVE-2026-21509. That's not historical. That's 10 weeks ago.
If you're running the affected software (CERT-UA's advisory has specifics), the patch window matters. The combination of a recent CVE and a mature, cloud-abusing post-exploitation framework means initial access to deployment of persistent surveillance can happen fast.
What Actually Changed Since 2019
The gap wasn't retirement. ESET's analysis suggests the same core development team remained active but operated more covertly — fewer deployments, tighter operational security, less exposure. The custom tooling was still being built. It just wasn't getting caught.
Now they're deploying it. The reactivation of Sednit's high-end custom arsenal isn't a new capability; it's an existing capability deciding it's worth the exposure. That's worth paying attention to.
Detection and Defense Notes
Cloud-based C2 is the theme here. BeardShell talks to Icedrive. Covenant's modified version uses pCloud. The same principle — abusing legitimate cloud services to blend C2 traffic — has been showing up across multiple threat actors for years, but Sednit's implementation is specifically engineered to survive infrastructure takedowns.
Defenders should:
- Review egress filtering for cloud storage services, particularly for endpoints that have no legitimate business use for Icedrive, pCloud, Filen, or Koofr (all named in ESET's research as C2 channels across different campaign phases)
- Look for anomalous PowerShell execution chains that originate from unusual parent processes — BeardShell's execution model leaves detectable traces if you're watching the right events
- Treat CVE-2026-21509 as actively exploited; CERT-UA's January advisory wasn't theoretical
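As an added example (not ESET's or CybrPulse's code), here is what the first two points look like as detection logic run over a few constructed Sysmon-style events: PowerShell spawned by an unexpected parent, cloud-storage DNS lookups from hosts with no business need, and a higher severity when both land on the same host. The provider domains, the parent-process baseline and the allow-listed host are assumptions to replace with ESET's published indicators and your own environment's baseline.

```python
# Added example, not ESET's or CybrPulse's code. Provider domains are assumptions.
from collections import defaultdict
from dataclasses import dataclass

CLOUD_STORAGE_SUFFIXES = ("icedrive.net", "pcloud.com", "filen.io", "koofr.eu")  # assumed
EXPECTED_PS_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "services.exe"}  # constructed baseline
CLOUD_ALLOWED_HOSTS = {"ws-marketing-07"}  # hosts with a business need for cloud storage (constructed)

@dataclass
class Event:
    host: str
    kind: str         # "process" (Sysmon event 1) or "dns" (Sysmon event 22)
    image: str = ""   # process: new process image name
    parent: str = ""  # process: parent image name
    query: str = ""   # dns: queried name

def is_unusual_powershell(ev: Event) -> bool:
    """PowerShell launched by a parent outside the expected baseline."""
    return (ev.kind == "process" and ev.image.lower() in ("powershell.exe", "pwsh.exe")
            and ev.parent.lower() not in EXPECTED_PS_PARENTS)

def is_cloud_storage_lookup(ev: Event) -> bool:
    """DNS query for one of the cloud storage providers named in the report."""
    q = ev.query.lower().rstrip(".")
    return ev.kind == "dns" and any(q == s or q.endswith("." + s) for s in CLOUD_STORAGE_SUFFIXES)

def triage(events) -> dict:
    """Per host: 'high' when odd PowerShell and cloud-storage lookups co-occur,
    'medium' for cloud lookups from a host with no business need, 'low' for odd PowerShell alone."""
    signals = defaultdict(set)
    for ev in events:
        if is_unusual_powershell(ev):
            signals[ev.host].add("ps")
        if is_cloud_storage_lookup(ev) and ev.host not in CLOUD_ALLOWED_HOSTS:
            signals[ev.host].add("cloud")
    return {h: "high" if s == {"ps", "cloud"} else "medium" if "cloud" in s else "low"
            for h, s in signals.items()}

SAMPLE_EVENTS = [  # constructed telemetry
    Event("ws-fin-12", "process", image="powershell.exe", parent="WINWORD.EXE"),
    Event("ws-fin-12", "dns", query="api.icedrive.net"),
    Event("ws-marketing-07", "dns", query="api.pcloud.com"),  # allow-listed host
    Event("srv-app-03", "process", image="powershell.exe", parent="explorer.exe"),
    Event("ws-hr-04", "dns", query="filen.io"),
    Event("ws-eng-21", "process", image="pwsh.exe", parent="unknown_loader.exe"),
]

if __name__ == "__main__":
    for host, sev in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{sev:6} {host}")
```

In production the same two predicates map directly onto a SIEM correlation rule keyed on hostname over a short window; the allow-list is what keeps the cloud-storage rule from paging on every host that legitimately syncs files.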
The full ESET technical breakdown of BeardShell and Covenant's internals is published at welivesecurity.com. If you're working threat intel or incident response in any sector that Fancy Bear has historically cared about — defense, government, NATO-adjacent industries — it's worth a read.
ESET's research was published March 26, 2026.
*CybrPulse ingests thousands of security articles daily. This post is based on ESET Research findings published at welivesecurity.com and tracked in CybrPulse's security news pipeline.*