APT28 Is Back With New Implants — And They're Hiding in Your Cloud Provider
Fancy Bear went quiet for about five years. The Russian GRU hacking unit — known as Sednit, APT28, Forest Blizzard, Sofacy — was still running phishing campaigns, but the sophisticated custom malware that made them famous had largely disappeared from researcher telemetry after 2019. ESET researchers now know why: the group's advanced implant team was rebuilding.
ESET published findings this week documenting Sednit's return with a modern toolkit built around two paired implants, BeardShell and Covenant. The targets in the initial 2024 case: Ukrainian military personnel.
Where They've Been
Between 2019 and 2024, Sednit's high-end custom malware was rarely spotted. The group kept busy with phishing operations using simpler script-based tools, but the kind of deep-access, long-dwell espionage implants they deployed against the German Bundestag in 2015 or the DNC in 2016 — those weren't showing up.
ESET's hypothesis is that the team was in development mode. What emerged in 2024 looks purpose-built for long-term covert access, not one-shot data grabs.
The Modern Toolkit
The new arsenal has three components:
SlimAgent is a keylogger and data collector — screen captures, clipboard contents, keystrokes. CERT-UA found it on a Ukrainian governmental machine in April 2024. Simple, efficient, hard to detect. ESET found earlier samples in their telemetry dating back to 2018, deployed against governmental entities in two European countries.
BeardShell executes PowerShell commands but routes its command-and-control traffic through a legitimate cloud provider. ESET didn't name the provider, which is standard practice to avoid tipping off the operator. The obfuscation technique BeardShell uses appears in Xtunnel, Sednit's older network-pivoting tool from the 2010s — same code shop, same tricks.
Covenant is the one that took the most work. Sednit took the open-source Covenant C2 framework and reworked it significantly for long-term espionage operations, adding a custom network protocol that also runs over a legitimate cloud provider. BeardShell and Covenant are deployed together, each using a different cloud provider, giving the operation redundancy. If one C2 channel gets blocked, the other stays live.
The Attribution Trail
ESET's approach here is notable: they're attributing these new tools to the same developers who built Sednit's 2010s arsenal, not just to the broader APT group. The evidence is code-level — shared obfuscation techniques, identical implementation patterns, and in the case of SlimAgent, a six-step data collection loop that matches samples from 2018.
The GRU connection is well-established. The 2018 US DOJ indictment named specific members of Unit 26165 as developers of Xagent, Sednit's flagship 2010s backdoor. ESET is essentially showing that those same developers — or their direct successors — are the ones who built BeardShell and Covenant.
That's meaningful. It's not a copycat. It's the same team, with a modernized playbook.
The Cloud C2 Problem
Using legitimate cloud providers for command-and-control is not a new technique — it's been documented across multiple APT groups for years. But Sednit's implementation here is worth paying attention to because of the redundancy: two implants, two different cloud providers, both running normal-looking HTTPS traffic.
Traditional network detection approaches flag known-malicious IPs and domains. When your C2 traffic looks identical to normal API calls to a major cloud service, that detection method fails. This is why behavioral detection and endpoint telemetry matter more than ever. The network perimeter isn't going to save you here.
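To make the point concrete, here is an added example (not code from ESET or from the article) of the kind of behavioral check that still works when the C2 destination is a legitimate cloud API: it groups endpoint connection telemetry per process, scores how machine-regular the connection intervals are, and combines that with process lineage (a script interpreter spawned by a document application). The domain name, process names and telemetry records are constructed for illustration; none of them come from the report, and the script does not model BeardShell's or Covenant's actual protocol.

```python
"""Behavioral C2 detection over constructed endpoint telemetry.

Added example: every domain, host, process name and timestamp below is
constructed for illustration and is not taken from ESET's research.
"""
from collections import defaultdict
from statistics import mean, pstdev
from typing import NamedTuple

# Placeholder for a legitimate cloud API endpoint; the real provider is not
# named in the report, and a domain blocklist is useless against it anyway.
CLOUD_DOMAIN = "api.cloud-provider.example"

MIN_CONNECTIONS = 5   # need enough samples before judging interval regularity
MAX_JITTER_CV = 0.2   # coefficient of variation below which timing looks automated
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
DOCUMENT_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


class ConnEvent(NamedTuple):
    host: str
    pid: int
    process: str
    parent: str
    domain: str
    ts: int  # seconds since the start of the capture window


# Constructed telemetry: one outbound TLS connection per record, as an EDR
# sensor might emit it. All three hosts talk to the same legitimate domain.
SAMPLE_EVENTS = [
    # host-a: a sync client driven by user activity, irregular timing, benign lineage
    ConnEvent("host-a", 4120, "syncclient.exe", "explorer.exe", CLOUD_DOMAIN, 0),
    ConnEvent("host-a", 4120, "syncclient.exe", "explorer.exe", CLOUD_DOMAIN, 15),
    ConnEvent("host-a", 4120, "syncclient.exe", "explorer.exe", CLOUD_DOMAIN, 200),
    ConnEvent("host-a", 4120, "syncclient.exe", "explorer.exe", CLOUD_DOMAIN, 230),
    ConnEvent("host-a", 4120, "syncclient.exe", "explorer.exe", CLOUD_DOMAIN, 900),
    ConnEvent("host-a", 4120, "syncclient.exe", "explorer.exe", CLOUD_DOMAIN, 905),
    # host-b: PowerShell spawned by Word, polling the API about once a minute
    ConnEvent("host-b", 7788, "powershell.exe", "winword.exe", CLOUD_DOMAIN, 0),
    ConnEvent("host-b", 7788, "powershell.exe", "winword.exe", CLOUD_DOMAIN, 61),
    ConnEvent("host-b", 7788, "powershell.exe", "winword.exe", CLOUD_DOMAIN, 119),
    ConnEvent("host-b", 7788, "powershell.exe", "winword.exe", CLOUD_DOMAIN, 181),
    ConnEvent("host-b", 7788, "powershell.exe", "winword.exe", CLOUD_DOMAIN, 240),
    ConnEvent("host-b", 7788, "powershell.exe", "winword.exe", CLOUD_DOMAIN, 299),
    # host-c: a scheduled updater, perfectly regular but with ordinary lineage
    ConnEvent("host-c", 1312, "updater.exe", "services.exe", CLOUD_DOMAIN, 0),
    ConnEvent("host-c", 1312, "updater.exe", "services.exe", CLOUD_DOMAIN, 300),
    ConnEvent("host-c", 1312, "updater.exe", "services.exe", CLOUD_DOMAIN, 600),
    ConnEvent("host-c", 1312, "updater.exe", "services.exe", CLOUD_DOMAIN, 900),
    ConnEvent("host-c", 1312, "updater.exe", "services.exe", CLOUD_DOMAIN, 1200),
]


def interval_cv(timestamps):
    """Coefficient of variation of the gaps between connections.

    Low values mean the process connects on a timer rather than in response
    to user activity. Returns None when there are too few samples to judge.
    """
    ts = sorted(timestamps)
    if len(ts) < MIN_CONNECTIONS:
        return None
    gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
    avg = mean(gaps)
    if avg <= 0:
        return None
    return pstdev(gaps) / avg


def suspicious_lineage(process, parent):
    """Script interpreter launched by a document application."""
    return process.lower() in SCRIPT_HOSTS and parent.lower() in DOCUMENT_APPS


def detect_beacons(events):
    """Return one finding per process whose timing or lineage looks like C2.

    Regular timing alone is a weak signal (updaters beacon too), so it is
    rated medium; regular timing plus suspicious lineage is rated high.
    """
    by_process = defaultdict(list)
    for e in events:
        by_process[(e.host, e.pid, e.process, e.parent, e.domain)].append(e.ts)

    findings = []
    for (host, pid, process, parent, domain), ts in by_process.items():
        cv = interval_cv(ts)
        regular = cv is not None and cv < MAX_JITTER_CV
        lineage = suspicious_lineage(process, parent)
        if not (regular or lineage):
            continue
        findings.append({
            "host": host, "pid": pid, "process": process, "parent": parent,
            "domain": domain, "connections": len(ts),
            "interval_cv": None if cv is None else round(cv, 3),
            "severity": "high" if (regular and lineage) else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in detect_beacons(SAMPLE_EVENTS):
        print(finding)
```

Running it flags host-b as high severity and host-c as medium, while host-a is not reported at all even though all three hosts contacted exactly the same cloud domain. That is the contrast the paragraph above is making: an indicator feed keyed on the destination cannot separate these three, but per-process timing and parent-child lineage from endpoint telemetry can. In a real deployment the regularity threshold and the lineage rules would be tuned to the environment, and the medium-severity findings would be triaged against an allowlist of known scheduled clients rather than alerted on directly.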
What It Means
If you're in Ukrainian government or military networks, or in Eastern European governmental organizations more broadly, this research is directly relevant to your threat model. These aren't theoretical findings — BeardShell and Covenant have been deployed in active operations across 2025 and 2026.
For everyone else: APT28 has been conducting espionage operations for over two decades and they keep getting more sophisticated. The DNC hack, TV5Monde, the Bundestag — those were the visible operations. The surveillance of Ukrainian military personnel happening right now is what the modern version of this group actually does day to day.
The full technical writeup from ESET, including indicators of compromise, is worth reading if this sits inside your threat landscape. CybrPulse flagged the story the same day it published.
*CVE assignments for BeardShell and Covenant have not been issued at time of publication.*