APT28 Is Back With New Implants and Your Cloud Storage Is the C2
APT28 went quiet on custom malware for a few years. Security teams moved on. That was the point.
ESET published research this week documenting the full reactivation of Sednit's advanced implant development team — the same crew behind Xagent, Xtunnel, and the 2016 DNC hack. They've been building again since at least April 2024, and they've been inside Ukrainian military networks for stretches of six months or more without being caught.
The group, also tracked as Fancy Bear, Forest Blizzard, and GRU Unit 26165, didn't just dust off old tools. They built something new that deliberately abuses legitimate cloud storage for command and control — and the code fingerprints trace directly back to implants from 2013.
What They Built
The new toolkit revolves around two paired implants: BeardShell and a heavily modified version of the open-source Covenant framework.
BeardShell is a .NET implant that executes PowerShell commands via a legitimate cloud storage provider used as the C2 channel. The initial version used Icedrive. When Icedrive's API changed and disrupted communications, the developers patched BeardShell within hours and pushed an update. That's not opportunistic malware — that's a dedicated team with operational continuity requirements.
The obfuscation in BeardShell includes an opaque predicate: a loop condition built on the formula `2(x²+1)+2 = y²+5`, whose outcome the developers know in advance and which exists purely to confuse static analysis tools. One check before repeating the usual "no integer solution" line about it: as written, the equation reduces to y² = 2x² − 1, which does have integer solutions (x = 1, y = 1; x = 5, y = 7). So whatever makes the branch constant at run time is not the unsolvability of this equation over the integers; either the expression is reproduced incompletely here, or the implementation restricts x and y in a way the formula alone does not show. ESET found this exact technique in Xtunnel, Sednit's network-pivoting tool from 2013–2016. Same developers. Same tricks. Just updated delivery.
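To make the point concrete, here is an added example (not ESET's code and not taken from the implants) that brute-forces the equation quoted above and contrasts it with a textbook opaque predicate, `7y² − 1 = x²`, which is provably never true because 7y² − 1 is always 6 mod 7 and 6 is not a square mod 7. The textbook predicate and the `obfuscated_loop` wrapper are my illustrations of the technique, not anything attributed to BeardShell or Xtunnel.

```python
"""Opaque predicates: a branch condition that looks data-dependent but whose
result the author knows in advance. Added example, not code from the page.
"""

from itertools import product


def page_predicate(x: int, y: int) -> bool:
    """The condition as quoted on the page; algebraically y^2 == 2*x^2 - 1."""
    return 2 * (x * x + 1) + 2 == y * y + 5


def classic_predicate(x: int, y: int) -> bool:
    """Textbook opaque predicate 7*y^2 - 1 == x^2 (assumed illustration).
    Squares mod 7 are {0, 1, 2, 4}; 7*y^2 - 1 is always 6 mod 7, so this is
    never true, yet a static analyser without number theory cannot prove it."""
    return 7 * y * y - 1 == x * x


def solutions(pred, bound: int) -> list:
    """Brute-force every (x, y) with |x|, |y| <= bound that satisfies pred."""
    rng = range(-bound, bound + 1)
    return [(x, y) for x, y in product(rng, rng) if pred(x, y)]


def residues_mod(n: int, f) -> set:
    """Set of f(k) mod n over all residues k; enough to prove unsatisfiability."""
    return {f(k) % n for k in range(n)}


def classic_is_unsatisfiable() -> bool:
    """Modular proof: the residue 6 is never a square mod 7."""
    squares = residues_mod(7, lambda k: k * k)
    lhs = residues_mod(7, lambda k: 7 * k * k - 1)  # always {6}
    return lhs.isdisjoint(squares)


def obfuscated_loop(n: int) -> int:
    """How the trick is deployed: the second exit can never fire, so the loop
    always runs n times, but a reader (or a symbolic tool) sees two exits."""
    count = 0
    for i in range(n):
        if classic_predicate(i, count):  # opaque: always False
            break
        count += 1
    return count


if __name__ == "__main__":
    print("page predicate, |x|,|y| <= 10:", solutions(page_predicate, 10))
    print("classic predicate, |x|,|y| <= 200:", solutions(classic_predicate, 200))
    print("classic provably unsatisfiable:", classic_is_unsatisfiable())
    print("loop iterations:", obfuscated_loop(25))
```

The brute force finds `(1, 1)`, `(5, 7)` and their sign variants for the page's formula and nothing for the textbook one; `classic_is_unsatisfiable()` gives the proof in four lines, which is exactly the kind of reasoning a decompiler or symbolic executor does not do by default.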
Covenant is more interesting. It's an open-source .NET post-exploitation framework that its original authors abandoned in April 2021. Sednit picked it up, gutted it, and rebuilt the C2 layer to use cloud providers instead of direct infrastructure. The C2 channel evolved from pCloud (2023) to Koofr (2024–2025) to Filen starting July 2025.
Why cloud providers? Because outbound traffic to Icedrive, Filen, or Koofr looks like a user syncing files. Network-based detection built around blocked domains and suspicious IPs doesn't catch it, because the destination is a reputable provider's own API rather than attacker infrastructure. You need behavioral detection watching what's executing on the endpoint — and even then, the observable is a .NET process launching PowerShell, which isn't automatically suspicious.
SlimAgent rounds out the toolkit as the initial access foothold. It's a keylogger and clipboard stealer derived from Xagent's `RemoteKeyLogger.dll` module — same six-step data collection loop, same API calls, same HTML log format. ESET found samples going back to at least 2018.
CVE-2026-21509: The Active Exploit
In January 2026, CERT-UA reported that Sednit was deploying Covenant via spearphishing campaigns exploiting CVE-2026-21509. If you haven't patched this across all affected systems, do it now. Sednit's spearphishing operations are targeted and convincing — they've been doing this since before most of your staff joined the industry.
The Dual-Implant Strategy
Running BeardShell and Covenant simultaneously across different cloud providers isn't redundancy for its own sake. It's designed so that if one C2 infrastructure gets disrupted — takedown, domain block, service suspension — the other channel remains active and the operators keep access. ESET documented cases where Ukrainian military targets were monitored continuously for over six months in 2025.
Six months of persistent access means they weren't just stealing data. They were watching operations, tracking personnel, and timing information collection to coincide with real-world military activity.
What to Do
Three things, in order of urgency:
1. Patch CVE-2026-21509. CERT-UA confirmed active exploitation in January. Sednit's spearphishing is targeted and well crafted; one user opening one lure is enough, so the patch, not awareness training, is the control that closes this.
2. Watch your cloud storage traffic. Anomalous read/write patterns to Icedrive, Filen, Koofr, or pCloud — especially from endpoints that have no business reason to use those services — should trigger investigation. This is particularly true in defense, government, and military supply chain environments.
3. Hunt for the implants. ESET published IoCs on their GitHub. Run them against your environment. Look specifically for unexplained HTML-formatted keylog artifacts, .NET runtime processes spawning PowerShell, and deterministic machine-based naming in any Covenant-style implant artifacts. SlimAgent samples trace back to 2018 — if you find one, assume prolonged access.
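The two hunts in items 2 and 3, and the reason given earlier for why domain blocklists miss this traffic, come down to two queries over telemetry you probably already have: which endpoints are talking to the named storage providers (and whether they do so on a fixed polling cadence), and which PowerShell processes have a .NET parent. The block below is an added example, not ESET's tooling or IoCs. The log formats, the sample records, the host allowlist, the provider domain list (check it against provider documentation and the published IoCs before relying on it) and the beacon threshold are all assumptions to tune against your own data.

```python
"""Hunting logic for cloud-storage C2 and .NET-spawned PowerShell.
Added example; formats, domains, hosts and thresholds are assumptions."""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumed provider domains; verify against provider docs / published IoCs.
CLOUD_STORAGE_DOMAINS = {
    "icedrive": ("icedrive.net",),
    "filen": ("filen.io",),
    "koofr": ("koofr.net", "koofr.eu"),
    "pcloud": ("pcloud.com",),
}
ALLOWED_SYNC_HOSTS = {"mkt-ws07"}  # hosts with a business reason to sync
# Stock .NET host images an implant can hide behind; a standalone .NET EXE
# instead shows clr.dll/coreclr.dll among the parent's loaded modules.
DOTNET_HOST_IMAGES = {"dotnet.exe", "msbuild.exe", "installutil.exe",
                      "regasm.exe", "regsvcs.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}


def provider_for(domain: str) -> str | None:
    """Map a destination FQDN to a provider name, or None if not a provider."""
    d = domain.lower().rstrip(".")
    for name, suffixes in CLOUD_STORAGE_DOMAINS.items():
        if any(d == s or d.endswith("." + s) for s in suffixes):
            return name
    return None


def parse_proxy(line: str) -> dict:
    """Constructed proxy log: '<iso-ts> <host> <dst-fqdn> <method> <bytes>'."""
    ts, host, dst, method, nbytes = line.split()
    return {"ts": datetime.fromisoformat(ts), "host": host, "dst": dst,
            "method": method, "bytes": int(nbytes)}


def beacon_score(times: list[datetime]) -> float | None:
    """Coefficient of variation of the gaps between requests. Near zero means
    a fixed-interval poll, i.e. an implant checking its drop folder."""
    if len(times) < 4:
        return None
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    m = mean(gaps)
    return pstdev(gaps) / m if m > 0 else None


def hunt_cloud_storage(proxy_lines, max_cv: float = 0.2) -> list[dict]:
    """Flag every non-allowlisted host reaching a provider; tag it beacon-like
    when its request cadence is regular enough to look machine-driven."""
    by_pair = defaultdict(list)
    for line in proxy_lines:
        ev = parse_proxy(line)
        prov = provider_for(ev["dst"])
        if prov and ev["host"] not in ALLOWED_SYNC_HOSTS:
            by_pair[(ev["host"], prov)].append(ev["ts"])
    findings = []
    for (host, prov), times in by_pair.items():
        cv = beacon_score(times)
        findings.append({"host": host, "provider": prov, "requests": len(times),
                         "beacon_like": cv is not None and cv < max_cv})
    return findings


def parse_proc(line: str) -> dict:
    """Constructed process record: '<host>|<parent image>|<parent modules>|<child image>'."""
    host, parent, mods, child = line.split("|")
    return {"host": host, "parent": parent.lower(), "child": child.lower(),
            "modules": {m.strip().lower() for m in mods.split(",") if m.strip()}}


def hunt_dotnet_powershell(proc_lines) -> list[dict]:
    """Flag PowerShell whose parent is a .NET host image or has the CLR loaded."""
    findings = []
    for line in proc_lines:
        ev = parse_proc(line)
        dotnet_parent = (ev["parent"] in DOTNET_HOST_IMAGES
                         or {"clr.dll", "coreclr.dll"} & ev["modules"])
        if ev["child"] in POWERSHELL_IMAGES and dotnet_parent:
            findings.append({"host": ev["host"], "parent": ev["parent"], "child": ev["child"]})
    return findings


# Constructed sample telemetry: ops-ws12 polls Icedrive every five minutes and
# has a CLR-hosting parent spawning PowerShell; mkt-ws07 is an allowlisted syncer.
SAMPLE_PROXY = [
    "2025-09-02T09:00:00 ops-ws12 api.icedrive.net GET 1420",
    "2025-09-02T09:05:01 ops-ws12 api.icedrive.net GET 1422",
    "2025-09-02T09:10:00 ops-ws12 api.icedrive.net GET 1419",
    "2025-09-02T09:15:02 ops-ws12 api.icedrive.net PUT 9810",
    "2025-09-02T09:20:00 ops-ws12 api.icedrive.net GET 1421",
    "2025-09-02T09:03:11 mkt-ws07 app.koofr.net GET 55210",
    "2025-09-02T09:07:40 fin-ws03 www.example.com GET 3002",
    "2025-09-02T09:01:00 hr-ws21 app.filen.io GET 88000",
    "2025-09-02T12:31:00 hr-ws21 app.filen.io GET 70100",
]
SAMPLE_PROC = [
    "ops-ws12|svchost.exe|ntdll.dll,kernel32.dll|powershell.exe",
    "ops-ws12|updatehelper.exe|ntdll.dll,clr.dll,mscoree.dll|powershell.exe",
    "fin-ws03|explorer.exe|ntdll.dll|powershell.exe",
    "hr-ws21|msbuild.exe|ntdll.dll,clr.dll|pwsh.exe",
]

if __name__ == "__main__":
    for f in hunt_cloud_storage(SAMPLE_PROXY):
        print("cloud:", f)
    for f in hunt_dotnet_powershell(SAMPLE_PROC):
        print("proc:", f)
```

On the sample data `ops-ws12` is flagged twice, as a beacon-like Icedrive poller and as a host where a CLR-loaded parent launched PowerShell; `hr-ws21` is flagged for both rules but with too few requests to score cadence, and `mkt-ws07` is suppressed by the allowlist. The cadence check is deliberately crude (a coefficient of variation on inter-request gaps): a real pipeline would window it and account for sleep jitter, but even this separates a user dragging files into a sync folder from a process that wakes up every N seconds to look for new tasks.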
The Bigger Picture
Sednit going quiet from 2019 to 2024 wasn't retirement. It was a development cycle. They came back with cleaner code, better operational security, and a C2 infrastructure that blends into legitimate network traffic. The code lineage to 2010s implants is damning from an attribution standpoint — but it also means this capability was never dismantled. It was maintained, updated, and redeployed when the mission required it.
If your detection posture is still oriented around Sednit's 2016–2019 phishing-heavy profile, you're looking at the wrong version of the adversary.
*Source: ESET Research — Sednit reloaded: Back in the trenches*