The Russia-linked Sednit threat group has resumed sophisticated cyberespionage campaigns using a new custom toolkit, after years of relying on simpler methods. The toolkit features two implants: "BeardShell," which uses a legitimate cloud service for stealthy communications, and "Covenant," a heavily modified open-source tool for data theft and surveillance, now the group's primary espionage tool. These campaigns, currently targeting Ukrainian military assets, demonstrate a return to advanced malware development and a tactic of using legitimate cloud services to evade detection. The group, also known as APT28 or Fancy Bear, is linked to Russian military intelligence and is historically responsible for numerous high-profile attacks.
Russian Threat Actor Sednit Resurfaces With Sophisticated Toolkit
After several years of using simple implants, the Russia-affiliated actor is back with two new sophisticated malware tools.
After years of mysteriously shunning custom malware, Russia's infamous Sednit threat group is back to using a bespoke toolkit in recent cyberespionage campaigns targeting Ukrainian cyber assets.
At the toolkit's core are two implants, one of which uses techniques from a malware framework that Sednit used back in the 2010s, while the other is a heavily modified open-source malware for long-term spying.
A New Toolkit
Researchers at ESET uncovered the malware when investigating a breach in Ukraine that happened in 2024 and involved the use of a keylogger called SlimAgent that was also based on Sednit code from more than 10 years ago. Alongside the keylogger, ESET discovered another malware implant they are tracking as BeardShell that allows the attacker to execute PowerShell commands on compromised systems while using the legitimate cloud service Icedrive for command and control (C2) communications.
Further investigation showed Sednit using BeardShell in concert with Covenant, a sophisticated, heavily reworked version of an open-source implant supporting a range of capabilities including data exfiltration, lateral movement, and target monitoring. The malware, ESET discovered, has become Sednit's espionage tool of choice, with BeardShell acting more as a backup in situations where a victim might discover Covenant.
"The main takeaway is that Sednit has returned with renewed malware development and is once again running sophisticated cyber-espionage campaigns," says an ESET researcher, who did not want to be named.
For defenders, the key lesson is that the group now combines custom implants with legitimate cloud services for command-and-control, making their activity harder to detect through traditional network monitoring, the researcher says. "In addition, taking down their cloud infrastructure is complicated because they deploy a pair of implants in parallel, each relying on a different cloud provider." While the current targets appear to be Ukrainian military personnel, the group could broaden its focus depending on how Russia's war in Ukraine evolves, the researcher adds.
Sednit, tracked variously as Fancy Bear, APT28, Forest Blizzard, and Sofacy, is a threat actor that US authorities and others have linked to the intelligence directorate of the Russian military. The group has been active since 2004 and is associated with a long list of campaigns, the most notorious of which include an attack on the Democratic National Committee in 2016, the German Parliament in 2015, the World Anti-Doping Agency, and more recently against multiple logistics and IT firms.
Like other advanced persistent threat actors, Sednit used custom implants, espionage backdoors, and specialized tools for lateral movement and data theft in many of its earlier campaigns. But starting sometime in 2019, and for reasons that vendors like ESET don't fully understand, Sednit stopped using these sophisticated tools and instead began deploying relatively simple implants via phishing emails in most of its campaigns.
One possibility is that Sednit resumed its advanced malware development efforts following the Russian invasion of Ukraine. "Another is that the group never stopped developing its tools but remained discreet, only emerging from the shadows again as the war increased the demand for cyber-espionage," the researcher says. "The shared code lineage with older Sednit malware suggests that the same development team has continued maintaining and evolving its toolkit over time."
Intense Development Efforts?
BeardShell, according to ESET, is malware that "bears the marks of intense development efforts." The company pointed to Sednit's successful integration of Icedrive for BeardShell's C2 communications as one indication of that effort. Because Icedrive does not publish a public API, the threat actor reverse-engineered the official client to replicate its communications. When service changes disrupt the malware's access, the developers quickly release updates, indicating an active and well-resourced development team, ESET said.
Covenant, meanwhile, is a custom-modified version of an open-source .NET post-exploitation framework that supports over 90 functions for conducting long-term cyber espionage. ESET found that Sednit developers have made multiple modifications to the malware since 2023 to make it their primary tool.
BeardShell, according to the ESET researcher, is a completely new implant, though it uses an obfuscation technique that Sednit used in Xtunnel, a network-pivoting tool from the 2010s. The malware "is essentially a PowerShell interpreter, which operators primarily used to redeploy Covenant, suggesting that Covenant is the preferred implant for day-to-day espionage operations," the researcher says.
Both BeardShell and Covenant rely on new custom loading chains that are frequently updated by their developers, making detection something of a cat-and-mouse game. Their reliance on different legitimate cloud infrastructures for C2 communications also makes the malware difficult to block. "It is also worth noting that Sednit typically compromises its targets through social engineering over Signal Desktop or WhatsApp Desktop, persuading them to open Trojanized Excel or Word documents. In some cases, the attackers even call their targets to increase the chances of success," the researcher says.
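The researcher's point above, and earlier in the article, is that C2 over a legitimate cloud service defeats reputation-based network monitoring: the destination is one that many users reach for normal reasons, so blocklists and domain reputation say nothing. What a defender can still look at is how a host talks to that service. The following is an added example, not ESET's analysis or any code from the implants described, showing a beacon-regularity heuristic over proxy logs: it flags a host that polls a trusted cloud-storage domain at tight, regular intervals with near-constant request sizes from a process that is not the service's official client. The log format, host names, domain names, process names and thresholds are all constructed for the example and are not indicators from the article.

```python
"""Beacon-regularity check over proxy logs (added example, not ESET's or Sednit's code).

Reputation filters trust the destination, so this heuristic looks at timing
regularity, request size and the client process instead. Log format, host
names, domains, process names and thresholds are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "timestamp src_host process dest_host bytes_out"
SAMPLE_LOG = """\
2024-05-02T09:00:00 WS-17 powershell.exe cloud-storage.example 412
2024-05-02T09:05:01 WS-17 powershell.exe cloud-storage.example 410
2024-05-02T09:10:00 WS-17 powershell.exe cloud-storage.example 415
2024-05-02T09:14:59 WS-17 powershell.exe cloud-storage.example 411
2024-05-02T09:20:00 WS-17 powershell.exe cloud-storage.example 409
2024-05-02T09:25:01 WS-17 powershell.exe cloud-storage.example 413
2024-05-02T09:02:13 WS-04 clientapp.exe cloud-storage.example 98213
2024-05-02T09:31:47 WS-04 clientapp.exe cloud-storage.example 4410
2024-05-02T11:05:02 WS-04 clientapp.exe cloud-storage.example 77012
2024-05-02T09:03:00 WS-17 chrome.exe news.example 1200
"""

# Domains a reputation filter would allow (constructed placeholder name).
CLOUD_STORAGE_DOMAINS = {"cloud-storage.example"}
# Processes expected to talk to that service, i.e. its official client (constructed).
EXPECTED_CLIENTS = {"clientapp.exe"}

MIN_EVENTS = 5          # need enough samples before judging regularity
MAX_INTERVAL_CV = 0.10  # stdev/mean of gaps: implants poll tightly, people do not
MAX_SIZE_CV = 0.10      # near-constant request size suggests a fixed poll message


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, proc, dest, size = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "proc": proc, "dest": dest, "bytes": int(size)})
    return events


def coefficient_of_variation(values):
    """Population stdev divided by mean; 0 means perfectly regular."""
    m = mean(values)
    return pstdev(values) / m if m else float("inf")


def find_beacons(events):
    """Return (src, proc, dest) tuples that look like periodic polling of a
    trusted cloud service from a process that is not its official client."""
    groups = defaultdict(list)
    for e in events:
        if e["dest"] in CLOUD_STORAGE_DOMAINS:
            groups[(e["src"], e["proc"], e["dest"])].append(e)

    findings = []
    for key, evs in groups.items():
        if len(evs) < MIN_EVENTS:
            continue
        evs.sort(key=lambda e: e["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(evs, evs[1:])]
        sizes = [e["bytes"] for e in evs]
        regular = coefficient_of_variation(gaps) <= MAX_INTERVAL_CV
        fixed_size = coefficient_of_variation(sizes) <= MAX_SIZE_CV
        unexpected_client = key[1] not in EXPECTED_CLIENTS
        if regular and fixed_size and unexpected_client:
            findings.append(key)
    return findings


if __name__ == "__main__":
    for src, proc, dest in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"possible beacon: {src} via {proc} -> {dest}")
```

In the constructed sample, WS-04 uses the expected client with irregular, bursty transfers and is ignored, while WS-17 polls the same trusted domain every five minutes with a roughly 410-byte request from a non-client process and is reported. The process-name check matters because, as the article notes, the actor replicates the official client's protocol, so the traffic itself may be indistinguishable from that of the real client; pairing the heuristic with endpoint telemetry on which process opened the connection is what makes it useful. Because the article also says the two implants use different cloud providers in parallel, the domain set should cover every storage service the organisation allows, not a single one.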