Russia-linked threat group APT28, also known as Fancy Bear or Forest Blizzard, has resurfaced with a new campaign chaining weaponized Office documents to the Covenant framework and the BeardShell backdoor.
Analysis by Sekoia.io’s Threat Detection and Response (TDR) team, corroborated by CERT-UA’s June 2025 report, attributes the activity to the GRU-operated cyber unit (GTsSS, Military Unit 26165).
The campaign targets Ukrainian military personnel through spearphishing messages delivered over the encrypted messaging application Signal.
Using Signal as an Infection Vector
Unlike traditional phishing channels, attackers used Signal Desktop to send malicious Word documents disguised as Ukrainian military or administrative paperwork.
The choice of Signal is strategic: Signal Desktop does not apply Microsoft’s Mark of the Web (MOTW) tag to files it saves, so Office does not treat the document as internet-sourced and macros can run even though the file was downloaded from an external source.
Upon opening the file, the macros activate a multistage payload chain: they alter document view settings, run data-deobfuscation routines, and set up a COM hijack by creating the registry key HKCU\Software\classes\CLSID\{2227A280-3AEA-1069-A2DE-08002B30309D}\InProcServer32.

This key points to C:\ProgramData\prnfldr.dll, a malicious library disguised as a legitimate Windows print handler. The macro also drops a second file, windows.png, which contains hidden shellcode.
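A user-hive CLSID override is the registry signature of this technique: a per-user InProcServer32 entry shadows the machine-wide one for a CLSID that legitimate software already loads, so the hijacked DLL is pulled in without any scheduled task or service. The following detection logic is an added example written for this article, not code from Sekoia.io or CERT-UA. It scans constructed Sysmon Event ID 13 (registry value set) records, flags InProcServer32 writes under HKCU (logged by Sysmon as HKU\<SID>), and raises severity when the DLL lives in a user-writable location such as C:\ProgramData or when the writing process is an Office application. The registry key and DLL path from the article are reused in the first sample record; the other records, SIDs and CLSIDs are made up for the example.

```python
import re
from typing import Optional

# Constructed Sysmon Event ID 13 records (TargetObject = key written, Details = value
# data, Image = writing process). Only the first reuses values from the article;
# the rest are placeholders invented for this example.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Classes\CLSID"
                     r"\{2227A280-3AEA-1069-A2DE-08002B30309D}\InProcServer32\(Default)",
     "Details": r"C:\ProgramData\prnfldr.dll"},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Classes\CLSID"
                     r"\{11111111-1111-1111-1111-111111111111}\InProcServer32\(Default)",
     "Details": r"C:\Windows\System32\placeholder.dll"},
    {"Image": r"C:\Users\alice\AppData\Local\Microsoft\Teams\Update.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Classes\CLSID"
                     r"\{22222222-2222-2222-2222-222222222222}\InProcServer32\(Default)",
     "Details": r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.dll"},
]

# Per-user CLSID InProcServer32 key (HKCU, or HKU\<SID> as Sysmon logs it).
CLSID_INPROC = re.compile(
    r"^(HKCU|HKU\\S-1-5-21-[\d-]+)\\Software\\Classes\\CLSID\\"
    r"(\{[0-9A-Fa-f-]{36}\})\\InProcServer32(\\\(Default\))?$",
    re.IGNORECASE,
)

# Locations a normal installer has little reason to use for a COM server DLL.
SUSPICIOUS_DIRS = (r"c:\programdata", r"c:\users\public",
                   r"\appdata\local\temp", r"\downloads")
# Processes that should never be writing COM registrations; a write from one
# of these is a strong indicator of macro activity.
OFFICE_IMAGES = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")


def assess(event: dict) -> Optional[dict]:
    """Return a finding for a user-hive InProcServer32 write, or None."""
    match = CLSID_INPROC.match(event["TargetObject"])
    if not match:
        return None
    dll = event["Details"].lower()
    image = event["Image"].lower().rsplit("\\", 1)[-1]
    reasons = ["per-user CLSID InProcServer32 override (COM hijack candidate)"]
    severity = "low"
    if any(d in dll for d in SUSPICIOUS_DIRS):
        reasons.append("server DLL in a user-writable directory")
        severity = "high"
    if image in OFFICE_IMAGES:
        reasons.append(f"registry write performed by {image} (macro activity)")
        severity = "high"
    return {"clsid": match.group(2).upper(), "dll": event["Details"],
            "image": event["Image"], "severity": severity, "reasons": reasons}


def scan(events: list) -> list:
    """Run assess() over a batch of events and keep only the findings."""
    return [f for f in (assess(e) for e in events) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding["severity"].upper(), finding["clsid"], finding["dll"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

The HKLM write from msiexec is ignored on purpose: machine-wide COM registrations by installers are routine, and the point of the hijack is that a user-hive entry wins over the HKLM one. The Teams record shows the expected false-positive profile (self-updating software that legitimately registers per-user COM servers under AppData); it is kept at low severity so it can be reviewed against an allow-list rather than dropped.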
Once executed, the DLL decrypts and extracts the shellcode embedded in the least significant bits (LSB) of the PNG pixels.
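An encrypted payload hidden in the least significant bits of an image leaves a measurable trace: the LSB plane of a screenshot, icon or rendered graphic is normally highly structured and compresses well, while a plane carrying ciphertext looks like random noise. The triage check below is an added example written for this article, not a tool from the campaign analysis. It builds a constructed raw RGB image (no PNG container, so no imaging library is needed), packs the LSB of every sample into a bit plane, and scores that plane with Shannon entropy and a zlib compression ratio; a second copy of the same image with its LSBs overwritten by pseudo-random bits stands in for a stego carrier. The 128x128 size, the gradient, and the thresholds are assumptions chosen for the example.

```python
import math
import random
import zlib

# Constructed sample image: 128x128 pixels, 3 bytes per pixel, raw interleaved RGB.
WIDTH, HEIGHT, CHANNELS = 128, 128, 3


def synthetic_clean_image() -> bytes:
    """Smooth diagonal gradient; its LSB plane is periodic and very compressible."""
    out = bytearray()
    for y in range(HEIGHT):
        for x in range(WIDTH):
            v = (x + y) // 2
            out.extend((v, v, v))
    return bytes(out)


def with_random_lsbs(pixels: bytes, seed: int = 1) -> bytes:
    """Replace every sample's LSB with a pseudo-random bit. This is only test data:
    it reproduces the statistical footprint of an encrypted LSB payload."""
    rng = random.Random(seed)
    return bytes((b & 0xFE) | rng.getrandbits(1) for b in pixels)


def lsb_plane(pixels: bytes) -> bytes:
    """Pack the least significant bit of each sample into bytes, 8 samples per byte."""
    out = bytearray()
    usable = len(pixels) - len(pixels) % 8
    for i in range(0, usable, 8):
        byte = 0
        for b in pixels[i:i + 8]:
            byte = (byte << 1) | (b & 1)
        out.append(byte)
    return bytes(out)


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte (0.0 for constant data, 8.0 for uniform random)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def compression_ratio(data: bytes) -> float:
    """Compressed size over original size; random data stays near or above 1.0."""
    return len(zlib.compress(data, 9)) / max(1, len(data))


def lsb_payload_score(pixels: bytes, entropy_threshold: float = 7.5,
                      ratio_threshold: float = 0.9) -> dict:
    """Flag an image whose LSB plane is both high-entropy and incompressible."""
    plane = lsb_plane(pixels)
    ent = shannon_entropy(plane)
    ratio = compression_ratio(plane)
    return {"entropy": ent, "compression_ratio": ratio,
            "suspicious": ent >= entropy_threshold and ratio >= ratio_threshold}


if __name__ == "__main__":
    clean = synthetic_clean_image()
    for label, img in (("clean", clean), ("random-lsb", with_random_lsbs(clean))):
        s = lsb_payload_score(img)
        print(f"{label:11s} entropy={s['entropy']:.2f} "
              f"ratio={s['compression_ratio']:.2f} suspicious={s['suspicious']}")
```

The caveat a practitioner should keep in mind is that a genuine photograph also has near-random LSBs from sensor noise, so this is a triage signal rather than proof; it is most reliable for the kind of image an attacker drops next to a DLL (small, synthetic, or screenshot-like), where an incompressible LSB plane has no innocent explanation. To apply it to a real PNG, decode the file to raw samples first (for example with Pillow) and pass the bytes to lsb_payload_score.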
The shellcode then loads a .NET assembly identified as GruntHTTPStager from the Covenant framework, establishing an API-driven command-and-control (C2) channel via the legitimate Koofr cloud storage platform.
The malware uses the cloud directories to upload reconnaissance results and to retrieve encrypted modules for tasks such as screenshot capture and network discovery.
Covenant, Icedrive, and BeardShell Deployment
Further in the chain, Covenant is believed to deliver PlaySndSrv.dll and sample-03.wav, which together decrypt and install BeardShell, a C++ backdoor that communicates through the Icedrive cloud storage service.
BeardShell uses a simple XOR cipher for string encryption and relies on a hardcoded bearer token to connect to Icedrive accounts. Once active, it executes SystemInfo, uploads host details, and polls cloud directories every four hours for new command files.
The campaign’s weaponized Office documents impersonating legitimate Ukrainian military forms suggest a clear intelligence-gathering objective aimed at identifying unit composition, logistics, and operational resilience.
The combination of Signal-based delivery, steganography, and multi-cloud C2 channels demonstrates APT28’s continued sophistication and adaptability in conducting cyberespionage against Ukrainian military infrastructure.