{"id":222007,"date":"2026-03-10T11:17:00","date_gmt":"2026-03-10T15:17:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/03\/10\/apt28-conducts-long-term-espionage-on-ukrainian-forces-using-custom-malware\/"},"modified":"2026-03-10T12:55:11","modified_gmt":"2026-03-10T16:55:11","slug":"apt28-conducts-long-term-espionage-on-ukrainian-forces-using-custom-malware","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/03\/10\/apt28-conducts-long-term-espionage-on-ukrainian-forces-using-custom-malware\/","title":{"rendered":"APT28 conducts long-term espionage on Ukrainian forces using custom malware"},"content":{"rendered":"<p><a href=\"https:\/\/securityaffairs.com\/189230\/apt\/apt28-conducts-long-term-espionage-on-ukrainian-forces-using-custom-malware.html\">APT28 conducts long-term espionage on Ukrainian forces using custom malware<\/a><\/p>\n<p><a href=\"https:\/\/securityaffairs.com\/189230\/apt\/apt28-conducts-long-term-espionage-on-ukrainian-forces-using-custom-malware.html\">https:\/\/securityaffairs.com\/189230\/apt\/apt28-conducts-long-term-espionage-on-ukrainian-forces-using-custom-malware.html<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-03-10 11:17:00<\/a><\/p>\n<p>Source Domain: <a href=\"securityaffairs.com\">securityaffairs.com<\/a><\/p>\n<p><h2>APT28 conducts long-term espionage on Ukrainian forces using custom malware<\/h2>\n<\/p>\n<p>\t\t\t\t\t\t\t<span> Pierluigi Paganini<\/span><br \/>\n\t\t\t\t\t\t\t<span><img decoding=\"async\" src=\"https:\/\/securityaffairs.com\/wp-content\/themes\/security_affairs\/images\/clock-icon.svg\" alt=\"\"\/> March 10, 2026<\/span><\/p>\n<p>\t\t\t\t\t\t<img decoding=\"async\" class=\"img-fluid mb-4\" src=\"https:\/\/i0.wp.com\/securityaffairs.com\/wp-content\/uploads\/2026\/03\/image-38.png?fit=1627%2C384&#038;ssl=1\" alt=\"\"\/><\/p>\n<h2 class=\"wp-block-heading\">APT28 used BEARDSHELL and COVENANT malware to spy on Ukrainian military personnel, 
enabling long-term surveillance since April 2024.<\/h2>\n<p>The Russia-linked group APT28 (aka UAC-0001, aka\u00a0Fancy Bear,\u00a0Pawn Storm,\u00a0Sofacy Group,\u00a0Sednit,\u00a0BlueDelta, and\u00a0STRONTIUM) has used BEARDSHELL and COVENANT malware to conduct long-term surveillance of Ukrainian military personnel. According to ESET, the campaign began in April 2024 and relies on custom implants designed to maintain persistent access and collect sensitive information from targeted systems.<\/p>\n<p>\u201cSince April 2024, Sednit\u2019s advanced development team has reemerged with a modern toolkit centered on two paired implants, BeardShell and Covenant, each using a different cloud provider for resilience.\u201d reads the <strong>report<\/strong> published by ESET. \u201cThis dual\u2011implant approach enabled long\u2011term surveillance of Ukrainian military personnel. Interestingly, these current toolsets show a direct code lineage to the group\u2019s 2010\u2011era implants.\u201d<\/p>\n<p>The\u00a0APT28\u00a0group\u00a0has been active since at least 2007 and has targeted\u00a0governments, militaries, and security organizations worldwide.\u00a0The group was also involved in the string of attacks that targeted\u00a0the 2016 Presidential election.<\/p>\n<p>The group operates out of military unit 26165 of the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS).<\/p>\n<p>BEARDSHELL and SLIMAGENT are two advanced malware tools written in C++. BEARDSHELL downloads, decrypts (using ChaCha20-Poly1305), and runs PowerShell scripts, sending results via the Icedrive API. It creates a unique folder on each infected machine based on system identifiers. SLIMAGENT captures screenshots using Windows APIs, encrypts them with AES and RSA, and stores them locally with timestamped filenames. 
Both&#8230;<\/p>\n<p><a href=\"https:\/\/securityaffairs.com\/189230\/apt\/apt28-conducts-long-term-espionage-on-ukrainian-forces-using-custom-malware.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>APT28 conducts long-term espionage on Ukrainian forces using custom malware https:\/\/securityaffairs.com\/189230\/apt\/apt28-conducts-long-term-espionage-on-ukrainian-forces-using-custom-malware.html Publish Date: 2026-03-10 11:17:00&#8230;<\/p>\n","protected":false},"author":1,"featured_media":222008,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/securityaffairs.com\/wp-content\/uploads\/2026\/03\/image-38.png","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[32],"class_list":["post-222007","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-malware"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/222007"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=222007"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/222007\/revisions"}],"predecessor-version":[{"id":222009,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/222007\/revisions\/222009"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/222008"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=222007"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\
/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=222007"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=222007"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}