Uncovering the Stealthy Data Thief: A Decade of Secret Surveillance
A Sophisticated Spy Tool Has Been Stealing Data from Ukrainian Military Personnel for Years
Researchers at ESET have uncovered a complex espionage operation conducted by the Sednit group, a threat actor linked to Russia’s Main Intelligence Directorate.
The Espionage Operation
The group has been using a modern toolkit, comprising two complementary implants, to surveil Ukrainian military personnel since at least April 2024.
The toolkit’s dual-implant architecture relies on two separate cloud providers to ensure operational resilience.
The Implants
The implants, known as BeardShell and Covenant, have been used in conjunction to collect sensitive data from high-value targets.
BeardShell, a sophisticated implant, is capable of executing PowerShell commands within a .NET runtime environment.
It leverages the legitimate cloud storage service Icedrive as its Command and Control (C2) channel.
ESET researchers have assessed with high confidence that BeardShell is part of Sednit’s custom arsenal, based on its shared use of a rare obfuscation technique and co-location with another implant, SlimAgent.
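The two traits described above for BeardShell, a PowerShell engine hosted inside a .NET process and a consumer cloud-storage service used as C2, are each individually observable in endpoint telemetry. The following is an added detection example, not ESET's code or anything published with the research: it correlates Sysmon-style image-load and network events to flag a non-PowerShell process that loads the PowerShell engine assembly and also talks to cloud storage. The telemetry records are constructed, the field names are assumed, and icedrive.net is assumed to be Icedrive's service domain; the engine assembly name System.Management.Automation.dll and the legitimate host process names are real.

```python
"""Correlate image-load and network telemetry to spot a .NET implant hosting PowerShell
and using a cloud-storage service as C2. Added example with constructed data; field names
and the cloud-storage domain list are assumptions, not indicators from the report."""

from collections import defaultdict

# Real assembly name of the PowerShell engine and the processes that legitimately host it.
POWERSHELL_ENGINE = "system.management.automation.dll"
LEGIT_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}

# Assumed: consumer cloud-storage domains a workstation rarely needs; extend per environment.
CLOUD_STORAGE_DOMAINS = ("icedrive.net",)

# Constructed telemetry in a Sysmon-like shape (image_load ~ event 7, network ~ event 3).
SAMPLE_EVENTS = [
    # Normal admin PowerShell: the engine inside its usual host, no cloud traffic.
    {"event": "image_load", "pid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "loaded": r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\System.Management.Automation.dll"},
    # Suspicious: an unknown .NET binary in a user profile hosts the engine and reaches cloud storage.
    {"event": "image_load", "pid": 5588,
     "image": r"C:\Users\alice\AppData\Roaming\updater\svc.exe",
     "loaded": r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\System.Management.Automation.dll"},
    {"event": "network", "pid": 5588,
     "image": r"C:\Users\alice\AppData\Roaming\updater\svc.exe",
     "dest_host": "api.icedrive.net", "dest_port": 443},
    # Benign: a browser reaching cloud storage with no PowerShell engine involved.
    {"event": "network", "pid": 7001,
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_host": "icedrive.net", "dest_port": 443},
]


def _basename(path):
    """Case-insensitive file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rogue_powershell_hosts(events):
    """Return {pid: image} for processes that load the PowerShell engine
    but are not one of the known PowerShell host executables."""
    hits = {}
    for e in events:
        if e["event"] != "image_load":
            continue
        if _basename(e["loaded"]) != POWERSHELL_ENGINE:
            continue
        if _basename(e["image"]) in LEGIT_HOSTS:
            continue
        hits[e["pid"]] = e["image"]
    return hits


def cloud_storage_talkers(events, domains=CLOUD_STORAGE_DOMAINS):
    """Return {pid: set(hosts)} for processes connecting to a listed cloud-storage domain
    or any of its subdomains."""
    hits = defaultdict(set)
    for e in events:
        if e["event"] != "network":
            continue
        host = e["dest_host"].lower()
        if any(host == d or host.endswith("." + d) for d in domains):
            hits[e["pid"]].add(host)
    return dict(hits)


def triage(events):
    """Rank processes: both signals = high, rogue engine host alone = medium,
    cloud-storage traffic alone = info. Sorted by severity, then pid."""
    rogue = rogue_powershell_hosts(events)
    cloud = cloud_storage_talkers(events)
    findings = []
    for pid in set(rogue) | set(cloud):
        if pid in rogue and pid in cloud:
            severity = "high"
        elif pid in rogue:
            severity = "medium"
        else:
            severity = "info"
        image = rogue.get(pid) or next(e["image"] for e in events if e["pid"] == pid)
        findings.append({"pid": pid, "image": image, "severity": severity,
                         "cloud_hosts": sorted(cloud.get(pid, ()))})
    order = {"high": 0, "medium": 1, "info": 2}
    return sorted(findings, key=lambda f: (order[f["severity"]], f["pid"]))


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['severity']:6}] pid={f['pid']} {f['image']} cloud={f['cloud_hosts']}")
```

The engine-load check alone is a useful hunting query on its own, since legitimate software that embeds the PowerShell engine in a custom host is uncommon and easily allow-listed; combining it with outbound traffic to a consumer cloud-storage service narrows the result set to the pattern this article describes.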
SlimAgent, a simple yet efficient spying tool, was discovered on a Ukrainian governmental machine in April 2024.
It is capable of logging keystrokes, capturing screenshots, and collecting clipboard data.
ESET identified previously unknown samples of SlimAgent, which were deployed as early as 2018 against governmental entities in two European countries.
This suggests that SlimAgent is an evolution of the keylogger module of Xagent, a custom toolset used exclusively by the Sednit group for over six years.
Covenant
Covenant, an open-source .NET post-exploitation framework, has been repurposed by Sednit for espionage operations.
It provides over 90 built-in tasks, supporting capabilities such as data exfiltration, target monitoring, and network pivoting.
Sednit developers have modified Covenant to establish it as their primary espionage implant, using it to maintain persistent access to high-value targets.
Deployment and Evolution
Since 2023, Sednit has systematically deployed Covenant alongside BeardShell in long-term espionage operations targeting Ukrainian military personnel.
In 2025, ESET’s analysis of Sednit-controlled Covenant cloud drives revealed machines that had been monitored for over six months.
In January 2026, Sednit also deployed Covenant in a series of spearphishing campaigns exploiting the CVE-2026-21509 vulnerability.
The sophistication of BeardShell and the extensive modifications made to Covenant demonstrate that Sednit’s developers remain capable of producing advanced custom implants.
The shared code and techniques linking these tools to their 2010-era predecessors suggest continuity within the development team.
The Sednit group’s ability to adapt and evolve its toolkit has enabled it to conduct sustained surveillance of Ukrainian military personnel for years.
In 2016, the US Department of Justice tied the Sednit group to Unit 26165 of the GRU, identifying it as part of Russia’s Main Intelligence Directorate.
The group’s activities have been consistently linked to Russian intelligence operations, highlighting the ongoing threat posed by nation-state actors to global cybersecurity.
