APT28 Hackers Leverage Customized Covenant Tool for Sophisticated Attacks


Russian State-Sponsored Hackers Employ Customized Covenant Tool in Attacks

The APT28 hacking group, also known as Fancy Bear, Forest Blizzard, Strontium, and Sednit, has been observed using a modified version of the open-source Covenant framework in recent attacks. This is a notable shift for a group historically associated with bespoke, high-end implants and with breaches of prominent targets, including the German Parliament and several French organizations.

Modified Covenant Tool and Dual-Implant Approach

According to researchers at ESET, the Russian group began using Covenant in April 2024, alongside another implant known as BeardShell. This dual-implant approach has enabled long-term surveillance of Ukrainian military personnel. For initial access, the attacks exploited CVE-2026-21509, a Microsoft Office vulnerability, using malicious DOC files.

Covenant is a .NET post-exploitation framework. The attackers heavily modified it, adding deterministic implant identifiers derived from host characteristics (so the same machine is always recognised by the same ID), altering its execution flow to evade behavioral detection, and adding new cloud-based communication channels.

Covenant Tool Modifications and Cloud-Based Communication

Since July 2025 the group has used the cloud-storage provider Filen as Covenant's communication channel, having previously relied on Koofr and pCloud. BeardShell, by contrast, is a modern implant that uses the legitimate cloud-storage service Icedrive for command-and-control (C2) communication. Because all four are legitimate services, the C2 traffic blends in with ordinary cloud-storage use over HTTPS.
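The practical consequence of C2 over legitimate cloud storage is that a reputation-based block list will not catch it; what stands out instead is *which* process talks to the provider and *how regularly*. The following is an added example, not code from the article or from ESET, that runs that check over a few constructed proxy-log lines: it groups contacts to the named providers by source host and process, then flags groups whose intervals are nearly constant as timer-driven beacons. The provider domain list is an assumption for illustration and should be replaced with your own intelligence.

```python
"""Flag proxy-log contacts to consumer cloud-storage providers that APT28 has
used as C2 relays (Filen, Koofr, pCloud, Icedrive) and mark timer-like beaconing.
Added example; the log lines below are constructed, not real telemetry."""
import re
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Assumed provider domains (hypothetical watch list; verify against your own intel).
CLOUD_C2_DOMAINS = {
    "filen.io": "Filen",
    "koofr.net": "Koofr",
    "koofr.eu": "Koofr",
    "pcloud.com": "pCloud",
    "icedrive.net": "Icedrive",
}

# Constructed sample proxy log: "<utc_ts> <src_host> <process> <dst_host> <bytes_out>"
SAMPLE_LOG = """\
2025-07-14T08:00:05Z ws-017 OUTLOOK.EXE outlook.office365.com 4120
2025-07-14T08:00:12Z ws-017 dllhost.exe api.filen.io 2048
2025-07-14T08:05:11Z ws-017 dllhost.exe api.filen.io 2050
2025-07-14T08:10:13Z ws-017 dllhost.exe api.filen.io 2047
2025-07-14T08:15:12Z ws-017 dllhost.exe api.filen.io 2051
2025-07-14T09:31:40Z ws-042 Dropbox.exe client.dropbox.com 88200
2025-07-14T10:02:03Z ws-042 chrome.exe drive.icedrive.net 15000
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")


def match_provider(dst_host):
    """Return the provider name if dst_host is a watched domain or a subdomain of one."""
    host = dst_host.lower().rstrip(".")
    for domain, name in CLOUD_C2_DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            return name
    return None


def parse_line(line):
    """Parse one constructed log line into a dict; return None on malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, proc, dst, size = m.groups()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "src_host": src, "process": proc, "dst_host": dst, "bytes_out": int(size),
    }


def find_cloud_c2(log_text, min_events=3, max_jitter=0.1):
    """Group provider contacts by (host, process, provider); a group with at least
    min_events contacts whose interval spread is below max_jitter is beacon-like."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        provider = match_provider(ev["dst_host"])
        if provider:
            groups[(ev["src_host"], ev["process"], provider)].append(ev["ts"])

    findings = []
    for (src, proc, provider), stamps in sorted(groups.items()):
        stamps.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        beacon_like = False
        mean_iv = 0.0
        if len(stamps) >= min_events:
            mean_iv = mean(intervals)
            # Near-constant intervals indicate a sleep timer, not a human using the service.
            beacon_like = mean_iv > 0 and pstdev(intervals) / mean_iv < max_jitter
        findings.append({
            "src_host": src, "process": proc, "provider": provider,
            "events": len(stamps), "mean_interval_s": round(mean_iv, 1),
            "beacon_like": beacon_like,
        })
    return findings


if __name__ == "__main__":
    for f in find_cloud_c2(SAMPLE_LOG):
        tag = "BEACON" if f["beacon_like"] else "contact"
        print(f"{tag:8} {f['src_host']} {f['process']} -> {f['provider']} "
              f"x{f['events']} every ~{f['mean_interval_s']}s")
```

On the sample, `dllhost.exe` on ws-017 contacting Filen every ~300 seconds is reported as a beacon, while the single browser visit to Icedrive from ws-042 is reported only as a contact. That distinction matters in practice: employees do use these services legitimately, so the process name, its parent, and the transfer sizes should be reviewed before a finding is escalated, and the jitter threshold must be tuned if the implant randomises its sleep.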

BeardShell can execute PowerShell commands through a .NET runtime it hosts, and it has been used alongside SlimAgent, a keylogging implant found on a Ukrainian government system.

APT28’s Advanced Malware Development Team

ESET researchers believe that APT28’s advanced malware development team returned to activity in 2024, providing the group with new long-term espionage capabilities. The technical similarities between the current malware and 2010-era malware suggest continuity in the threat group’s development team.

Shift in Tactics and Ongoing Use of Customized Tools

The use of Covenant as the primary implant, with BeardShell held in reserve in case Covenant runs into operational problems, marks a change in the group's approach: rather than relying solely on bespoke tooling, the attackers invested heavily in adapting an open-source framework into their main espionage implant.

APT28's continued investment in customized tooling shows the group's sustained focus on targeted espionage. For defenders, the notable lesson is the abuse of legitimate cloud-storage services as C2 channels: blocking known-bad domains alone will not catch this traffic, so monitoring must look at which processes contact such services and how regularly they do so.


