
APT28 Strikes Ukraine: Cyber Espionage Escalates

  • Editorial Staff
  • 25. 6.
  • Reading time: 4 minutes

Updated: 23. 8.

Russian-Linked Hackers Exploit Communication Platform Vulnerabilities in Strategic Attacks Targeting Government Entities


Prepared June 2025

Author: Luca Pellegrini


Escalation of cyber espionage depicted by digital network diagram.



Situation Overview


Russian cyber espionage group APT28, also known as Fancy Bear, has escalated its cyber warfare against Ukraine, exploiting vulnerabilities in communication platforms like Signal and webmail services. This recent wave of sophisticated attacks targets Ukrainian government entities, aiming to extract sensitive information through advanced malware deployment and meticulously orchestrated phishing campaigns.


APT28, long associated with the Russian state and widely suspected of involvement in various high-profile global cyber incidents, including the hacking of the Democratic National Committee (DNC) in the United States, has consistently demonstrated high levels of operational skill and resourcefulness. Known for employing advanced malware and covert communication channels, the group's recent attack leverages previously undisclosed software vulnerabilities to infiltrate secure communication channels.


The Computer Emergency Response Team of Ukraine (CERT-UA) recently identified two novel malware strains used by APT28: BEARDSHELL, a sophisticated C++-based backdoor, and COVENANT, an advanced memory-resident framework. BEARDSHELL notably exploits the Icedrive API to facilitate the covert transfer of stolen data and execution of malicious scripts.



Deploying COVENANT Framework via Malicious Macros and Hidden Shellcode


The attackers utilized cross-site scripting (XSS) vulnerabilities present in popular webmail software such as Roundcube, Horde, MDaemon, and Zimbra. The infiltration began with carefully crafted phishing messages sent via Signal, which included links or attachments disguised as legitimate documents. Upon interacting with these malicious links or attachments, users unknowingly triggered the download of macro-laced Microsoft Word documents. These documents, once opened, executed embedded macros that dropped two specific payloads onto the compromised system: a malicious Dynamic Link Library (DLL) file and a benign-looking PNG image containing hidden shellcode.


The malicious DLL file performed registry modifications to ensure persistent execution, launching itself automatically each time File Explorer was opened. The DLL’s primary function was to extract and execute the embedded shellcode from the PNG image. This shellcode activated the memory-resident COVENANT framework, which subsequently downloaded and installed additional payloads, including the BEARDSHELL backdoor. This backdoor enabled attackers to remotely execute PowerShell scripts and exfiltrate the results back to their infrastructure via encrypted channels using the Icedrive API.



More about BEARDSHELL


BEARDSHELL is a post-exploitation, fileless backdoor written in Bash, commonly used in advanced persistent threat (APT) operations to maintain stealthy control over compromised systems. It is typically deployed after an attacker has already gained access, such as via phishing or exploiting a vulnerability.


It functions by establishing a covert reverse shell connection to a remote command-and-control (C2) server, allowing the attacker to execute arbitrary shell commands. Since it operates entirely in memory, it avoids writing files to disk, thereby evading detection by antivirus and file integrity monitoring tools. BEARDSHELL adapts its behavior based on the environment by checking the host operating system and kernel version.


For evasion, BEARDSHELL does not leave a file footprint and may use obfuscation techniques such as base64 encoding and eval to mask its true functionality. It avoids using external binaries, relying instead on built-in shell commands to avoid triggering alerts from endpoint detection and response (EDR) solutions.
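The obfuscation the paragraph describes (base64 encoding fed into eval, built-in shell commands only) leaves recognisable traces in process command lines. The scanner below is an added defensive example, not code from the article or any vendor: it scores command lines as an EDR or auditd export would supply them, flags decode-into-eval constructs, eval of a subshell, download-and-pipe-to-shell, and long base64 blobs, and decodes any blob that turns out to be printable text so an analyst sees what the encoding hid. All sample events are constructed, and the encoded string merely decodes to a harmless echo statement.

```python
"""Score shell command lines for common obfuscation patterns.

Added defensive example; not code from the article or any vendor. The
sample events and the encoded placeholder are constructed for the demo.
"""
import base64
import re

RULES = [
    ("base64_decode_to_shell",
     re.compile(r"base64\s+(?:-d|--decode)\b.*\|\s*(?:eval|sh|bash|zsh)\b")),
    ("eval_of_subshell", re.compile(r"\beval\b\s*[\"']?\$\(")),
    ("download_to_shell", re.compile(r"\b(?:curl|wget)\b.*\|\s*(?:sh|bash)\b")),
    ("long_base64_blob",
     re.compile(r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{40,}={0,2}(?![A-Za-z0-9+/=])")),
]
_BLOB_RX = RULES[3][1]


def decode_blobs(cmdline: str, limit: int = 60) -> list:
    """Return a printable prefix of every long base64 blob in the command line."""
    out = []
    for m in _BLOB_RX.finditer(cmdline):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        try:
            text = raw.decode("utf-8")
        except UnicodeDecodeError:
            out.append("<binary %d bytes>" % len(raw))
            continue
        cleaned = text.replace("\n", " ").replace("\t", " ")
        out.append(cleaned[:limit] if cleaned.isprintable()
                   else "<binary %d bytes>" % len(raw))
    return out


def analyze(cmdline: str) -> dict:
    """Evaluate one command line against every rule."""
    hits = [name for name, rx in RULES if rx.search(cmdline)]
    decoded = decode_blobs(cmdline) if "long_base64_blob" in hits else []
    return {"cmdline": cmdline, "hits": hits, "decoded": decoded}


def scan(events: list) -> list:
    """Return analysis records only for command lines that triggered a rule."""
    return [rec for rec in (analyze(e) for e in events) if rec["hits"]]


# Constructed sample events. The encoded string stands in for a second stage;
# here it decodes to nothing more than an echo statement.
_STAGE_PLACEHOLDER = base64.b64encode(
    b"echo placeholder-stage-two-would-run-here").decode()
SAMPLE_EVENTS = [
    "ls -la /var/log",
    "grep -R 'Failed password' /var/log/auth.log",
    'bash -c "eval $(echo %s | base64 -d)"' % _STAGE_PLACEHOLDER,
    "echo SGVsbG8= | base64 -d",
]

if __name__ == "__main__":
    for rec in scan(SAMPLE_EVENTS):
        print(rec["hits"], rec["decoded"], rec["cmdline"])
```

The short `echo SGVsbG8= | base64 -d` line is deliberately left unflagged: base64 use on its own is everyday administration, and the rules key on the combination of decoding with execution, or on a blob long enough to hold a script rather than a token. Tune the 40-character floor against your own fleet's baseline before alerting on it.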


Its communication with the C2 server typically uses standard protocols like HTTP or HTTPS to blend in with legitimate traffic. The payloads it transmits may be encrypted or encoded to further reduce the risk of network-based detection.


BEARDSHELL is not inherently persistent, meaning it does not automatically survive reboots. However, persistence can be manually configured by integrating it into cron jobs, modifying SSH configuration files, or manipulating environment variables.


BEARDSHELL can also be employed in red team assessments and adversary emulation scenarios to test the detection and response capabilities of security infrastructure.


Such highly strategic attacks underscore APT28’s adaptive capabilities, showing meticulous preparation and execution to exploit common software vulnerabilities effectively. The repercussions of these cyber aggressions extend beyond immediate data theft. They pose significant risks to national security, potentially compromising sensitive military and diplomatic communications, and destabilizing government operations.


International cybersecurity experts warn of broader implications, highlighting vulnerabilities within common communication infrastructures widely adopted by governments and enterprises. The utilization of trusted messaging services for initial compromise magnifies the potential impact, undermining user confidence in secure communications.



APT28: History, Modus Operandi, and Previous Attack Methodology


APT28, also known by several aliases including Fancy Bear, Sofacy, Sednit, BlueDelta, Fighting Ursa, Forest Blizzard, FROZENLAKE, Iron Twilight, ITG05, Pawn Storm, TA422 and STRONTIUM, is a sophisticated cyber espionage entity that has been strongly associated with the Russian state. The group has been active since at least 2007, and throughout its history, it has carried out targeted cyber-attacks on governments, military organizations, security institutions, and various private entities around the world. Notably, APT28 was implicated in significant cyber incidents, including the 2016 hacking of the Democratic National Committee (DNC) in the United States.


The modus operandi of APT28 is distinguished by its sophisticated use of operational security measures and highly advanced technical techniques. The group often engages in spear-phishing campaigns, sending specifically tailored and convincing emails designed to deceive targets into either revealing sensitive credentials or executing malicious payloads. Additionally, the group frequently exploits zero-day vulnerabilities—previously undisclosed flaws in software—to breach secure communication channels, particularly targeting communication tools such as webmail platforms and encrypted messaging applications like Signal.


APT28 consistently employs advanced malware that is custom-developed for its operations. This malware typically includes sophisticated backdoors, enabling persistent and covert access to compromised systems. The group's approach involves maintaining stealth to avoid detection and sustain long-term control over the infected systems. Communication with command and control servers is typically encrypted, further enhancing the secrecy and effectiveness of their operations.



Recommendations


To defend against such sophisticated threats, cybersecurity analysts recommend several critical steps. Organizations must prioritize updating and patching software vulnerabilities, particularly in webmail platforms, to prevent exploitation through known weaknesses.


Regular penetration testing and vulnerability assessments should become integral to organizational cybersecurity strategies, employing robust tools such as Nmap for network scanning and OpenVAS for vulnerability management.


Awareness and continuous training programs aimed at recognizing phishing attempts are crucial. Additionally, monitoring network traffic for suspicious activities, especially involving domains like "app.koofr.net" and "api.icedrive.net," is strongly advised to detect early stages of compromise.
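The monitoring advice above names two domains. The script below is an added defensive example, not code from the article or any vendor: it reads DNS query log lines, matches queried names against the two domains (and their subdomains, with a proper label boundary so `notapp.koofr.net` does not match), and summarises hits per client so an analyst can see which hosts talk to the services and how often. The log format (timestamp, client IP, queried name) and the sample lines are constructed for the example. Both domains belong to legitimate cloud-storage services, so a hit is a lead to compare against the host's normal behaviour, not proof of compromise.

```python
"""Match DNS query logs against the domains the article recommends watching.

Added defensive example; not code from the article or any vendor. The log
format and the sample lines are constructed for this demonstration.
"""
from collections import defaultdict

# The two domains named in the article's monitoring advice.
WATCHLIST = {
    "app.koofr.net": "Koofr storage; named in the APT28 report",
    "api.icedrive.net": "Icedrive API; used by BEARDSHELL per CERT-UA",
}


def match_domain(qname: str, watchlist=WATCHLIST):
    """Return the watchlist entry that qname equals or is a subdomain of."""
    name = qname.strip().lower().rstrip(".")
    for entry in watchlist:
        # Require a label boundary: "x.app.koofr.net" matches, "notapp.koofr.net" does not.
        if name == entry or name.endswith("." + entry):
            return entry
    return None


def scan_dns_log(text: str) -> list:
    """Parse 'timestamp client qname' lines and return one alert per hit."""
    alerts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed or comment lines
        ts, client, qname = fields
        matched = match_domain(qname)
        if matched:
            alerts.append({"ts": ts, "client": client,
                           "qname": qname.lower().rstrip("."),
                           "matched": matched, "note": WATCHLIST[matched]})
    return alerts


def summarize(alerts: list) -> dict:
    """Count hits per client and per matched domain."""
    counts = defaultdict(lambda: defaultdict(int))
    for a in alerts:
        counts[a["client"]][a["matched"]] += 1
    return {client: dict(per_domain) for client, per_domain in counts.items()}


# Constructed sample log; mixed-case and trailing-dot names are normalised.
SAMPLE_LOG = """\
2025-06-20T08:01:12Z 10.20.30.41 www.example.org
2025-06-20T08:01:15Z 10.20.30.41 API.icedrive.net.
2025-06-20T08:02:03Z 10.20.30.77 app.koofr.net
2025-06-20T08:02:09Z 10.20.30.41 api.icedrive.net
2025-06-20T08:03:44Z 10.20.30.90 mail.example.org
2025-06-20T08:04:01Z 10.20.30.90 notapp.koofr.net
"""

if __name__ == "__main__":
    hits = scan_dns_log(SAMPLE_LOG)
    for a in hits:
        print(a["ts"], a["client"], a["qname"], "->", a["matched"])
    print(summarize(hits))
```

Feed it the resolver or proxy log your environment actually produces after adjusting the three-field parse, and pair the per-client summary with a baseline: a workstation that has never touched either service and suddenly queries `api.icedrive.net` is the case worth escalating.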


The ongoing threat posed by APT28 emphasizes an urgent need for enhanced cybersecurity vigilance and proactive defense measures. Organizations must adapt to evolving threats, recognizing the complexities of modern cyber warfare and the critical importance of securing communication channels against highly capable adversaries.





CEPRODE EUROPE s.r.o.

Varšavská 715/36

120 00 Prague

Czech Republic

E-mail: info@ceprode.eu

Phone: +420 606 741 688
