Overview
- ESET reports that a heavily modified Covenant serves as the primary implant in recent operations, with BeardShell retained as a fallback for resilience.
- Recent intrusions against Ukraine’s central executive bodies leveraged malicious DOC files exploiting the Microsoft Office flaw tracked as CVE-2026-21509.
- Analysts highlight a cloud-based command-and-control pattern: Covenant variants shifted from pCloud in 2023 to Koofr in 2024–2025 and Filen since July 2025, while BeardShell uses Icedrive.
- SLIMAGENT, a keylogging implant documented by CERT-UA in June 2025, complements the toolkit with keystroke, clipboard, and screenshot capture.
- Code overlaps and techniques—such as the opaque-predicate obfuscation seen in XTunnel and lineage from XAgent to SLIMAGENT—support ESET’s assessment that APT28’s advanced developers returned to active work in 2024.
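The cloud-storage command-and-control pattern above (pCloud, Koofr and Filen for the Covenant variants, Icedrive for BeardShell) lends itself to a simple hunting heuristic over egress proxy logs: enumerate which internal hosts talk to those providers, how often, and how much they send. The example below is added here for illustration and is not code from ESET or CERT-UA. It assumes a constructed four-field log format (timestamp, source IP, destination hostname, bytes) and the providers' public domain names; neither the log lines nor the hostnames are indicators from the report, and legitimate use of these services will also match, so the output is a triage list, not a verdict.

```python
import re
from collections import defaultdict

# Mapping from the cloud providers named in the report to the implant family the
# report associates with them. The hostname patterns are assumed public domains
# of those services (an assumption, not indicators published in the report).
PROVIDER_PATTERNS = {
    "pCloud":   (re.compile(r"(^|\.)pcloud\.com$"),      "Covenant variant (2023)"),
    "Koofr":    (re.compile(r"(^|\.)koofr\.(net|eu)$"),  "Covenant variant (2024-2025)"),
    "Filen":    (re.compile(r"(^|\.)filen\.io$"),        "Covenant variant (since July 2025)"),
    "Icedrive": (re.compile(r"(^|\.)icedrive\.net$"),    "BeardShell"),
}

# Constructed log format: "<timestamp> <src_ip> <dst_host> <bytes>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")


def parse_line(line):
    """Parse one proxy log line; return None for lines that do not fit the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, host, nbytes = m.groups()
    return {"ts": ts, "src": src, "host": host.lower(), "bytes": int(nbytes)}


def classify_host(host):
    """Return (provider, family) if the hostname belongs to a provider of interest."""
    for provider, (pattern, family) in PROVIDER_PATTERNS.items():
        if pattern.search(host):
            return provider, family
    return None


def find_cloud_c2_candidates(lines):
    """Return every parsed log record whose destination is one of the providers."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        match = classify_host(rec["host"])
        if match:
            hits.append({**rec, "provider": match[0], "family": match[1]})
    return hits


def summarize_by_source(hits):
    """Aggregate hits per internal source: contact count, bytes out, providers seen."""
    summary = defaultdict(lambda: {"count": 0, "bytes": 0, "providers": set(), "families": set()})
    for h in hits:
        s = summary[h["src"]]
        s["count"] += 1
        s["bytes"] += h["bytes"]
        s["providers"].add(h["provider"])
        s["families"].add(h["family"])
    return dict(summary)


def flag_repeat_contacts(summary, min_contacts=3):
    """Sources that contacted a provider at least min_contacts times (beacon-like)."""
    return sorted(src for src, s in summary.items() if s["count"] >= min_contacts)


# Constructed sample log lines (not real traffic); the last one is deliberately malformed.
SAMPLE_LOG = [
    "2025-07-14T09:00:01Z 10.0.0.5 api.filen.io 512",
    "2025-07-14T09:05:02Z 10.0.0.5 api.filen.io 498",
    "2025-07-14T09:10:03Z 10.0.0.5 api.filen.io 530",
    "2025-07-14T09:12:00Z 10.0.0.7 www.example.com 2048",
    "2025-07-14T09:15:00Z 10.0.0.9 app.icedrive.net 1024",
    "this line is not a log record",
]

if __name__ == "__main__":
    hits = find_cloud_c2_candidates(SAMPLE_LOG)
    summary = summarize_by_source(hits)
    for src, s in summary.items():
        print(src, s["count"], "contacts,", s["bytes"], "bytes ->", sorted(s["families"]))
    print("repeat contacts:", flag_repeat_contacts(summary))
```

The provider-to-family mapping is the only part tied to the report; the regular-interval contacts from 10.0.0.5 in the constructed sample show the shape worth reviewing, while a single contact with a file-sharing service is ordinary and is reported but not flagged.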