
APT28 Deploys Sophisticated BEARDSHELL & COVENANT Malware via Encrypted Messaging

Updated: Jul 11, 2025

Overview: Ukraine's Computer Emergency Response Team (CERT-UA) has issued an urgent alert about a newly discovered cyber-espionage campaign conducted by APT28 (also tracked as Fancy Bear or UAC-0001), a Russia-linked advanced persistent threat group. The operation uses the Signal messenger to deliver two malware tools, BEARDSHELL and COVENANT, to Ukrainian government entities and critical infrastructure.

Key Findings

  • Delivery Pipeline: Attackers send malicious Word documents over Signal chat. Once the recipient opens the document and its embedded macro runs, it writes a DLL payload (ctec.dll) and a PNG artifact (windows.png) to disk to start the infection chain.

  • Exploit Vectors: The attack chain also exploits known vulnerabilities in outdated webmail platforms (Roundcube, Horde, MDaemon and Zimbra) to gain initial access, using exploits for CVE-2020-35730, CVE-2021-44026 and CVE-2020-12641, among others.

  • Advanced Malware Capabilities: BEARDSHELL and COVENANT are purpose-built espionage toolkits that bundle remote control, data exfiltration and persistence. CERT-UA highlights their modular design and stealth features, which complicate detection.

Implications

  • The use of Signal for malware distribution underscores threat actors’ adaptation to encrypted messaging to bypass traditional detection and interception methods.

  • Reliance on legacy, unpatched webmail servers amplifies risk for public sector organizations still operating outdated software.

  • The modular nature of these tools signals heightened sophistication and prioritization of stealth in modern cyber‑espionage campaigns.

Recommendations for Risk Mitigation

  1. Harden Messaging Security:

    • Disable macro execution in Office applications unless the macro is digitally signed by a trusted publisher.

    • Train staff to identify and report suspicious attachments even from trusted channels.

  2. Patch Webmail Platforms:

    • Immediately update or decommission vulnerable webmail systems.

    • Apply security patches for known exploited vulnerabilities (notably CVE-2020-35730 and CVE-2021-44026).

  3. Deploy Threat Detection:

    • Enhance endpoint monitoring for anomalous DLL and position-independent code (PIC) activity, especially binaries and image files written to disk by Office processes shortly after a document is opened.

    • Integrate behavioral threat analytics to detect lateral movement.

  4. Segment and Monitor Networks:

    • Limit Signal and external chat usage on government networks.

    • Enforce network segmentation so that a single compromised host cannot reach the rest of the environment.
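
The detection logic recommendation 3 asks for, as a worked example added to this page (it is not CERT-UA's or any vendor's code): it consumes simplified Sysmon-style records (Event ID 11 FileCreate and Event ID 7 ImageLoad), flags an Office process that writes a DLL into a user-writable directory together with whatever else that same process wrote within two minutes (so the PNG carrier from the delivery pipeline above surfaces as a companion), and separately flags any unsigned DLL mapped from such a path. The event records, user name, process IDs and the choice of explorer.exe as the loader of ctec.dll are constructed for illustration; the advisory does not say which process loads the DLL, and the field names are a simplified version of Sysmon's.

```python
"""Flag Office processes dropping DLL/PIC artifacts and unsigned DLL loads from user paths.

Added example: consumes simplified Sysmon-style events (Event ID 11 FileCreate,
Event ID 7 ImageLoad) as dicts. The sample events below are constructed for
illustration, not captured from an infected host.
"""
from datetime import datetime, timedelta
import ntpath

OFFICE_PROCS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Directories an unprivileged user can write to; a macro-staged payload lands here,
# not under Program Files or System32.
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")
CORRELATION_WINDOW = timedelta(seconds=120)

WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"

# Constructed sample log: one Word instance (PID 4040) drops the PNG carrier and the
# DLL one second apart, another Word instance (PID 5120) writes an ordinary temp file,
# and the DLL is then loaded by explorer.exe (an assumed loader; the advisory does
# not say which process loads it).
SAMPLE_EVENTS = [
    {"utc_time": "2025-07-10T09:12:11", "event_id": 11, "pid": 5120, "image": WINWORD,
     "target": r"C:\Users\olena\AppData\Local\Temp\~DF3A1.tmp"},
    {"utc_time": "2025-07-10T09:14:02", "event_id": 11, "pid": 4040, "image": WINWORD,
     "target": r"C:\Users\olena\AppData\Local\Temp\windows.png"},
    {"utc_time": "2025-07-10T09:14:03", "event_id": 11, "pid": 4040, "image": WINWORD,
     "target": r"C:\Users\olena\AppData\Local\Temp\ctec.dll"},
    {"utc_time": "2025-07-10T09:14:09", "event_id": 7, "pid": 4188,
     "image": r"C:\Windows\explorer.exe",
     "image_loaded": r"C:\Users\olena\AppData\Local\Temp\ctec.dll", "signed": False},
    {"utc_time": "2025-07-10T09:14:09", "event_id": 7, "pid": 884,
     "image": r"C:\Windows\System32\svchost.exe",
     "image_loaded": r"C:\Windows\System32\kernel32.dll", "signed": True},
    # Same Word instance, ten minutes later: outside the correlation window.
    {"utc_time": "2025-07-10T09:25:40", "event_id": 11, "pid": 4040, "image": WINWORD,
     "target": r"C:\Users\olena\AppData\Local\Temp\~WRD0001.tmp"},
]


def is_user_writable(path: str) -> bool:
    """True if the path sits under a directory a standard user can write to."""
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def _ts(event: dict) -> datetime:
    return datetime.fromisoformat(event["utc_time"])


def detect_office_drops(events, window=CORRELATION_WINDOW):
    """Office process writes a DLL into a user-writable path.

    Reports every other file the same PID created within `window` of the DLL,
    so a PNG or other carrier dropped alongside it is surfaced as a companion.
    """
    creates = [e for e in events
               if e["event_id"] == 11
               and ntpath.basename(e["image"]).lower() in OFFICE_PROCS
               and is_user_writable(e["target"])]
    findings = []
    for dll in creates:
        if not dll["target"].lower().endswith(".dll"):
            continue
        t0 = _ts(dll)
        companions = sorted(
            e["target"] for e in creates
            if e["pid"] == dll["pid"] and e is not dll and abs(_ts(e) - t0) <= window)
        findings.append({"rule": "office_dll_drop", "pid": dll["pid"],
                         "dll": dll["target"], "companions": companions})
    return findings


def detect_unsigned_dll_loads(events):
    """Unsigned DLL mapped from a user-writable path (Sysmon Event ID 7)."""
    return [{"rule": "unsigned_dll_from_user_path", "pid": e["pid"],
             "loader": e["image"], "dll": e["image_loaded"]}
            for e in events
            if e["event_id"] == 7 and not e.get("signed", False)
            and is_user_writable(e["image_loaded"])]


def run(events):
    """Run both rules and return the combined findings."""
    return detect_office_drops(events) + detect_unsigned_dll_loads(events)


if __name__ == "__main__":
    for finding in run(SAMPLE_EVENTS):
        print(finding)
```

On the sample log the first rule returns one finding for ctec.dll with windows.png as its companion (the unrelated Word instance and the temp file written ten minutes later are excluded), and the second returns one finding for the unsigned load from the user's Temp directory. In production the events would come from the SIEM, and legitimate add-ins that live under AppData (installed per user) will need an allowlist; the correlation window and the user-writable prefixes are tuning knobs, not fixed indicators.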

Conclusion: This campaign marks a troubling escalation in the cyber-espionage landscape: a secure communications channel is used to deliver advanced malware to critical public institutions. Proactive patching, user awareness and layered detection remain essential to prevent compromise.

