APT28 exploits Signal messaging against the Ukrainian government

Russian state-sponsored threat actors known as APT28 have launched a cyberattack campaign against Ukrainian government entities. The campaign uses the Signal messaging platform as the delivery channel for two previously undocumented malware strains, BEARDSHELL and COVENANT. The attacks demonstrate an evolution in tactics as threat actors leverage trusted communication channels to bypass traditional security measures.

What happened

Ukraine's Computer Emergency Response Team (CERT-UA) revealed that APT28, also tracked as UAC-0001 and linked to Russia's GRU military intelligence Unit 26165, has been using Signal chat messages to target government officials with malware-laden documents. The campaign was first detected during incident response efforts in March and April 2024, but the full scope and infection vector remained unclear until a renewed investigation in May 2025, prompted by ESET's discovery of unauthorized access to a Ukrainian government email account ending in gov.ua.

Go deeper

The attack chain began with threat actors sending victims a Microsoft Word document titled "Акт.doc" through Signal's encrypted messaging platform. The document contains malicious macros that, when enabled, drop two files: a malicious DLL named "ctec.dll" and a PNG image file called "windows.png" containing encrypted shellcode.

The macro modifies Windows Registry entries to ensure the DLL loads when Windows File Explorer launches, establishing persistence through COM hijacking. The DLL then extracts and executes shellcode from the PNG file, deploying the COVENANT framework directly into memory. COVENANT subsequently downloads additional payloads, including a DLL file and a WAV file containing shellcode that activates the BEARDSHELL backdoor.

BEARDSHELL, written in C++, lets attackers download and execute PowerShell scripts after decrypting them with ChaCha20-Poly1305. The malware then exfiltrates execution results to command-and-control servers through the Icedrive API, allowing attackers to blend malicious traffic with legitimate cloud service communications.

Why it matters

The exploitation of Signal, a platform widely adopted by government agencies and healthcare providers for its security features, demonstrates how threat actors are adapting to target the very tools organizations use to protect themselves.

The tactics mirror recent campaigns by APT28's sister organization APT29, which was recently caught exploiting Gmail's app-specific passwords to bypass two-factor authentication. Both Russian intelligence groups are now weaponizing trusted communication platforms and legitimate features to bypass security controls, suggesting a coordinated shift in strategy among Russian cyber operations.

The intrigue

CERT-UA's investigation also uncovered a related tool called SLIMAGENT, first observed in the March 2024 incidents. This screenshot-capturing utility uses Windows API functions to covertly capture screen images, encrypt them using AES and RSA algorithms, and store them locally with timestamped filenames for later exfiltration.

The timing of this campaign coincides with ESET's earlier reports of APT28 exploiting cross-site scripting vulnerabilities in webmail platforms including Roundcube, Horde, MDaemon, and Zimbra. In those attacks, phishing emails disguised as news articles from Ukrainian publication nv.ua deployed JavaScript exploits to steal session cookies, create email redirect rules, and conduct SQL injection attacks against over 40 Ukrainian organizations.

What they're saying

CERT-UA emphasized that "attackers, using Signal, delivered a malicious document titled 'Акт.doc' containing a macro. From their messages, it was evident the attackers had insider knowledge of the target."

The agency specifically warned organizations to monitor network traffic to domains "app.koofr[.]net" and "api.icedrive[.]net," which are associated with the malware's command-and-control infrastructure.
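One way to act on that warning is to match the two defanged indicators against proxy and DNS logs. The following is an added example, not code from the article or from CERT-UA; the log lines are constructed samples, and the regular expression and log formats are assumptions, not a description of any particular product's output.

```python
"""Match the CERT-UA C2 indicators against proxy/DNS log lines (added example)."""
import re
from typing import Iterable, Optional

# Indicators exactly as the advisory defangs them; refanged at load time.
DEFANGED_IOCS = ["app.koofr[.]net", "api.icedrive[.]net"]

def refang(indicator: str) -> str:
    """Turn 'app.koofr[.]net' back into 'app.koofr.net'."""
    return indicator.replace("[.]", ".").lower()

IOCS = {refang(i) for i in DEFANGED_IOCS}

# Pull any hostname out of a log line, whether it appears as a bare DNS query
# name, a CONNECT host:port, or inside a URL. Dotted IPs do not match because
# the last label must be alphabetic.
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?::\d+)?", re.I)

def matches_ioc(host: str) -> Optional[str]:
    """Return the matching indicator if host equals it or is a subdomain of it."""
    host = host.lower().rstrip(".")
    for ioc in IOCS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None

def scan_logs(lines: Iterable[str]) -> list:
    """Return (line_no, host, indicator) for every line touching a C2 domain."""
    hits = []
    for n, line in enumerate(lines, 1):
        for host in HOST_RE.findall(line):
            ioc = matches_ioc(host)
            if ioc:
                hits.append((n, host.lower(), ioc))
                break  # one report per line is enough
    return hits

# Constructed sample lines: a squid-style proxy entry, a DNS query log entry,
# and a benign line that must not match.
SAMPLE_LOGS = [
    "1718000000.123 10.0.0.7 TCP_TUNNEL/200 4321 CONNECT api.icedrive.net:443 - HIER_DIRECT/1.2.3.4 -",
    "2025-05-01T10:00:00Z dns query A app.koofr.net from 10.0.0.9",
    "2025-05-01T10:00:05Z GET https://www.example.org/index.html 10.0.0.9 200",
]

if __name__ == "__main__":
    for line_no, host, ioc in scan_logs(SAMPLE_LOGS):
        print(f"line {line_no}: {host} matches {ioc}")
```

Subdomain matching is deliberate: a hit on any host under the listed domains is worth triage, while unrelated hosts that merely end in the same characters (for example `notapi.icedrive.net`) are not matched.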

FAQs

What is APT28?

APT28, also known as Fancy Bear, Forest Blizzard, or UAC-0001, is a Russian military intelligence cyberespionage group linked to Unit 26165 of the GRU. Active since at least 2004, the group has targeted government, military, and civilian organizations primarily in the U.S., Europe, and countries opposing Russian interests.

Is Signal itself compromised?

No, Signal remains secure. The attackers are not exploiting any vulnerability in Signal but rather using it as a delivery mechanism for malicious documents, taking advantage of its widespread adoption and the trust users place in messages received through the platform.

What is COM hijacking?

COM (Component Object Model) hijacking is a Windows persistence technique where attackers modify registry entries to redirect legitimate Windows components to load malicious code instead. This allows malware to execute automatically when certain system processes run, making it difficult to detect and remove.
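Because the per-user hive (HKCU\Software\Classes\CLSID) is consulted before the machine-wide one, a defender can hunt for this technique by auditing InprocServer32 entries exported from the user hive. The following is an added example, not code from the article or from CERT-UA; the .reg export, the all-zero CLSID placeholder, and the DLL path are constructed (only the filename ctec.dll comes from the article), and the list of trusted directories is an assumption.

```python
"""Flag per-user COM InprocServer32 registrations in a .reg export (added example)."""
import re

# Only keys under a user hive are of interest: that is where a hijack shadows HKLM.
KEY_RE = re.compile(
    r"^\[(HKEY_CURRENT_USER|HKEY_USERS\\[^\\]+)\\Software\\Classes\\CLSID\\"
    r"(\{[0-9A-Fa-f-]+\})\\InprocServer32\]$"
)
DEFAULT_RE = re.compile(r'^@="(.*)"$')

# Directories a legitimate in-process COM server normally lives in (assumption).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def unescape_reg(value: str) -> str:
    """Undo .reg string escaping: \\\" becomes \" and \\\\ becomes \\."""
    return value.replace('\\"', '"').replace("\\\\", "\\")

def parse_reg_export(text: str) -> dict:
    """Map each per-user CLSID InprocServer32 key to its default value (the DLL path)."""
    servers, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            current = m.group(2) if m else None
        elif current:
            m = DEFAULT_RE.match(line)
            if m:
                servers[current] = unescape_reg(m.group(1))
    return servers

def audit(servers: dict) -> list:
    """Return (clsid, dll_path, reason) for every entry an analyst should review."""
    findings = []
    for clsid, path in servers.items():
        if not path.lower().startswith(TRUSTED_PREFIXES):
            findings.append((clsid, path, "DLL outside trusted system directories (high)"))
        else:
            findings.append((clsid, path, "per-user override of a CLSID (review)"))
    return findings

# Constructed export: a placeholder CLSID redirected to a DLL in a user-writable folder.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32]
@="C:\\Users\\victim\\AppData\\Local\\ctec.dll"
"ThreadingModel"="Apartment"
"""

if __name__ == "__main__":
    for clsid, path, reason in audit(parse_reg_export(SAMPLE_REG)):
        print(f"{clsid} -> {path}: {reason}")
```

Any per-user InprocServer32 entry is reported, since a hijack can also point at a copied DLL under a trusted directory; the path check only raises the priority.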