Security researchers have been tracking the reemergence of the Sednit APT group's advanced development team. Since April 2024, the Russian-linked threat actor has deployed a sophisticated dual-implant toolkit, BeardShell and Covenant, that leverages legitimate cloud services for resilient, long-term espionage, particularly against Ukrainian military targets.

The Sednit group is also known as APT28, Fancy Bear, or Forest Blizzard, and the Department of Justice has linked it to Russia’s GRU military intelligence (Unit 26165) and numerous high-profile intrusions, including the 2016 DNC breach. The group had scaled back its use of custom high-end malware since 2019, focusing instead on simpler phishing operations. However, new findings from ESET researchers confirm the group’s return to sophisticated tradecraft.

“Our account of modern Sednit activities begins with SlimAgent, an espionage implant discovered on a Ukrainian governmental machine by CERT-UA in April 2024. SlimAgent is a simple yet efficient spying tool capable of logging keystrokes, capturing screenshots, and collecting clipboard data,” the ESET analysis says.

“Interestingly, we identified in ESET telemetry previously unknown samples with code similar to SlimAgent, which were deployed as early as 2018 – six years before the Ukrainian case – against governmental entities in two European countries. These samples exhibit strong code-level similarities with SlimAgent, including an identical six-step data-collection loop, shown in Figure 2. Each step is implemented in a nearly identical manner, as illustrated in Figure 3 with the routine responsible for logging the foreground window’s executable; the only differences lie in the layout of the internal data structures.”

A Toolkit Built for Resilience

The modern Sednit arsenal is centered on two highly developed implants, deployed systematically in tandem to ensure persistent access:

  1. BeardShell: A custom-developed, sophisticated implant capable of executing PowerShell commands. Its key feature is the abuse of the legitimate cloud storage service Icedrive as its Command and Control (C&C) channel. This requires the developers to continuously adapt the implant to changes in Icedrive's private API, demonstrating significant ongoing development effort.
  2. Covenant: An extensively modified version of the open-source .NET post-exploitation framework. Sednit heavily reworked Covenant, replacing its original architecture with features adapted for long-term espionage, such as a deterministic machine-naming scheme. Crucially, Sednit added a new cloud-based network protocol, utilizing the Filen cloud provider in its latest variants (after experimenting with pCloud and Koofr).

This dual-implant strategy, with each tool leveraging a different cloud provider, allows operators to rapidly restore access if the infrastructure of one implant is compromised or taken down.
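The defensive corollary of the cloud-hosted C&C described above is that the implants' traffic blends into ordinary HTTPS to consumer storage providers, so the useful signal is which process is talking to them rather than the destination alone. The following is an added example, not code from the article or from ESET's report: it scans constructed host network-log lines and flags non-browser processes that reach any of the four providers the article names. The provider domains are assumptions about those services' public hostnames, the log format and every hostname in the sample are constructed, and the set of expected client processes is a placeholder you would replace with your own baseline.

```python
"""Flag non-browser processes contacting consumer cloud-storage providers.

Added example for illustration; not code from the ESET report or the article.
Domains below are assumed public hostnames of the providers the article names;
the log format and the sample lines are constructed for this example.
"""

from collections import defaultdict
from typing import Iterable, List, Optional, Tuple

# Assumed registered domains for the providers named in the article.
CLOUD_STORAGE_DOMAINS = {
    "icedrive.net": "Icedrive",
    "filen.io": "Filen",
    "pcloud.com": "pCloud",
    "koofr.eu": "Koofr",
}

# Placeholder baseline: processes you expect to reach such services on a managed host.
EXPECTED_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe"}


def provider_for(host: str) -> Optional[str]:
    """Map a hostname to a provider name if it is that provider's domain or a subdomain of it."""
    host = host.lower().rstrip(".")
    for domain, name in CLOUD_STORAGE_DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            return name
    return None


def parse_line(line: str) -> dict:
    """Constructed log format: whitespace-separated key=value pairs."""
    return dict(kv.split("=", 1) for kv in line.split() if "=" in kv)


def find_suspect_sessions(lines: Iterable[str]) -> List[Tuple[str, str, int]]:
    """Return (process, provider, connection_count) for processes outside the baseline
    that contacted a cloud-storage provider, sorted for stable reporting."""
    counts: dict = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        provider = provider_for(rec.get("host", ""))
        if provider is None:
            continue
        proc = rec.get("proc", "").lower()
        if proc in EXPECTED_CLIENTS:
            continue
        counts[(proc, provider)] += 1
    return sorted((proc, prov, n) for (proc, prov), n in counts.items())


# Constructed sample: one benign browser session, one unexpected PowerShell
# session to an Icedrive subdomain, one service host reaching Filen, and
# unrelated mail traffic that must not be flagged.
SAMPLE_LOG = [
    "ts=2024-05-02T08:01:11Z proc=chrome.exe host=www.icedrive.net dport=443",
    "ts=2024-05-02T08:03:40Z proc=powershell.exe host=api.icedrive.net dport=443",
    "ts=2024-05-02T08:18:02Z proc=powershell.exe host=api.icedrive.net dport=443",
    "ts=2024-05-02T08:20:55Z proc=svchost.exe host=gateway.filen.io dport=443",
    "ts=2024-05-02T08:22:10Z proc=outlook.exe host=outlook.office365.com dport=443",
]

if __name__ == "__main__":
    for proc, provider, n in find_suspect_sessions(SAMPLE_LOG):
        print(f"{proc} -> {provider}: {n} connection(s)")
```

Because the article notes that a compromised implant is restored through the other provider, a real deployment would alert on the pair of providers appearing from the same host as well as on each process individually; the aggregation here is deliberately per-process so the output is easy to read.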

Code Lineage Confirms Developer Continuity

Analysis of the new toolsets by ESET’s research team showed surprising code-level links to Sednit’s flagship implants from the 2010s, strongly suggesting continuity within the group's advanced development team:

  • SlimAgent and Xagent: The initial 2024 attack in Ukraine saw the deployment of SlimAgent, a keylogger. Researchers determined that SlimAgent is a direct evolution of the keylogging module of Xagent, Sednit's primary backdoor from 2012 to 2018. They share highly specific features, including a nearly identical data-collection loop and the use of the same distinct color scheme for generating espionage logs in HTML format.
  • BeardShell and Xtunnel: BeardShell contains a rare and mathematically distinctive code obfuscation technique known as an opaque predicate. Researchers found this identical obfuscation formula within Xtunnel, Sednit’s network-pivoting tool used between 2013 and 2016. The shared, unique code artifact links the new, sophisticated BeardShell directly to the group's legacy toolchain.

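The opaque-predicate link above is worth unpacking for analysts who have not met the technique. An opaque predicate is a branch condition whose value is fixed for every input (always true or always false) but that is hard for a disassembler or decompiler to recognise as constant, so one arm of the branch is dead code that still has to be analysed. The specific formula shared by BeardShell and Xtunnel is not given in the article, so the example below, which is added here and is not ESET's or the malware's code, uses two textbook predicates instead and shows the simplest check an analyst can apply: exhaustively evaluating the condition over a machine word to see whether it ever changes. The 8-bit word width is a constructed choice to keep the enumeration small.

```python
"""Opaque predicates and an exhaustive constancy check.

Added example for illustration; the predicates are textbook ones, not the
formula ESET found in BeardShell and Xtunnel (which the article does not give).
"""

from typing import Callable

WORD_BITS = 8  # constructed: 256 values is enough to show the method


def always_true(x: int) -> bool:
    """x*(x+1) is a product of consecutive integers, so it is always even."""
    return (x * (x + 1)) % 2 == 0


def never_true(x: int) -> bool:
    """A square is 0 or 1 mod 4, so it can never be 2 mod 4."""
    return (x * x) % 4 == 2


def genuine_check(x: int) -> bool:
    """A real, data-dependent condition for contrast."""
    return x > 100


def classify(pred: Callable[[int], bool], bits: int = WORD_BITS) -> str:
    """Evaluate pred on every unsigned value of the given width and report
    whether it is constant. A constant result over the whole domain is the
    hallmark of an opaque predicate; 'data-dependent' means a real branch."""
    seen = {pred(x) for x in range(1 << bits)}
    if seen == {True}:
        return "always-true"
    if seen == {False}:
        return "always-false"
    return "data-dependent"


def obfuscated_branch(x: int) -> str:
    """Shows the effect on control flow: the second arm is unreachable, yet
    static analysis that follows both edges must still disassemble it."""
    if always_true(x):
        return "real-path"
    return "dead-path"  # never executes for any x


if __name__ == "__main__":
    for name, pred in [("x*(x+1)%2==0", always_true),
                       ("x*x%4==2", never_true),
                       ("x>100", genuine_check)]:
        print(f"{name}: {classify(pred)}")
```

Exhaustive evaluation only scales to small operand widths; for 32- or 64-bit predicates an analyst would hand the same condition to a solver, but the classification it returns, constant or data-dependent, is the same question asked here.
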
The combination of advanced, custom development (BeardShell) and deep adaptation of an open-source tool (Covenant), all linked to legacy code, shows that Sednit's high-end development capabilities have not diminished. This reemergence suggests either a shift in operational focus, potentially reactivated following geopolitical events in Ukraine, or a previously concealed advanced operation that has now become visible.

Researchers and law enforcement agencies have been tracking Sednit operators for many years, and in 2018 the Justice Department indicted more than a dozen Russian nationals who are allegedly part of the GRU Sednit team.