UAC-0001 (APT28) Cyberattacks Against Government Agencies Using BEARDSHELL and COVENANT
Summary:
Between March 2024 and May 2025, Ukrainian cybersecurity authorities investigated a campaign attributed to UAC-0001 (APT28) that targeted government entities. The attackers deployed two custom malware tools, BEARDSHELL and SLIMAGENT, alongside components of the COVENANT C2 framework.
Initial access came from a malicious Microsoft Word document (Act.doc) delivered over Signal. Its macro dropped a DLL loader, registered it for persistence through COM hijacking, and staged additional payloads. For command and control and data exfiltration the campaign relied on legitimate cloud storage APIs, Icedrive and Koofr, so that malicious traffic blended with ordinary HTTPS to trusted services and evaded detection.
Security Officer Comments:
This campaign confirms that APT28 continues to refine its tradecraft, combining a public C2 framework (COVENANT), custom malware, and trusted cloud services to gain and keep quiet control of compromised systems while stealing data.
A primary concern is the use of Signal, an end-to-end encrypted messaging application, to deliver the malicious document: the file never passes through the email gateway or network inspection points where such attachments are normally caught, leaving endpoint controls as the only line of defense. Delivering a lure through a private messaging channel also implies substantial prior reconnaissance of the target, or possibly insider assistance.
Suggested Corrections:
- Macro Hardening
Disable macros from untrusted sources by default, and use Office Group Policy to enforce macro restrictions so that users cannot re-enable them from the document itself.
- COM Hijacking Detection
Regularly audit and monitor InProcServer32 registry keys, especially per-user entries under HKCU\Software\Classes\CLSID, which take precedence over the machine-wide HKLM entries for the same CLSID. Flag newly created or recently modified keys and any DLL path outside standard system and program directories.
- Cloud API Monitoring
Inspect network traffic for connections to api.icedrive.net and app.koofr.net. On endpoints with no business need for these services, any contact is suspicious; elsewhere, alert on anomalous transfer volumes or polling patterns involving them.
- Email and Messaging Control
Restrict or monitor the use of encrypted messaging apps, such as Signal, on official endpoints, and use DLP solutions to inspect file metadata and endpoint behavior, since the message content itself cannot be inspected in transit.
- Host-Based Protections
Ensure EDR solutions detect COM-based persistence, and block execution of unsigned DLLs from temporary directories or user profile locations (for example with AppLocker or WDAC DLL rules).
- Incident Response Readiness
Maintain, and routinely test, response playbooks that cover detection and removal of memory-resident malware. Share discovered indicators (file hashes, paths, registry keys, and C2 domains) with SIEM and threat intelligence platforms.
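The COM Hijacking Detection item above can be turned into a host audit. The following PowerShell script is an added example, not tooling from the report or from CERT-UA: it walks the per-user CLSID hive, resolves each InProcServer32 DLL, and flags entries whose DLL sits under a user-writable path, whose CLSID shadows a machine-wide registration, or whose DLL is unsigned or missing from disk. The path substrings and the "missing DLL" heuristic are assumptions chosen for the example, not indicators from the report.

```powershell
# Added example (not from the UAC-0001 report): audit per-user COM registrations
# for the InProcServer32 hijack pattern. A hijack typically registers a CLSID under
# HKCU\Software\Classes\CLSID, which wins over the HKLM entry of the same CLSID,
# and points it at a DLL in a user-writable location.
function Get-SuspiciousComServer {
    [CmdletBinding()]
    param(
        # Substrings a legitimate InProcServer32 DLL path should rarely contain (assumed list).
        [string[]]$UserWritablePatterns = @('\Users\', '\ProgramData\', '\Temp\', '\AppData\')
    )
    $hkcu = 'HKCU:\Software\Classes\CLSID'
    $hklm = 'HKLM:\Software\Classes\CLSID'
    if (-not (Test-Path $hkcu)) { return }

    Get-ChildItem -Path $hkcu -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid  = $_.PSChildName
        $server = Join-Path $_.PSPath 'InProcServer32'
        if (-not (Test-Path $server)) { return }   # 'return' moves on to the next CLSID

        # The DLL path is the key's default value; expand %VARS% and strip quotes.
        $raw = (Get-ItemProperty -Path $server -ErrorAction SilentlyContinue).'(default)'
        if ([string]::IsNullOrWhiteSpace($raw)) { return }
        $dll = [Environment]::ExpandEnvironmentVariables($raw.Trim('"'))

        $reasons = [System.Collections.Generic.List[string]]::new()
        foreach ($p in $UserWritablePatterns) {
            if ($dll -like "*$p*") { $reasons.Add("DLL under user-writable path ($p)") }
        }
        # A per-user entry that shadows a machine-wide CLSID is the classic hijack shape.
        if (Test-Path "$hklm\$clsid") { $reasons.Add('HKCU entry shadows an HKLM CLSID') }

        $sig = 'FileMissing'
        if (Test-Path -LiteralPath $dll) {
            $sig = (Get-AuthenticodeSignature -FilePath $dll).Status.ToString()
            if ($sig -ne 'Valid') { $reasons.Add("Authenticode status: $sig") }
        } else {
            $reasons.Add('DLL not present on disk (phantom or cleaned-up server)')
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                CLSID     = $clsid
                DllPath   = $dll
                Signature = $sig
                Reasons   = ($reasons -join '; ')
            }
        }
    }
}

# HKCU is the hive of the user running the script; for a full host audit run it
# in each user's context or repeat the walk over the hives loaded under HKEY_USERS.
Get-SuspiciousComServer | Sort-Object CLSID | Format-Table -AutoSize -Wrap
```

Per-user installers (OneDrive, Teams and similar) legitimately register signed DLLs under AppData, so an entry that matches only the path heuristic and carries a valid signature is usually benign; the combination of an HKLM shadow with an unsigned or missing DLL is what deserves immediate triage. Treat the key's existence in a baseline export as the reference and diff against it on a schedule rather than reviewing the full list by hand each time.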
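For the Cloud API Monitoring item, the following PowerShell script is an added example rather than a rule from the report: it reduces a proxy or firewall log export to connections with the two cloud-storage API hosts named above, aggregates per source host, and escalates sources whose outbound volume looks like bulk upload rather than C2 polling. The log layout (space-separated timestamp, source IP, destination host, method, bytes out), the 5 MB threshold and the sample lines are all constructed for the example.

```powershell
# Added example (not from the UAC-0001 report): flag endpoints talking to the
# cloud-storage API hosts the campaign used, and rank them by upload volume.
# Assumed log layout: timestamp src_ip dest_host method bytes_out (space separated).
$WatchedHosts = @('api.icedrive.net', 'app.koofr.net')

function Get-CloudApiAlert {
    param(
        [Parameter(Mandatory)][string[]]$LogLines,
        [string[]]$Hosts = $WatchedHosts,
        # Upload volume per source/host pair above which the finding is escalated (assumed value).
        [long]$BytesOutThreshold = 5MB
    )
    $hits = foreach ($line in $LogLines) {
        $f = $line -split '\s+'
        if ($f.Count -lt 5) { continue }             # malformed line, skip it
        $dest = $f[2].ToLowerInvariant()
        if ($Hosts -notcontains $dest) { continue }  # only the watched API hosts
        [pscustomobject]@{
            Time     = $f[0]
            Source   = $f[1]
            Dest     = $dest
            Method   = $f[3]
            BytesOut = [long]$f[4]
        }
    }
    # Any contact at all is a finding on hosts with no business need for these
    # services; request count and bytes out separate periodic polling from exfiltration.
    $hits | Group-Object Source, Dest | ForEach-Object {
        $total = ($_.Group | Measure-Object -Property BytesOut -Sum).Sum
        $severity = if ($total -gt $BytesOutThreshold) { 'High (bulk upload)' } else { 'Medium (contact only)' }
        [pscustomobject]@{
            Source   = $_.Group[0].Source
            Dest     = $_.Group[0].Dest
            Requests = $_.Count
            BytesOut = [long]$total
            Severity = $severity
        }
    }
}

# Constructed sample lines: one host uploading ~8 MB to Icedrive in two POSTs,
# two hosts making small Koofr requests, one unrelated connection.
$sampleLog = @(
    '2025-05-12T09:14:03Z 10.20.1.15 api.icedrive.net POST 4210000',
    '2025-05-12T09:14:09Z 10.20.1.15 api.icedrive.net POST 3870000',
    '2025-05-12T09:15:00Z 10.20.1.15 app.koofr.net    GET  512',
    '2025-05-12T09:15:30Z 10.20.1.42 www.example.gov.ua GET 1800',
    '2025-05-12T09:16:12Z 10.20.1.77 app.koofr.net    GET  640'
)
Get-CloudApiAlert -LogLines $sampleLog | Format-Table -AutoSize
```

On the sample data 10.20.1.15 is escalated to High for its Icedrive uploads while its Koofr contact and the 10.20.1.77 request are reported as Medium; the unrelated host never appears. Because both services are legitimate, the destination host or TLS SNI is usually all a proxy sees, so the decision to alert should rest on whether that endpoint has any approved use for the service, with volume only adjusting severity. Blocking the domains outright should be weighed against legitimate users of the same services.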