Current Cyber Threats

APT28 Operation Phantom Net Voxel

Summary:
Sekoia.io’s research team has been closely monitoring APT28, a Russian state-backed threat actor linked to the GRU, throughout 2025. In early 2025, they received two previously unseen malware samples from a trusted partner that CERT-UA later confirmed to be tied to the BeardShell backdoor and the Covenant framework. Their investigation uncovered additional weaponized Office documents and infection techniques not yet publicly reported. APT28, also tracked as Sofacy, Fancy Bear, BlueDelta and Forest Blizzard among other aliases, has remained highly active against diplomatic and military entities, with recent activity also noted in Central Asia, notably Tajikistan.

The infection chain typically begins with spearphishing via malicious Office documents sent over private Signal chats, using urgency and authority themes as lures. Embedded macros drop a DLL that extracts its shellcode from a PNG image and ultimately launches Covenant’s GruntHTTPStager, which communicates with its operators through Koofr cloud storage. From there, additional modules such as BeardShell are retrieved; BeardShell polls icedrive cloud storage for command-and-control and executes the retrieved tasks via PowerShell. The malicious documents consistently mimic Ukrainian military administrative paperwork, suggesting targeting of frontline soldiers, logistics personnel, or military HR to gather intelligence on attrition, readiness, and equipment flows.


Security Officer Comments:
Technical analysis revealed the use of COM hijacking for persistence, DLL proxying (the malicious DLL forwards the exports of the legitimate library it replaces, so the host application keeps working while the implant runs), and steganography to embed shellcode inside image files. Covenant was customized with Koofr API integrations to handle reconnaissance and payload delivery, while BeardShell used icedrive to poll for commands and execute them covertly. An additional implant, SlimAgent, found on the same servers, included keylogging and screenshot capabilities, though its exact link to the chain remains unconfirmed.


Suggested Corrections:
  • Disable and restrict macros: Block Office macros from running in documents received externally and enforce group policies that prevent VBA execution from untrusted sources.
  • Detect persistence techniques: Continuously monitor for COM hijacking, in particular new InprocServer32 or LocalServer32 values under HKCU\Software\Classes\CLSID that point to DLLs in user-writable directories, and for other unusual registry changes.
  • Control cloud service usage: Apply strict policies for third-party cloud storage and use CASB/DLP tools to detect or block abnormal file transfers.
  • Strengthen endpoint defenses: Leverage EDR/XDR solutions to identify behaviors such as DLL proxying (a DLL that forwards exports to a same-named legitimate library), image files that are read by a newly loaded DLL, and unauthorized code execution from user directories.
  • Enhance user awareness: Train staff to recognize spearphishing attempts that exploit urgency or authority, and encourage prompt reporting of suspicious documents or messages.
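
As an added example of the COM hijacking detection suggested above (this is not code from Sekoia or from the report), the following triages Sysmon Event ID 13 (RegistryEvent, SetValue) records. The check rests on how COM resolution works: a CLSID registered under HKCU\Software\Classes\CLSID is consulted before the machine-wide HKLM entry, so a per-user InprocServer32 value that points at a DLL in a user-writable directory and shadows a CLSID the machine already serves is the classic hijack shape. The events, SIDs, CLSIDs and paths are constructed for the example; `HKLM_CLSIDS` is a stand-in for a real snapshot of HKLM\Software\Classes\CLSID that a production job would pull from host inventory.

```python
"""
Added example (not from the Sekoia report): flag user-level COM hijacking in
Sysmon Event ID 13 records. Field names follow Sysmon's schema; the events,
CLSIDs and paths are constructed for this example.
"""
import re

# Sysmon reports HKCU as HKU\<user SID>\... and a key's default value as "\(Default)".
COM_SERVER_KEY = re.compile(
    r"^HKU\\S-1-5-21-[\d-]+\\Software\\Classes\\CLSID\\"
    r"(\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})\\"
    r"(InprocServer32|LocalServer32)\\\(Default\)$"
)

# Locations an unprivileged user can write to; a COM server DLL loaded from
# here is attacker-controllable without admin rights.
USER_WRITABLE = re.compile(r"^[A-Za-z]:\\(?:Users\\[^\\]+\\|ProgramData\\|Windows\\Temp\\)")

# Constructed stand-in for the CLSIDs served machine-wide under HKLM.
HKLM_CLSIDS = {
    "{1A2B3C4D-0000-4000-8000-000000000001}",
    "{1A2B3C4D-0000-4000-8000-000000000002}",
}


def triage_com_registration(event, hklm_clsids=HKLM_CLSIDS):
    """Return a finding for a suspicious per-user COM server write, else None."""
    m = COM_SERVER_KEY.match(event["TargetObject"])
    if not m:
        return None
    clsid, server_kind = m.group(1), m.group(2)
    dll_path = event["Details"].strip('"')
    shadows_hklm = clsid.upper() in {c.upper() for c in hklm_clsids}
    in_user_dir = bool(USER_WRITABLE.match(dll_path))
    if shadows_hklm and in_user_dir:
        severity = "high"    # overrides a machine-wide class with a user-controlled DLL
    elif shadows_hklm:
        severity = "medium"  # shadowing alone still deserves a look
    elif in_user_dir:
        severity = "low"     # per-user software commonly registers its own CLSIDs here
    else:
        return None
    return {"severity": severity, "clsid": clsid, "server": server_kind,
            "path": dll_path, "writer": event["Image"], "shadows_hklm": shadows_hklm}


def triage_events(events, hklm_clsids=HKLM_CLSIDS):
    """Triage a batch of events and return findings ordered by severity."""
    order = ("high", "medium", "low")
    findings = [f for f in (triage_com_registration(e, hklm_clsids) for e in events) if f]
    return sorted(findings, key=lambda f: order.index(f["severity"]))


# Constructed Sysmon Event ID 13 records (SID, CLSIDs, paths all made up).
SAMPLE_EVENTS = [
    {   # DLL in AppData registered over a CLSID that HKLM already serves
        "EventType": "SetValue",
        "Image": "C:\\Windows\\System32\\rundll32.exe",
        "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Classes\\CLSID\\"
                        "{1A2B3C4D-0000-4000-8000-000000000001}\\InprocServer32\\(Default)",
        "Details": "C:\\Users\\alice\\AppData\\Roaming\\Adobe\\libwinhttp.dll",
    },
    {   # per-user application registering its own CLSID: noisy, not a hijack
        "EventType": "SetValue",
        "Image": "C:\\Users\\alice\\AppData\\Local\\Vendor\\Updater.exe",
        "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Classes\\CLSID\\"
                        "{DEADBEEF-0000-4000-8000-0000000000FF}\\InprocServer32\\(Default)",
        "Details": "C:\\Users\\alice\\AppData\\Local\\Vendor\\shell.dll",
    },
    {   # unrelated registry write, ignored by this check
        "EventType": "SetValue",
        "Image": "C:\\Windows\\explorer.exe",
        "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\"
                        "CurrentVersion\\Explorer\\Advanced\\Hidden",
        "Details": "DWORD (0x00000001)",
    },
]

if __name__ == "__main__":
    for f in triage_events(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['clsid']} {f['server']} -> {f['path']} (by {f['writer']})")
```

The "high" tier is the one to alert on; the "low" tier is better suited to a baseline of which per-user applications legitimately register COM servers, so that a new CLSID appearing there stands out without paging anyone.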

Link(s):
https://blog.sekoia.io/apt28-operation-phantom-net-voxel/