
The russian state-sponsored hacking group tracked as UAC-0001 (aka APT28) is back in the cybersecurity spotlight. Over a year ago, in the spring of 2024, the CERT-UA team investigated an incident targeting state executive bodies and identified a Windows-based server hosting malicious tools. In May 2025, ESET shared timely intelligence indicating unauthorized access to an email account in the gov.ua domain, evidence of ongoing malicious activity targeting Ukrainian state bodies. The digital forensic investigation uncovered two malicious tools used by the adversaries: a component of the COVENANT framework and the BEARDSHELL backdoor.
Detect UAC-0001 (APT28) Activity Based on the Latest CERT-UA Alert
russia-linked hacking groups continue to pose significant challenges to defenders, constantly evolving their TTPs and improving their ability to evade detection. Since the onset of the full-scale war in Ukraine, russia's nation-backed APT groups have become increasingly active, leveraging the conflict as a proving ground for novel attack methods.
CERT-UA warns defenders of an ongoing wave of attacks attributed to the GRU-backed UAC-0001 (aka APT28) hacking group leveraging COVENANT and BEARDSHELL malware, with the public sector being the primary target. Rely on SOC Prime Platform for collective cyber defense to reach a comprehensive collection of context-enriched detection content that helps Ukrainian and allied organizations identify intrusions in a timely manner and outscale the cyber threats covered in the corresponding CERT-UA alert. Click Explore Detections below to instantly drill down to the dedicated set of Sigma rules enriched with real-time threat intelligence, mapped to MITRE ATT&CK®, and compatible with dozens of SIEM, EDR, and Data Lake technologies.
Security engineers can also explore SOC Prime’s Detection-as-Code library by searching for the tags “UAC-0001” and “APT28” to quickly identify relevant content and detect adversary activity in a timely manner.
Teams can also take advantage of Uncoder AI, which acts as an AI co-pilot, supporting detection engineers end-to-end while streamlining workflows and enhancing coverage. Uncoder AI enables automated conversion of IOCs from the relevant CERT-UA research into custom hunting queries that are ready to run in the selected SIEM or EDR instance to instantly search for UAC-0001 attacks.
For customers leveraging Microsoft Defender for Endpoint, SOC Prime curates an exclusive offer to enable automated threat hunting for APT28 and 48 more russian nation-state actors. Rely on Bear Fence, a plug-and-play, always-on service fully integrated with your MDE. Automatically hunt for Fancy Bear and its siblings through an exclusive Attack Detective scenario using 242 hand-picked behavior rules, over 1 million IOCs, and a dynamic AI-driven TTP feed.
UAC-0001 (APT28) Latest Campaign Analysis
On June 21, 2025, CERT-UA researchers issued a new alert notifying defenders of the ongoing malicious activity orchestrated by the notorious russia-backed state-sponsored group tracked as APT28, which is affiliated with Unit 26165 of russia’s military intelligence agency (GRU).
APT28 threat actors, also known by aliases such as Fighting Ursa, Fancy Bear, Forest Blizzard, STRONTIUM, Pawn Storm, or UAC-0001, have consistently targeted the Ukrainian public sector, frequently using phishing and exploitation of software vulnerabilities as attack vectors. For instance, throughout April 2023, UAC-0001 carried out a large-scale phishing campaign, distributing spoofed emails targeting multiple Ukrainian government agencies.
In April 2024, the group was observed testing a new custom tool, GooseEgg, to exploit the critical CVE-2022-38028 vulnerability in the Windows Print Spooler, with attacks expanding beyond Ukraine to target organizations across Western Europe and North America. Later, in October 2024, attackers leveraged a PowerShell command hidden in the clipboard as an initial access technique, enabling them to carry out further malicious actions such as data exfiltration and deploying METASPLOIT.
In late May 2025, international cybersecurity authorities released CISA Alert AA25-141A, detailing a cyber-espionage campaign conducted by APT28. The two-year-long campaign specifically targeted technology and logistics companies, with a focus on those supporting the delivery and coordination of foreign aid to Ukraine.
The latest campaign tracked by CERT-UA dates back to March–April 2024, when incident response efforts within the information and communication system of a central executive authority led to the discovery of a Windows-based server containing multiple malicious tools. One of the malware samples was BEARDSHELL, a C++-developed backdoor capable of downloading, decrypting, and executing PowerShell scripts, with the results exfiltrated via the Icedrive API. During the BEARDSHELL infection process, each compromised host creates a unique directory whose name is a hash64_fnv1a hash of the computer name and the hardware profile GUID.
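As an added illustration, not code from CERT-UA, SOC Prime or the malware itself: a Python implementation of the 64-bit FNV-1a hash from which the BEARDSHELL directory name is derived, used to generate candidate directory names for a known host so they can be searched for in a directory listing or in EDR file telemetry. The page does not say how the computer name and hardware profile GUID are joined or encoded before hashing, so the generator covers several plausible variants (narrow and UTF-16LE bytes, with and without braces or a separator); those variants, the sample host identifiers and the directory listing are assumptions, and a hit on any candidate would still need to be confirmed on the host.

```python
# Added example, not code from CERT-UA, SOC Prime or the malware: 64-bit FNV-1a and
# candidate BEARDSHELL per-host directory names for hunting.
# The page states only that the name is a hash64_fnv1a of the computer name and the
# hardware profile GUID; how they are joined and encoded is assumed below.

FNV64_OFFSET_BASIS = 0xCBF29CE484222325
FNV64_PRIME = 0x100000001B3
MASK64 = (1 << 64) - 1


def fnv1a_64(data: bytes) -> int:
    """Standard 64-bit FNV-1a: XOR each byte into the state, then multiply by the prime."""
    h = FNV64_OFFSET_BASIS
    for byte in data:
        h ^= byte
        h = (h * FNV64_PRIME) & MASK64
    return h


def candidate_dir_names(computer_name: str, hw_profile_guid: str) -> dict:
    """Map a label describing the join/encoding assumption to a 16-hex-digit name.

    computer_name   - as returned by GetComputerNameW, e.g. "WS-ACCOUNTING-07"
    hw_profile_guid - HwProfileGuid as returned by GetCurrentHwProfileW, braces included
    Every variant here is an assumption; the real BEARDSHELL rule is not on the page.
    """
    bare_guid = hw_profile_guid.strip("{}")
    joins = {
        "name+guid": computer_name + hw_profile_guid,
        "name+bareguid": computer_name + bare_guid,
        "name|guid": computer_name + "|" + hw_profile_guid,  # arbitrary separator guess
    }
    # Narrow (ANSI) vs wide-char (UTF-16LE) Win32 APIs yield different byte streams.
    encodings = {"narrow": "utf-8", "utf16le": "utf-16-le"}
    names = {}
    for join_label, text in joins.items():
        for enc_label, codec in encodings.items():
            names[f"{join_label}/{enc_label}"] = f"{fnv1a_64(text.encode(codec)):016x}"
    return names


def hunt_directory_listing(dir_names, candidates) -> list:
    """Return [(directory, assumption_label)] for listing entries equal to a candidate.
    Comparison is case-insensitive because NTFS is case-insensitive by default."""
    lookup = {name.lower(): label for label, name in candidates.items()}
    hits = []
    for entry in dir_names:
        label = lookup.get(entry.lower())
        if label is not None:
            hits.append((entry, label))
    return hits


if __name__ == "__main__":
    # Constructed host identifiers and listing (not from a real incident).
    candidates = candidate_dir_names("WS-ACCOUNTING-07",
                                     "{12345678-1234-1234-1234-123456789abc}")
    listing = ["Temp", "Cache", candidates["name+bareguid/utf16le"]]
    for name, label in hunt_directory_listing(listing, candidates):
        print(f"possible BEARDSHELL directory {name} (matched assumption {label})")
```

The two standard FNV test vectors (the empty string hashes to the offset basis, and "a" hashes to 0xaf63dc4c8601ec8c) are a quick way to check that a reimplementation is the 1a variant rather than FNV-1, where the multiply precedes the XOR; hunting on the generated names only makes sense once that check passes.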
Another malware observed in the ongoing attack by APT28 targeting state bodies was SLIMAGENT, also a C++ program, designed to capture and encrypt screenshots (AES+RSA) and store them locally in the format %TEMP%\Desktop_%d-%m-%Y_%H-%M-%S.svc.
At the time of analysis, the initial infection vector and delivery method of these tools remained unknown. The discovered files were submitted to trusted cybersecurity vendors and threat researchers for further study.
In May 2025, CERT-UA received actionable intelligence from ESET indicating unauthorized access to an email account within the gov.ua domain. In response, CERT-UA, in coordination with the Cybersecurity Center of Military Unit A0334, initiated further incident response measures. As a result of the investigation, defenders revealed the presence of COVENANT framework components and the BEARDSHELL backdoor.
The initial infection stemmed from a malicious document titled “Акт.doc”, delivered via Signal messenger. The attacker, seemingly well-informed about the target, embedded a macro within the document.
Upon activation, the macro created two files and added a registry key for COM hijacking, so that explorer.exe loads ctec.dll on its next launch. The role of ctec.dll is to decrypt and execute shellcode from windows.png, leading to the in-memory execution of the COVENANT component ksmqsyck.dx4.exe, which uses the Koofr API as its C2 channel.
COVENANT was further used to deploy two files, %LOCALAPPDATA%\Packages\PlaySndSrv.dll and %USERPROFILE%\Music\Samples\sample-03.wav. The DLL reads shellcode from the .wav file, resulting in the launch of the BEARDSHELL malware. Its persistence is ensured via another COM hijacking registry key, which is triggered by a scheduled task.
The key factors contributing to the attack's success include the exploitation of macro-enabled documents, the use of Signal messenger for payload delivery, bypassing host-based protections, and the abuse of legitimate cloud storage services (Koofr, Icedrive) as C2 channels.
As potential UAC-0001 (APT28) attack mitigation measures, it is recommended to audit, monitor, and restrict macro execution to prevent initial compromise via malicious documents. Additionally, organizations should analyze and limit network traffic to trusted services that may be abused for C2 communication, specifically app.koofr.net and api.icedrive.net.
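As an added example (not SOC Prime's Sigma content and not CERT-UA's code), the Python below turns two observables from the chain described above into detection logic and runs it over constructed Sysmon-style telemetry: a per-user CLSID\...\InprocServer32 value written by an Office process or pointing at a DLL in a user-writable directory (the COM hijacking step), and a non-browser process connecting to app.koofr.net or api.icedrive.net (the services abused for C2). The user name, SID, CLSIDs, file locations and the browser allowlist are assumptions made for the sample data.

```python
# Added example, not SOC Prime's Sigma content and not CERT-UA's code: detection logic
# for the COM hijacking step and the abused cloud-storage C2 channels, run over
# constructed Sysmon-style events (Event ID 13 = RegistryEvent Value Set,
# Event ID 3 = Network connection). User, SID, CLSIDs and paths are placeholders.
import re

SAMPLE_REGISTRY_EVENTS = [
    {"EventID": 13, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\CLSID"
                     r"\{11111111-2222-3333-4444-555555555555}\InprocServer32\(Default)",
     "Details": r"C:\Users\alice\AppData\Local\Microsoft\ctec.dll"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\CLSID"
                     r"\{66666666-7777-8888-9999-000000000000}\InprocServer32\(Default)",
     "Details": r"C:\Users\alice\AppData\Local\Packages\PlaySndSrv.dll"},
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",   # benign machine-wide install
     "TargetObject": r"HKLM\SOFTWARE\Classes\CLSID"
                     r"\{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}\InprocServer32\(Default)",
     "Details": r"C:\Program Files\Vendor\vendor.dll"},
]
SAMPLE_NETWORK_EVENTS = [
    {"EventID": 3, "Image": r"C:\Windows\explorer.exe",
     "DestinationHostname": "app.koofr.net", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "api.icedrive.net", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "DestinationHostname": "api.icedrive.net", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationHostname": "update.microsoft.com", "DestinationPort": 443},
]

# Sysmon writes HKCU keys as HKU\<SID>\...; accept both spellings. Per-user CLSID
# registrations are resolved before HKLM ones, which is what COM hijacking relies on.
COM_INPROC_KEY = re.compile(
    r"^HK(?:CU|U\\S-1-5-21-[\d-]+)\\Software\\Classes\\CLSID\\\{[0-9A-Fa-f-]{36}\}\\InprocServer32",
    re.IGNORECASE)
USER_WRITABLE_PATH = re.compile(
    r"\\Users\\[^\\]+\\(?:AppData|Music|Documents|Downloads|Desktop|Pictures)\\|\\Temp\\",
    re.IGNORECASE)
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Services named on the page as abused for C2. Which processes may legitimately reach
# them is an assumption each team has to tune (browsers here; add the vendor clients).
C2_ABUSED_SERVICES = {"app.koofr.net", "api.icedrive.net"}
ALLOWED_CLOUD_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe"}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect_com_hijack(events) -> list:
    """Flag per-user InprocServer32 writes that look like T1546.015 rather than an install."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 13 or not COM_INPROC_KEY.match(ev.get("TargetObject", "")):
            continue
        reasons = []
        if _basename(ev["Image"]) in OFFICE_IMAGES:
            reasons.append("per-user COM server registered by an Office process (macro)")
        if USER_WRITABLE_PATH.search(ev.get("Details", "")):
            reasons.append("COM server DLL lives in a user-writable directory")
        if reasons:
            findings.append({"technique": "T1546.015", "image": ev["Image"],
                             "key": ev["TargetObject"], "dll": ev["Details"], "reasons": reasons})
    return findings


def detect_abused_cloud_c2(events) -> list:
    """Flag non-allowlisted processes reaching the storage APIs used as C2 (T1071.001)."""
    findings = []
    for ev in events:
        host = ev.get("DestinationHostname", "").lower()
        if (ev.get("EventID") == 3 and host in C2_ABUSED_SERVICES
                and _basename(ev["Image"]) not in ALLOWED_CLOUD_CLIENTS):
            findings.append({"technique": "T1071.001", "image": ev["Image"], "host": host,
                             "reason": "non-browser process contacted a cloud storage API abused for C2"})
    return findings


def analyze(registry_events, network_events) -> list:
    return detect_com_hijack(registry_events) + detect_abused_cloud_c2(network_events)


if __name__ == "__main__":
    for f in analyze(SAMPLE_REGISTRY_EVENTS, SAMPLE_NETWORK_EVENTS):
        print(f["technique"], f["image"], f.get("reasons") or f["reason"])
```

The COM check deliberately ignores HKLM, where installers legitimately register servers, and only fires on per-user keys when the writer or the DLL location is suspicious; on a real estate it still needs tuning for per-user application installers, which is why the finding carries the reasons rather than a bare match. The network check is only as good as the allowlist, so pair it with the proxy or firewall restriction the alert recommends rather than relying on detection alone.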
As attacks attributed to the russia-linked UAC-0001 (APT28) group continue to target Ukrainian government entities and extend their reach beyond Ukraine, security teams are striving to elevate their defenses across a broader operational landscape. SOC Prime curates a complete product suite backed by AI, automation, and actionable threat intelligence to equip security teams with cutting-edge technologies for proactive cyber defense.
MITRE ATT&CK Context
Using the MITRE ATT&CK framework offers detailed insight into the latest UAC-0001 (APT28) campaign, which targets Ukrainian government entities with COVENANT and BEARDSHELL malware. The table below outlines all relevant Sigma rules mapped to the associated ATT&CK tactics, techniques, and sub-techniques.
Tactics | Techniques | Sigma Rule
Initial Access | Spearphishing Attachment (T1566.001) |
Execution | Scheduled Task (T1053.005) |
Execution | Service Execution (T1569.002) |
Execution | Visual Basic (T1059.005) |
Defense Evasion | Hide Artifacts (T1564) |
Persistence | Scheduled Task (T1053.005) |
Persistence | Component Object Model Hijacking (T1546.015) |
Collection | Archive Collected Data (T1560) |
Impact | Service Stop (T1489) |
Command and Control | Web Protocols (T1071.001) |
The post UAC-0001 (APT28) Activity Detection: The russian State-Sponsored Group Targets Government Agencies Using BEARDSHELL and COVENANT Malware appeared first on SOC Prime.