2025-09-25

Weaponized Documents and Cloud C2 underpin APT28’s Active 2025 Campaign

Level: Tactical | Source: Sekoia | Defense


A Sekoia analysis details a 2025 spear-phishing campaign attributed to the Russian state-sponsored APT28 (aka BlueDelta, Fancy Bear, Forest Blizzard) that aligns with CERT-UA’s reporting on BeardShell and Covenant activity. The operation’s victimology centers on Ukrainian military personnel, with lures themed around unit administration, compensation, medical claims, logistics, and personnel actions. Sekoia notes the lures are delivered over Signal by an impersonated sender who, “posing as a colleague or superior, urges the recipient to open and complete the malicious Office document. By invoking compensation decisions and threatening legal action, the sender creates a false sense of urgency, manipulating the target with references to penalties and prompts to liaise with higher-level management for further details.” The document set includes completed and test-stage files; Sekoia’s review “reveals a consistent focus on Ukrainian military administrative procedures.” Taken together, the lure themes, delivery channel, and tooling (Covenant and BeardShell) point to an espionage and access-development effort against frontline and headquarters workflows rather than indiscriminate mass phishing, according to Sekoia.

Sekoia’s reconstruction of the intrusion chain begins with a malicious Visual Basic macro embedded in the Word lure that performs multiple staging and persistence steps. The macro drops “C:\ProgramData\prnfldr.dll” and “%LOCALAPPDATA%\windows.png,” then checks that either “%ALLUSERSPROFILE%\prnfldr.dll” or “%LOCALAPPDATA%\windows.png” is present before proceeding. It establishes persistence with “reg.exe” by registering the malicious DLL as the COM InProcServer32 for CLSID {2227A280-3AEA-1069-A2DE-08002B30309D}, and triggers installation via “regsvr32.exe /n /i "C:\ProgramData\prnfldr.dll".” As Sekoia’s analysis explains, “Thereafter, at each user logon, explorer.exe automatically loads this server into its process space, causing the DLL’s DllMain entry point to execute on every sign-in.” The DLL, a proxy loader, extracts shellcode from “windows.png” via LSB steganography, initializes the CLR, and reflectively loads a .NET Covenant Grunt stager that connects to Koofr’s API, using a custom C2Bridge to poll for and exchange tasking.
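The three host artifacts in that chain (a regsvr32 install of a DLL from a user-writable directory, a CLSID InProcServer32 value pointing at that DLL, and explorer.exe loading it) are each detectable on their own and much stronger when they line up on the same file. The following detection logic is an added example written for this summary, not code from Sekoia or from the campaign. It runs three rules over constructed Sysmon-style records (event IDs 1, 7 and 13; the HKU hive path, parent process and the benign noise lines are assumptions made for the sample) and then correlates hits by DLL path:

```python
import re

# Constructed Sysmon-style events (EventID 1 = process create, 7 = image load,
# 13 = registry value set). Sample records written for this example, not real
# telemetry; the CLSID and file paths are the ones named in the write-up.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'regsvr32.exe /n /i "C:\ProgramData\prnfldr.dll"'},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-0-0-0-1001\Software\Classes\CLSID\{2227A280-3AEA-1069-A2DE-08002B30309D}\InProcServer32\(Default)",
     "Details": r"C:\ProgramData\prnfldr.dll"},
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\ProgramData\prnfldr.dll"},
    # Benign noise so the rules have something to ignore.
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\shell32.dll"},
    {"EventID": 1, "Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"regsvr32.exe /s C:\Windows\System32\msxml3.dll"},
]

# Directories an unprivileged user can write to (ProgramData, per-user AppData).
USER_WRITABLE = re.compile(r"^[a-z]:\\(programdata|users\\[^\\]+\\appdata)\\", re.I)
# Directories where a legitimately installed COM server would normally live.
TRUSTED_DIR = re.compile(r"^[a-z]:\\(windows|program files( \(x86\))?)\\", re.I)
# Any CLSID's InProcServer32 key, in either hive.
CLSID_INPROC = re.compile(r"\\classes\\clsid\\\{[0-9a-f-]{36}\}\\inprocserver32", re.I)
# First quoted or unquoted .dll path on a command line.
DLL_ARG = re.compile(r'"?([a-z]:\\[^"]+?\.dll)"?', re.I)


def rule_regsvr32_install(ev):
    """regsvr32 registering a DLL that lives in a user-writable directory."""
    if ev.get("EventID") != 1 or not ev.get("Image", "").lower().endswith("\\regsvr32.exe"):
        return None
    m = DLL_ARG.search(ev.get("CommandLine", ""))
    if m and USER_WRITABLE.match(m.group(1)):
        return ("regsvr32_install", m.group(1))
    return None


def rule_com_hijack(ev):
    """A CLSID's InProcServer32 pointed at a DLL outside the trusted install dirs."""
    if ev.get("EventID") != 13 or not CLSID_INPROC.search(ev.get("TargetObject", "")):
        return None
    dll = ev.get("Details", "")
    if dll.lower().endswith(".dll") and not TRUSTED_DIR.match(dll):
        return ("com_hijack", dll)
    return None


def rule_explorer_load(ev):
    """explorer.exe loading a DLL from ProgramData or AppData."""
    if ev.get("EventID") != 7 or not ev.get("Image", "").lower().endswith("\\explorer.exe"):
        return None
    dll = ev.get("ImageLoaded", "")
    if USER_WRITABLE.match(dll):
        return ("explorer_load", dll)
    return None


RULES = (rule_regsvr32_install, rule_com_hijack, rule_explorer_load)


def scan(events):
    """Return a list of (rule_name, dll_path) hits across all rules."""
    hits = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                hits.append(hit)
    return hits


def correlate(hits):
    """Group hits by normalised DLL path so a multi-stage chain on one file stands out."""
    chains = {}
    for rule_name, dll in hits:
        chains.setdefault(dll.lower(), set()).add(rule_name)
    return chains


if __name__ == "__main__":
    for dll, rules in correlate(scan(SAMPLE_EVENTS)).items():
        print(f"{dll}: {', '.join(sorted(rules))}")
```

On the sample, only the prnfldr.dll chain survives: the shell32.dll load and the msxml3.dll registration fall under trusted directories. In production the same rules should be fed from the EDR's registry, image-load and process telemetry, and the correlation window (here, the whole batch) bounded to the logon-to-logon interval the persistence mechanism depends on.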

Post-compromise control relies on cloud storage APIs and staged tasking that are straightforward to instrument from a detection perspective. Once running, the Covenant component authenticates to Koofr and creates per-host directories named from a GUID, ensuring the presence of “Keeping” and misspelled “Tansfering” subfolders before continuing. The implant conducts a hybrid key exchange, then repeatedly checks “Tansfering” for operator-dropped task files; results are pushed to “Keeping.” Sekoia observed reconnaissance tasking (ARP, IP, traceroute, process lists) and screenshot capture, plus the ability to fetch additional modules, consistent with the subsequent deployment of BeardShell reported by CERT-UA. BeardShell, a C++ backdoor that abuses icedrive cloud storage for command and control, fingerprints the host with a “SystemInfo” command, launches a managed PowerShell runspace from native code, and polls for tasking on a fixed cadence: “Every four hours, it checks the directory for operator-uploaded files,” retrieving and executing the instructions, deleting the consumed tasking, and uploading results to the workspace root, per Sekoia.
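Because both implants run inside (or are launched from) explorer.exe and poll a consumer cloud-storage API on a fixed schedule, the network side is easiest to spot as a regular beat from a process that has no business talking to such a service. The script below is an added example for this summary, not code from Sekoia or the campaign: it reads constructed connection-log lines (process, destination host, timestamp), keeps only destinations in an assumed allowlist of cloud-storage API hostnames (placeholder domains, not the real Koofr or icedrive endpoints), and flags non-browser processes whose inter-connection intervals are nearly constant. The sample uses the four-hour cadence the write-up attributes to BeardShell.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Placeholder hostnames standing in for cloud-storage API endpoints; in a real
# deployment this set would hold the actual service domains seen in proxy/SNI logs.
CLOUD_STORAGE_HOSTS = {"api.cloudstore-a.example", "api.cloudstore-b.example"}

# Processes that are expected to reach consumer cloud storage (browsers, sync clients).
EXPECTED_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed log lines: "<ISO timestamp> <process name> <destination host>".
# explorer.exe beats every four hours (plus a second or two); chrome.exe is bursty.
SAMPLE_LOG = """\
2025-09-01T08:00:00 explorer.exe api.cloudstore-a.example
2025-09-01T08:00:05 chrome.exe api.cloudstore-a.example
2025-09-01T12:00:01 explorer.exe api.cloudstore-a.example
2025-09-01T13:42:10 chrome.exe api.cloudstore-a.example
2025-09-01T16:00:00 explorer.exe api.cloudstore-a.example
2025-09-01T17:05:33 chrome.exe api.cloudstore-a.example
2025-09-01T20:00:02 explorer.exe api.cloudstore-a.example
2025-09-01T20:30:00 explorer.exe update.vendor.example
"""


def parse_log(text):
    """Yield (timestamp, process, host) tuples from the whitespace-separated log."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proc, host = line.split()
        yield datetime.fromisoformat(ts), proc.lower(), host.lower()


def find_periodic_pollers(text, min_connections=3, max_cv=0.1):
    """Return {(process, host): stats} for unexpected processes polling cloud storage
    at a near-constant interval. cv is the coefficient of variation of the gaps:
    a scripted timer gives a value close to 0, human-driven traffic much higher."""
    series = defaultdict(list)
    for ts, proc, host in parse_log(text):
        if host in CLOUD_STORAGE_HOSTS and proc not in EXPECTED_CLIENTS:
            series[(proc, host)].append(ts)

    findings = {}
    for key, stamps in series.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0
        if cv <= max_cv:
            findings[key] = {"count": len(stamps), "mean_interval_s": avg, "cv": cv}
    return findings


if __name__ == "__main__":
    for (proc, host), stats in find_periodic_pollers(SAMPLE_LOG).items():
        print(f"{proc} -> {host}: {stats['count']} connections, "
              f"mean gap {stats['mean_interval_s']:.0f}s, cv {stats['cv']:.4f}")
```

The only finding on the sample is explorer.exe reaching api.cloudstore-a.example four times with a mean gap of about 14400 seconds; the chrome.exe connections are skipped as expected traffic and the update.vendor.example connection never enters the series. Real implants often add jitter, so in practice the `max_cv` threshold is tuned per environment and the rule is best paired with the host-side COM-hijack artifacts rather than used alone.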

Sekoia also documents SlimAgent on an adjacent host, a spyware DLL with exfiltration and keylogging features that complements the primary toolset. SlimAgent behaves as a proxy DLL (mirroring the loader’s COM-hijack pattern), spins up a worker thread only when loaded under “explorer.exe,” and persistently collects user activity. Its capabilities include screenshot capture at short intervals, clipboard theft, and a layout-aware keystroke logger that can trigger screenshots on enter-terminated input; staged data are aggregated and encrypted before exfiltration. Across the kill chain, APT28’s TTPs emphasize living-off-the-land execution (“regsvr32.exe,” COM hijack, “explorer.exe” load), cloud-API C2 over Koofr/icedrive, and modular tasking via Covenant to blend into enterprise traffic patterns. Sekoia characterizes the infection chain as “sophisticated and highly likely to be reused,” underscoring the need to monitor the evolving behaviors employed by APT28.
