A notorious Russian state-sponsored hacking group known as APT28 is reportedly using Signal, the popular encrypted messaging app, to deliver malware in targeted cyberattacks against Ukrainian government officials.

According to CERT-UA, Ukraine's government computer emergency response team, the attackers delivered two previously undocumented malware families, BeardShell and SlimAgent, through phishing messages sent over Signal. This does not indicate a vulnerability in Signal itself: the app is only the delivery channel, chosen because of its growing popularity among government and military users, and the compromise still depends on the recipient opening a malicious attachment.

The campaign was first identified in March 2024, but details were limited until May 2025, when the security firm ESET alerted CERT-UA to unauthorized access to a gov.ua email account. Further investigation showed that the attackers had sent a malicious document named "Акт.doc" via Signal. When opened, the document's macros deployed Covenant, an open-source .NET command-and-control framework, which here ran in memory and acted as the loader for the next stage.

Covenant then fetched two files: a DLL (PlaySndSrv.dll) and a WAV audio file with shellcode embedded in it. Together they launched BeardShell, a C++ backdoor that downloads PowerShell scripts, decrypts them with ChaCha20-Poly1305, executes them, and sends the collected data back to the attackers through the Icedrive cloud-storage API.

To remain undetected, both Covenant and BeardShell persist through COM hijacking: they register their DLL under a CLSID in the per-user branch of the registry (HKCU\Software\Classes\CLSID), which Windows consults before the machine-wide HKLM entry, so a legitimate process that instantiates that COM object loads the attacker's DLL instead of the original one.
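A practical way to look for this kind of persistence is to compare the per-user and machine-wide CLSID registrations and flag the CLSIDs where a user-scope InprocServer32 entry shadows a system one. The following is an added example, not code from CERT-UA or from the article: it parses the text that `reg export HKCU\Software\Classes\CLSID` and `reg export HKLM\Software\Classes\CLSID` produce (those files are UTF-16LE, so read them with `encoding="utf-16"`), and scores a shadowing entry higher when its DLL lives outside the Windows and Program Files trees. The two exports embedded below are constructed sample data with placeholder CLSIDs and paths; the list of trusted roots and the `%SystemRoot%` expansion are assumptions for the example.

```python
"""Find user-scope COM hijacks by diffing HKCU and HKLM CLSID exports.

Added example, not the article's or CERT-UA's code. Input is the text
format written by `reg export`; the samples below are constructed.
"""
import re
from pathlib import PureWindowsPath

# Constructed HKCU export: one entry shadows a machine-wide CLSID with a DLL
# in the user's profile (the hijack), one is a per-user-only registration.
HKCU_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\CLSID\{AAAAAAAA-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Roaming\\PlaySndSrv.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{BBBBBBBB-0000-0000-0000-000000000002}\InprocServer32]
@="C:\\Program Files\\Vendor\\vendor.dll"
"""

# Constructed HKLM export: the legitimate registration of the same CLSID.
HKLM_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AAAAAAAA-0000-0000-0000-000000000001}\InprocServer32]
@="%SystemRoot%\\System32\\legit.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CCCCCCCC-0000-0000-0000-000000000003}\InprocServer32]
@="C:\\Windows\\System32\\other.dll"
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
DEFAULT_RE = re.compile(r'^@="(?P<val>(?:[^"\\]|\\.)*)"\s*$')
CLSID_RE = re.compile(r"\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\InprocServer32$", re.IGNORECASE)

# Assumed trusted locations; an attacker-controlled DLL is rarely here.
TRUSTED_ROOTS = (
    PureWindowsPath(r"C:\Windows"),
    PureWindowsPath(r"C:\Program Files"),
    PureWindowsPath(r"C:\Program Files (x86)"),
)


def parse_inproc_servers(reg_text: str) -> dict:
    """Map each CLSID to the default value of its InprocServer32 key (the DLL path)."""
    servers = {}
    current = None
    for line in reg_text.splitlines():
        m = KEY_RE.match(line)
        if m:
            cm = CLSID_RE.search(m.group("key"))
            current = cm.group(1).upper() if cm else None
            continue
        if current is None:
            continue
        m = DEFAULT_RE.match(line)
        if m:
            # .reg files escape backslashes and quotes with a backslash.
            servers[current] = re.sub(r"\\(.)", r"\1", m.group("val"))
    return servers


def _expand(dll_path: str) -> str:
    # Assumed defaults for the example; on a live host use os.environ instead.
    return re.sub(r"%(SystemRoot|windir)%", r"C:\\Windows", dll_path, flags=re.IGNORECASE)


def _under_trusted_root(dll_path: str) -> bool:
    # PureWindowsPath comparisons are case-insensitive, as on Windows.
    p = PureWindowsPath(_expand(dll_path))
    return any(p.is_relative_to(root) for root in TRUSTED_ROOTS)


def find_com_hijacks(hkcu: dict, hklm: dict) -> list:
    """Flag per-user InprocServer32 entries that shadow a machine-wide one.

    COM resolves HKCU\\Software\\Classes before HKLM\\Software\\Classes, so a
    per-user entry for a CLSID that is also registered machine-wide redirects
    every process instantiating that object to the per-user DLL.
    """
    findings = []
    for clsid, user_dll in hkcu.items():
        machine_dll = hklm.get(clsid)
        if machine_dll is None:
            continue  # per-user-only registration: not shadowing anything
        findings.append({
            "clsid": clsid,
            "user_dll": user_dll,
            "machine_dll": machine_dll,
            "severity": "medium" if _under_trusted_root(user_dll) else "high",
        })
    return findings


def scan(hkcu_export: str, hklm_export: str) -> list:
    return find_com_hijacks(parse_inproc_servers(hkcu_export),
                            parse_inproc_servers(hklm_export))


if __name__ == "__main__":
    for hit in scan(HKCU_EXPORT, HKLM_EXPORT):
        print(f"[{hit['severity']}] {hit['clsid']}: {hit['user_dll']} shadows {hit['machine_dll']}")
```

On a real host, swap the embedded strings for the contents of the two exported files; a per-user entry that shadows nothing is not flagged here, although such entries deserve a look when a scheduled task or COM-activated service references the CLSID.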

In earlier attacks during 2024, CERT-UA had also identified another tool, SlimAgent. It captures screenshots using low-level Windows API functions, encrypts the images using AES and RSA, and stores them locally, most likely for later exfiltration to APT28's infrastructure by another component.

CERT-UA has officially attributed the activity to APT28, which it tracks as UAC-0001, and advises organizations to monitor connections to app.koofr.net and api.icedrive.net, both used in the campaign. Both hostnames belong to legitimate cloud-storage services (Koofr and Icedrive) that the attackers abuse, so a match is a lead to triage rather than proof of compromise.
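To turn that advice into a check, an analyst typically runs the two hostnames against proxy or DNS logs and groups the hits by internal source so each endpoint can be examined. The script below is an added example, not code from CERT-UA or the article. The log format and the lines it parses are constructed for the example (UTC time, source IP, destination host, port, method); the matching treats a host as a hit when it equals the indicator or is a subdomain of it, after stripping a trailing dot and lowercasing, and deliberately does not match look-alike hosts such as a sibling subdomain.

```python
"""Triage proxy log lines against the hosts CERT-UA lists for this campaign.

Added example, not the article's or CERT-UA's code. The log format and the
sample lines are constructed.
"""
import re
from collections import defaultdict
from typing import Optional

# The two hostnames CERT-UA advises monitoring.
IOC_DOMAINS = ("app.koofr.net", "api.icedrive.net")

# Constructed sample: "<utc time> <src ip> <dst host> <dst port> <method>"
SAMPLE_LOG = """\
2025-05-12T09:14:02Z 10.20.30.41 api.icedrive.net 443 CONNECT
2025-05-12T09:14:05Z 10.20.30.41 update.example.test 443 CONNECT
2025-05-12T09:15:11Z 10.20.30.77 APP.KOOFR.NET. 443 CONNECT
2025-05-12T09:16:40Z 10.20.30.90 notapi.icedrive.net 443 CONNECT
2025-05-12T09:17:03Z 10.20.30.41 api.icedrive.net 443 CONNECT
malformed line that should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<host>\S+)\s+(?P<port>\d+)\s+(?P<method>\S+)$"
)


def normalize_host(host: str) -> str:
    """Lowercase and drop a trailing dot so DNS-style FQDNs compare equal."""
    return host.rstrip(".").lower()


def matches_ioc(host: str, iocs=IOC_DOMAINS) -> Optional[str]:
    """Return the indicator the host matches (exact or subdomain), else None.

    Suffix matching is anchored on a dot so that e.g. notapi.icedrive.net does
    not match api.icedrive.net; widening the rule to the parent domain is an
    analyst's decision, not something the advisory asks for.
    """
    h = normalize_host(host)
    for ioc in iocs:
        if h == ioc or h.endswith("." + ioc):
            return ioc
    return None


def triage(log_text: str) -> dict:
    """Map source IP -> {indicator: hit count}, skipping lines that don't parse."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ioc = matches_ioc(m.group("host"))
        if ioc:
            hits[m.group("src")][ioc] += 1
    return {src: dict(counts) for src, counts in hits.items()}


if __name__ == "__main__":
    for src, counts in triage(SAMPLE_LOG).items():
        print(src, counts)
```

Because both services are legitimate, the output is a list of hosts to inspect for the document, DLL and registry artifacts described above, not a block list.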


APT28 is no stranger to cyberespionage. Over the years, the group has launched high-profile attacks across Ukraine, the U.S., and Europe. In late 2024, it was exposed for using an unusual "nearest neighbor" technique, reaching a target's Wi-Fi network by first compromising a nearby organization whose devices were within radio range of it.
