ESET says the Russian state-sponsored group APT28 has used two implants called BEARDSHELL and COVENANT since April 2024 to conduct long-term surveillance of Ukrainian military personnel. The company said the campaign was aimed at maintaining persistent access to systems used by members of the Ukrainian military.
APT28, also tracked as Blue Athena, BlueDelta, Fancy Bear, Fighting Ursa, Forest Blizzard, FROZENLAKE, Iron Twilight, Pawn Storm, Sednit, Sofacy, and STRONTIUM, has long been linked to Russia’s General Staff Main Intelligence Directorate, or GRU. ESET said the group used BEARDSHELL together with COVENANT as part of an espionage operation focused on intelligence collection rather than disruptive attacks.
According to the report, the operation has been active since April 2024, showing that the attackers maintained access over an extended period. ESET said the malware set was used to support long-term surveillance of Ukrainian military targets, extending APT28’s track record of operations aligned with Russian state interests.
The latest activity adds to Cyberwarzone’s prior coverage of the group, including an earlier APT28 campaign targeting the financial sector, and fits into the broader pattern described in Cyberwarzone’s cyber warfare overview, where state-linked actors use custom implants for long-term access against military and strategic targets.
ESET’s findings place the campaign squarely in the cyber-espionage category. The report said the two implants were used to facilitate long-term surveillance of Ukrainian military personnel, underscoring APT28’s continued focus on Ukraine-related intelligence gathering.
