The Cyberattack Campaign on Ukraine
CERT-UA recently issued a warning about a cyberattack campaign involving two newly identified malware families—BEARDSHELL and COVENANT—distributed through Signal messaging by APT28 threat actors. BEARDSHELL is a C++-based malware capable of downloading and executing PowerShell scripts, then sending execution results back to a remote server via the Icedrive API. It was first detected in early 2024 during incident response on a Windows machine, accompanied by a screenshot tool called SLIMAGENT.
While the initial infection vector was unclear, intelligence shared by cybersecurity firm ESET later revealed unauthorized access to a Ukrainian government email account (“gov.ua”), linked to a prior exploitation of webmail vulnerabilities. This followed an earlier report from a Slovak cybersecurity company exposing APT28’s exploitation of cross-site scripting (XSS) vulnerabilities in popular webmail platforms like Roundcube, Horde, MDaemon, and Zimbra. These exploits enabled APT28 to breach Ukrainian government networks.
Further investigation discovered that APT28 delivers malicious Microsoft Word documents via Signal chat. These documents contain macros that drop two payloads—a DLL file (“ctec.dll”) and a PNG image (“windows.png”). The macro alters the Windows Registry to load the DLL when File Explorer launches. The DLL then loads shellcode from the PNG, executing the memory-resident COVENANT framework. COVENANT downloads intermediate payloads to deploy the BEARDSHELL backdoor.
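The infection chain above ends with a registry change that makes File Explorer load a DLL dropped by an Office macro. The following is an added example, not code from CERT-UA or from the article, of how a defender might triage registry-write telemetry for that pattern. It assumes an event shape similar to Sysmon's "Registry value set" event (process image, target key, value data); the sample events, the SID and the all-zero CLSID are constructed placeholders. The heuristics it applies are generic: a DLL path under a user-writable directory, a registry write made by an Office process, and a write into a per-user hive (which needs no administrative rights).

```python
"""Heuristic triage of registry-write events for macro-dropped DLL persistence.

Added example (not CERT-UA's or the article's code). Event shape and samples
are assumptions modelled on Sysmon-style "value set" telemetry.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Directories an unprivileged user can write to; a DLL loaded from here by a
# system process is a classic persistence smell.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public|Downloads)\\", re.I)

# Office processes should not normally be registering DLLs.
OFFICE_PROCS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Per-user hives: writable without admin rights, so attractive for persistence.
PER_USER_HIVES = ("hkcu\\", "hku\\")


@dataclass
class RegEvent:
    image: str      # full path of the process that wrote the value
    target: str     # registry key\value that was written
    details: str    # the data written


def suspicious_reasons(ev: RegEvent) -> List[str]:
    """Return the list of heuristics the event trips (empty if none)."""
    data = ev.details.strip().strip('"')
    if not data.lower().endswith(".dll"):
        return []  # only interested in values that name a DLL to load
    reasons = []
    if USER_WRITABLE.search(data):
        reasons.append("dll-in-user-writable-path")
    if ev.image.rsplit("\\", 1)[-1].lower() in OFFICE_PROCS:
        reasons.append("written-by-office-process")
    if ev.target.lower().startswith(PER_USER_HIVES):
        reasons.append("per-user-hive")
    return reasons


def scan(events: List[RegEvent]) -> Dict[str, List[str]]:
    """Map each flagged target key to the reasons it was flagged."""
    return {ev.target: r for ev in events if (r := suspicious_reasons(ev))}


# Constructed sample events (SID and CLSID are placeholders, not real values).
CLSID = "{00000000-0000-0000-0000-000000000000}"
SAMPLE_EVENTS = [
    # Macro-bearing Word process registers a DLL from the user's profile.
    RegEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
             rf"HKU\S-1-5-21-0-0-0-1001\Software\Classes\CLSID\{CLSID}\InprocServer32\(Default)",
             r"C:\Users\alice\AppData\Local\ctec.dll"),
    # A legitimate installer registering a DLL under Program Files: not flagged.
    RegEvent(r"C:\Windows\System32\msiexec.exe",
             rf"HKLM\Software\Classes\CLSID\{CLSID}\InprocServer32\(Default)",
             r"C:\Program Files\Vendor\vendor.dll"),
    # A Run-key entry pointing at an EXE: outside this check's scope.
    RegEvent(r"C:\Windows\explorer.exe",
             r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
             r"C:\Users\bob\AppData\Roaming\updater.exe"),
]

if __name__ == "__main__":
    for target, reasons in scan(SAMPLE_EVENTS).items():
        print(f"{target}: {', '.join(reasons)}")
```

Each reason is weak on its own (installers legitimately write InprocServer32 values), so the intent is to stack them and prioritise events that trip two or more, then pivot to the writing process and the DLL file itself.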
CERT-UA recommends monitoring network traffic linked to domains “app.koofr[.]net” and “api.icedrive[.]net” to identify potential infections.
Additionally, APT28 exploits multiple security vulnerabilities in outdated Roundcube webmail instances (CVE-2020-35730, CVE-2021-44026, CVE-2020-12641) through phishing emails disguised as news articles. These emails contain JavaScript exploits that manipulate mailbox rules, exfiltrate user data, and execute commands on mail servers. Over 40 Ukrainian organizations were targeted, highlighting the widespread nature of these attacks.
What Undercode Says: In-Depth Analysis of the APT28 Campaign
The recent findings from CERT-UA underline a troubling trend in cyber warfare tactics employed by state-sponsored threat actors like APT28. The use of Signal chat messages as a delivery vector is particularly concerning because Signal is widely regarded as a secure, encrypted communication platform. This choice demonstrates APT28’s adaptability in exploiting trusted communication tools to bypass traditional email or network security defenses.
BEARDSHELL’s architecture reveals a modular design focusing on stealth and persistence. Written in C++, it facilitates remote PowerShell execution and data exfiltration via the Icedrive API, an unusual but clever choice that blends legitimate cloud services into the malware’s command-and-control operations. This tactic complicates detection efforts, as network traffic to cloud services often blends into normal organizational traffic.
The combination of BEARDSHELL and COVENANT illustrates a layered approach to infection, beginning with macro-enabled documents—a classic but still effective delivery method—progressing to complex in-memory execution of payloads. This reduces reliance on disk artifacts, making forensic analysis and incident response more challenging.
The exploitation of outdated Roundcube vulnerabilities signals a critical issue in many governmental and organizational networks: lagging software updates and patch management. Attackers repeatedly capitalize on known CVEs, such as CVE-2020-35730, CVE-2021-44026, and CVE-2020-12641, to compromise mail servers and extract sensitive information. The use of cross-site scripting (XSS) and SQL injection exploits in these platforms demonstrates how webmail software, if not properly maintained, becomes a gateway for broader network breaches.
Furthermore, the attackers’ ability to redirect emails, steal address books, and harvest session cookies through sophisticated JavaScript payloads amplifies the potential damage, enabling espionage and lateral movement within networks.
This campaign highlights the importance of multi-layered defense strategies, combining rigorous patch management, network traffic monitoring, user training to resist phishing, and enhanced endpoint detection. Monitoring connections to suspicious domains such as “app.koofr[.]net” and “api.icedrive[.]net” is a practical mitigation step but should be part of a comprehensive threat hunting approach.
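CERT-UA published its two indicator domains in defanged form, and both are legitimate cloud-storage services, so a hit is a lead to investigate rather than a verdict. The following is an added example, not code from CERT-UA or the article, that re-fangs the published indicators and hunts a DNS query log for them; the tab-separated log format ("timestamp, client, queried name") and the sample lines are constructed. It also matches hostnames beneath the published names (exact host or a subdomain of it) and tolerates case and trailing-dot differences, which is the usual shape of such a check.

```python
"""Hunt DNS query logs for the CERT-UA indicator domains.

Added example (not CERT-UA's or the article's code). Log format and sample
lines are constructed; the two defanged domains are the ones CERT-UA published.
"""
from typing import Iterable, List, Set, Tuple

DEFANGED_IOCS = ["app.koofr[.]net", "api.icedrive[.]net"]


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a matchable hostname."""
    return ioc.replace("[.]", ".").strip().lower().rstrip(".")


def normalise_host(host: str) -> str:
    """Lower-case and drop the trailing dot resolvers often log."""
    return host.strip().lower().rstrip(".")


def host_matches(host: str, iocs: Iterable[str]) -> bool:
    """Exact match or a subdomain of a published indicator; parents do not match."""
    h = normalise_host(host)
    return any(h == ioc or h.endswith("." + ioc) for ioc in iocs)


def hunt(lines: Iterable[str], defanged: Iterable[str] = DEFANGED_IOCS) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client, host) for every log line that hits an indicator."""
    iocs = [refang(i) for i in defanged]
    hits = []
    for line in lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash the hunt
        ts, client, query = parts
        if host_matches(query, iocs):
            hits.append((ts, client, normalise_host(query)))
    return hits


def suspect_clients(lines: Iterable[str]) -> Set[str]:
    """Distinct internal hosts that resolved an indicator: the triage queue."""
    return {client for _, client, _ in hunt(lines)}


# Constructed sample log: timestamp<TAB>client<TAB>queried name.
SAMPLE_DNS_LOG = [
    "2025-06-23T08:14:02Z\t10.0.0.17\tapp.koofr.net",
    "2025-06-23T08:14:05Z\t10.0.0.17\tAPI.ICEDRIVE.NET.",
    "2025-06-23T08:15:11Z\t10.0.0.22\tupdates.example.com",
    "2025-06-23T08:16:40Z\t10.0.0.31\tlogin.microsoftonline.com",
    "malformed line without tabs",
]

if __name__ == "__main__":
    for ts, client, host in hunt(SAMPLE_DNS_LOG):
        print(f"{ts} {client} -> {host}")
    print("clients to triage:", sorted(suspect_clients(SAMPLE_DNS_LOG)))
```

Because Koofr and Icedrive have legitimate users, pair a hit with endpoint context (which process made the connection, whether an Office document or an unexpected DLL preceded it) before escalating.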
In the broader geopolitical context, this cyber campaign underscores ongoing cyber tensions between Ukraine and Russia, with state-backed threat groups intensifying digital offensives targeting critical infrastructure and government entities.
Fact Checker Results ✅❌
✅ CERT-UA confirmed the use of Signal messaging for malware delivery.
✅ BEARDSHELL malware is written in C++ and interacts with the Icedrive API.
✅ Over 40 Ukrainian organizations were targeted through phishing emails exploiting Roundcube vulnerabilities.
Prediction 📈
Given the sophistication and adaptability shown by APT28, we can anticipate an increase in the use of encrypted messaging platforms for malware distribution in future cyber campaigns. State-backed threat actors will likely continue exploiting known software vulnerabilities in widely used webmail systems to gain initial access and escalate attacks. Organizations, especially in geopolitically sensitive regions, must prioritize timely patching, vigilant network monitoring, and user awareness to counter evolving threats. The line between conventional warfare and cyberwarfare will blur further, with cyber operations becoming more targeted, stealthy, and integrated into broader strategic campaigns.
References:
Reported By: thehackernews.com