For several years, one of Russia's most capable state-sponsored hacking groups quietly shelved its custom malware and relied on crude phishing implants. That period of apparent restraint is over. As of April 2024, APT28 — also known as Sednit, Fancy Bear, and Forest Blizzard — has returned to sophisticated, bespoke malware development with a three-component toolkit now actively targeting Ukrainian military personnel.
On March 10, 2026, Slovak cybersecurity company ESET published its findings from an investigation that began with a single compromised Ukrainian government machine. What researchers uncovered was far more significant than a routine intrusion — it was evidence of a major threat actor reconstituting its advanced development team and deploying a toolkit with unmistakable code lineage to implants used over a decade ago. The report, titled "Sednit Reloaded: Back in the Trenches," confirmed that APT28's pause in custom malware development was not a retreat. It was a retool.
Who Is Sednit and Why Did It Go Quiet?
Sednit is the name ESET uses for the threat actor most widely known as APT28, Fancy Bear, or Forest Blizzard. The group has been active since at least 2004 and is formally linked — by the U.S. Department of Justice — to Unit 26165 of the GRU, Russia's Main Military Intelligence Directorate. More specifically, it operates out of the GRU's 85th Main Special Service Center (GTsSS). The group's track record includes the 2016 Democratic National Committee hack, the 2015 breach of the German Bundestag, attacks on the World Anti-Doping Agency, and widespread campaigns against European NATO member states and government networks in Poland.
Throughout the 2010s, Sednit operated with a mature custom toolkit: Xagent (a modular backdoor), Sedreco (a second-stage implant), Xtunnel (a network-pivoting tool), and Seduploader (a reconnaissance dropper). These tools were sophisticated, purpose-built, and clearly the product of a well-resourced development team. Then, around 2019, the group's custom implant activity dropped sharply. For reasons ESET says it does not fully understand, Sednit shifted almost entirely to simple, commodity-style phishing implants for the next several years.
"The main takeaway is that Sednit has returned with renewed malware development and is once again running sophisticated cyber-espionage campaigns." — ESET researcher (anonymous), Dark Reading, March 2026
One hypothesis is that the group deliberately reduced its footprint after repeated public exposure of its 2010s toolkit. Another is that operational priorities shifted during Russia's full-scale invasion of Ukraine, demanding speed over sophistication. Whatever the reason, the quiet period ended in 2024.
The quiet period matters strategically. When a sophisticated threat actor goes quiet, the security community stops maintaining detection content for its tools. Defenders downgrade their watch posture. SIEM rules decay. This is precisely the condition Sednit returned to exploit: an abandoned open-source framework that the community had stopped building signatures for, combined with a toolkit whose code lineage to 2010s malware no one was actively tracking.
The Discovery: A Ukrainian Government Machine and a Familiar Fingerprint
The trail began in April 2024, when Ukraine's Computer Emergency Response Team (CERT-UA) identified an espionage implant on a Ukrainian governmental machine. The implant — later named SlimAgent — was capable of logging keystrokes, capturing screenshots, and harvesting clipboard data. It was, on the surface, an unremarkable piece of spyware. But ESET's analysis revealed something more significant underneath.
Researchers found that SlimAgent shared code with previously undiscovered samples deployed as far back as 2018, targeting governmental entities in two European countries. Tracing the code further, they identified direct lineage to Xagent, Sednit's flagship backdoor from the 2010s — particularly its keylogging module. The HTML-based logging format and identical color scheme used to categorize captured data were telltale markers. SlimAgent was not a new tool. It was an evolution of a decade-old one, quietly maintained and redeployed.
What made the 2024 Ukrainian case the starting point of a much larger investigation was not SlimAgent itself — it was what accompanied it. On the same compromised machine, researchers found BeardShell.
The Three-Component Toolkit
The modern Sednit toolkit, as documented by ESET, consists of three components used in a layered, complementary architecture. Each serves a distinct operational purpose, and together they form a surveillance infrastructure designed for long-term persistence and resilience.
SlimAgent: The Keylogger With Deep Roots
SlimAgent handles initial reconnaissance. It captures keystrokes, screenshots, and clipboard content, feeding that data back to the operator. Its code lineage to Xagent — confirmed through structural similarities in the keylogging logic — strongly suggests it was developed by the same team that built Sednit's 2010s toolkit. CERT-UA publicly documented SlimAgent in June 2025. The fact that identical or near-identical samples had been deployed covertly since 2018 indicates the group had been quietly maintaining this component for years before it was detected.
BeardShell: The Primary Custom Implant
BeardShell is the component that most clearly signals Sednit's advanced development team is back. It is written in C++ and executes PowerShell commands within a .NET runtime environment. Its command and control channel routes through Icedrive, a legitimate European cloud storage service — one that does not offer a publicly documented API. This is a critical technical detail: because Icedrive's API is undocumented, Sednit's developers had to reverse-engineer the requests made by the official Icedrive client and reimplement them from scratch inside the malware.
This is not the behavior of a threat actor with diminished capabilities. ESET notes that whenever changes to Icedrive's private API disrupted BeardShell's communications, the developers produced an updated version within hours to restore access. That operational tempo reflects a dedicated, well-resourced team actively maintaining the implant.
BeardShell also carries a distinctive forensic fingerprint: it uses an obfuscation technique called an opaque predicate, which was previously observed in Xtunnel — Sednit's network-pivoting tool used during the 2016 DNC hack. The reuse of this rare technique, combined with BeardShell's co-deployment with SlimAgent, led ESET to assess with high confidence that BeardShell is a Sednit-developed tool. The implant decrypts its PowerShell payloads using ChaCha20-Poly1305, an authenticated encryption algorithm, and transmits results through the same Icedrive channel.
ESET's researchers confirmed that BeardShell shares a rare obfuscation method with Xtunnel, the network-pivoting tool APT28 deployed during the 2016 DNC hack — a finding that, combined with BeardShell's co-deployment alongside SlimAgent, led the team to assess with high confidence that BeardShell is part of Sednit's arsenal. — ESET, "Sednit Reloaded: Back in the Trenches," March 2026
Covenant: An Abandoned Framework, Weaponized
The third component is the most operationally surprising. Covenant is an open-source .NET post-exploitation framework originally released in February 2019. Its official development ceased in April 2021. At the time of its abandonment, it had become largely dormant in the defender community — a tool that security teams were no longer actively building detections for.
Sednit saw that gap and exploited it. Since at least 2023, the group's developers have been making extensive modifications to Covenant to transform it into a primary long-term espionage platform. The changes they introduced include deterministic implant identifiers tied to host characteristics (making each deployment uniquely fingerprinted to the target machine), modified execution flow designed to evade behavioral detection, and entirely new cloud-based communication protocols.
The cloud provider rotation for Covenant's C2 channel tells its own story of operational tradecraft. Sednit used pCloud in 2023, then switched to Koofr between 2024 and mid-2025, then migrated to Filen (filen.io) from July 2025 onward. Each migration likely followed increased detection or monitoring of the previous provider. Covenant in its stock form provides over 90 built-in tasks covering data exfiltration, target monitoring, lateral movement, and network pivoting. Sednit's heavily modified version retains all of that capability while adding the custom cloud C2 infrastructure and evasion improvements.
The cloud provider rotation is an active operational security discipline, not a one-time decision. Moving from pCloud to Koofr to Filen over two years means Sednit has a process for migrating infrastructure when detection risk increases — and a development pipeline capable of redeploying a modified C2 framework on a new provider quickly. For defenders, this implies that burning one C2 channel will not neutralize the campaign. The architecture is designed for rotation.
According to ESET, the extensive modifications Sednit made to Covenant reflect developers who had built genuine mastery of the framework — one that had been dormant long enough that many defenders had stopped maintaining detection content for it. — ESET, "Sednit Reloaded: Back in the Trenches," March 2026
In 2025, analysis of Sednit-controlled Covenant cloud drives revealed compromised machines that had been under active surveillance for more than six months without detection. The operational structure is clear: Covenant is the primary tool, and BeardShell acts as a fallback in the event that Covenant's cloud infrastructure is disrupted or taken down.
The Attack Chain in Practice
The infection chain begins with spearphishing emails carrying geopolitically charged themes: transnational weapons smuggling, military training programs, meteorological emergency bulletins. These emails contain weaponized Microsoft Office documents that exploit CVE-2026-21509, a vulnerability in Microsoft Office with a CVSS score of 7.8. This vulnerability triggers malicious code execution as soon as the document is opened — no macros, no additional user interaction required. CERT-UA first reported Sednit exploiting this vulnerability in January 2026.
From there, a multi-stage infection chain unfolds. A malicious LNK (Windows Shortcut) file and a DLL named SimpleLoader are downloaded. SimpleLoader either drops a Visual Basic for Applications (VBA) backdoor called NotDoor — designed to persist inside Microsoft Outlook — or delivers the Covenant Grunt Beacon, which contacts a filen.io endpoint. BeardShell is then delivered as the secondary payload. Researchers from Trellix, who published complementary analysis in February 2026, described the full chain as designed for resilience: encrypted payloads, in-memory execution, process injection, and legitimate cloud services for C2, all working together to minimize forensic artifacts on the target system.
NotDoor: Why Outlook?
NotDoor deserves more attention than a single sentence. It is a VBA-based backdoor that embeds itself into the Microsoft Outlook environment rather than running as a standalone process. When SimpleLoader deploys NotDoor, it registers within Outlook's COM automation interface, meaning the backdoor activates whenever Outlook is open — which, for a military or government employee using their workstation for day-to-day communications, is virtually always.
The choice of Outlook as a host process is not arbitrary. Outlook is a trusted, high-legitimacy application present on nearly every Windows workstation in enterprise and government environments. Security tools that monitor for suspicious child processes or unusual DLL loads from obscure executables are far less likely to flag activity originating inside a process as routine as Outlook. There is also an intelligence collection dimension: a backdoor living inside an email client has native proximity to communications — the same messages, contacts, and attachments that represent the highest-value data on a target machine. ESET documented NotDoor as an alternative payload path rather than a universal deployment; its presence suggests Sednit selects delivery based on what will serve the longest and quietest persistence for a given target profile.
NotDoor represents a different persistence philosophy than COM hijacking. COM hijacking is durable and hard to remove; NotDoor is stealthy and contextually appropriate — it looks like Outlook behaving normally. Together with the COM hijacking used by BeardShell and SlimAgent, Sednit is deploying multiple distinct persistence mechanisms on the same target. Remediating one does not address the others. Incident response on a confirmed Sednit infection needs to treat every persistence vector — COM registrations, Outlook automation hooks, scheduled tasks, and registry run keys — as potentially populated before the system can be declared clean.
CVE-2026-21509 affects Microsoft Office and carries a CVSS base score of 7.8 (High). It is listed as actively exploited in the CISA Known Exploited Vulnerabilities catalog. Patches should be applied immediately. The initial access vector is currently unconfirmed in the April 2024 incident, but subsequent campaigns in January 2026 have been confirmed to use this vulnerability via malicious DOC files.
The initial access vector for the April 2024 Ukrainian government compromise — the case that started this entire investigation — remains unconfirmed. That is not a minor detail. If the entry point was not CVE-2026-21509 (which CERT-UA only confirmed in January 2026 campaigns), then Sednit had a different initial access capability in April 2024 that has not been publicly attributed. Two possibilities follow from this. Either the group used a vulnerability or technique that ESET was unable to trace from forensic evidence on the compromised machine, or they used a capability they have deliberately kept out of the lure-document pattern that makes CVE campaigns traceable. For defenders, this uncertainty is operationally significant: patching CVE-2026-21509 addresses the confirmed 2026 attack vector, but it does not guarantee protection against the mechanism responsible for the 2024 initial breach.
Persistence is established through COM object hijacking — a technique that embeds malicious code into Windows Component Object Model registrations, making it difficult to remove without a full system reimage. ESET notes that both BeardShell and SlimAgent establish deep persistence via this method, meaning simple file deletion is insufficient for remediation. Affected endpoints should be fully reimaged.
COM hijacking as the persistence mechanism for both tools is a deliberate architectural choice. It ensures that incident responders who delete malicious files but do not audit COM registrations will believe the threat is resolved while the implant continues to execute. The dual-implant structure — Covenant as primary, BeardShell as backup — means that even if defenders find and remove one, the other continues operating from a separate cloud provider. Full remediation requires reimaging, COM registration auditing, and cloud storage API traffic review across all affected hosts.
What Makes This Resurgence Different
The most analytically significant aspect of this resurgence is not the capability of any individual tool — it is what the toolkit as a whole reveals about the group's posture and developmental continuity.
The code lineage is deliberate and traceable. SlimAgent connects back to Xagent. BeardShell's opaque predicate obfuscation connects back to Xtunnel. These are not coincidental overlaps — they represent the same development team, or at minimum a team with direct access to the 2010s codebase, extending and modernizing it rather than starting from scratch. This continuity has significant attribution implications: it makes Sednit's fingerprint persistent across decades of activity, giving researchers a reliable forensic thread to follow.
The cloud C2 strategy is equally significant. By routing all malicious communications through legitimate consumer cloud services — Icedrive, Filen, pCloud, Koofr — Sednit ensures that its traffic is indistinguishable from normal business activity at the network level. An organization monitoring outbound traffic for known malicious IPs or domains will see nothing suspicious. Detection requires behavioral analytics: identifying anomalous PowerShell execution patterns, unexpected .NET assembly loading, or unusual patterns of access to cloud storage APIs from processes that should not be making those calls.
The choice to weaponize an abandoned open-source framework rather than build a new one from scratch is also tactically rational. Covenant's official development ended in 2021. Detection content for it — SIEM rules, EDR signatures, YARA rules — has not been actively maintained by the broader security community. By deeply modifying an under-monitored tool and routing its traffic through legitimate cloud providers, Sednit effectively achieved near-invisibility against defenders who had not considered a revived Covenant a credible threat vector.
ESET's March 2026 report confirmed that Sednit's advanced development team had resumed operations, building a modern toolkit around BeardShell and Covenant — each routing through a separate cloud provider for operational resilience. The dual-implant architecture supported sustained surveillance of Ukrainian military personnel, and the current tools carry direct code lineage back to the group's 2010-era implants. — ESET Research, "Sednit Reloaded: Back in the Trenches," March 2026
The operational results speak for themselves. By 2025, ESET's analysis of Sednit-controlled Covenant cloud drives confirmed machines that had been under active, undetected surveillance for more than six months. These were not brief intrusions — they were long-term intelligence collection operations running continuously inside high-value targets.
What Was Being Collected — and Why Six Months Matters
Public reporting tends to describe these operations in terms of technical capability — what the tools can do — without pausing on what six or more months of undetected access to Ukrainian military personnel's workstations actually yields. SlimAgent's collection profile gives a partial answer: keystrokes, screenshots, and clipboard data. Over the span of half a year, that means every credential entered, every document drafted, every communication copied and pasted, and every internal interface the target logged into. Covenant's 90-plus built-in tasks extend that picture considerably, covering file exfiltration, network discovery, and lateral movement. The intelligence collection objective, consistent with GRU Unit 26165's historical focus on military operations intelligence, is almost certainly order-of-battle data — unit dispositions, logistics chains, personnel movements, and operational planning documents. The duration matters because this is not a smash-and-grab. The implants were left running because sustained access to a specific person's machine over months yields far more usable intelligence than a rapid extraction.
Intelligence services do not maintain six-month implants on targets unless the ongoing access is producing collection that justifies the operational risk. For the GRU, that collection likely feeds directly into targeting decisions and battlefield planning. This is not espionage for strategic intelligence — it is tactical intelligence collection in support of an active war. Understanding that framing changes how defenders in Ukrainian government and military organizations should prioritize remediation: a confirmed Sednit infection is not a cybersecurity incident to be processed through a standard IR workflow. It is an active intelligence breach with operational consequences that extend well beyond the compromised endpoint.
Beyond Ukraine: A Broader Targeting Footprint
The article's focus on Ukrainian military targets reflects where the most detailed ESET findings are concentrated, but Sednit's current operational scope extends further. Complementary research published in early 2026 documented a related APT28 campaign exploiting Microsoft Office vulnerabilities against maritime transportation, diplomatic, and government entities in Poland, Slovenia, Turkey, Greece, and the United Arab Emirates. Germany summoned Russia's ambassador in December 2025 following attribution of a cyberattack on its air traffic control authority to APT28. These incidents share the group's characteristic use of geopolitically tailored lures and legitimate cloud infrastructure. The toolkit may not be identical across all campaigns — ESET's analysis focuses on the BeardShell and Covenant cluster — but the operational pattern is consistent: long-duration access, cloud-based C2, and targets connected to European security and NATO-adjacent military logistics. Organizations that do not have direct Ukraine-facing roles but operate in defense, transportation, or diplomatic sectors across NATO member states should not self-exclude from this threat picture.
- Patch CVE-2026-21509 immediately. This Microsoft Office vulnerability (CVSS 7.8, actively exploited) is the confirmed initial access vector for January 2026 Sednit campaigns. It requires no macro interaction — opening the document is sufficient to trigger execution. It is listed in the CISA KEV catalog.
- Do not assume abandoned open-source tools are low risk. Covenant's official development ended in 2021. Sednit has been using a heavily modified version as its primary espionage platform for several years. Detection content for deprecated tools requires active maintenance.
- Behavioral detection is required — network-layer monitoring is insufficient. All of Sednit's C2 traffic routes through legitimate cloud storage services. Traditional perimeter controls and signature-based tools will not flag this traffic. SIEM alerts for anomalous PowerShell execution from injected .NET assemblies, unexpected COM object registrations, and unusual cloud storage API calls from non-browser processes are necessary. Specifically: look for processes other than browsers and cloud-sync clients calling Icedrive, Filen, pCloud, or Koofr APIs — and examine those calls for volume anomalies and timing patterns consistent with beaconing intervals rather than user-driven activity.
- Audit for NotDoor and Outlook persistence specifically. SimpleLoader deploys NotDoor as an alternative payload, embedding a VBA-based backdoor inside Microsoft Outlook's COM automation interface. Standard EDR heuristics focused on child processes and standalone executables may not flag this. Add Outlook COM object registrations to your persistence auditing checklist alongside standard run key and scheduled task reviews.
- Reimage, do not remediate. BeardShell and SlimAgent establish persistence via COM hijacking. File deletion and standard AV removal are insufficient. Confirmed infections should result in full system reimaging.
- Treat code lineage as an attribution signal. The opaque predicate technique shared between BeardShell and Xtunnel, and the structural code similarities between SlimAgent and Xagent, are concrete forensic indicators. If these are found in your environment, attribution to Sednit should be assessed with high confidence.
- Expand your threat scope beyond direct Ukraine adjacency. APT28 campaigns in the 2025–2026 period have targeted maritime transportation, diplomatic entities, and government networks in Germany, Poland, Slovenia, Turkey, Greece, and the UAE. If your organization operates in any NATO-adjacent sector — defense, critical infrastructure, transport, or government — the relevant question is not whether you are targeted, but whether your detection posture would identify this activity before month six.
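As an added example (not code from ESET's report or from any tool it describes), here is the check called for in the behavioral-detection recommendation above and in the earlier cloud C2 discussion: run over constructed process-level network telemetry, it flags processes other than browsers and sync clients reaching the four providers named in the report, and scores each process/provider pair for beacon-like regularity of its connection intervals. The provider domains, the allowed-process list, and the telemetry rows are assumptions, not values from the page.

```python
import csv
import io
import statistics
from collections import defaultdict
from datetime import datetime

# Registered domains of the providers named in the ESET report. Exact API
# hostnames are not on the page, so matching is by domain suffix (assumption).
CLOUD_STORAGE_DOMAINS = {"icedrive.net": "Icedrive", "filen.io": "Filen",
                         "pcloud.com": "pCloud", "koofr.net": "Koofr"}
# Processes allowed to reach these providers: browsers and the vendors' own
# sync clients. Assumed names; replace with your environment's inventory.
EXPECTED_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe",
                      "icedrive.exe", "filen.exe", "pcloud.exe", "koofr.exe"}

# Constructed sample telemetry (not real data): timestamp,host,process,destination.
# powershell.exe checks in with filen.io about once a minute; chrome.exe and
# explorer.exe show irregular, user-driven access.
SAMPLE_TELEMETRY = """\
2026-01-15T09:00:00,WS-0412,chrome.exe,drive.pcloud.com
2026-01-15T09:00:00,WS-0412,powershell.exe,gateway.filen.io
2026-01-15T09:01:00,WS-0412,powershell.exe,gateway.filen.io
2026-01-15T09:02:00,WS-0412,powershell.exe,gateway.filen.io
2026-01-15T09:03:01,WS-0412,powershell.exe,gateway.filen.io
2026-01-15T09:03:59,WS-0412,powershell.exe,gateway.filen.io
2026-01-15T09:17:42,WS-0412,chrome.exe,drive.pcloud.com
2026-01-15T09:31:05,WS-0412,explorer.exe,api.icedrive.net
2026-01-15T10:02:11,WS-0412,chrome.exe,drive.pcloud.com
"""


def provider_for(dest_host):
    """Map a destination hostname to a provider name, or None if unrelated."""
    host = dest_host.lower().rstrip(".")
    for domain, name in CLOUD_STORAGE_DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            return name
    return None


def beacon_score(timestamps, min_events=4, max_jitter=0.2):
    """Return (is_beaconing, mean_interval_s, jitter) for one process/provider pair.
    jitter is stdev/mean of the gaps between consecutive connections; enough
    events with low jitter look like scheduled check-ins, not a user clicking."""
    if len(timestamps) < min_events:
        return False, None, None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    if mean <= 0:  # all events at the same instant: no cadence to measure
        return False, mean, None
    jitter = statistics.pstdev(gaps) / mean
    return jitter <= max_jitter, mean, jitter


def analyze(telemetry):
    """Group connections by (host, process, provider); report unexpected
    processes and any pair whose cadence looks like beaconing."""
    groups = defaultdict(list)
    for row in csv.reader(io.StringIO(telemetry)):
        if len(row) != 4:
            continue  # skip malformed lines
        ts, host, proc, dest = (field.strip() for field in row)
        provider = provider_for(dest)
        if provider is None:
            continue
        groups[(host, proc.lower(), provider)].append(datetime.fromisoformat(ts))
    findings = []
    for (host, proc, provider), times in sorted(groups.items()):
        unexpected = proc not in EXPECTED_PROCESSES
        beaconing, mean, jitter = beacon_score(times)
        if unexpected or beaconing:
            findings.append({"host": host, "process": proc, "provider": provider,
                             "connections": len(times), "unexpected_process": unexpected,
                             "beaconing": beaconing, "mean_interval_s": mean,
                             "jitter": jitter})
    return findings
```

On the sample data this reports explorer.exe (unexpected, one connection, no cadence) and powershell.exe (unexpected, five connections at roughly 60-second intervals with very low jitter); an allowed browser with irregular access is not reported.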
The reemergence of Sednit's advanced development team is a meaningful shift in the threat landscape. For years, the group demonstrated that it could conduct impactful espionage operations with relatively simple tools. Its return to sophisticated, custom-developed malware signals an escalation — one with documented results against Ukrainian military targets and a technical architecture specifically designed to defeat traditional defenses. The targeting scope is not limited to Ukraine: European governments, military-adjacent infrastructure, and diplomatic networks across NATO member states are all documented within APT28's current operational footprint. Organizations in any of those sectors should treat this threat as active, maintain detection content for deprecated tools, and ask themselves directly whether their current posture would surface an intrusion that has been running quietly for six months.
- APT28 profile (Threat Actors Hub): full attribution history, aliases, and linked campaigns
- MITRE ATT&CK: APT28 (G0007): complete technique mapping across all documented campaigns
- ESET, "Sednit Reloaded: Back in the Trenches" (primary source): full technical report including YARA rules and IOCs
- CISA Known Exploited Vulnerabilities catalog: verify CVE-2026-21509 patch status and remediation guidance
Sources
- ESET Research. "Sednit Reloaded: Back in the Trenches." WeLiveSecurity, March 10, 2026. welivesecurity.com
- ESET. "ESET Research: One of Russia's most notorious groups, Sednit, resurges with spyware in Ukraine." Press Release, March 10, 2026. eset.com
- Toulas, Bill. "APT28 hackers deploy customized variant of Covenant open-source tool." BleepingComputer, March 10, 2026. bleepingcomputer.com
- The Hacker News. "APT28 Uses BEARDSHELL and COVENANT Malware to Spy on Ukrainian Military." March 10, 2026. thehackernews.com
- Kovacs, Eduard. "Russian Military Hackers Revive Advanced Malware to Spy on Ukraine." The Record from Recorded Future News, March 10, 2026. therecord.media
- Paganini, Pierluigi. "APT28 conducts long-term espionage on Ukrainian forces using custom malware." Security Affairs, March 10, 2026. securityaffairs.com
- Aitken, Rob. "Russian Threat Actor Sednit Resurfaces With Sophisticated Toolkit." Dark Reading, March 2026. darkreading.com
- Trellix Research. "APT28 Uses Microsoft Office CVE-2026-21509 in Espionage-Focused Malware Attacks." The Hacker News, February 4, 2026. thehackernews.com
- Help Net Security. "This spy tool has been quietly stealing data for years." March 10, 2026. helpnetsecurity.com