Cloud Security, Threat Intelligence

APT28 expands cyber ops with cloud C2 tactics

Russian state-backed hacking group APT28 has launched a highly advanced cyber espionage campaign against Ukrainian military personnel, using weaponized Signal chats and a new backdoor called BeardShell, Cyber Press reports.

According to researchers at Sekoia.io, the operation has been active since late 2024 and involves attackers impersonating trusted contacts to share malicious Office documents disguised as administrative forms. Once opened, these files deploy macros that hijack COM objects and deliver payloads through steganographic techniques, extracting shellcode from seemingly legitimate PNG images, a first for APT28.

The attackers also customized the Covenant red-team framework to route encrypted command-and-control traffic through Koofr and Icedrive cloud services, making detection difficult. BeardShell, written in C++, establishes persistence, executes PowerShell commands, and hides files under fake image headers.
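The report above describes payloads hidden in PNG images and files stored under fake image headers. As an added defender-side example (not code from the report or from Sekoia.io), the check below parses a file's PNG chunk structure and flags anything that carries the PNG signature but does not actually parse as a PNG, or that has extra bytes appended after the final IEND chunk. A genuine, well-formed carrier image with shellcode embedded in its pixel data would pass this structural check, so it is a cheap triage filter, not a steganography detector. The sample inputs are constructed inline.

```python
from __future__ import annotations
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def validate_png(data: bytes) -> list[str]:
    """Return structural problems found; an empty list means the bytes parse as a PNG."""
    problems: list[str] = []
    if not data.startswith(PNG_SIGNATURE):
        return ["missing PNG signature"]
    pos, first, seen_iend = len(PNG_SIGNATURE), True, False
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if not ctype.isalpha():  # real chunk types are four ASCII letters
            problems.append(f"non-alphabetic chunk type {ctype!r} at offset {pos}")
            break
        if first and ctype != b"IHDR":
            problems.append(f"first chunk is {ctype.decode()} not IHDR")
        first = False
        chunk_end = pos + 8 + length + 4  # length field + type + body + CRC
        if chunk_end > len(data):
            problems.append(f"chunk {ctype.decode()} at offset {pos} runs past end of file")
            break
        body = data[pos + 8:pos + 8 + length]
        stored_crc = struct.unpack(">I", data[pos + 8 + length:chunk_end])[0]
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != stored_crc:
            problems.append(f"CRC mismatch in chunk {ctype.decode()} at offset {pos}")
        pos = chunk_end
        if ctype == b"IEND":
            seen_iend = True
            break
    if not seen_iend:
        problems.append("no IEND chunk")
    elif pos < len(data):
        problems.append(f"{len(data) - pos} trailing bytes after IEND")
    return problems


def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


# Constructed sample: a genuine 1x1 8-bit grayscale PNG.
REAL_PNG = (PNG_SIGNATURE
            + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
            + _chunk(b"IDAT", zlib.compress(b"\x00\x00"))
            + _chunk(b"IEND", b""))
# Constructed sample: a PNG signature glued onto non-image data (the fake-header case).
FAKE_PNG = PNG_SIGNATURE + b"This is not image data, just a hidden file body."
# Constructed sample: a valid PNG with extra bytes appended after IEND.
APPENDED_PNG = REAL_PNG + b"payload"
```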

Researchers confirmed links to Russia's GRU Unit 26165 and documented 42 compromised hosts with 115 stolen files, including sensitive personnel and drone-related data. The campaign, which continues to evolve, underscores the increasing sophistication of state-sponsored cyber operations.
