Cybercrime and Ransomware

APT28 Leverages Signal Chat to Spread BEARDSHELL Malware in Ukraine

By Staff Writer, June 24, 2025

Essential Insights

  1. New Cyber Threat: Ukraine’s CERT-UA reports a cyber attack campaign by the Russia-linked APT28, utilizing Signal messages to disseminate malware families BEARDSHELL and COVENANT.

  2. BEARDSHELL Functionality: The C++-based BEARDSHELL malware can execute PowerShell scripts and send outcomes back to remote servers via Icedrive API, first identified in early 2024 alongside the SLIMAGENT screenshot tool.

  3. Infection Methodology: APT28 is targeting victims with Signal messages containing a macro-enabled Word document that installs malicious components, including a DLL and engineered PNG file to execute the COVENANT malware framework.

  4. Phishing Campaign Details: CERT-UA also revealed a broader phishing operation exploiting vulnerabilities in Roundcube webmail, sending emails loaded with harmful JavaScript designed to compromise email security across over 40 Ukrainian organizations.

Underlying Problem

On June 24, 2025, the Computer Emergency Response Team of Ukraine (CERT-UA) issued a warning about a cyberattack campaign attributed to the Russia-linked threat actor tracked as APT28 (also UAC-0001). The campaign uses Signal chat messages as the delivery channel for two newly identified malware families: BEARDSHELL and COVENANT. BEARDSHELL, written in C++, downloads and executes PowerShell scripts and relays the results to a remote server via the Icedrive API. The activity first surfaced in incident response efforts in early 2024, and further investigation revealed unauthorized access to Ukrainian government email accounts, indicating a deliberate breach aimed at critical state infrastructure.

The attackers are reportedly sending macro-laden Microsoft Word documents disguised as benign communications. When the macro runs, it drops malicious components, specifically a DLL and an image file, that give the attackers persistent access to the compromised system. This activity aligns with earlier phishing attempts against vulnerabilities in webmail platforms such as Roundcube; those attempts targeted Ukrainian governmental organizations with crafted content that exploited HTML and JavaScript flaws. CERT-UA's advisory stresses monitoring for anomalous network traffic to specific remote domains as a necessary step in countering this escalating threat.
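The delivery chain above (a macro-enabled Word document carrying a DLL and a doctored PNG) can be triaged before a file is ever opened. The script below is an added example, not code from CERT-UA or this article: it opens an OOXML document as the ZIP container it is, reports whether a VBA project is present, flags any embedded entry that begins with a PE header, and checks PNG images for bytes appended after the IEND chunk (a common way to hide a payload inside an otherwise valid image). The sample document, its file names and its contents are constructed here; nothing in it is taken from the actual samples.

```python
"""Static triage of a macro-enabled Word document (added example, not CERT-UA tooling)."""
import io
import struct
import zipfile
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def png_trailing_bytes(data: bytes) -> int:
    """Return the number of bytes after the IEND chunk.

    0 means a clean PNG, a positive value means appended data, and -1 means
    the file is not a well-formed PNG at all (wrong magic or no IEND chunk).
    """
    if not data.startswith(PNG_MAGIC):
        return -1
    pos = len(PNG_MAGIC)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4          # header + chunk data + CRC
        if ctype == b"IEND":
            return len(data) - pos
    return -1                          # truncated or malformed: IEND never seen


def triage_office_doc(blob: bytes) -> dict:
    """Inspect an OOXML (.docx/.docm) blob and collect indicators worth a closer look."""
    findings = {"has_vba": False, "embedded_pe": [], "png_with_trailer": [], "mismatched": []}
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        names = z.namelist()
        # A vbaProject.bin part is what makes the document macro-enabled.
        findings["has_vba"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        for name in names:
            data = z.read(name)
            if data.startswith(b"MZ"):            # PE header: a DLL/EXE hiding in the package
                findings["embedded_pe"].append(name)
            if name.lower().endswith(".png"):
                trailer = png_trailing_bytes(data)
                if trailer < 0:
                    findings["mismatched"].append(name)       # claims PNG, is not one
                elif trailer > 0:
                    findings["png_with_trailer"].append(name) # payload appended after IEND
    return findings


def is_suspicious(findings: dict) -> bool:
    """Macros alone are not proof, but macros plus a hidden binary or doctored image are."""
    hidden_payload = bool(findings["embedded_pe"] or findings["png_with_trailer"] or findings["mismatched"])
    return findings["has_vba"] and hidden_payload


# ---- constructed sample documents for demonstration ---------------------------

def make_png(trailer: bytes = b"") -> bytes:
    """Build a minimal 1x1 PNG and optionally append arbitrary bytes after IEND."""
    def chunk(ctype: bytes, body: bytes) -> bytes:
        crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)    # 1x1, 8-bit RGB
    idat = zlib.compress(b"\x00\x00\x00\x00")              # filter byte + one RGB pixel
    return PNG_MAGIC + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"") + trailer


def build_sample_doc(malicious: bool) -> bytes:
    """Assemble a toy OOXML package in memory; the 'malicious' variant mimics the chain described."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/media/image1.png", make_png(b"\x00" * 64 if malicious else b""))
        if malicious:
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed-OLE-stub")
            z.writestr("word/embeddings/helper.dll", b"MZ" + b"\x00" * 100)  # hypothetical name
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("benign", build_sample_doc(False)), ("suspicious", build_sample_doc(True))):
        result = triage_office_doc(doc)
        print(label, result, "->", "SUSPICIOUS" if is_suspicious(result) else "ok")
```

The PNG check deliberately walks the chunk list instead of searching for the string `IEND`, because that string can legitimately occur inside compressed image data; only the chunk structure tells you where the image really ends.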

What’s at Stake?

The recent cyber attack orchestrated by the Russia-linked APT28 group poses significant risks not only to the immediate targets, such as Ukrainian government entities, but also to other businesses, users, and organizations that may find themselves ensnared in the ramifications of these breaches. The utilization of malware families like BEARDSHELL and COVENANT through seemingly benign channels like Signal chat messages underscores a sophisticated approach to exploiting vulnerabilities across multiple platforms. This incident could lead to a ripple effect: if interconnected systems within industries or supply chains are compromised, they may suffer from unauthorized access, data exfiltration, or operational disruptions. Moreover, the pervasive nature of such attacks raises alarming concerns over privacy and trust, as users may unknowingly become vectors for future breaches by opening infected documents or fall victim to phishing schemes that leverage the same tactics against other organizations. The potential for extensive collateral damage necessitates robust cybersecurity protocols and vigilance to mitigate the overarching threat and safeguard the integrity of interconnected digital ecosystems.

Possible Actions

The urgency of prompt action in cybersecurity cannot be overstated, especially when sophisticated threats like APT28’s deployment of BEARDSHELL malware and COVENANT in Ukraine are at play.

Mitigation Steps

  1. Network Segmentation: Isolate critical systems.
  2. User Education: Train end-users on phishing awareness.
  3. Threat Intelligence: Leverage updated threat data.
  4. Incident Response Plan: Develop and regularly test a response strategy.
  5. Regular Updates: Ensure all software is patched promptly.
  6. Traffic Analysis: Monitor network anomalies for early detection.
  7. Endpoint Security: Implement advanced anti-malware solutions.
  8. Access Controls: Enforce strict user permissions.
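Step 6 (traffic analysis) and CERT-UA's advice to watch for anomalous traffic to specific remote domains both come down to looking at outbound connection logs. The script below is an added example, not the article's or CERT-UA's tooling: it reads proxy-style log lines, flags any destination on a watchlist, and separately flags host/destination pairs whose requests arrive at machine-regular intervals, the beaconing pattern a backdoor produces when it polls a cloud API for tasking. The log format, the IP addresses, the domains and the watchlist entry are all constructed for the demonstration; the article names no indicators, so the watchlist holds a placeholder.

```python
"""Beacon and watchlist detection over proxy logs (added example; format and data are constructed)."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed format: "<ISO timestamp> <source IP> <destination host> <HTTP status>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<status>\d{3})$")

MIN_REQUESTS = 5   # fewer requests than this cannot establish a rhythm
MAX_CV = 0.10      # interval coefficient of variation below this looks timer-driven

# Placeholder watchlist: the article publishes no domains, so this one is invented.
WATCHLIST = {"c2.placeholder.invalid"}

# Constructed sample: 10.0.0.12 polls a cloud-storage API every ~5 minutes,
# 10.0.0.7 browses irregularly and once touches the watchlisted domain.
SAMPLE_LOG = """\
2025-06-24T09:00:00 10.0.0.12 api.cloud-storage.test 200
2025-06-24T09:00:03 10.0.0.7 news.example.test 200
2025-06-24T09:00:45 10.0.0.7 news.example.test 200
2025-06-24T09:01:10 10.0.0.12 intranet.example.test 200
2025-06-24T09:05:01 10.0.0.12 api.cloud-storage.test 200
2025-06-24T09:09:59 10.0.0.12 api.cloud-storage.test 200
2025-06-24T09:12:10 10.0.0.7 news.example.test 200
2025-06-24T09:13:00 10.0.0.7 news.example.test 200
2025-06-24T09:15:00 10.0.0.12 api.cloud-storage.test 200
2025-06-24T09:20:02 10.0.0.12 api.cloud-storage.test 200
2025-06-24T09:24:58 10.0.0.12 api.cloud-storage.test 200
2025-06-24T09:31:11 10.0.0.7 c2.placeholder.invalid 404
2025-06-24T09:40:30 10.0.0.7 news.example.test 200
"""


def parse_log(text: str) -> list:
    """Turn log text into (timestamp, src, dst) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"]))
    return events


def find_beacons(events: list, min_requests: int = MIN_REQUESTS, max_cv: float = MAX_CV) -> list:
    """Flag src/dst pairs whose inter-request gaps are too regular to be a human."""
    by_pair = defaultdict(list)
    for ts, src, dst in events:
        by_pair[(src, dst)].append(ts)
    beacons = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue                       # duplicate timestamps; nothing to measure
        cv = statistics.pstdev(gaps) / mean
        if cv < max_cv:
            beacons.append({"src": src, "dst": dst, "count": len(stamps),
                            "period_s": round(mean, 1), "cv": round(cv, 3)})
    return beacons


def find_watchlist_hits(events: list, watchlist: set = WATCHLIST) -> list:
    """Every contact with a watched domain, regardless of HTTP status."""
    return [(ts.isoformat(), src, dst) for ts, src, dst in events if dst in watchlist]


def analyze(text: str, watchlist: set = WATCHLIST) -> dict:
    events = parse_log(text)
    return {"beacons": find_beacons(events), "watchlist_hits": find_watchlist_hits(events, watchlist)}


if __name__ == "__main__":
    for key, items in analyze(SAMPLE_LOG).items():
        print(key)
        for item in items:
            print("  ", item)
```

The watchlist match is the cheap check and catches only what you already know about; the periodicity check is what surfaces a new backdoor whose infrastructure nobody has published yet, which is why both belong in the same pass. Tune `MIN_REQUESTS` and `MAX_CV` against your own baseline, since software updaters and monitoring agents also beacon and need to be allow-listed rather than investigated every day.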

NIST CSF Guidance
NIST CSF emphasizes the need for continuous identification, detection, and response strategies against threats. Specifically, refer to NIST SP 800-53 for detailed guidelines on security and privacy controls that can assist in mitigating advanced persistent threats effectively.

John Marcelli is a staff writer for the CISO Brief, with a passion for exploring and writing about the ever-evolving world of technology. From emerging trends to in-depth reviews of the latest gadgets, John stays at the forefront of innovation, delivering engaging content that informs and inspires readers. When he's not writing, he enjoys experimenting with new tech tools and diving into the digital landscape.
