Following a multi-year period of relying on simpler methods, the Sednit threat group has resumed deploying a custom toolkit in recent cyber espionage campaigns directed at Ukrainian infrastructure.
Security researchers at ESET identified the updated toolset while investigating a 2024 security incident in Ukraine. The investigation revealed the use of a keylogger named SlimAgent, which shares code lineage with older Sednit software from more than a decade ago. Alongside SlimAgent, researchers identified a secondary implant tracked as BeardShell. This tool functions as a PowerShell interpreter, allowing operators to execute commands on compromised systems while utilizing the legitimate cloud storage service Icedrive for command-and-control (C2) communications.
Further analysis showed that Sednit deploys BeardShell in coordination with Covenant, a heavily modified version of an open-source .NET post-compromise framework. Covenant supports more than 90 distinct functions, including data exfiltration, lateral movement, and persistent monitoring. According to the research, Covenant serves as the primary tool for ongoing espionage operations, with BeardShell acting as a redundant fallback to maintain access if defenders detect and remove the primary framework.
For security teams, the primary takeaway is the necessity of adapting network monitoring strategies. The group now combines custom software with legitimate cloud services for C2 traffic, which complicates traditional perimeter defense. Because the threat actor deploys a pair of implants in parallel—each relying on a different cloud provider—remediating an incident requires identifying and blocking both communication channels simultaneously to prevent persistent access.
While the current operations primarily focus on Ukrainian military personnel, the group's targeting could expand depending on geopolitical developments.
Sednit, also tracked by the security community as Fancy Bear, APT28, Forest Blizzard, and Sofacy, has been active since at least 2004. Western intelligence agencies link the group to the Russian military's intelligence directorate. The group has a long history of high-profile targeting, including the Democratic National Committee in 2016, the German Parliament in 2015, the World Anti-Doping Agency, and various global logistics and IT firms.
Historically, Sednit utilized custom backdoors and specialized tools for data collection and lateral movement. Beginning around 2019, the group shifted its methodology, moving away from complex custom software and instead deploying relatively simple scripts via phishing emails. The recent reappearance of proprietary toolkits suggests a deliberate return to active software development. The shared code lineage between SlimAgent and legacy Sednit software indicates that the same development team has maintained and evolved the underlying codebase over time.
BeardShell represents a newly developed implant, though it incorporates an obfuscation technique previously used in Xtunnel, a network-pivoting tool Sednit operated in the 2010s. The integration of Icedrive for BeardShell’s C2 communications demonstrates dedicated engineering effort. Because Icedrive does not offer a public API, the developers reverse-engineered the official client to replicate its communication protocols. When service changes disrupt this access, the group rapidly issues updates to restore functionality.
Meanwhile, Sednit developers have made continuous modifications to the Covenant framework since 2023, tailoring the open-source project to serve as their primary operational tool.
Both BeardShell and Covenant utilize updated custom loading chains, which the developers refresh frequently to evade detection mechanisms. To protect systems from these campaigns, organizations should prioritize defenses against Sednit's initial access methods. The group typically targets personnel through social engineering over messaging platforms like Signal Desktop or WhatsApp Desktop, attempting to persuade users to open trojanized Microsoft Word or Excel documents. In some instances, operators will call their targets directly to establish trust before delivering the malicious files. Strengthening endpoint monitoring and educating users on these specific social engineering patterns remain critical steps in preventing unauthorized access.