DEV Community

Mark0


Sednit reloaded: Back in the trenches

Sednit (APT28) has resurfaced with a modern toolkit built around two primary implants: BeardShell and a heavily modified version of the open-source Covenant framework. This dual-implant approach, observed mainly in long-running espionage operations against Ukrainian military targets, gives the operators resilience: each implant relies on a different legitimate cloud provider for its command-and-control (C2) channel, so the operation survives the discovery and blocking of one channel.

Researchers traced these modern tools back to Sednit's 2010-era arsenal through substantial code similarities. SlimAgent, a keylogger deployed in 2024, is an evolution of the group's flagship Xagent backdoor, and BeardShell reuses the distinctive "opaque predicate" obfuscation previously found in Xtunnel. Together these overlaps point to a continuous line of development practices and tooling spanning more than a decade.
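To make the attribution clue concrete, here is an added illustration of what an opaque predicate is; it is example code written for this page, not code from the BeardShell or Xtunnel samples or from the researchers' report. The checksum routine and the sample input are constructed for the demonstration. The predicate exploits the fact that x*(x+1) is always even, so the branch condition is always true, yet a disassembler sees a real conditional jump and a dead "else" arm that inflates the control-flow graph. The particular arithmetic identity an author reaches for, and the shape of the junk in the dead arm, is exactly the kind of habit that can be matched across a decade of samples.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Counts how often the supposedly unreachable branch runs (expected: never). */
static int dead_branch_hits = 0;

/* Opaque predicate (constructed example): for any 32-bit x, x*x + x equals
 * x*(x+1), a product of two consecutive integers, so it is always even.
 * Unsigned wraparound preserves the low bit, so the test holds modulo 2^32.
 * The result is always 1, but static analysis cannot see that without
 * reasoning about the arithmetic. */
static int opaque_always_true(uint32_t x) {
    return ((x * x + x) & 1u) == 0;
}

/* Hypothetical checksum, plain version. */
uint32_t checksum_plain(const uint8_t *buf, size_t len) {
    uint32_t sum = 0;
    for (size_t i = 0; i < len; i++) {
        sum = sum * 31u + buf[i];
    }
    return sum;
}

/* Same computation wrapped in an opaque predicate. The else arm is dead
 * code that never executes; it exists only to mislead a disassembler. */
uint32_t checksum_obfuscated(const uint8_t *buf, size_t len) {
    uint32_t sum = 0;
    for (size_t i = 0; i < len; i++) {
        if (opaque_always_true(sum ^ (uint32_t)i)) {
            sum = sum * 31u + buf[i];
        } else {
            dead_branch_hits++;
            sum = ~sum ^ 0xDEADBEEFu;   /* junk, never reached */
            len = 0;
        }
    }
    return sum;
}

/* Returns 1 when both versions agree on a constructed input and the dead
 * branch was never taken, i.e. the obfuscation preserved behaviour. */
int opaque_demo_agrees(void) {
    static const uint8_t sample[] = "constructed sample input";
    uint32_t a = checksum_plain(sample, sizeof sample);
    uint32_t b = checksum_obfuscated(sample, sizeof sample);
    return a == b && dead_branch_hits == 0;
}

int main(void) {
    printf("plain/obfuscated agree, dead branch untouched: %d\n",
           opaque_demo_agrees());
    return 0;
}
```

Analysts undo this by proving the predicate constant (symbolic execution or a quick SMT query over the arithmetic) and pruning the dead arm; the value for attribution lies less in the trick itself than in the specific identities and junk patterns a developer keeps reusing.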
