APT28, also known as Fancy Bear, is a Russian state-sponsored threat group attributed to Russia’s General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165. The group is estimated to have been in operation since 2004, according to MITRE. It presents a continual and persistent threat to organizations internationally. Until now, its primary targets have been aerospace, energy, defense, government, dissidents, and the media. It uses a cross-platform implant.
APT28’s current strategy is not due to a vulnerability or security flaw in Signal itself, but the threat actors are leveraging it as part of their phishing tactics, as it is widely used by governments across the world.
Let’s take a deeper look at APT28 and its new tactics.
Recent APT28 Activity
The group’s recent activity was first detected by Ukraine’s Computer Emergency Response Team (CERT-UA) in March-April 2024, when two new malware families, named BeardShell and SlimAgent, were discovered. Little was known about the infection chain or initial access vector at the time.
Then, in May 2025, more than a year later, ESET notified CERT-UA of unauthorized access to a gov.ua email account. This prompted a new incident response, and the investigation revealed that BeardShell and a component of the Covenant framework had been used.
CERT-UA noted that the threat actors had detailed knowledge of both the targeted individual and the organization.
Other attacks were cited by the Google Threat Intelligence Group as part of escalating campaigns carried out by multiple Russia-aligned threat actors. These campaigns targeted Signal Messenger users by abusing the app’s legitimate “linked devices” feature rather than any flaw in the app itself.
For the most part, these attacks targeted members of the Ukrainian military, activists, government officials, and journalists. The attackers’ objective was persistent access to encrypted communications amid the ongoing conflict between Russia and Ukraine.
Signal Messenger Attack Breakdown
Initially, it was not clear what the attackers had shared with their targets, but security analysts linked the activity to a report released in May 2025 by the Slovak security company ESET, which detailed APT28’s exploitation of cross-site scripting (XSS) vulnerabilities in webmail platforms such as Horde, Roundcube, Zimbra, and MDaemon to breach several Ukrainian government entities.
Security analysts also uncovered more about the 2024 attacks, including the presence of the BeardShell malware family and the Covenant malware framework.
The new investigation by CERT-UA revealed that messages originating from the Signal app delivered malicious documents to the targeted victims (AKT.doc) containing macros that drop two payloads:
- A DLL (dynamic link library) named ‘ctec.dll’
- An image file named ‘windows.png’
After that, the macro modifies the Windows registry so that the DLL is loaded whenever the device’s File Explorer is opened. The DLL then extracts shellcode from the image file and launches the Covenant framework directly in memory.
Once Covenant is active, it downloads the additional payloads required to deploy the BeardShell backdoor, giving the attackers full remote access to the compromised system.
The “BeardShell” Malware Component
Once Covenant is activated, the system loads additional payloads, including a WAV file embedded with shellcode that deploys BeardShell and a dynamic link library.
BeardShell is written in C++. It retrieves and runs encrypted PowerShell scripts and sends their execution logs to a command-and-control (C2) server operated by the threat actors through the Icedrive API. BeardShell persists on compromised devices through COM hijacking in the Windows registry, which lets it retain control across reboots and system updates.
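The persistence described above (a registry change that makes a DLL load when File Explorer starts, i.e. a per-user COM hijack) is something defenders can hunt for directly. The following PowerShell is an added example written for this article, not code from CERT-UA or any other report; it assumes it runs in the context of the user whose HKCU hive is being inspected and lists user-scope CLSID registrations, flagging those that shadow a machine-wide registration or point at a DLL in a user-writable directory.

```powershell
# Added example: hunt for user-scope COM servers that shadow machine-wide ones,
# the persistence pattern described for BeardShell. Run as the user being examined.
function Get-SuspiciousComHijacks {
    [CmdletBinding()]
    param(
        # Locations an unprivileged user can write to; a COM DLL here is a strong signal.
        [string[]]$UserWritableRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:USERPROFILE)
    )

    $results = @()
    $userClsidRoot = 'HKCU:\Software\Classes\CLSID'
    if (-not (Test-Path $userClsidRoot)) { return $results }

    foreach ($clsidKey in Get-ChildItem -Path $userClsidRoot -ErrorAction SilentlyContinue) {
        $clsid  = $clsidKey.PSChildName
        $inproc = Join-Path $clsidKey.PSPath 'InprocServer32'
        if (-not (Test-Path $inproc)) { continue }

        # The (default) value of InprocServer32 is the DLL the COM loader will map.
        $userDll = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
        if (-not $userDll) { continue }
        $userDll = [Environment]::ExpandEnvironmentVariables($userDll.Trim('"'))

        # HKCU\Software\Classes is consulted before HKLM, so a per-user entry for a
        # CLSID that also exists machine-wide silently replaces the legitimate server.
        $machineInproc = "HKLM:\Software\Classes\CLSID\$clsid\InprocServer32"
        $machineDll = $null
        if (Test-Path $machineInproc) {
            $machineDll = (Get-ItemProperty -Path $machineInproc -ErrorAction SilentlyContinue).'(default)'
        }

        $inUserDir = $false
        foreach ($root in $UserWritableRoots) {
            if ($root -and $userDll.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $inUserDir = $true }
        }

        $results += [pscustomobject]@{
            CLSID          = $clsid
            UserDll        = $userDll
            MachineDll     = $machineDll
            ShadowsMachine = [bool]$machineDll
            UserWritable   = $inUserDir
            DllExists      = Test-Path -LiteralPath $userDll
        }
    }
    # Highest-signal rows first: shadows a machine CLSID and lives in a user-writable path.
    $results | Sort-Object -Property @{Expression = 'ShadowsMachine'; Descending = $true },
                                     @{Expression = 'UserWritable';   Descending = $true }
}

Get-SuspiciousComHijacks | Format-Table -AutoSize
```

Legitimate per-user COM registrations exist (some installers create them), so treat a hit as a lead to verify against the DLL’s signature and install path rather than as a confirmed compromise.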
The “SlimAgent” Malware Component
SlimAgent is the second piece of malware recovered from the earlier attacks. It specializes in covertly capturing screenshots using native Windows APIs and encrypts the captured images with AES and RSA, with the keys stored locally. Experts suspect that another malicious module may later make use of these captures.
Security analysts assess that the two malware families together form a multi-layered surveillance strategy: BeardShell serves as the command execution engine, while SlimAgent functions as a passive observer. The objective is intelligence collection.
Defensive Measures and Mitigating APT28/Fancy Bear
To defend effectively against APT28/Fancy Bear, organizations should prioritize robust security controls: endpoint detection and response (EDR), security information and event management (SIEM), and security orchestration, automation, and response (SOAR). Equally important are training employees to recognize phishing attempts, applying patches on a regular cadence, and enforcing multifactor authentication (MFA).
CERT-UA recommends that organizations monitor suspicious traffic involving the following domains:
- app.koofr[.]net
- api.ocedrove[.]net
These controls, used together, lower the likelihood of both initial infection and data exfiltration. Additional recommendations for security teams include removing vulnerable plugins, promptly installing updates to webmail platforms, and disabling macros wherever possible.
Why It’s Critical Now
The recent abuse of Signal, a messaging app generally regarded as secure and highly rated for privacy, is a disturbing trend and marks a shift in the tactics employed by advanced persistent threats (APTs). Macro-enabled documents and living-off-the-land techniques are combined with phishing aimed at specific individuals.
In today’s constantly shifting threat landscape, this reflects the adaptability of modern nation-state threat actors.