Since April 2024, Sednit's advanced development team has reemerged with a modern toolkit centered on two paired implants, BeardShell and Covenant, each using a different cloud provider for resilience. This dual-implant approach enabled long-term surveillance of Ukrainian military personnel. Interestingly, these current toolsets show a direct code lineage to the group's 2010-era implants.
Key points of this blogpost:
- ESET researchers traced the reactivation of Sednit's advanced implant team to a 2024 case in Ukraine, where a keylogger named SlimAgent was deployed.
- SlimAgent code was derived from Xagent, Sednit's flagship backdoor from the 2010s.
- During that operation, BeardShell, a second Sednit-developed implant, was deployed. It executes PowerShell commands and uses a legitimate cloud provider as its C&C channel.
- BeardShell uses a specific obfuscation technique also found in Xtunnel, Sednit's network-pivoting tool from the 2010s.
- During 2025 and 2026, Sednit repeatedly deployed BeardShell together with Covenant, a third major piece of its modern toolkit.
- Sednit heavily reworked this open-source implant to support long-term espionage and to implement a new network protocol based on yet another legitimate cloud provider.
Sednit profile
The Sednit group – also known as APT28, Fancy Bear, Forest Blizzard, or Sofacy – has been operating since at least 2004. The US Department of Justice named the group as one of those responsible for the Democratic National Committee (DNC) hack just before the 2016 US elections and linked the group to Unit 26165 of the GRU, the Russian Federation's military intelligence agency (Main Intelligence Directorate). The group is also presumed to be behind the hacking of the global television network TV5Monde, the World Anti-Doping Agency (WADA) email leak, and many other incidents.
What became of Sednit's advanced implant team?
The Sednit group is arguably one of the APT groups with the most impressive record of compromised targets. Notable among its known compromises are the German parliament (2015), the French television network TV5Monde (2015), and the United States Democratic National Committee (2016).
During these years of high-profile attacks, Sednit relied on an extensive set of custom implants, ranging from full-fledged espionage backdoors such as Xagent and Sedreco, to specialized toolkits such as the network-pivoting tool Xtunnel and USBStealer, a data stealer for air-gapped machines. In 2016, we extensively documented this sophisticated arsenal in our white paper En Route with Sednit.
However, in 2019, a shift occurred. Since then, and until recently, Sednit's high-end implants have rarely been observed in the wild (with only a few exceptions, such as the Graphite malware documented by Trellix in 2021), while the group simultaneously ramped up its phishing operations. The custom malware used in these phishing attacks consisted mostly of simple script-based implants. The reasons behind that technical shift remain a mystery to us.
This blogpost documents the reappearance of Sednit's high-end custom arsenal since 2024. Here we focus on attributing its modern toolsets, as prior publications by CERT-UA and Sekoia have already covered their inner workings.
A boutique developer shop
Sednit maintains in-house development of its espionage implants, a distinctive trait that supports an attribution approach based on shared code artifacts.
To illustrate this capability, consider Xagent, the group's flagship backdoor during the 2010s. In 2015, we found the Xagent source code on a Linux server in Ukraine, left in an unprotected archive after the attackers had compiled it. Figure 1 shows that plugins and C&C channels were enabled or disabled by commenting code in or out – selected per target according to operational requirements – leaving little doubt that developers and operators worked in close coordination.

In addition, the 2018 US DOJ indictment explicitly states that Xagent was developed in-house, accusing specific members of GRU Unit 26165 of being its developers.
In this blogpost, we leverage that development footprint as an attribution mechanism. By tracking shared code artifacts across different implants, we link the group's 2010-era toolsets to those currently in use.
SlimAgent
Our account of modern Sednit activities begins with SlimAgent, an espionage implant discovered on a Ukrainian governmental machine by CERT-UA in April 2024. SlimAgent is a simple yet efficient spying tool capable of logging keystrokes, capturing screenshots, and collecting clipboard data.
Ancestors
Interestingly, we identified in ESET telemetry previously unknown samples with code similar to SlimAgent, deployed as early as 2018 – six years before the Ukrainian case – against governmental entities in two European countries. These samples exhibit strong code-level similarities with SlimAgent, including an identical six-step data-collection loop, shown in Figure 2. Each step is implemented in a nearly identical manner, as illustrated in Figure 3 with the routine responsible for logging the foreground window's executable; the only differences lie in the layout of the internal data structures.


SlimAgent includes several features that were absent from the 2018 samples, such as encryption of the collected logs. Nevertheless, it is remarkable that samples deployed six years apart exhibit such strong code similarities.
We therefore assess with high confidence that both the 2018 samples and the 2024 SlimAgent sample were built from the same codebase. The remaining question is: where did the 2018 samples originate?
An infamous lineage
The 2018 samples have an internal name that may resonate with fellow analysts: RemoteKeyLogger.dll. This is the name of the keylogging module of Xagent, Sednit's flagship espionage backdoor from 2012 to 2018 (documented in our white paper En Route with Sednit).
Digging into some old Xagent samples (e.g., SHA-1: D0DB619A7A160949528D46D20FC0151BF9775C32), we were indeed able to find some striking similarities, such as the one shown in Figure 4. In this code, the keylogging logic is executed only if the mouse cursor has not moved more than 10 pixels (checked by comparing the squared distance between the last and the current position with 0x64, i.e., 100, which avoids a square root), and it is implemented with the same API calls.

As another example, SlimAgent emits its espionage logs in HTML format, with the application name, the logged keystrokes, and the window title in blue, red, and green, respectively. Figure 5 shows an example generated while typing and copying text in a newly created TXT file using notepad.exe. The Xagent keylogger also produces HTML logs using the same color scheme. This is illustrated in Figure 6 with the definition of the corresponding color HTML tags in the 2015 Xagent source code.


Based on these similarities, we believe that SlimAgent is an evolution of the Xagent keylogger module, which has been deployed as a standalone component since at least 2018. Moreover, because Xagent is a custom toolset used exclusively by the Sednit group for more than six years, we attribute SlimAgent to Sednit with high confidence.
This raises a question: why would Sednit reuse an implant derived from such a well-known codebase? One possible explanation is reduced development capacity. However, SlimAgent was not the only implant found on the Ukrainian machine in 2024; BeardShell – a much more recent addition to Sednit's custom arsenal – was deployed there as well.
BeardShell
BeardShell is a sophisticated implant capable of executing PowerShell commands within a .NET runtime environment, while leveraging the legitimate cloud storage service Icedrive as its C&C channel.
This component bears the marks of intense development effort and is the primary reason we believe that Sednit's advanced development team is once again active. For example, because Icedrive does not provide a publicly documented API, the developers reimplemented the requests made by the official Icedrive client. Whenever changes to Icedrive's private API disrupt BeardShell communications, Sednit developers produce an updated version within hours to restore access.
A mathematical blast from the past
While we could not find other malware families directly related to BeardShell, we uncovered a surprising similarity with old Sednit tooling, starting with a C++ static initializer executed at the very start of BeardShell. The purpose of this routine, whose code is shown in Figure 7, is to decrypt the authentication token for the Icedrive cloud storage.

The routine contains a textbook example of the obfuscation technique known as opaque predicate insertion (highlighted in the red box in Figure 7):
- An arithmetic expression evaluating to zero (false) for all possible inputs – named x and y in Figure 7 – is used as the condition of a while loop. In practice, the loop body is never executed, because the predicate 2(x² + 1) + 2 = y² + 5 has no integer solution.
- The body of this artificial loop consists of the two original instructions (shown in the yellow box in Figure 7), plus a dummy update of the input variable y to mimic the structure of a real loop body.
- Following the fake loop are the two original instructions that actually execute: a call to the Icedrive token decryption routine and the registration of a cleanup routine.
Opaque predicates are typically used to hinder static analysis but are not particularly useful in such a small routine. Note that other BeardShell static initializers – which do not handle important data – are protected with the same technique, so it seems the developers simply applied the protection to all of them indiscriminately.
Now, the predicate formula can be simplified (by subtracting 2 from both sides) to 2(x² + 1) = y² + 3. Interestingly, that same opaque predicate was used in Xtunnel, a network-pivoting tool used exclusively by Sednit from 2013 to 2016 and documented in our white paper En Route with Sednit. Figure 8 shows an example of obfuscated code from Xtunnel (SHA-1: 99B454262DC26B081600E844371982A49D334E5E), with an if statement whose predicate can never be true.

Not only is the predicate identical to the one used in BeardShell, but the never-executed block is constructed in the same way, by duplicating the two original instructions (in the yellow box) and performing a dummy update of one of the predicate inputs (here, x).
To the best of our knowledge, this opaque predicate has not been observed anywhere else except in Xtunnel. One might even wonder whether it could have been used as a false flag, especially since it was publicly mentioned as being unique to Xtunnel, for example in a BlackHat Europe 2016 presentation. However, a false flag operation would most likely have used the identical predicate, not the variant with +2 on both sides of the equation.
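To make the construction concrete, here is an added example in Python; it is not BeardShell or Xtunnel code. It uses the classic textbook predicate 7y² − 1 = x² rather than the formula from Figure 7, because its unsatisfiability is easy to show: reducing 7y² − 1 − x² modulo 4 never gives 0 for any residue pair, so no integers satisfy it. `obfuscated_init` reproduces the shape described above (a dead `while` whose body duplicates the two live instructions and bumps one predicate input, followed by the two real instructions), and `prove_never_true` is the residue check an analyst can run to confirm that a suspected opaque predicate really is one. The XOR key and token blob are constructed for the demo.

```python
"""Opaque-predicate insertion and how to verify it (added example; not Sednit code)."""
from typing import Callable, Optional, Tuple

Poly = Callable[[int, int], int]


def classic_predicate(x: int, y: int) -> int:
    """7*y*y - 1 == x*x written as f(x, y) == 0. Textbook example, not the Figure 7 formula."""
    return 7 * y * y - 1 - x * x


def prove_never_true(f: Poly, max_modulus: int = 64) -> Optional[int]:
    """Return the smallest modulus m for which f(x, y) is never 0 mod m.

    An integer solution of f(x, y) == 0 would also be a solution modulo every m,
    so one modulus with no residue solution proves the predicate is always false.
    Returns None if no modulus up to max_modulus is a witness (inconclusive).
    """
    for m in range(2, max_modulus + 1):
        if all(f(x, y) % m != 0 for x in range(m) for y in range(m)):
            return m
    return None


def brute_force_solution(f: Poly, bound: int) -> Optional[Tuple[int, int]]:
    """Exhaustive search in [-bound, bound]^2: a sanity check, not a proof."""
    for x in range(-bound, bound + 1):
        for y in range(-bound, bound + 1):
            if f(x, y) == 0:
                return (x, y)
    return None


# --- a protected routine shaped like the static initializer described above ---
TOKEN_KEY = 0x5A                                                      # constructed demo key
ENCRYPTED_TOKEN = bytes(b ^ TOKEN_KEY for b in b"demo-cloud-token")  # constructed blob


def decrypt_token(blob: bytes) -> str:
    return bytes(b ^ TOKEN_KEY for b in blob).decode()


def plain_init(register: Callable[[str], None]) -> str:
    """The two live instructions without any obfuscation."""
    token = decrypt_token(ENCRYPTED_TOKEN)
    register("cleanup")
    return token


def obfuscated_init(register: Callable[[str], None], x: int, y: int) -> str:
    """Same behaviour, with an opaque-predicate dead loop inserted in front."""
    while 7 * y * y - 1 == x * x:        # always false: the loop body is dead code
        decrypt_token(ENCRYPTED_TOKEN)   # duplicate of live instruction 1 (never runs)
        register("cleanup")              # duplicate of live instruction 2 (never runs)
        y += 1                           # dummy update of a predicate input
    token = decrypt_token(ENCRYPTED_TOKEN)   # live instruction 1
    register("cleanup")                      # live instruction 2
    return token


def compare_behaviour(x: int, y: int) -> Tuple[bool, int, int]:
    """Run both variants; return (same token?, #registrations plain, #registrations obfuscated)."""
    calls_plain, calls_obf = [], []
    t_plain = plain_init(calls_plain.append)
    t_obf = obfuscated_init(calls_obf.append, x, y)
    return t_plain == t_obf, len(calls_plain), len(calls_obf)


if __name__ == "__main__":
    print("witness modulus:", prove_never_true(classic_predicate))
    print("brute force:", brute_force_solution(classic_predicate, 300))
    print("behaviour (equal, plain calls, obfuscated calls):", compare_behaviour(12345, 678))
```

Running `prove_never_true` on a candidate that does have solutions (for instance x² − y² = 3, solved by x = 2, y = 1) returns None for every modulus, which is the right outcome: the residue check can prove a predicate opaque but can never prove it satisfiable, so pair it with a bounded brute-force search when triaging obfuscated conditions.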
The shared use of this unusual obfuscation technique, combined with its co-location with SlimAgent, leads us to assess with high confidence that BeardShell is part of Sednit's custom arsenal.
Since the initial 2024 case, Sednit has continued deploying BeardShell through 2025 and into 2026, primarily in long-term espionage operations targeting Ukrainian military personnel. To maintain persistent access to these high-value targets, Sednit systematically deploys another implant alongside BeardShell: Covenant, the final component of its modern arsenal.
Covenant
Covenant is an open-source .NET post-exploitation framework first released in February 2019. It enables the creation and management of .NET implants through a web-based dashboard – see the example in Figure 9 – and provides over 90 built-in tasks, supporting capabilities such as data exfiltration, target monitoring, and network pivoting.

Since 2023, Sednit developers have made a number of modifications to, and experiments with, Covenant to establish it as their primary espionage implant, keeping BeardShell mainly as a fallback in case Covenant runs into operational issues, such as the takedown of its cloud-based infrastructure.
For example, Sednit replaced Covenant's original implant name-generation mechanism with a deterministic method (see Figure 10), producing identifiers derived from machine characteristics rather than generating a new random value at each execution (see the Name column in the Grunts section in Figure 9). This modification illustrates how Sednit adapted Covenant for long-term espionage rather than short-term post-exploitation activity: in long-running operations, having the same machine appear under a different identifier after each reboot would clutter the dashboard and reduce operational efficiency.

Sednit also modified the execution flow of Covenant, which is a two-stage implant, probably to evade behavioral detection. Instead of having the first-stage downloader invoke the main method of the second-stage .NET assembly using a fixed index (as originally implemented), they introduced a DisplayName attribute and iterated over method attributes to find the entry point. In early 2023 variants, Sednit developers even experimented with embedding both stages in a single binary.
Covenant officially supports only HTTP and SMB, which leads to Sednit's most significant Covenant modification: the addition of a cloud-based network protocol. To achieve this, Sednit developers leveraged the C2Bridge project, a standalone framework created by Covenant's original author to ease the integration of new communication protocols. With C2Bridge, developers need only implement a class conforming to the IMessenger interface on the implant side, providing Read and Write methods to handle the low-level communications. C2Bridge then runs as a standalone component on the controller to relay messages, while new implants created by the controller use the implemented communication methods.
Figure 11 shows the classes introduced by Sednit developers to communicate with the Filen cloud provider, used since July 2025. The FilenMessenger class implements IMessenger and relies on FilenClient to interact with the Filen API. Previously, in 2023, Sednit's Covenant abused the legitimate cloud service pCloud, and in 2024–2025, Koofr, using similar implementations.
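The relay pattern described in the two paragraphs above, as an added example in Python; this is not C2Bridge, Covenant or Sednit code. A `Messenger` base class mirrors the shape of C2Bridge's IMessenger (a Read and a Write), and `DriveMessenger` implements it over a cloud drive used as a dead drop, with the real provider replaced by an in-memory `FakeDriveClient` so the example runs offline. The mailbox path is keyed by an implant identifier derived deterministically from machine characteristics, which is the effect of the naming change discussed earlier: the same host lands in the same mailbox after every restart. The class names, folder layout and hashing choice are all hypothetical.

```python
"""Dead-drop C2 relay over a cloud drive (added example; all names are hypothetical)."""
import hashlib
import json
from abc import ABC, abstractmethod
from typing import Dict, List, Optional


def deterministic_implant_id(hostname: str, mac: str, username: str) -> str:
    """Stable identifier from machine characteristics: same host -> same id across reboots."""
    material = f"{hostname.lower()}|{mac.lower()}|{username.lower()}".encode()
    return hashlib.sha256(material).hexdigest()[:12]


class FakeDriveClient:
    """Stand-in for a cloud-storage API: upload, list, download and delete by path."""

    def __init__(self) -> None:
        self._files: Dict[str, bytes] = {}

    def upload(self, path: str, data: bytes) -> None:
        self._files[path] = data

    def list_dir(self, prefix: str) -> List[str]:
        return sorted(p for p in self._files if p.startswith(prefix))

    def download(self, path: str) -> bytes:
        return self._files[path]

    def delete(self, path: str) -> None:
        del self._files[path]


class Messenger(ABC):
    """Same shape as C2Bridge's IMessenger: one Read and one Write method."""

    @abstractmethod
    def read(self) -> Optional[dict]: ...

    @abstractmethod
    def write(self, message: dict) -> None: ...


class DriveMessenger(Messenger):
    """One side of a dead drop: writes into `outbox`, reads (and consumes) from `inbox`."""

    def __init__(self, client: FakeDriveClient, inbox: str, outbox: str) -> None:
        self.client, self.inbox, self.outbox = client, inbox, outbox
        self._seq = 0

    def write(self, message: dict) -> None:
        self._seq += 1  # zero-padded sequence number keeps lexical order == send order
        self.client.upload(f"{self.outbox}/{self._seq:08d}.json", json.dumps(message).encode())

    def read(self) -> Optional[dict]:
        pending = self.client.list_dir(self.inbox + "/")
        if not pending:
            return None                       # nothing queued; caller polls again later
        path = pending[0]                     # oldest message first
        message = json.loads(self.client.download(path))
        self.client.delete(path)              # consume it so it is never replayed
        return message


def relay_round_trip(drive: FakeDriveClient, implant_id: str, task: str) -> dict:
    """Bridge issues a task, implant picks it up, 'executes' it (stubbed), returns the result."""
    base = f"dropbox/{implant_id}"
    bridge = DriveMessenger(drive, inbox=f"{base}/results", outbox=f"{base}/tasks")
    implant = DriveMessenger(drive, inbox=f"{base}/tasks", outbox=f"{base}/results")

    bridge.write({"id": implant_id, "task": task})          # controller side
    received = implant.read()                                # implant side
    if received is None or received["task"] != task:
        raise RuntimeError("task did not arrive intact")
    implant.write({"id": implant_id, "output": f"ran:{received['task']}"})
    result = bridge.read()                                   # controller side
    if result is None or bridge.read() is not None or implant.read() is not None:
        raise RuntimeError("queues not drained after one round trip")
    return result


if __name__ == "__main__":
    drive = FakeDriveClient()
    iid = deterministic_implant_id("WS-042", "00:11:22:33:44:55", "alice")
    print(iid, relay_round_trip(drive, iid, "whoami"))
```

Neither side ever contacts the other directly: both only speak the provider's HTTPS API, which is why the ATT&CK mapping below lists Web Service (T1102) and Exfiltration Over Web Service (T1567) rather than attacker-owned infrastructure, and why taking the drive account down cuts the channel without exposing the controller.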

These adaptations show that Sednit developers acquired deep expertise in Covenant – an implant whose official development ceased in April 2021 and that defenders may have considered abandoned. This surprising operational choice appears to have paid off: Sednit has successfully relied on Covenant for several years, notably against selected targets in Ukraine. For instance, in 2025, our analysis of Sednit-controlled Covenant cloud drives revealed machines that had been monitored for more than six months. In January 2026, Sednit also deployed Covenant in a series of spearphishing campaigns exploiting the CVE-2026-21509 vulnerability, as reported by CERT-UA.
Conclusion
In this blogpost, we have shown that Sednit's advanced development team is active once again, operating an arsenal centered on two implants – BeardShell and Covenant – deployed in tandem and each leveraging a different cloud provider. This setup enables operators to reestablish access quickly if the infrastructure for one of them is taken down. We believe this dual-implant strategy is not new. For example, in the 2021 campaign documented by Trellix, Sednit deployed two implants in parallel: Graphite, which used OneDrive as its C&C channel, and PowerShell Empire, which relied on separate dedicated infrastructure.
The sophistication of BeardShell and the extensive modifications made to Covenant demonstrate that Sednit's developers remain fully capable of producing advanced custom implants. Furthermore, the shared code and techniques linking these tools to their 2010-era predecessors strongly suggest continuity within the development team.
This raises the question of what these developers were doing during all those years, when the security community mainly observed phishing activity from Sednit. One possibility is that advanced development efforts were reactivated following the Russian invasion of Ukraine. Another is that they never stopped working, but instead became more cautious.
For any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com. ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.
IoCs
Files
A comprehensive list of indicators of compromise (IoCs) and samples can be found in our GitHub repository.
| SHA-1 | Filename | Detection | Description |
|---|---|---|---|
| 5603E99151F8803C13D4 | eapphost.dll | Win64/Spy.KeyLogger.LS | SlimAgent. |
| 6D39F49AA11CE0574D58 | tcpiphlpsvc.dll | Win64/BeardShell.A | BeardShell. |
MITRE ATT&CK techniques
This table was built using version 18 of the MITRE ATT&CK framework.
| Tactic | ID | Name | Description |
|---|---|---|---|
| Resource Development | T1583.006 | Acquire Infrastructure: Web Services | BeardShell relies on Icedrive cloud storage. Covenant relies on Filen cloud storage. |
| | T1587.001 | Develop Capabilities: Malware | BeardShell and SlimAgent are custom malware. |
| Execution | T1059.001 | Command and Scripting Interpreter: PowerShell | BeardShell executes PowerShell commands. |
| | T1129 | Shared Modules | BeardShell and SlimAgent are full-fledged DLL files. |
| Privilege Escalation | T1546.015 | Event Triggered Execution: Component Object Model Hijacking | BeardShell and SlimAgent are made persistent by hijacking COM objects. |
| Defense Evasion | T1027 | Obfuscated Files or Information | BeardShell's Icedrive token decryption is obfuscated. |
| | T1140 | Deobfuscate/Decode Files or Information | BeardShell decrypts its strings. |
| | T1480 | Execution Guardrails | BeardShell only executes in taskhost.exe or taskhostw.exe. SlimAgent only executes in explorer.exe. |
| | T1564 | Hide Artifacts | SlimAgent logs are written into a hidden file. |
| Discovery | T1082 | System Information Discovery | BeardShell sends a fingerprint of the compromised machine. |
| Collection | T1005 | Data from Local System | BeardShell, Covenant, and SlimAgent collect data from the compromised machine. |
| | T1056.001 | Input Capture: Keylogging | SlimAgent performs keylogging. |
| | T1113 | Screen Capture | SlimAgent captures screenshots of the compromised machine. |
| | T1115 | Clipboard Data | SlimAgent collects clipboard data. |
| Command and Control | T1001 | Data Obfuscation | BeardShell exfiltrates data in fake images. |
| | T1071.001 | Application Layer Protocol: Web Protocols | BeardShell and Covenant use HTTPS for C&C. |
| | T1102 | Web Service | BeardShell gets commands from Icedrive. Covenant gets commands from Filen. |
| | T1573.002 | Encrypted Channel: Asymmetric Cryptography | BeardShell communications with Icedrive are encrypted using HTTPS. Covenant communications with its controller use RSA-encrypted session keys. |
| Exfiltration | T1567 | Exfiltration Over Web Service | BeardShell exfiltrates data to Icedrive. Covenant exfiltrates data to Filen. |

