{ "id": "0f00adf2-ae0e-4282-a21a-31e10dd042bd", "created_at": "2026-04-06T00:19:54.22898Z", "updated_at": "2026-04-10T13:11:52.649917Z", "deleted_at": null, "sha1_hash": "5793ff5e550c80516d5a7c10c2e2c7dc94648ade", "title": "APT28 hackers use Signal chats to launch new malware attacks on Ukraine", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 3931540, "plain_text": "APT28 hackers use Signal chats to launch new malware attacks on\r\nUkraine\r\nBy Bill Toulas\r\nPublished: 2025-06-23 · Archived: 2026-04-05 18:09:20 UTC\r\nThe Russian state-sponsored threat group APT28 is using Signal chats to target government targets in Ukraine with two\r\npreviously undocumented malware families named BeardShell and SlimAgent.\r\nTo be clear, this is not a security issue in Signal. Instead, threat actors are more commonly utilizing the messaging platform\r\nas part of their phishing attacks due to its increased usage by governments worldwide.\r\nThe attacks were first discovered by Ukraine's Computer and Emergency Response (CERT-UA) in March 2024, though\r\nlimited details about the infection vector were uncovered at the time.\r\nhttps://www.bleepingcomputer.com/news/security/apt28-hackers-use-signal-chats-to-launch-new-malware-attacks-on-ukraine/\r\nPage 1 of 4\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/apt28-hackers-use-signal-chats-to-launch-new-malware-attacks-on-ukraine/\r\nPage 2 of 4\n\nVisit Advertiser websiteGO TO PAGE\r\nOver a year later, in May 2025, ESET notified CERT-UA of unauthorized access to a gov.ua email account, prompting a new\r\nincident response.\r\nDuring this new investigation, CERT-UA discovered that messages sent via the encrypted messenger app Signal were used\r\nto deliver a malicious document to targets (Акт.doc), which uses macros to load a memory-resident backdoor called\r\nCovenant.\r\nAPT28 attack via Signal\r\nSource: CERT-UA\r\nCovenant acts as a malware loader, downloading a DLL (PlaySndSrv.dll) and a shellcode-ridden WAV file (sample-03.wav)\r\nthat loads BeardShell, a previously undocumented C++ malware.\r\nFor both the loader and the primary malware payload, persistence is secured via COM-hijacking in the Windows registry.\r\nEstablishing persistence for BeardShell\r\nSource: CERT-UA\r\nBeardShell's main functionality is to download PowerShell scripts, decrypt them using 'chacha20-poly1305', and execute\r\nthem. The execution results are exfiltrated to the command-and-control (C2) server, the communication with which is\r\nfacilitated by Icedrive API.\r\nIn the 2024 attacks, CERT-UA also spotted a screenshot grabber named SlimAgent, which captures screenshots using an\r\narray of Windows API functions (EnumDisplayMonitors, CreateCompatibleDC,  CreateCompatibleBitmap, BitBlt,\r\nGdipSaveImageToStream).\r\nThose images are encrypted using AES and RSA, and stored locally, presumably to be exfiltrated by a separate payload/tool\r\nto APT28's C2 server.\r\nCERT-UA attributes this activity to APT28, which they track as UAC-0001, and recommends that potential targets monitor\r\nnetwork interactions with app.koofr.net and api.icedrive.net.\r\nAPT28 has a long history of targeting Ukraine as well as other key organizations in the U.S. and Europe, primarily for\r\ncyberespionage.\r\nThey are one of Russia's most advanced threat groups, exposed by Volexity in November 2024 for using a novel \"nearest\r\nneighbor\" technique, which remotely breached targets by exploiting nearby Wi-Fi networks. \r\nhttps://www.bleepingcomputer.com/news/security/apt28-hackers-use-signal-chats-to-launch-new-malware-attacks-on-ukraine/\r\nPage 3 of 4\n\nIn 2025, Signal unexpectedly became central to cyberattacks linked to Russia and Ukraine.\r\nThe popular communications platform has been abused in spear-phishing attacks that abused the platform's device-linking\r\nfeature to hijack accounts and in Dark Crystal RAT distribution against key targets in Ukraine.\r\nAt some point, representatives of Ukraine's government expressed disappointment that Signal allegedly stopped\r\ncollaborating with them in their effort to block Russian attacks. Ukrainian officials later voiced frustration over Signal's lack\r\nof cooperation in blocking Russian operations.\r\nHowever, Signal president Meredith Whittaker met that claim with surprise, saying the platform has never shared\r\ncommunication data with Ukraine or any other government.\r\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/apt28-hackers-use-signal-chats-to-launch-new-malware-attacks-on-ukraine/\r\nhttps://www.bleepingcomputer.com/news/security/apt28-hackers-use-signal-chats-to-launch-new-malware-attacks-on-ukraine/\r\nPage 4 of 4", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://www.bleepingcomputer.com/news/security/apt28-hackers-use-signal-chats-to-launch-new-malware-attacks-on-ukraine/" ], "report_names": [ "apt28-hackers-use-signal-chats-to-launch-new-malware-attacks-on-ukraine" ], "threat_actors": [ { "id": "730dfa6e-572d-473c-9267-ea1597d1a42b", "created_at": "2023-01-06T13:46:38.389985Z", "updated_at": "2026-04-10T02:00:02.954105Z", "deleted_at": null, "main_name": "APT28", "aliases": [ "Pawn Storm", "ATK5", "Fighting Ursa", "Blue Athena", "TA422", "T-APT-12", "APT-C-20", "UAC-0001", "IRON TWILIGHT", "SIG40", "UAC-0028", "Sofacy", "BlueDelta", "Fancy Bear", "GruesomeLarch", "Group 74", "ITG05", "FROZENLAKE", "Forest Blizzard", "FANCY BEAR", "Sednit", "SNAKEMACKEREL", "Tsar Team", "TG-4127", "STRONTIUM", "Grizzly Steppe", "G0007" ], "source_name": "MISPGALAXY:APT28", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e3767160-695d-4360-8b2e-d5274db3f7cd", "created_at": "2022-10-25T16:47:55.914348Z", "updated_at": "2026-04-10T02:00:03.610018Z", "deleted_at": null, "main_name": "IRON TWILIGHT", "aliases": [ "APT28 ", "ATK5 ", "Blue Athena ", "BlueDelta ", "FROZENLAKE ", "Fancy Bear ", "Fighting Ursa ", "Forest Blizzard ", "GRAPHITE ", "Group 74 ", "PawnStorm ", "STRONTIUM ", "Sednit ", "Snakemackerel ", "Sofacy ", "TA422 ", "TG-4127 ", "Tsar Team ", "UAC-0001 " ], "source_name": "Secureworks:IRON TWILIGHT", "tools": [ "Downdelph", "EVILTOSS", "SEDUPLOADER", "SHARPFRONT" ], "source_id": "Secureworks", "reports": null }, { "id": "ae320ed7-9a63-42ed-944b-44ada7313495", "created_at": "2022-10-25T15:50:23.671663Z", "updated_at": "2026-04-10T02:00:05.283292Z", "deleted_at": null, "main_name": "APT28", "aliases": [ "APT28", "IRON TWILIGHT", "SNAKEMACKEREL", "Group 74", "Sednit", "Sofacy", "Pawn Storm", "Fancy Bear", "STRONTIUM", "Tsar Team", "Threat Group-4127", "TG-4127", "Forest Blizzard", "FROZENLAKE", "GruesomeLarch" ], "source_name": "MITRE:APT28", "tools": [ "Wevtutil", "certutil", "Forfiles", "DealersChoice", "Mimikatz", "ADVSTORESHELL", "Komplex", "HIDEDRV", "JHUHUGIT", "Koadic", "Winexe", "cipher.exe", "XTunnel", "Drovorub", "CORESHELL", "OLDBAIT", "Downdelph", "XAgentOSX", "USBStealer", "Zebrocy", "reGeorg", "Fysbis", "LoJax" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434794, "ts_updated_at": 1775826712, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/5793ff5e550c80516d5a7c10c2e2c7dc94648ade.pdf", "text": "https://archive.orkl.eu/5793ff5e550c80516d5a7c10c2e2c7dc94648ade.txt", "img": "https://archive.orkl.eu/5793ff5e550c80516d5a7c10c2e2c7dc94648ade.jpg" } }