BEARDSHELL
BeardShell is a custom C++ backdoor/implant attributed with high confidence to Sednit/APT28 (Fancy Bear, Sofacy, Forest Blizzard), a GRU-linked Russian state-sponsored threat actor. It has been observed since at least April 2024 and was used through 2025 and into 2026 in long-term cyber-espionage operations, especially against Ukrainian military personnel, as well as Ukrainian governmental entities, drone manufacturers, and organizations involved in drone research and development.
The malware is described as a sophisticated implant that executes PowerShell commands on compromised Windows systems, including within a .NET runtime environment. Multiple reports state it retrieves, decrypts, and executes PowerShell payloads and returns execution results to the operator. BeardShell uses legitimate cloud storage as its command-and-control channel, most consistently Icedrive; some reporting also describes it more generically as using cloud storage APIs as its command channel. ESET reported that Icedrive has no public API and that the operators reimplemented the private protocol used by the official client. BeardShell communications have been described as using HTTPS and ChaCha20-Poly1305 layered on top of TLS.
BeardShell has been deployed as part of layered post-exploitation chains and alongside other Sednit tooling, especially the heavily modified Covenant implant and, in related operations, SlimAgent and NotDoor. ESET assessed that Covenant serves as Sednit’s primary espionage implant while BeardShell acts as a fallback or is used to redeploy Covenant, with the dual-implant approach improving resilience through separate cloud-based C2 channels. In Operation Phantom Net Voxel, BeardShell was deployed after earlier-stage loaders and was associated with steganographic delivery chains in which shellcode or C2 information was hidden in PNG or image files stored in cloud services. Reporting also states that BeardShell and Covenant extracted C2 addresses from images in cloud storage.
Observed behaviors attributed to BeardShell include executing PowerShell commands, beaconing periodically, creating host-specific directories derived from system or hardware identifiers, establishing persistence, and hiding files under fake image headers. Some reporting specifically mentions Registry Run Keys and COM hijacking in the broader campaign context, and one 2026 intrusion chain linked to related BeardShell tooling used COM hijacking and a temporary scheduled task named OneDriveHealth to trigger malicious loading. BeardShell has also been associated with opaque-predicate obfuscation, a rare technique ESET says it previously observed in Sednit’s older Xtunnel tool, which supports attribution to APT28.
High-confidence malware identifiers mentioned in the content include tcpiphlpsvc.dll with SHA-1 6D39F49AA11CE0574D581F10DB0F9BAE423CE3D5, detected as Win64/BeardShell.A. The content also repeatedly links BeardShell to campaigns targeting Ukrainian military and government interests for persistent surveillance and intelligence collection rather than disruptive effects.
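Two of the behaviours summarised above, hiding files under fake image headers and exfiltrating data in fake images, give defenders a cheap structural hunt: a file that begins with the PNG signature but whose chunk layout does not parse end to end (bad chunk CRCs, a first chunk that is not IHDR, no IEND, or bytes appended after IEND) is not the image it claims to be. The checker below is an added example written for this page, not code from ESET or from the Mallory platform; the function name and the sample blobs are constructed for illustration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_anomalies(data: bytes) -> list:
    """Return reasons the blob is not a well-formed PNG; [] means the chunk
    structure parses end to end and every chunk CRC checks out."""
    if not data.startswith(PNG_SIG):
        return ["no PNG signature"]
    findings, pos, first, seen_iend = [], len(PNG_SIG), True, False
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if len(body) < length:  # declared length runs past end of file
            findings.append("truncated chunk %r" % ctype)
            break
        crc_off = pos + 8 + length
        if crc_off + 4 > len(data):
            findings.append("missing CRC on %r" % ctype)
            break
        (crc,) = struct.unpack(">I", data[crc_off:crc_off + 4])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            findings.append("bad CRC on %r" % ctype)
        if first and ctype != b"IHDR":
            findings.append("first chunk is %r, not IHDR" % ctype)
        first = False
        pos = crc_off + 4
        if ctype == b"IEND":
            seen_iend = True
            break
    if not seen_iend:
        findings.append("no IEND chunk")
    elif pos < len(data):  # a real encoder stops at IEND; extra bytes are suspect
        findings.append("%d trailing bytes after IEND" % (len(data) - pos))
    return findings

def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Build one PNG chunk (length, type, data, CRC) for the constructed samples."""
    return (struct.pack(">I", len(body)) + ctype + body
            + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF))

# Constructed samples (not real malware artefacts): a valid 1x1 grayscale PNG,
# the PNG signature stapled onto non-image bytes, and a PNG with bytes after IEND.
GOOD_PNG = (PNG_SIG + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
            + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b""))
FAKE_HEADER = PNG_SIG + b"MZ\x90\x00" + b"\x00" * 44
APPENDED = GOOD_PNG + b"\x01\x02\x03\x04"
```

A clean result is not proof of a benign file: a payload embedded steganographically inside an otherwise valid image parses without error, so this check complements rather than replaces the C2-channel and host indicators above.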
Vulnerabilities exploited
1 CVE correlated with this family across public research and vendor advisories.
The attackers weaponized a newly disclosed Microsoft Office 1-day (CVE-2026-21509) within 24 hours of its public revelation... CVE-2026-21509, a Microsoft Office security feature bypass vulnerability... allows embedded OLE objects to execute by leveraging the WebDAV protocol to fetch external payloads from attacker-controlled infrastructure.
Groups observed using it
3 distinct threat actors attributed by public researchers.
In Operation Phantom Net Voxel, the group deployed a custom C++ backdoor named BeardShell that uses cloud storage APIs as its command channel.
a new backdoor called BeardShell ... written in C++, establishes persistence, executes PowerShell commands, and hides files under fake image headers.
Researchers at cybersecurity company ESET noticed that since April 2024, the Russian group has started using in attacks two implants named BeardShell and Covenant.
Techniques & procedures
31 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development (3 techniques)
MITRE ATT&CK techniques ... T1583.006 Acquire Infrastructure: Web Services BeardShell relies on Icedrive cloud storage. Covenant relies on Filen cloud storage.
Initial Access (2 techniques)
Spear phishing campaigns or the SedKit exploit kit delivered the Seduploader first stage.
APT28’s attack begins with spear-phishing emails containing weaponized documents that exploit CVE-2026-21509... They noted that the APT28 adversary orchestrated a concentrated 72-hour spear-phishing campaign... delivering at least 29 distinct emails across nine Eastern European nations.
Execution (5 techniques)
The researchers detailed that the malware establishes persistence by hijacking a COM object and briefly creating a scheduled task, ‘OneDriveHealth,’ to restart explorer[dot]exe and trigger the malicious load before deleting itself.
BeardShell is a sophisticated implant capable of executing PowerShell commands within a .NET runtime environment...
MITRE ATT&CK techniques ... T1129 Shared Modules BeardShell and SlimAgent are full-fledged DLL files.
The attackers moved quickly, weaponizing a newly disclosed Microsoft Office one-day vulnerability, CVE-2026-21509, within 24 hours of its public disclosure... When victims open these malicious documents, the exploit triggers automatically without requiring macros or user interaction.
Persistence (2 techniques)
Privilege Escalation (3 techniques)
The researchers detailed that the malware establishes persistence by hijacking a COM object and briefly creating a scheduled task, ‘OneDriveHealth,’ to restart explorer[dot]exe and trigger the malicious load before deleting itself.
Stealth (8 techniques)
MITRE ATT&CK techniques ... T1027 Obfuscated Files or Information BeardShell Icedrive token decryption is obfuscated.
Steganography (T1027.003) hides the payload from file analysis: a PNG containing shellcode is not an executable file...
BeardShell uses lightweight anti-analysis checks to evade sandboxes, decrypts embedded strings, and dynamically resolves Windows APIs.
The entire chain is designed for resilience and evasion, utilizing encrypted payloads, legitimate cloud services for C2, in-memory execution, and process injection to minimize forensic artifacts.
MITRE ATT&CK techniques ... T1140 Deobfuscate/Decode Files or Information BeardShell decrypts its strings.
MITRE ATT&CK techniques ... T1480 Execution Guardrails BeardShell only executes in taskhost.exe or taskhostw.exe. SlimAgent only executes in explorer.exe.
Discovery (2 techniques)
Collection (1 technique)
Command and Control (7 techniques)
MITRE ATT&CK techniques ... T1001 Data Obfuscation BeardShell exfiltrates data in fake images.
The extracted shellcode, ultimately, is used to load an embedded .NET assembly, which is nothing but a Grunt implant associated with the open source .NET COVENANT command-and-control (C2) framework.
In Operation Phantom Net Voxel, the group deployed a custom C++ backdoor named BeardShell that uses cloud storage APIs as its command channel.
BeardShell ... leverages the legitimate cloud storage service Icedrive as its C&C channel... Previously, in 2023, Sednit’s Covenant abused the legitimate cloud service pCloud, and in 2024–2025, Koofr ... Figure 11 shows the classes introduced by Sednit developers to communicate with the Filen cloud provider, used since July 2025.
IOCs tracked for this family
5 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
31 sources tracked across advisories, community write-ups, and news.
Implant/backdoor used in the APT28 campaign to extract C2 addresses from steganographic PNG images stored in cloud services and communicate over HTTPS via Icedrive API with additional ChaCha20-Poly1305 encryption layered over TLS.
A custom C++ backdoor that uses a legitimate cloud storage API as its command-and-control channel to blend malicious traffic with trusted cloud service activity.
A custom C++ backdoor that uses a legitimate cloud storage API as its command-and-control channel to evade detection.
A custom C++ backdoor used in Operation Phantom Net Voxel, leveraging legitimate cloud APIs for command-and-control and linked by code lineage to X-Agent-era development.