Mallory
Malware · Used by 2 actors · Exploits 1 CVE

SlimAgent

SlimAgent is a C++ spyware/keylogger attributed with high confidence to Sednit/APT28 (Fancy Bear, GRU Unit 26165). It was discovered on a Ukrainian government system in April 2024 and has been associated with long-term espionage operations targeting Ukrainian government and military personnel. Multiple reports state that SlimAgent is a simple but effective surveillance implant that logs keystrokes, captures screenshots, and collects clipboard data. ESET also identified related samples dating back to 2018 that targeted governmental entities in two European countries, and assessed that those samples and the 2024 sample were built from the same codebase.

SlimAgent has direct code lineage to APT28’s historic X-Agent/Xagent malware, specifically its keylogging module. Reported overlaps include matching internal naming such as RemoteKeyLogger.dll, similar keylogging logic, and the same HTML log formatting/color scheme. This lineage is cited as a key basis for attribution to APT28/Sednit.

Operationally, SlimAgent has been observed alongside other APT28 tooling, including BeardShell and modified Covenant implants, on the same operator infrastructure or APT28-controlled C2 servers. CERT-UA reported SlimAgent publicly in 2025, including its use in activity where Signal chats were exploited to deliver BeardShell and SlimAgent to Ukrainian government organizations. In broader reporting on Operation Phantom Net Voxel and related campaigns, APT28 used spearphishing and trojanized Office documents, sometimes delivered via Signal Desktop, to target Ukrainian entities; however, SlimAgent itself was not directly observed in every intrusion chain.

Reported collection and storage behavior includes screenshot capture via Windows APIs, local storage of encrypted screenshots using timestamped filenames, and encryption using AES and RSA. Some reporting states that collected results were exfiltrated as encrypted image files through the same cloud channels used by associated APT28 implants. A published sample associated with SlimAgent was identified as eapphost.dll with SHA-1 5603E99151F8803C13D48D83B8A64D071542F01B and detection name Win64/Spy.KeyLogger.LS.
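The storage and exfiltration behaviour described above gives defenders a simple file-level hunt: an AES-encrypted screenshot saved or staged under an image extension will not carry the format's magic bytes and will show near-maximal byte entropy. The script below is an added example, not code from the report or from Mallory; the file names, contents and the 7.5 bits/byte threshold are constructed for illustration and would need tuning on real file shares.

```python
"""Hunt for encrypted blobs stored under image extensions.

Added example (not from the report or the Mallory page). Reporting says
SlimAgent stores encrypted screenshots locally under timestamped filenames
and exfiltrates them as image files (.bmp/.gif/.jpeg/.png/.tiff). Ciphertext
under an image extension fails the format's magic-byte check and has
near-maximal Shannon entropy; this script checks both conditions on
constructed in-memory samples.
"""
import math
import os
import random
from collections import Counter

# Magic-byte prefixes of the image formats named in the reporting.
MAGIC = {
    ".bmp": [b"BM"],
    ".gif": [b"GIF87a", b"GIF89a"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".jpg": [b"\xff\xd8\xff"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".tiff": [b"II*\x00", b"MM\x00*"],
    ".tif": [b"II*\x00", b"MM\x00*"],
}

# Bits per byte; AES ciphertext sits close to 8.0, text and bitmaps far lower.
# The threshold is an assumed starting point, not a value from the reporting.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Byte-level Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def magic_matches(name: str, data: bytes) -> bool:
    """True if the content starts with a magic prefix valid for the extension.
    Extensions not in MAGIC are treated as matching (nothing to compare)."""
    prefixes = MAGIC.get(os.path.splitext(name)[1].lower())
    if prefixes is None:
        return True
    return any(data.startswith(p) for p in prefixes)


def is_masqueraded_image(name: str, data: bytes) -> bool:
    """True when the name claims an image format but the content looks like
    ciphertext: wrong magic bytes AND high entropy. Requiring both avoids
    flagging plain-text files that merely carry a wrong extension."""
    if os.path.splitext(name)[1].lower() not in MAGIC:
        return False
    return (not magic_matches(name, data)
            and shannon_entropy(data) >= ENTROPY_THRESHOLD)


def scan(files: dict) -> list:
    """Return the names in {name: content} that look like masqueraded images."""
    return [name for name, data in files.items() if is_masqueraded_image(name, data)]


def build_samples() -> dict:
    """Constructed sample files; the timestamped names imitate the reported
    naming pattern and are not indicators from any report."""
    rng = random.Random(2024)  # seeded so the result is reproducible
    ciphertext = bytes(rng.getrandbits(8) for _ in range(4096))
    return {
        # genuine PNG header followed by a flat (low-entropy) payload
        "20240417_101455.png": MAGIC[".png"][0] + b"\x00" * 2048,
        # ciphertext stored under an image extension: the case to flag
        "20240417_101502.jpeg": ciphertext,
        # wrong magic but plain text: not ciphertext, must not be flagged
        "20240417_101509.gif": b"this is not a gif " * 100,
        # high entropy but not an image extension: outside this hunt's scope
        "notes.txt": ciphertext,
    }


if __name__ == "__main__":
    for hit in scan(build_samples()):
        print("masqueraded image:", hit)
```

Run it as-is to see the single constructed hit; on a live host, point `scan` at the contents of user-writable directories and treat a hit as a lead to correlate with the process that wrote the file, not as a verdict on its own.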

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

EXPLOITED CVES

Vulnerabilities exploited

1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

1 CVE
CVE-2026-21509: Microsoft Office Shell.Explorer.1 OLE Security Feature Bypass (exploited in the wild)

The two pieces of malware have been used recently to target central executive bodies of Ukraine in attacks that exploited the CVE-2026-21509 vulnerability in Microsoft Office via malicious DOC files.

via BleepingComputer (bleepingcomputer.com)
THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

APT28

A keylogger named SlimAgent, discovered on the same operational infrastructure, has direct code lineage to X-Agent, APT28's signature implant from more than a decade ago.

via FreeBuf (freebuf.com)
APT29

The researchers uncovered these malware families after discovering SlimAgent, a keylogging implant deployed in a Ukrainian government system capable of keystroke capture, clipboard collection, and screenshot capture.

via BleepingComputer (bleepingcomputer.com)
MITRE ATT&CK

Techniques & procedures

16 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

1 technique
T1587.001 Malware (Evidence: 1)

MITRE ATT&CK techniques ... T1587.001 Develop Capabilities: Malware BeardShell and SlimAgent are custom malware.

Initial Access

2 techniques
T1566 Phishing (Evidence: 1)

Spear phishing campaigns or the SedKit exploit kit delivered the Seduploader first stage.

T1566.001 Spearphishing Attachment (Evidence: 1)

“Sednit typically compromises its targets through social engineering over Signal Desktop or WhatsApp Desktop, persuading them to open Trojanized Excel or Word documents. In some cases, the attackers even call their targets to increase the chances of success.”

Execution

3 techniques
T1059.001 PowerShell (Evidence: 1)

It can execute PowerShell commands in a .NET runtime environment and was used together with SlimAgent.

T1129 Shared Modules (Evidence: 1)

MITRE ATT&CK techniques ... T1129 Shared Modules BeardShell and SlimAgent are full-fledged DLL files.

T1203 Exploitation for Client Execution (Evidence: 1)

The two pieces of malware have been used recently to target central executive bodies of Ukraine in attacks that exploited the CVE-2026-21509 vulnerability in Microsoft Office via malicious DOC files.

Persistence

1 technique
T1546.015 Component Object Model Hijacking (Evidence: 1)

MITRE ATT&CK techniques ... T1546.015 Event Triggered Execution: Component Object Model Hijacking BeardShell and SlimAgent are made persistent by hijacking COM objects.

Privilege Escalation

1 technique
T1546.015 Component Object Model Hijacking (Evidence: 1)

MITRE ATT&CK techniques ... T1546.015 Event Triggered Execution: Component Object Model Hijacking BeardShell and SlimAgent are made persistent by hijacking COM objects.

Stealth

2 techniques
T1480 Execution Guardrails (Evidence: 1)

MITRE ATT&CK techniques ... T1480 Execution Guardrails BeardShell only executes in taskhost.exe or taskhostw.exe. SlimAgent only executes in explorer.exe.

T1564 Hide Artifacts (Evidence: 1)

MITRE ATT&CK techniques ... T1564 Hide Artifacts SlimAgent logs are written into a hidden file.
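The Persistence and Stealth entries above (COM object hijacking for persistence, and SlimAgent running only inside explorer.exe) translate into two telemetry checks: a per-user CLSID InprocServer32 value being set, and an unsigned DLL from a user-writable path being loaded into explorer.exe. The script below is an added example written for this page, not a detection rule from ESET, CERT-UA or Mallory. It evaluates Sysmon-style Event ID 13 (registry value set) and Event ID 7 (image load) records represented as dicts; the CLSID, SID, user name and paths are constructed placeholders, and eapphost.dll is used only because it is the sample name the report gives.

```python
"""Flag per-user COM hijacks and suspicious DLL loads into explorer.exe.

Added example, not a rule from the Mallory page or any vendor. Reporting
says BeardShell and SlimAgent persist by hijacking COM objects (T1546.015)
and that SlimAgent executes only in explorer.exe (T1480). Events below are
Sysmon-shaped dicts: Event ID 13 (RegistryEvent, value set) and Event ID 7
(ImageLoad). All identifiers in SAMPLE_EVENTS are constructed placeholders.
"""
import re

# Sysmon records per-user hives as HKU\<SID>\...; HKCU\ is accepted for
# logs that a pipeline has already normalised. The trailing "\(Default)" is
# how Sysmon names the default value of the InprocServer32 key.
COM_INPROC_RE = re.compile(
    r"^(?:HKU\\[^\\]+|HKCU)\\Software\\Classes\\CLSID\\"
    r"\{[0-9A-Fa-f-]{36}\}\\InprocServer32(?:\\\(Default\))?$",
    re.IGNORECASE,
)

# Path prefixes a standard user can normally write to (assumed list).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def is_user_writable(path: str) -> bool:
    return path.lower().startswith(USER_WRITABLE_PREFIXES)


def check_registry_event(event: dict):
    """Event ID 13: a per-user CLSID InprocServer32 value was set.
    A per-user override of a COM server is the core of T1546.015; the
    severity is raised when the DLL lives somewhere the user can write."""
    if event.get("EventID") != 13:
        return None
    if not COM_INPROC_RE.match(event.get("TargetObject", "")):
        return None
    dll = event.get("Details", "")
    return {
        "rule": "T1546.015 per-user COM InprocServer32 override",
        "severity": "high" if is_user_writable(dll) else "medium",
        "dll": dll,
        "process": event.get("Image", ""),
    }


def check_imageload_event(event: dict):
    """Event ID 7: explorer.exe loaded an unsigned DLL from a user-writable
    path. This is the host process the guardrail in the reporting selects."""
    if event.get("EventID") != 7:
        return None
    host = event.get("Image", "")
    loaded = event.get("ImageLoaded", "")
    if not host.lower().endswith("\\explorer.exe"):
        return None
    if is_user_writable(loaded) and event.get("Signed", "true").lower() == "false":
        return {
            "rule": "unsigned DLL from user-writable path loaded into explorer.exe",
            "severity": "high",
            "dll": loaded,
            "process": host,
        }
    return None


def detect(events: list) -> list:
    """Run both checks over a list of events and return the alerts in order."""
    alerts = []
    for event in events:
        for check in (check_registry_event, check_imageload_event):
            hit = check(event)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample telemetry; the CLSID is all zeros on purpose and the
# SID, user and process paths are placeholders, not reported indicators.
SAMPLE_EVENTS = [
    {"EventID": 13, "EventType": "SetValue",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\CLSID"
                     r"\{00000000-0000-0000-0000-000000000000}\InprocServer32\(Default)",
     "Details": r"C:\Users\alice\AppData\Roaming\eapphost.dll",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"EventID": 13, "EventType": "SetValue",  # machine-wide, system DLL: benign
     "TargetObject": r"HKLM\SOFTWARE\Classes\CLSID"
                     r"\{00000000-0000-0000-0000-000000000000}\InprocServer32\(Default)",
     "Details": r"C:\Windows\System32\shell32.dll",
     "Image": r"C:\Windows\System32\msiexec.exe"},
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\eapphost.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe",  # normal signed system DLL
     "ImageLoaded": r"C:\Windows\System32\shell32.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['rule']}: {alert['dll']} via {alert['process']}")
```

The registry check fires on the hijack itself, before any payload runs; the image-load check catches the same DLL at execution time and also covers hijacks that were set up before logging started. Expect legitimate per-user COM registrations from some installers, which is why the registry check returns medium rather than high when the DLL is under a protected path.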

Credential Access

1 technique
T1056.001 Keylogging (Evidence: 13)

A keylogger named SlimAgent, discovered on the same operational infrastructure, has direct code lineage to X-Agent, APT28's signature implant from more than a decade ago.

Collection

4 techniques
T1005 Data from Local System (Evidence: 1)

MITRE ATT&CK techniques ... T1005 Data from Local System BeardShell, Covenant, and SlimAgent collect data from a compromised machine.

T1056.001 Keylogging (Evidence: 13)

A keylogger named SlimAgent, discovered on the same operational infrastructure, has direct code lineage to X-Agent, APT28's signature implant from more than a decade ago.

T1113 Screen Capture (Evidence: 7)

SlimAgent is a simple yet efficient spying tool capable of logging keystrokes, capturing screenshots, and collecting clipboard data.

T1115 Clipboard Data (Evidence: 5)

SlimAgent is a simple yet efficient spying tool capable of logging keystrokes, capturing screenshots, and collecting clipboard data.

Command and Control

1 technique
T1105 Ingress Tool Transfer (Evidence: 1)

The group shifted from stable malware frameworks to deploying short-lived, single-purpose tools that are discarded as soon as they are exposed.

Exfiltration

2 techniques
T1041 Exfiltration Over C2 Channel (Evidence: 1)

Results are exfiltrated as encrypted images with .bmp/.gif/.jpeg/.png/.tiff extensions through the same cloud channel (T1041, T1567.002).

T1567.002 Exfiltration to Cloud Storage (Evidence: 1)

...exfiltration of documents through the same cloud channel (Exfiltration to Cloud Storage, T1567.002).

INDICATORS OF COMPROMISE

IOCs tracked for this family

1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Hashes
1 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Type | Value | Latest sighting
hash.sha1 | (value withheld on the public page; available in Mallory) | 4 months ago
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching (1)

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution (2)

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities (1)

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (16)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.