(welivesecurity.com) Sednit APT28 Resurfaces with Modern BeardShell and Covenant Implants Rooted in 2010s Codebase
-
ESET researchers document the reemergence of Sednit (APT28/GRU Unit 26165) with a new toolkit targeting Ukrainian military personnel in prolonged espionage operations. The group deployed BeardShell, a .NET implant using Icedrive's API for C2, and a modified Covenant framework leveraging pCloud, Koofr, and Filen as command and control channels. A keylogger named SlimAgent was traced as a direct descendant of the group's Xagent backdoor through shared code structures. A specific Diophantine equation obfuscation technique links these tools to Sednit's older Xtunnel implant, reinforcing attribution to the group's development team, largely dormant since 2019.
IOCs in the article.
Source: https://www.welivesecurity.com/en/eset-research/sednit-reloaded-back-trenches/
Fediverse: @ESETresearch @ESET