Since April 2024, Sednit’s advanced development team has reemerged with a modern toolkit centered on two paired implants, BeardShell and Covenant, each using a different cloud provider for resilience. This dual‑implant approach enabled long‑term surveillance of Ukrainian military personnel. Interestingly, these current toolsets show a direct code lineage to the group’s 2010‑era implants.
Key points of this blogpost:
- ESET researchers traced the reactivation of Sednit’s advanced implant team to a 2024 case in Ukraine, where a keylogger named SlimAgent was deployed.
- SlimAgent code was derived from Xagent, Sednit’s flagship backdoor from the 2010s.
- During that operation, BeardShell, a second Sednit‑developed implant, was deployed. It executes PowerShell commands via a legitimate cloud provider used as its C&C channel.
- BeardShell uses a distinctive obfuscation technique also found in Xtunnel, Sednit’s network‑pivoting tool from the 2010s.
- Across 2025 and 2026, Sednit repeatedly deployed BeardShell together with Covenant, a third major piece of its modern toolkit.
- Sednit heavily reworked this open‑source implant to support long‑term espionage and to implement a new network protocol based on yet another legitimate cloud provider.
Sednit profile
The Sednit group – also known as APT28, Fancy Bear, Forest Blizzard, or Sofacy – has been operating since at least 2004. The US Department of Justice named the group as one of those responsible for the Democratic National Committee (DNC) hack just before the 2016 US elections and linked the group to Unit 26165 of the GRU, a Russian Federation intelligence agency within the Main Intelligence Directorate of the Russian military. The group is also presumed to be behind the hacking of global television network TV5Monde, the World Anti-Doping Agency (WADA) email leak, and many other incidents.
What became of Sednit’s advanced implant team?
The Sednit group is arguably one of the APT groups with the most impressive record of compromised targets. Notable among its known compromises are the German parliament (2015), the French television network TV5Monde (2015), and the United States Democratic National Committee (2016).
During those years of high-profile attacks, Sednit relied on an extensive set of custom implants, ranging from full-fledged espionage backdoors such as Xagent and Sedreco, to specialized toolkits such as the network-pivoting tool Xtunnel and the data stealer for air-gapped machines USBStealer. In 2016, we extensively documented this sophisticated arsenal in our white paper En Route with Sednit.
However, in 2019, a shift occurred. Since then, and until recently, Sednit’s high-end implants have rarely been observed in the wild (with only a few exceptions, such as the Graphite malware documented by Trellix in 2021), while the group simultaneously ramped up its phishing operations. The custom malware used in these phishing attacks consisted mostly of simple script-based implants. The reasons behind that technical shift remain a mystery to us.
This blogpost documents the reappearance of Sednit’s high-end custom arsenal since 2024. Here we focus on attributing its modern toolsets, as prior publications by CERT-UA and Sekoia have covered their internal workings.
A boutique developer shop
Sednit maintains in-house development of its espionage implants, a distinctive trait that supports an attribution approach based on shared code artifacts.
To illustrate this capability, consider Xagent, the group’s flagship backdoor during the 2010s. In 2015, we found the Xagent source code on a Linux server in Ukraine, left in an unprotected archive after the attackers had compiled it. Figure 1 shows that plugins and C&C channels were enabled or disabled by commenting code in or out – selected per target according to operational requirements – leaving little doubt that developers and operators worked in close coordination.

In addition, the 2018 US DOJ indictment explicitly states that Xagent was developed in-house, accusing specific members of GRU Unit 26165 of being its developers.
In this blogpost, we leverage that development footprint as an attribution mechanism. By tracking shared code artifacts across different implants, we link the group’s 2010-era toolsets to those currently in use.
SlimAgent
Our account of modern Sednit activities begins with SlimAgent, an espionage implant discovered on a Ukrainian governmental machine by CERT-UA in April 2024. SlimAgent is a simple yet efficient spying tool capable of logging keystrokes, capturing screenshots, and collecting clipboard data.
Ancestors
Interestingly, we identified in ESET telemetry previously unknown samples with code similar to SlimAgent, which were deployed as early as 2018 – six years before the Ukrainian case – against governmental entities in two European countries. These samples exhibit strong code-level similarities with SlimAgent, including an identical six-step data-collection loop, shown in Figure 2. Each step is implemented in a nearly identical manner, as illustrated in Figure 3 with the routine responsible for logging the foreground window’s executable; the only differences lie in the layout of the internal data structures.


SlimAgent includes several features that were absent from the 2018 samples, such as encryption of the collected logs. Nevertheless, it is remarkable that samples deployed six years apart exhibit such strong code similarities.
We therefore assess with high confidence that both the 2018 samples and the 2024 SlimAgent sample were built from the same codebase. The remaining question is: where did the 2018 samples originate?
An infamous lineage
The 2018 samples have an internal name that may resonate with fellow analysts: RemoteKeyLogger.dll. This is the name of the keylogging module of Xagent, Sednit’s flagship espionage backdoor from 2012 to 2018 (documented in our white paper En Route with Sednit).
Digging into some old Xagent samples (e.g., SHA-1: D0DB619A7A160949528D46D20FC0151BF9775C32), we were indeed able to find some striking similarities, such as the one shown in Figure 4. In this code, the keylogging logic is executed only if the mouse cursor has not moved more than 10 pixels (by comparing the square of the distance between the last and the current position with 0x64, i.e., 100), and it is implemented with the same API calls.

As another example, SlimAgent emits its espionage logs in HTML format, with the application name, the logged keystrokes, and the window name in blue, red, and green, respectively. Figure 5 shows an example generated while typing and copying text in a newly created TXT file using notepad.exe. The Xagent keylogger also produces HTML logs using the same color scheme; this is illustrated in Figure 6 with the definition of the corresponding HTML color tags in the 2015 Xagent source code.
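For an incident responder, a recovered log in this layout is easier to triage as structured records than as raw HTML. The following Python script is an added example (not code from the blogpost, from ESET, or from either malware family) that parses a color-coded keylogger log into one record per line, keyed on the color of each field rather than its position. The post only gives the color scheme; the exact markup assumed here (one <font color="..."> tag per field, one <br>-terminated line per record) and the sample log content are constructed for the example.

```python
from html.parser import HTMLParser

# Field assignment taken from the described colour scheme; the tag layout is an assumption.
COLOR_TO_FIELD = {"blue": "application", "red": "keystrokes", "green": "window"}

# Constructed sample log in the assumed layout; not a real captured file.
SAMPLE_LOG = (
    '<html><body>'
    '<font color="blue">notepad.exe</font> '
    '<font color="green">Untitled - Notepad</font> '
    '<font color="red">hello &amp; goodbye</font><br>'
    '<font color="blue">notepad.exe</font> '
    '<font color="green">*Untitled - Notepad</font> '
    '<font color="red">[Ctrl+C]</font><br>'
    '<font color="blue">cmd.exe</font> '
    '<font color="green">Command Prompt</font> '
    '<font color="red">whoami</font>'          # last record may lack a trailing <br>
    '</body></html>'
)


class KeylogHtmlParser(HTMLParser):
    """Collect colour-tagged fields into one record per <br>-terminated line."""

    def __init__(self):
        super().__init__()
        self.records = []
        self._field = None      # field being read while inside a recognised <font>
        self._record = {}

    def _flush(self):
        if self._record:
            self.records.append(self._record)
            self._record = {}

    def handle_starttag(self, tag, attrs):
        if tag == "font":
            colour = (dict(attrs).get("color") or "").lower()
            self._field = COLOR_TO_FIELD.get(colour)   # unknown colours are ignored
        elif tag == "br":
            self._flush()                              # end of one log line

    def handle_endtag(self, tag):
        if tag == "font":
            self._field = None

    def handle_data(self, data):
        if self._field is not None:
            # Concatenate, so text split across several callbacks stays one value
            self._record[self._field] = self._record.get(self._field, "") + data

    def close(self):
        super().close()
        self._flush()                                  # keep a final line without <br>


def parse_keylog_html(html_text):
    """Return a list of {'application', 'window', 'keystrokes'} dicts."""
    parser = KeylogHtmlParser()
    parser.feed(html_text)
    parser.close()
    return parser.records


def applications_seen(records):
    """Sorted list of distinct application names: a quick view of what was surveilled."""
    return sorted({rec.get("application", "?") for rec in records})


if __name__ == "__main__":
    recs = parse_keylog_html(SAMPLE_LOG)
    for rec in recs:
        print(rec)
    print("applications:", applications_seen(recs))
```

Parsing by color rather than by field order means the same parser works whether the log writer emits application, window and keystrokes in one order or another, which matters when comparing logs produced by the 2018 samples, SlimAgent and the original Xagent module.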


Based on these similarities, we believe that SlimAgent is an evolution of the Xagent keylogger module, which has been deployed as a standalone component since at least 2018. Moreover, because Xagent is a custom toolset used exclusively by the Sednit group for more than six years, we attribute SlimAgent to Sednit with high confidence.
This raises a question: why would Sednit reuse an implant derived from such a well-known codebase? One possible explanation is reduced development capacity. However, SlimAgent was not the only implant found on the Ukrainian machine in 2024; BeardShell – a much more recent addition to Sednit’s custom arsenal – was deployed there as well.
BeardShell
BeardShell is a sophisticated implant capable of executing PowerShell commands within a .NET runtime environment, while leveraging the legitimate cloud storage service Icedrive as its C&C channel.
This component bears the marks of intense development efforts and is the primary reason we believe that Sednit’s advanced development team is once again active. For example, because Icedrive does not provide a publicly documented API, the developers reimplemented the requests made by the official Icedrive client. Whenever changes to Icedrive’s private API disrupt BeardShell communications, Sednit developers produce an updated version within hours to restore access.
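Two properties of BeardShell described above are also detection opportunities: a process that runs PowerShell inside its own .NET runtime has to load the PowerShell engine assembly, and its C&C traffic goes to a consumer cloud-storage service. The following Python script is an added example (not ESET's code and not derived from BeardShell) that correlates Sysmon-style image-load and network-connection events per process, flags processes other than the usual PowerShell hosts that load System.Management.Automation.dll, and escalates when the same process also contacts a watched cloud-storage domain. The event format, the expected-host list and every sample event are constructed for this example; icedrive.net is the provider's public domain and is used as the watched entry.

```python
import json
from collections import defaultdict

# Assembly that any in-process PowerShell host must load (compared by lower-cased basename).
POWERSHELL_ENGINE = "system.management.automation.dll"
# Binaries expected to host the PowerShell engine; assumed list, extend for your environment.
EXPECTED_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
# Cloud-storage domains treated as possible C&C carriers; icedrive.net is the provider named above.
WATCHED_CLOUD_DOMAINS = {"icedrive.net"}

# Constructed Sysmon-style events (not real telemetry), serialised as JSON lines below.
SAMPLE_EVENTS = [
    {"ts": "2024-04-10T09:12:01Z", "event": "image_load", "pid": 4120,
     "image": r"C:\Windows\explorer.exe",
     "loaded": r"C:\Windows\assembly\System.Management.Automation.dll"},
    {"ts": "2024-04-10T09:12:04Z", "event": "network_connect", "pid": 4120,
     "image": r"C:\Windows\explorer.exe", "dest_host": "icedrive.net", "dest_port": 443},
    {"ts": "2024-04-10T09:13:10Z", "event": "image_load", "pid": 5208,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "loaded": r"C:\Windows\assembly\System.Management.Automation.dll"},
    {"ts": "2024-04-10T09:14:22Z", "event": "network_connect", "pid": 6130,
     "image": r"C:\Users\alice\AppData\Local\SyncClient\syncclient.exe",
     "dest_host": "icedrive.net", "dest_port": 443},
    {"ts": "2024-04-10T09:15:00Z", "event": "image_load", "pid": 7001,
     "image": r"C:\Windows\System32\svchost.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll"},
    {"ts": "2024-04-10T09:16:37Z", "event": "image_load", "pid": 8800,
     "image": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "loaded": r"C:\Windows\assembly\System.Management.Automation.dll"},
]
SAMPLE_LOG = "\n".join(json.dumps(ev) for ev in SAMPLE_EVENTS)


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def host_matches(host, domains):
    """True if host is one of the domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def analyse(log_text):
    """Correlate events per pid and return a list of alert dicts."""
    procs = defaultdict(lambda: {"image": None, "engine": False, "cloud": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        proc = procs[ev["pid"]]
        proc["image"] = ev["image"]
        if ev["event"] == "image_load" and basename(ev["loaded"]) == POWERSHELL_ENGINE:
            proc["engine"] = True
        elif ev["event"] == "network_connect" and host_matches(ev["dest_host"], WATCHED_CLOUD_DOMAINS):
            proc["cloud"].add(ev["dest_host"].lower())

    alerts = []
    for pid, proc in procs.items():
        unexpected_host = proc["engine"] and basename(proc["image"]) not in EXPECTED_HOSTS
        if unexpected_host and proc["cloud"]:
            alerts.append({"pid": pid, "image": proc["image"], "severity": "high",
                           "reason": "in-process PowerShell engine plus cloud-storage traffic to "
                                     + ", ".join(sorted(proc["cloud"]))})
        elif unexpected_host:
            alerts.append({"pid": pid, "image": proc["image"], "severity": "medium",
                           "reason": "PowerShell engine loaded outside a known PowerShell host"})
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

The sync client talking to icedrive.net alone produces no alert, and powershell.exe loading the engine is expected; only the combination of an in-process engine in a non-PowerShell host and traffic to the storage provider reaches high severity, which keeps the rule usable in an environment where the provider is legitimately in use.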
A mathematical blast from the past
While we could not find other malware families directly related to BeardShell, we uncovered a surprising similarity with past Sednit tooling, starting with a C++ static initializer executed at the very start of BeardShell. This routine, whose code is shown in Figure 7, decrypts the authentication token for the Icedrive cloud storage.

The routine contains a textbook example of the obfuscation technique known as opaque predicate insertion (highlighted in the red box in Figure 7):
- An arithmetic expression evaluating to zero for all possible inputs – named x and y in Figure 7 – is used as the condition of a while loop. In practice, the loop body is never executed, because the predicate 2(x² + 1) + 2 = y² + 5 has no integer solution.
- The body of this artificial loop consists of two original instructions (shown in the yellow box in Figure 7), plus a dummy update of the input variable y to mimic a real loop body structure.
- Following the fake loop are the two original instructions that will be executed: a call to the Icedrive token decryption routine and the registration of a cleaner routine.
Opaque predicates are typically used to hinder static analysis but are not particularly useful in such a small routine. Note that other BeardShell static initializers – which are not handling important data – are protected with the same technique, so it seems that the developers simply applied the protection to all of them indiscriminately.
The predicate can be simplified, by subtracting 2 from both sides, to 2(x² + 1) = y² + 3. Interestingly, that same opaque predicate was used in Xtunnel, a network-pivoting tool used exclusively by Sednit from 2013 to 2016 and documented in our white paper
