APT28 Uses BEARDSHELL and COVENANT Malware to Spy on Ukrainian Military
Briefly

"APT28, also tracked as Blue Athena, BlueDelta, Fancy Bear, Fighting Ursa, Forest Blizzard (formerly Strontium), FROZENLAKE, Iron Twilight, ITG05, Pawn Storm, Sednit, Sofacy, and TA422, is a nation-state actor affiliated with Unit 26165 of the Russian Federation's military intelligence agency GRU."
"SLIMAGENT, per the Slovakian cybersecurity company, has its roots in XAgent, another implant used by APT28 in the 2010s to facilitate remote control and data exfiltration. This is based on code similarities discovered between SLIMAGENT and previously unknown samples deployed in attacks targeting governmental entities in two European countries as far back as 2018."
"SLIMAGENT emits its espionage logs in the HTML format, with the application name, the logged keystrokes, and the window name in blue, red, and green, respectively. The XAgent keylogger also produces HTML logs using the same color scheme."
APT28, a Russian military intelligence-affiliated threat actor known by many aliases, has used two malware implants, BEARDSHELL and COVENANT, since April 2024 to conduct long-term surveillance of Ukrainian military personnel. The group's toolkit also includes SLIMAGENT, an implant capable of keystroke logging, screenshot capture, and clipboard data collection. SLIMAGENT traces its origins to XAgent, an earlier APT28 tool deployed since at least 2014: code similarities and an identical HTML logging format (application name in blue, keystrokes in red, window name in green) link SLIMAGENT to XAgent samples, indicating incremental development of the group's espionage capabilities rather than a new codebase. BEARDSHELL functions as a backdoor that lets the operator execute PowerShell commands on compromised systems.
Read at The Hacker News