APT28 Exploits Signal for Malware Attacks on Ukrainian Officials
Discover how the Russia-linked APT28 group is leveraging Signal chats to target Ukrainian officials with advanced malware strains.
TL;DR
The Russia-linked cyberespionage group APT28 is using Signal chats to deliver two malware families, BeardShell and SlimAgent, to Ukrainian government officials. The campaign does not exploit a flaw in Signal itself: the messenger serves only as a trusted delivery channel for a macro-laced document, and its popularity for official communications is what lends the lure credibility.
Russia-Linked APT28 Group Leverages Signal Chats to Target Ukrainian Officials with Advanced Malware
The Russia-linked cyberespionage group APT28 has been identified as the actor behind a series of targeted attacks on Ukrainian government officials. The attacks use Signal chats to deliver two previously undocumented malware families, tracked as BeardShell and SlimAgent. No vulnerability in Signal is involved; the attackers rely on its growing use in official communications so that a document arriving over it looks like routine business rather than phishing.
Discovery of the Malware
In March–April 2024, during an incident response within the information and communication system of a central executive body, Ukraine’s Computer Emergency Response Team (CERT-UA) identified a Windows host infected with BEARDSHELL and SLIMAGENT. Both tools are written in C++ and have the following capabilities:
- BEARDSHELL:
- Downloads and decrypts PowerShell scripts using ChaCha20-Poly1305.
- Executes scripts and sends results via the Icedrive API.
- Creates a unique folder on each infected machine based on system identifiers.
- SLIMAGENT:
- Captures screenshots using Windows APIs.
- Encrypts screenshots with AES and RSA.
- Stores encrypted files locally with timestamped filenames.
Both tools encrypt the data they handle, and BEARDSHELL routes its tasking and results through a legitimate cloud storage service, so its command-and-control traffic looks like ordinary HTTPS to a popular provider rather than a connection to attacker-owned infrastructure.
Incident Analysis
In May 2025, ESET researchers reported unauthorized access to an email account in the Ukrainian government’s gov.ua domain. CERT-UA, in collaboration with the Cybersecurity Center of Military Unit A0334, responded to the incident. During the forensic analysis, responders found malware linked to the COVENANT framework together with the BEARDSHELL backdoor. The initial infection vector was not established during that response; subsequent investigation tied the infection to a document delivered over Signal, described below.
Attack Vector and Methodology
The attackers used Signal to deliver a malicious document titled “Акт.doc” (“Act.doc”, a generic title for an official record) that contained a macro. When enabled, the macro wrote two files, ctec.dll and windows.png, and added a registry key for COM hijacking so that explorer.exe would load the DLL. A per-user COM hijack of this kind needs no administrative rights, which is why it suits a macro running as the logged-in user. The DLL then decrypted shellcode from the PNG and launched the COVENANT implant directly in memory. A second DLL, paired with a WAV file carrying shellcode, activated the BEARDSHELL backdoor, which maintained persistence through another COM hijack and a scheduled task.
Recommendations and Indicators of Compromise
CERT-UA recommends monitoring network traffic to the following domains:
app.koofr.net
api.icedrive.net
Both domains belong to legitimate cloud storage providers, so a hit should be triaged against known legitimate use rather than treated as proof of compromise on its own. CERT-UA’s report includes the full set of indicators of compromise (IoC) for this activity, which defenders can fold into their detection tooling.
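The following PowerShell is an added triage example written for this page, not code from CERT-UA’s report. It covers both the persistence chain described in the attack-vector section and the network indicators above: it enumerates every per-user COM server (HKCU\Software\Classes\CLSID\…\InprocServer32) whose DLL lives outside trusted directories, checks scheduled tasks for actions referencing those DLLs, and looks in the DNS client cache for the two domains CERT-UA names. The hijacked CLSID and the on-disk paths from the real intrusion are not reproduced here, so the script flags the shape of the technique rather than specific values; the trusted-directory list and the function names are the author’s assumptions.

```powershell
# Added example (not from the CERT-UA report): hunt for per-user COM hijacks,
# scheduled tasks that reference the hijacking DLLs, and DNS cache hits for the
# domains CERT-UA lists. Run in an elevated session for complete task output.

# Assumption: DLLs registered from these directories are treated as expected.
$TrustedDirs = @(
    "$env:SystemRoot\System32",
    "$env:SystemRoot\SysWOW64",
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)}
) | Where-Object { $_ }

function Test-InTrustedDir {
    param([string]$Path)
    foreach ($dir in $TrustedDirs) {
        if ($Path.StartsWith($dir, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-SuspiciousComHijack {
    # HKCU\Software\Classes\CLSID is consulted before HKLM when a process in this
    # user's session (explorer.exe included) resolves a CLSID, and writing there
    # needs no admin rights, which is what makes it attractive to a macro.
    $root = 'Registry::HKEY_CURRENT_USER\Software\Classes\CLSID'
    if (-not (Test-Path -Path $root)) { return }
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid  = $_.PSChildName
        $srvKey = Join-Path -Path $_.PSPath -ChildPath 'InprocServer32'
        if (-not (Test-Path -Path $srvKey)) { return }
        $dll = (Get-ItemProperty -Path $srvKey -ErrorAction SilentlyContinue).'(default)'
        if ([string]::IsNullOrWhiteSpace($dll)) { return }
        $dll = [System.Environment]::ExpandEnvironmentVariables($dll).Trim('"')
        if (Test-InTrustedDir -Path $dll) { return }
        $exists = Test-Path -LiteralPath $dll
        [pscustomobject]@{
            CLSID       = $clsid
            Dll         = $dll
            DllExists   = $exists
            # A per-user entry that shadows a machine-wide CLSID is the classic hijack shape.
            ShadowsHKLM = Test-Path -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\$clsid"
            Signature   = $(if ($exists) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'missing' })
        }
    }
}

function Get-TaskReferencingPath {
    # Scheduled tasks whose action command line mentions any of the given paths
    # (the report describes a scheduled task backing up the second COM hijack).
    param([string[]]$Paths)
    if (-not $Paths) { return }
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $cmd = ('{0} {1}' -f $action.Execute, $action.Arguments).Trim()
            foreach ($p in $Paths) {
                if ($cmd.IndexOf($p, [System.StringComparison]::OrdinalIgnoreCase) -ge 0) {
                    [pscustomobject]@{ Task = $task.TaskPath + $task.TaskName; Command = $cmd }
                }
            }
        }
    }
}

function Get-IocDnsHits {
    # Domains CERT-UA recommends monitoring. Both are legitimate storage providers,
    # so a hit is a lead to triage against known use, not proof of compromise.
    param([string[]]$Domains = @('app.koofr.net', 'api.icedrive.net'))
    Get-DnsClientCache -ErrorAction SilentlyContinue | Where-Object {
        $entry = $_.Entry
        $Domains | Where-Object {
            $entry -eq $_ -or $entry.EndsWith(".$_", [System.StringComparison]::OrdinalIgnoreCase)
        }
    } | Select-Object Entry, Data, TimeToLive
}

$hijacks = @(Get-SuspiciousComHijack)
Write-Host "Per-user COM servers outside trusted directories: $($hijacks.Count)"
$hijacks | Format-Table -AutoSize

Write-Host 'Scheduled tasks referencing those DLLs:'
Get-TaskReferencingPath -Paths ($hijacks | ForEach-Object { $_.Dll }) | Format-Table -AutoSize

Write-Host 'DNS cache entries for the CERT-UA domains:'
Get-IocDnsHits | Format-Table -AutoSize
```

The script only inspects the current user's hive; on a shared or forensically imaged host, load the other users' NTUSER.DAT hives under HKEY_USERS and point `$root` at each of them in turn. Empty results do not clear a machine, since the DNS cache is short-lived and the malware's COM entries may have been removed; proxy or DNS server logs covering the suspected window are the more durable source for the network indicators.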
Conclusion
APT28’s use of Signal chats to deliver malware shows how cyberespionage groups keep adapting their delivery tradecraft. By abusing a trusted messaging platform as the delivery channel and legitimate cloud storage as the command-and-control channel, the attackers sidestep controls that are tuned to email attachments and to known-bad infrastructure. Practical defences follow directly from this case: treat documents received over messaging apps with the same suspicion as email attachments, block or tightly restrict Office macros, watch for per-user COM registrations and scheduled tasks that point at DLLs in user-writable locations, and review traffic to consumer cloud storage services against expected use.