BEARDSHELL
BeardShell is a custom APT28 (Sednit, Fancy Bear, Forest Blizzard, UAC-0001) implant/backdoor used in cyber-espionage operations since at least April 2024. It has been repeatedly reported in campaigns targeting Ukrainian military personnel, as well as Ukrainian government entities, drone manufacturers, and organizations involved in drone research and development; related reporting also places it in broader targeting of European military, government, maritime, transport, and diplomatic organizations. High-confidence reporting attributes BeardShell to APT28 based on direct attribution by CERT-UA/Ukrainian authorities and researchers, co-location with other known APT28 tooling such as SlimAgent, and a rare opaque-predicate obfuscation technique previously seen in APT28’s XTunnel.
BeardShell is described as a sophisticated implant, reported as written in C++ in coverage of the 2026 campaign, and capable of retrieving, decrypting, and executing PowerShell commands on compromised hosts, including within a .NET runtime environment. It has been used as part of layered post-exploitation chains alongside other APT28 malware, especially a heavily modified Covenant implant and the Outlook VBA backdoor NotDoor. ESET assesses Covenant as APT28's primary espionage implant and BeardShell as a fallback or backup implant, including for redeploying Covenant when needed.
For command and control, BeardShell abuses legitimate cloud storage providers to blend malicious traffic with normal HTTPS activity. Multiple reports state it used Icedrive as its C2 channel; separate reporting on the January 2026 campaign states a BeardShell variant communicated by uploading and downloading files from specific folders on filen.io. Reporting also notes BeardShell can establish persistence, including via COM hijacking and a temporary scheduled task named OneDriveHealth in the 2026 intrusion chain, and that it can hide files under fake image headers. In the broader infection chains described in the source material, BeardShell was delivered after lightweight loaders and in some cases alongside steganography-based components and Outlook-focused persistence malware. Overall, BeardShell is consistently characterized as an APT28 espionage implant used for long-term surveillance and persistent access rather than disruptive effects.
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
The attackers weaponized a newly disclosed Microsoft Office 1-day (CVE-2026-21509) within 24 hours of its public revelation... CVE-2026-21509, a Microsoft Office security feature bypass vulnerability... allows embedded OLE objects to execute by leveraging the WebDAV protocol to fetch external payloads from attacker-controlled infrastructure.
Groups observed using it
3 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
The BeardShell malware has been explicitly attributed to APT28 by Ukrainian authorities and security researchers... Furthermore, 10 malicious functions align with the reference BeardShell malware loader...
a new backdoor called BeardShell ... written in C++, establishes persistence, executes PowerShell commands, and hides files under fake image headers.
Researchers at cybersecurity company ESET noticed that since April 2024, the Russian group has started using in attacks two implants named BeardShell and Covenant.
Techniques & procedures
25 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
"BeardShell ... leveraging the legitimate cloud storage service Icedrive as its C&C channel..." and "Sednit developers ... communicate with the Filen cloud provider... Previously ... pCloud ... and ... Koofr"
Initial Access
2 techniques
In these attacks, phishing emails with geopolitically-charged narratives related to transnational weapons smuggling, military training programs, and meteorological emergency bulletins contain weaponized documents that exploit CVE-2026-21509...
APT28’s attack begins with spear-phishing emails containing weaponized documents that exploit CVE-2026-21509... They noted that the APT28 adversary orchestrated a concentrated 72-hour spear-phishing campaign... delivering at least 29 distinct emails across nine Eastern European nations.
Execution
5 techniques
The researchers detailed that the malware establishes persistence by hijacking a COM object and briefly creating a scheduled task, 'OneDriveHealth,' to restart explorer[dot]exe and trigger the malicious load before deleting itself.
BeardShell is a modern implant that leverages the legitimate cloud storage service Icedrive for command-and-control (C2) communication. It can execute PowerShell commands in a .NET runtime environment.
The attackers moved quickly, weaponizing a newly disclosed Microsoft Office one-day vulnerability, CVE-2026-21509, within 24 hours of its public disclosure... When victims open these malicious documents, the exploit triggers automatically without requiring macros or user interaction.
Persistence
2 techniques
The researchers detailed that the malware establishes persistence by hijacking a COM object and briefly creating a scheduled task, 'OneDriveHealth,' to restart explorer[dot]exe and trigger the malicious load before deleting itself.
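The persistence behaviour quoted above (a task created, used once to restart explorer, then deleted) leaves a distinctive pattern in Windows Security logs: a 4698 (task created) followed within seconds by a 4699 (task deleted) for the same task. The following is an added detection example, not code from the page or from any vendor report; it runs over constructed, flattened event lines (the hostnames, users, and timestamps are invented) and flags both the reported task name and any task with an unusually short lifetime.

```python
import re
from datetime import datetime

# Constructed sample of Windows Security events (4698 = scheduled task created,
# 4699 = scheduled task deleted), flattened to one line each. Not real telemetry.
SAMPLE_EVENTS = """\
2026-01-14T09:12:03Z EventID=4698 Host=WS01 User=CORP\\jdoe TaskName=\\OneDriveHealth
2026-01-14T09:12:05Z EventID=4699 Host=WS01 User=CORP\\jdoe TaskName=\\OneDriveHealth
2026-01-14T09:30:00Z EventID=4698 Host=WS02 User=CORP\\admin TaskName=\\Microsoft\\Windows\\Backup\\Nightly
2026-01-14T11:15:44Z EventID=4698 Host=WS03 User=CORP\\asmith TaskName=\\Updater
2026-01-14T13:20:01Z EventID=4699 Host=WS03 User=CORP\\asmith TaskName=\\Updater
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) EventID=(?P<eid>\d+) Host=(?P<host>\S+) "
                     r"User=(?P<user>\S+) TaskName=(?P<task>\S+)$")
MAX_LIFETIME_S = 300              # a task removed within five minutes of creation is suspicious
KNOWN_NAMES = {"onedrivehealth"}  # task name reported for this family (case-insensitive match)

def parse(text):
    """Turn the flattened lines into dicts with a parsed timestamp; skip lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return events

def find_suspicious_tasks(text, max_lifetime_s=MAX_LIFETIME_S):
    """Alert on known-bad task names and on tasks deleted shortly after creation."""
    pending = {}   # (host, lowercased task path) -> creation time
    alerts = []
    for ev in sorted(parse(text), key=lambda e: e["ts"]):
        key = (ev["host"], ev["task"].lower())
        if ev["eid"] == "4698":
            pending[key] = ev["ts"]
            if ev["task"].lstrip("\\").lower() in KNOWN_NAMES:
                alerts.append((ev["host"], ev["task"], "known-bad task name"))
        elif ev["eid"] == "4699" and key in pending:
            lifetime = (ev["ts"] - pending.pop(key)).total_seconds()
            if lifetime <= max_lifetime_s:
                alerts.append((ev["host"], ev["task"], f"deleted {lifetime:.0f}s after creation"))
    return alerts
```

The lifetime check catches a renamed task as well as the reported name; note that 4698/4699 require the "Audit Other Object Access Events" subcategory to be enabled.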
Privilege Escalation
3 techniques
The researchers detailed that the malware establishes persistence by hijacking a COM object and briefly creating a scheduled task, 'OneDriveHealth,' to restart explorer[dot]exe and trigger the malicious load before deleting itself.
The entire chain is designed for resilience and evasion, utilizing encrypted payloads, legitimate cloud services for C2, in-memory execution, and process injection to minimize forensic artifacts.
Stealth
7 techniques
The tradecraft in this campaign typically covers multi-stage malware, extensive obfuscation... The infection chain deploys SimpleLoader, which adopts three distinct XOR encryption schemes...
The loader either extracts an encrypted PNG image file containing shellcode... BeardShell... processes the dropped image file, SplashScreen[dot]png, using a custom PNG parser to extract concealed .NET loader shellcode hidden within the image data.
BeardShell uses lightweight anti-analysis checks to evade sandboxes, decrypts embedded strings, and dynamically resolves Windows APIs.
The entire chain is designed for resilience and evasion, utilizing encrypted payloads, legitimate cloud services for C2, in-memory execution, and process injection to minimize forensic artifacts.
"BeardShell decrypts its strings."
The loader either extracts an encrypted PNG image file containing shellcode, which it decrypts and executes BeardShell in memory... The campaign’s modular infection chain – from initial phish to in-memory backdoor to secondary implants...
Discovery
2 techniques
Command and Control
7 techniques
"BeardShell exfiltrates data in fake images."
The extracted shellcode, ultimately, is used to load an embedded .NET assembly, which is nothing but a Grunt implant associated with the open source .NET COVENANT command-and-control (C2) framework.
For command and control, the actors abuse legitimate cloud storage service filen.io, allowing malicious traffic to blend into legitimate user activity... the campaign’s modular infection chain... was carefully designed to leverage trusted channels such as HTTPS to cloud services.
Since July 2025, the threat actor has used the Filen cloud provider with Covenant. Previously, the attacker used Koofr and pCloud services.
“BeardShell … allows the attacker to execute PowerShell commands on compromised systems while using the legitimate cloud service Icedrive for command-and-control (C2) communications.”
The vulnerability allows embedded OLE objects to execute by leveraging the WebDAV protocol to fetch external payloads from attacker-controlled infrastructure... the initial exploitation downloads a malicious LNK shortcut and first-stage loader DLL...
Exfiltration
1 technique
"BeardShell exfiltrates data to Icedrive. Covenant exfiltrates data to Filen."
IOCs tracked for this family
3 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
Recent activity
27 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
An implant used by Sednit in campaigns targeting Ukrainian military personnel and drone research and manufacturing entities.
An APT28-attributed malware family referenced for code overlap with the steganography loader in this campaign, indicating shared tooling or lineage.
Custom implant used by APT28 for persistent access and long-term surveillance in an espionage operation targeting Ukrainian military personnel.
A Sednit-developed implant that executes PowerShell commands and uses a legitimate cloud provider as its command-and-control channel.