Mallory
Malware · Used by 2 actors · Exploits 1 CVE

SlimAgent

SlimAgent is a spyware/keylogging implant associated with the Russian state-sponsored threat actor APT28, also tracked as Sednit and Fancy Bear. It was discovered on a Ukrainian government system in 2024, and reporting indicates it has been used in espionage operations against Ukrainian government and military-related entities. ESET assessed that SlimAgent likely evolved from APT28's older XAgent (also written Xagent) codebase: related samples date back to at least 2018, and the code overlaps include the keylogging logic and matching HTML-formatted logging conventions.

High-confidence capabilities described in the source material are keystroke logging, clipboard collection, screenshot capture, and mouse tracking. Reporting also states that SlimAgent captures screenshots through Windows APIs, encrypts them with AES and RSA, and stores them locally under timestamped filenames. It has been described as a simple but effective spying tool and as a standalone espionage implant.

SlimAgent has been observed alongside other APT28 tooling, particularly BeardShell, and the two were found together on an APT28-controlled command-and-control server previously investigated by CERT-UA. CERT-UA publicly documented SlimAgent in June 2025, and separate reporting states that Signal chats were used to deliver BeardShell and SlimAgent to Ukrainian government organizations. SlimAgent is also referenced in broader APT28 activity clusters, including Operation Phantom Net Voxel. Traits noted directly in the source reporting: it is written in C++, it stores encrypted screenshots locally under timestamped filenames, and its internal naming and codebase overlap with RemoteKeyLogger.dll and XAgent-derived functionality.


EXPLOITED CVES

Vulnerabilities exploited

1 CVE correlated with this family across public research and vendor advisories.

1 CVE
CVE-2026-21509 · Microsoft Office OLE/Shell.Explorer.1 Security Feature Bypass · Exploited in the wild

The two pieces of malware have been used recently to target central executive bodies of Ukraine in attacks that exploited the CVE-2026-21509 vulnerability in Microsoft Office via malicious DOC files.

via BleepingComputer (bleepingcomputer.com)
THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers.
APT28

Exatrack also identified two other APT28 tools: SlimAgent and Graphite.

via SecurityOnline (securityonline.info)
APT29

The researchers uncovered these malware families after discovering SlimAgent, a keylogging implant deployed in a Ukrainian government system capable of keystroke capture, clipboard collection, and screenshot capture.

This excerpt does not itself name APT29; the SlimAgent discovery it describes is the 2024 Ukrainian case that the rest of this page attributes to APT28/Sednit, so the APT29 association rests on no evidence shown here.

via BleepingComputer (bleepingcomputer.com)
MITRE ATT&CK

Techniques & procedures

12 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

1 technique
T1587.001 · Malware (evidence: 1)

"BeardShell and SlimAgent are custom malware."

Initial Access

1 technique
T1566.001 · Spearphishing Attachment (evidence: 1)

“Sednit typically compromises its targets through social engineering over Signal Desktop or WhatsApp Desktop, persuading them to open Trojanized Excel or Word documents. In some cases, the attackers even call their targets to increase the chances of success.”
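Two hunts that follow from the delivery chain described in that quote, added here as an example (this is not code from the page, ESET, or CERT-UA): the first reads Sysmon FileCreate events (Event ID 11) for Office documents written to disk by a desktop messenger process, the second reads Sysmon ProcessCreate events (Event ID 1) for anything spawned by Word, Excel or PowerPoint, which is where a macro or a document exploit has to hand off execution. It assumes Sysmon is installed with both event types enabled; the messenger image names (Signal.exe, WhatsApp.exe), the Office parent list and the 72-hour window are choices of the example, not facts from the page.

```powershell
# Added hunting example; not code from the page, ESET, or CERT-UA.
#   Get-MessengerDroppedDocuments - Sysmon Event ID 11 (FileCreate): Office
#                                   documents written by a desktop messenger.
#   Get-OfficeChildProcesses      - Sysmon Event ID 1 (ProcessCreate): every
#                                   child of Word/Excel/PowerPoint.
# Assumptions (not from the page): Sysmon logs FileCreate and ProcessCreate,
# and the messenger images are named Signal.exe and WhatsApp.exe.

function ConvertFrom-SysmonEvent {
    # Flatten the event's <Data Name="...">value</Data> pairs into a hashtable.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $fields = @{ TimeCreated = $Event.TimeCreated }
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

function Get-SysmonEvents {
    param([int]$Id, [int]$Hours)
    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = $Id
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-SysmonEvent -Event $_ }
}

function Get-MessengerDroppedDocuments {
    param(
        [int]$Hours = 72,
        [string[]]$Messengers    = @('Signal.exe', 'WhatsApp.exe'),   # assumed image names
        [string[]]$DocExtensions = @('.doc', '.docx', '.docm', '.rtf', '.xls', '.xlsx', '.xlsm')
    )
    Get-SysmonEvents -Id 11 -Hours $Hours | Where-Object {
        $_.Image -and $_.TargetFilename -and
        ($Messengers -contains (Split-Path $_.Image -Leaf)) -and
        ($DocExtensions -contains [IO.Path]::GetExtension($_.TargetFilename))
    } | ForEach-Object {
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Writer = $_.Image
            File   = $_.TargetFilename
            User   = $_.User
        }
    }
}

function Get-OfficeChildProcesses {
    param(
        [int]$Hours = 72,
        [string[]]$OfficeParents = @('WINWORD.EXE', 'EXCEL.EXE', 'POWERPNT.EXE')
    )
    Get-SysmonEvents -Id 1 -Hours $Hours | Where-Object {
        $_.ParentImage -and ($OfficeParents -contains (Split-Path $_.ParentImage -Leaf))
    } | ForEach-Object {
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Parent      = $_.ParentImage
            Child       = $_.Image
            CommandLine = $_.CommandLine
            User        = $_.User
        }
    }
}

Get-MessengerDroppedDocuments | Format-Table -AutoSize -Wrap
Get-OfficeChildProcesses      | Format-Table -AutoSize -Wrap
```

Office's own helpers (print spooler hand-offs, add-in hosts) will show up in the second list; allowlist them by image path rather than by name, and treat any child under a user-writable directory, or any scripting host, as the lead to pull first. A document that arrives from a messenger and then shows up as the parent of a child process ties the two lists together.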

Execution

3 techniques
T1059.001 · PowerShell (evidence: 1)

The referenced tool can execute PowerShell commands in a .NET runtime environment and was used together with SlimAgent; the PowerShell capability described here belongs to that companion tool, not to SlimAgent itself.

T1129 · Shared Modules (evidence: 1)

"BeardShell and SlimAgent are full-fledged DLL files."

T1203 · Exploitation for Client Execution (evidence: 1)

The two pieces of malware have been used recently to target central executive bodies of Ukraine in attacks that exploited the CVE-2026-21509 vulnerability in Microsoft Office via malicious DOC files.

Persistence

1 technique
T1546.015 · Component Object Model Hijacking (evidence: 1)

"BeardShell and SlimAgent are made persistent by hijacking COM objects."
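A hunt for the persistence mechanism named in that quote, added here as an example (not code from the page or from the referenced vendor reports). A COM hijack registers a CLSID under the user hive so that HKCU wins over the HKLM registration the next time a host process such as explorer.exe or taskhostw.exe instantiates that object. The function walks HKCU\Software\Classes\CLSID and flags any InprocServer32 or LocalServer32 that shadows an existing HKLM entry, points into a user-writable directory, or names a file that no longer exists. The CLSIDs SlimAgent and BeardShell actually hijack are not given on this page, so the check is by shape, not by GUID; the user-writable directory list is an assumption of the example.

```powershell
# Added hunting example; not code from the page or the referenced vendor reports.
# Flags per-user COM server registrations that look like hijacks:
#   - the same CLSID/server is also registered under HKLM (HKCU overrides it)
#   - the server binary lives in a user-writable directory (assumed list below)
#   - the server binary is missing (stale registration, or cleaned up)
# Specific CLSIDs are not known from this page; the check is generic.

function Get-SuspiciousComRegistration {
    param(
        # Add 'HKU:\<SID>\Software\Classes\CLSID' roots to cover other loaded
        # profiles after: New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS
        [string[]]$UserClassRoots = @('HKCU:\Software\Classes\CLSID')
    )

    $machineRoot  = 'HKLM:\SOFTWARE\Classes\CLSID'
    $userWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:USERPROFILE, $env:PUBLIC, $env:ProgramData) |
                    Where-Object { $_ }

    foreach ($root in $UserClassRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($clsidKey in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $clsid = $clsidKey.PSChildName
            foreach ($server in 'InprocServer32', 'LocalServer32') {
                $userKey = "$($clsidKey.PSPath)\$server"
                if (-not (Test-Path $userKey)) { continue }
                $userValue = (Get-ItemProperty -Path $userKey -ErrorAction SilentlyContinue).'(default)'
                if (-not $userValue) { continue }

                # Values may carry %VARS%, quotes, or trailing arguments; reduce to the binary path.
                $serverPath = [Environment]::ExpandEnvironmentVariables($userValue).Trim().Trim('"')
                if ($serverPath -match '^(.+?\.(dll|exe))\b') { $serverPath = $Matches[1] }
                if (-not $serverPath) { continue }

                $machineKey   = "$machineRoot\$clsid\$server"
                $machineValue = if (Test-Path $machineKey) {
                    (Get-ItemProperty -Path $machineKey -ErrorAction SilentlyContinue).'(default)'
                }

                $reasons = @()
                if ($machineValue) { $reasons += 'shadows HKLM registration' }
                if ($userWritable | Where-Object { $serverPath.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) }) {
                    $reasons += 'server in user-writable path'
                }
                $exists = Test-Path -LiteralPath $serverPath
                if (-not $exists) { $reasons += 'server file missing' }
                if (-not $reasons) { continue }

                $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $serverPath).Status } else { 'n/a' }
                [pscustomobject]@{
                    CLSID         = $clsid
                    ServerType    = $server
                    UserServer    = $serverPath
                    MachineServer = $machineValue
                    Signature     = $sig
                    Reasons       = $reasons -join '; '
                }
            }
        }
    }
}

Get-SuspiciousComRegistration | Format-Table -AutoSize -Wrap
```

Expect noise from legitimately per-user software installed under %LOCALAPPDATA%; "shadows HKLM registration" is the stronger signal, and an unsigned DLL that shadows a Windows CLSID deserves immediate follow-up. The check does not cover TreatAs redirections or ProgID-level hijacks, and it only sees hives that are loaded, so run it against each profile on the host or parse offline NTUSER.DAT files separately.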

Privilege Escalation

1 technique
T1546.015 · Component Object Model Hijacking (evidence: 1)

"BeardShell and SlimAgent are made persistent by hijacking COM objects."

Defense Evasion

2 techniques
T1480 · Execution Guardrails (evidence: 1)

"BeardShell only executes in taskhost.exe or taskhostw.exe. SlimAgent only executes in explorer.exe."

T1564 · Hide Artifacts (evidence: 1)

"SlimAgent logs are written into a hidden file."
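Two checks that follow from the two quotes in this section, added here as an example (not code from the page or from the referenced vendor reports). An implant that only executes in explorer.exe (or, for BeardShell, taskhost.exe/taskhostw.exe) has to be resident in that process, so the first function lists every module loaded into those processes that is not a Microsoft-signed binary. The hidden log file's name and location are not given on this page, so the second function looks for hidden files under the user profile written recently, by attribute and recency rather than by name. The process list, the 30-day window and the ignore list are choices of the example.

```powershell
# Added hunting example; not code from the page or the referenced vendor reports.
#   Get-NonMicrosoftHostModules - modules in explorer/taskhost/taskhostw that are
#                                 not Microsoft-signed (implant must live there).
#   Get-RecentHiddenFiles       - hidden files under the profile written lately;
#                                 the real log name is not known from this page.
# Run from an elevated 64-bit PowerShell: enumerating modules of processes in
# other sessions, or of a different bitness, fails otherwise.

function Get-NonMicrosoftHostModules {
    param([string[]]$ProcessNames = @('explorer', 'taskhost', 'taskhostw'))

    foreach ($proc in Get-Process -Name $ProcessNames -ErrorAction SilentlyContinue) {
        $modules = @()
        try { $modules = $proc.Modules } catch { }   # access denied / bitness mismatch
        foreach ($m in $modules) {
            if (-not $m.FileName) { continue }
            $sig = Get-AuthenticodeSignature -FilePath $m.FileName -ErrorAction SilentlyContinue
            # IsOSBinary covers catalog-signed Windows components without an embedded signature.
            $isMicrosoft = $sig -and $sig.Status -eq 'Valid' -and
                           ($sig.IsOSBinary -or $sig.SignerCertificate.Subject -match 'O=Microsoft Corporation')
            if ($isMicrosoft) { continue }
            [pscustomobject]@{
                Process   = $proc.ProcessName
                PID       = $proc.Id
                Module    = $m.FileName
                SigStatus = if ($sig) { $sig.Status } else { 'Unknown' }
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            }
        }
    }
}

function Get-RecentHiddenFiles {
    param(
        [string]$Root = $env:USERPROFILE,
        [int]$Days = 30,
        [string[]]$IgnoreNames = @('desktop.ini', 'thumbs.db', 'ntuser.ini')   # routine hidden files
    )
    $since = (Get-Date).AddDays(-$Days)
    Get-ChildItem -Path $Root -Recurse -Force -File -Hidden -ErrorAction SilentlyContinue |
        Where-Object {
            $_.LastWriteTime -ge $since -and
            $IgnoreNames -notcontains $_.Name -and
            $_.Name -notlike 'ntuser.dat*'
        } |
        Select-Object FullName, Length, LastWriteTime, Attributes
}

Get-NonMicrosoftHostModules | Sort-Object Process, Module | Format-Table -AutoSize
Get-RecentHiddenFiles | Sort-Object LastWriteTime -Descending | Format-Table -AutoSize
```

Third-party shell extensions and input-method DLLs legitimately load into explorer.exe, so the first list is rarely empty; pair each hit with its loading mechanism (the COM registration, a shell extension key, or an AppInit entry) before calling it an implant. For the second list, a hidden file that keeps growing while the user types, or whose contents are HTML-formatted, matches the behaviour this page attributes to SlimAgent and warrants acquisition rather than inspection in place.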

Credential Access

1 technique
T1056.001 · Keylogging (evidence: 9)

ESET researchers traced the reactivation of Sednit’s advanced implant team to a 2024 case in Ukraine, where a keylogger named SlimAgent was deployed.

Collection

4 techniques
T1005 · Data from Local System (evidence: 1)

"BeardShell, Covenant, and SlimAgent collect data from a compromised machine."

T1056.001 · Keylogging (evidence: 9)

ESET researchers traced the reactivation of Sednit’s advanced implant team to a 2024 case in Ukraine, where a keylogger named SlimAgent was deployed.

T1113 · Screen Capture (evidence: 6)

The researchers uncovered these malware families after discovering SlimAgent, a keylogging implant deployed in a Ukrainian government system capable of keystroke capture, clipboard collection, and screenshot capture.

T1115 · Clipboard Data (evidence: 5)

The researchers uncovered these malware families after discovering SlimAgent, a keylogging implant deployed in a Ukrainian government system capable of keystroke capture, clipboard collection, and screenshot capture.

INDICATORS OF COMPROMISE

IOCs tracked for this family

1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups; the full value is not shown on the public page.

Hashes
1 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Type | Value | Latest sighting
hash.sha1 | ●●●●●●●●●●●● (redacted on the public page) | 3 months ago