
APT28 Deploys BeardShell and Covenant Modules via Weaponized Office Documents


By Mayura Kathir

Security researchers at Sekoia.io have uncovered a sophisticated cyberattack campaign orchestrated by APT28, the notorious Russian state-sponsored threat actor, targeting Ukrainian military personnel with weaponized Office documents that deliver advanced malware frameworks including BeardShell and Covenant modules.

The operation represents a significant evolution in APT28’s tactics, leveraging legitimate cloud infrastructure and novel obfuscation techniques to maintain persistent access while evading detection mechanisms.

The infection chain begins with malicious Office documents distributed through Signal Desktop, a channel APT28 chose deliberately because files received through it are not tagged with the Mark of the Web (MOTW), the marker that normally causes Office to block macro execution in files from untrusted sources.

Overall infection chain.

This technical gap allows embedded macros to run without triggering Microsoft Office’s standard security warnings, unlike documents downloaded from web browsers or received through email clients like Outlook.
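The MOTW gap described above is visible on disk: Windows stores the mark in an NTFS alternate data stream named Zone.Identifier, and a file that arrived through a channel that does not write it has no such stream. As an added illustration (not from the Sekoia.io report or the original article), the PowerShell below audits a folder for Office documents with no Zone.Identifier stream and, with -Stamp, writes a ZoneId=3 (Internet) mark so Office applies its usual internet-origin protections. The $Folder default is a placeholder; the page does not state where Signal Desktop stores received files.

```powershell
# Added example: audit Office documents for a missing Mark of the Web (MOTW)
# and optionally apply one. $Folder is a placeholder, not a path from the article.
param(
    [string]$Folder = "$env:USERPROFILE\Downloads",   # placeholder folder to audit
    [switch]$Stamp                                     # write a MOTW onto files that lack it
)

# Extensions Office opens, including the macro-enabled formats
$officeExt = @('.doc', '.docm', '.docx', '.xls', '.xlsm', '.xlsx', '.ppt', '.pptm', '.pptx', '.rtf')

Get-ChildItem -LiteralPath $Folder -File -Recurse |
    Where-Object { $officeExt -contains $_.Extension.ToLower() } |
    ForEach-Object {
        $file = $_
        # Zone.Identifier is the alternate data stream that carries the MOTW;
        # a missing stream means no origin zone was recorded for this file.
        $zone = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        if ($null -eq $zone) {
            [pscustomobject]@{ File = $file.FullName; MOTW = 'missing' }
            if ($Stamp) {
                # ZoneId=3 (Internet) is what browsers and Outlook write; Office then
                # opens the file in Protected View and blocks its macros by default.
                Set-Content -LiteralPath $file.FullName -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
            }
        }
        else {
            $zoneId = ($zone | Where-Object { $_ -match '^ZoneId=' }) -replace '^ZoneId=', ''
            [pscustomobject]@{ File = $file.FullName; MOTW = "ZoneId=$zoneId" }
        }
    }
```

Run it without -Stamp first to see which documents lack a mark; stamping only changes how Office and SmartScreen treat the file on open and does not alter its contents, so it is a safe default for anything received over a messaging client.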

The attackers impersonate colleagues or superiors in private Signal chats, creating false urgency ...


Copyright of this story solely belongs to gbhackers.