Sednit reloaded: Back in the trenches


Since April 2024, Sednit’s advanced development team has reemerged with a modern toolkit centered on two paired implants, BeardShell and Covenant, each using a different cloud provider for resilience. This dual‑implant approach enabled long‑term surveillance of Ukrainian military personnel. Interestingly, these current toolsets show a direct code lineage to the group’s 2010‑era implants.

Key points of this blogpost:

  • ESET researchers traced the reactivation of Sednit’s advanced implant team to a 2024 case in Ukraine, where a keylogger named SlimAgent was deployed.
  • SlimAgent code was derived from Xagent, Sednit’s flagship backdoor from the 2010s.
  • During that operation, BeardShell, a second Sednit‑developed implant, was deployed. It executes PowerShell commands via a legitimate cloud provider used as its C&C channel.
  • BeardShell uses a distinctive obfuscation technique also found in Xtunnel, Sednit’s network‑pivoting tool from the 2010s.
  • Across 2025 and 2026, Sednit repeatedly deployed ...

Copyright of this story solely belongs to welivesecurity.com.