Russian military hackers revive advanced malware to spy on Ukraine, researchers say

Russian state hacker group APT28 has revived a sophisticated cyber-espionage toolkit to spy on Ukrainian targets, including military personnel, according to a report published Tuesday by cybersecurity firm ESET.

ESET said the group’s advanced development team has reemerged since April 2024 with a renewed arsenal built around two implants known as BeardShell and Covenant, often deployed together in espionage campaigns.

APT28, also known as Fancy Bear, Sednit, Forest Blizzard or BlueDelta, has operated since at least 2004. The U.S. Justice Department previously linked the group to Unit 26165 of Russia’s GRU military intelligence agency and blamed it for high-profile cyber operations, including the 2016 hack of the Democratic National Committee.

During the 2010s, APT28 used a wide range of sophisticated malware tools for cyber espionage, including powerful backdoors such as Xagent and Sedreco. ESET said that around 2019, the group appeared to change its approach: its advanced malware was rarely observed in the wild as the hackers relied more heavily on phishing campaigns using simpler tools. Researchers say the reason for this shift remains unclear.

One of the first signs of the renewed activity came in April 2024, when CERT-UA discovered a spying program known as SlimAgent on a Ukrainian government computer, according to ESET. The malware is capable of recording keystrokes, capturing screenshots and collecting clipboard data. ESET said SlimAgent appears to be an updated version of the Xagent keylogger module and attributed it to APT28 with high confidence.

Researchers also identified BeardShell, a more sophisticated implant that allows attackers to execute PowerShell commands on compromised machines. ESET said that since its discovery in 2024, BeardShell has continued to appear in espionage operations through 2025 and into 2026, primarily in long-term surveillance of Ukrainian military personnel.

To maintain long-term access to victims’ systems, the hackers often deploy BeardShell alongside another tool known as Covenant, an open-source command-and-control framework first released in 2019. The framework allows attackers to monitor victims, steal data and move through networks to reach additional targets.

ESET says APT28 developers have heavily modified Covenant in recent years and appear to be positioning it as their primary espionage tool, with BeardShell serving as a fallback in case the main infrastructure is disrupted.

The renewed use of sophisticated custom malware may have intensified following Russia’s invasion of Ukraine in 2022, according to ESET. Another possible explanation, the researcher said, is that the developers never stopped working but instead became more cautious.

Last month, researchers discovered a “sophisticated espionage campaign” by APT28 that exploited a Microsoft Office vulnerability to target maritime, transportation and diplomatic entities in countries including Ukraine, Poland, Slovenia, Turkey, Greece and the United Arab Emirates.

The group’s activity has also caused diplomatic disputes in Europe. In December, Germany summoned Russia’s ambassador after accusing APT28 of carrying out a cyberattack on its air traffic control authority and running a disinformation campaign ahead of its 2024 federal election.

Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.
