Social engineering and Signal chats led to new Russian malware attacks, Ukraine says
A hacking group linked to Russian military intelligence is targeting Ukrainian state agencies with newly discovered malware delivered through the Signal messaging app, according to Ukraine’s cybersecurity officials.
The two malware strains used in the latest campaign — dubbed BeardShell and SlimAgent — were identified by Ukraine’s computer emergency response team (CERT-UA). BeardShell functions as a backdoor capable of executing PowerShell scripts, while SlimAgent is designed to stealthily capture encrypted screenshots and store them locally on infected devices.
Ukraine attributed the attacks to APT28, also known as Fancy Bear and Forest Blizzard, which Western governments have tied to Unit 26165 of Russia’s military intelligence agency, the GRU. Active since at least 2004, it has ramped up attacks on Kyiv and its allies since Moscow’s invasion of Ukraine began.
According to CERT-UA, the new malware was used in a recent phishing attack targeting a Ukrainian government email account. The attacker used Signal to send a Word document containing malicious macros. CERT-UA noted that the hackers had detailed knowledge of the target and exploited this familiarity to deceive the recipient into opening the file.
The attackers reportedly used a combination of the BeardShell backdoor and the otherwise legitimate Covenant offensive security framework. CERT-UA said that Signal’s lack of integration with conventional antivirus tools enabled the malware to evade detection. The hackers also used legitimate cloud services to manage infected systems.
Ukrainian officials say Russian state-backed hackers are increasingly using Signal to deliver malware targeting government and military personnel. Social engineering remains a key component of these operations — in the latest case, the hackers posed as officials requesting a digital signature to persuade victims to open malicious attachments.
Western cybersecurity experts have reported similar campaigns. Google recently linked Russia’s Sandworm group to efforts involving captured Ukrainian battlefield devices, where hijacked Signal accounts were connected to Russian systems for intelligence gathering. Another group, UNC4221, reportedly deployed a phishing kit that mimicked Ukraine’s Kropyva artillery app to steal geolocation and device data using a JavaScript payload known as Pinpoint.
Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.