Two implants known as BEARDSHELL and COVENANT have been observed in use by the Russian state-sponsored hacking group APT28 to enable long-term surveillance of Ukrainian military personnel. APT28 is a nation-state actor linked to Unit 26165 of the GRU, the Russian Federation's military intelligence agency.

It is also tracked as Blue Athena, BlueDelta, Fancy Bear, Fighting Ursa, Forest Blizzard (formerly Strontium), FROZENLAKE, Iron Twilight, ITG05, Pawn Storm, Sednit, Sofacy, and TA422. In addition to programs like BEARDSHELL and COVENANT, the threat actor's malware arsenal also includes a program called SLIMAGENT that can log keystrokes, take screenshots, and gather clipboard data. In June 2025, the Computer Emergency Response Team of Ukraine (CERT-UA) released the first public documentation of SLIMAGENT.

The Slovakian cybersecurity firm ESET assesses that SLIMAGENT descends from XAgent, another implant APT28 used in the 2010s for remote control and data exfiltration. The assessment rests on code similarities between SLIMAGENT and previously unattributed samples used in attacks on governmental organizations in two European countries as early as 2018. Because ESET's analysis also found keylogging overlaps between SLIMAGENT and an XAgent sample seen in the wild in late 2014, it concludes that both the 2018 artifacts and the 2024 SLIMAGENT sample derive from XAgent.

"SLIMAGENT emits its espionage logs in the HTML format, with the application name, the logged keystrokes, and the window name in blue, red, and green, respectively," according to ESET.

"HTML logs using the same color scheme are also produced by the XAgent keylogger." Alongside SLIMAGENT, APT28 also deploys another backdoor, BEARDSHELL, which can run PowerShell commands on compromised hosts. For command-and-control (C2), it uses the legitimate cloud storage provider Icedrive.
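The color-coded HTML log format described above is a file-system artifact a responder can hunt for. The script below is an added example, not code from ESET or CERT-UA: it walks an HTML document with the standard-library parser, records the color of every element that carries one, and counts how often the blue, red, green triplet (application name, keystrokes, window title) repeats. The exact markup (a `<font color>` attribute or an inline CSS `color:` style), the color aliases and the sample documents are assumptions, since the article states only the color scheme.

```python
"""Heuristic detector for HTML keystroke logs laid out as colored triplets.

Added example, not ESET's or CERT-UA's code. The markup shape (<font color>
or an inline CSS color style) and the sample documents are assumptions:
the article states only that the application name, keystrokes and window
name are rendered blue, red and green respectively.
"""
from html.parser import HTMLParser
import re

TRIPLET = ("blue", "red", "green")   # application, keystrokes, window title

# Map a few common spellings of the three colors onto canonical names.
COLOR_ALIASES = {
    "blue": "blue", "#0000ff": "blue", "#00f": "blue",
    "red": "red", "#ff0000": "red", "#f00": "red",
    "green": "green", "#008000": "green", "#00ff00": "green", "#0f0": "green",
}
# Match "color: x" in a style attribute but not "background-color: x".
_STYLE_COLOR = re.compile(r"(?<![-\w])color\s*:\s*([#\w]+)", re.I)


class _ColorCollector(HTMLParser):
    """Record the color of every element that carries one, in document order."""

    def __init__(self):
        super().__init__()
        self.colors = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        raw = None
        if tag == "font" and attrs.get("color"):
            raw = attrs["color"]
        elif attrs.get("style"):
            m = _STYLE_COLOR.search(attrs["style"])
            if m:
                raw = m.group(1)
        if raw is not None:
            raw = raw.strip().lower()
            self.colors.append(COLOR_ALIASES.get(raw, raw))


def count_triplets(colors):
    """Count non-overlapping blue,red,green runs in the color sequence."""
    n = i = 0
    while i + 2 < len(colors):
        if tuple(colors[i:i + 3]) == TRIPLET:
            n += 1
            i += 3
        else:
            i += 1
    return n


def score_html_keylog(html, min_triplets=3):
    """Return (suspicious, triplet_count) for one HTML document."""
    p = _ColorCollector()
    p.feed(html)
    n = count_triplets(p.colors)
    return n >= min_triplets, n


# Constructed sample documents: one shaped like the described log, one benign.
SAMPLE_LOG = """<html><body>
<font color="blue">notepad.exe</font> <font color="red">quarterly figures</font> <font color="green">Untitled - Notepad</font><br>
<span style="color:blue">chrome.exe</span> <span style="color:red">team agenda</span> <span style="color:green">Mail - Chrome</span><br>
<font color="#0000ff">explorer.exe</font> <font color="#ff0000">report</font> <font color="#008000">Documents</font><br>
</body></html>"""

BENIGN_PAGE = '<p style="color:red">Error</p><p style="color:green">OK</p>'

if __name__ == "__main__":
    print("sample log:", score_html_keylog(SAMPLE_LOG))
    print("benign page:", score_html_keylog(BENIGN_PAGE))
```

The threshold of three triplets keeps ordinary pages that happen to use red and green once or twice out of the results; when hunting across a file share, run `score_html_keylog` over every `.html` file and review the highest counts first.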

One notable feature of BEARDSHELL is its use of an obfuscation technique based on opaque predicates, which is also present in XTunnel (also known as X-Tunnel), a network traversal and pivoting tool that APT28 used in the 2016 Democratic National Committee (DNC) hack. XTunnel provides a secure tunnel to an external C2 server.
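An opaque predicate is a branch condition whose outcome is fixed but not evident from the code, so the branch it guards is dead code that inflates and misleads static analysis. The block below is an added illustration, not taken from ESET's analysis of XTunnel or BEARDSHELL: it shows the textbook predicate `x*(x+1)` is even, a function whose "else" path can never execute because of it, and a sampling probe an analyst can use to flag candidate predicates that never flip. The predicates and the probe are illustrative constructions.

```python
"""Opaque predicates as an analyst sees them.

Added example, not from ESET's analysis; the predicates and the sampling
probe below are illustrative and not taken from XTunnel or BEARDSHELL.
"""
import random

MASK32 = 0xFFFFFFFF


def opaque_even(x):
    # x*(x+1) multiplies two consecutive integers, so it is always even.
    # This survives 32-bit wraparound because overflow never touches bit 0.
    return ((x * (x + 1)) & MASK32) % 2 == 0


def real_check(x):
    # A genuinely data-dependent condition, for contrast.
    return x % 3 == 0


def guarded_branch(x):
    """Shape of a decompiled function: the second return is unreachable,
    but a reader (or a naive decompiler) has to reason about both paths."""
    if opaque_even(x):
        return "real-path"
    return "dead-path"


def probe_predicate(pred, trials=20000, seed=1):
    """Evaluate pred on edge values plus random 32-bit inputs and report
    whether it ever varies. Sampling can only suggest constancy (a proof
    needs a solver), but a predicate that never flips over thousands of
    inputs is a strong hint that the guarded branch is dead code."""
    rng = random.Random(seed)
    inputs = [0, 1, 2, 0x7FFFFFFF, 0x80000000, MASK32]
    inputs += [rng.getrandbits(32) for _ in range(trials)]
    seen = {bool(pred(x)) for x in inputs}
    if seen == {True}:
        return "always-true"
    if seen == {False}:
        return "always-false"
    return "varies"


if __name__ == "__main__":
    print("opaque_even:", probe_predicate(opaque_even))
    print("real_check: ", probe_predicate(real_check))
    print("branch taken for 12345:", guarded_branch(12345))
```

In practice the probe is run against conditions lifted from a decompiler, and any condition reported as constant is a candidate for marking its untaken branch as dead so the remaining control flow can be read cleanly.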

The third significant tool in the threat actor's toolbox is COVENANT, an open-source .NET post-exploitation framework that has been "heavily" modified to support long-term espionage; since July 2025 it has implemented a new cloud-based network protocol that abuses the Filen cloud storage service for C2. APT28's COVENANT variant was previously reported to have used pCloud (in 2023) and Koofr (in 2024-2025). According to ESET, "these adaptations show that Sednit developers acquired deep expertise in Covenant – an implant whose official development ceased in April 2021 and may have been considered unused by defenders."

"This unexpected operational decision seems to have paid off: Sednit has successfully relied on Covenant for several years, especially against specific targets in Ukraine." The group has adopted a dual-implant strategy before. Trellix disclosed in 2021 that APT28 used Graphite, a backdoor that relied on OneDrive for C2, together with PowerShell Empire in attacks against Western Asian defense industry personnel and senior government officials responsible for national security policy.
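The common thread across BEARDSHELL (Icedrive), COVENANT (Filen, earlier pCloud and Koofr) and Graphite (OneDrive) is C2 over a legitimate cloud storage service, which hides in ordinary HTTPS. The script below is an added detection example, not code from ESET, Trellix or the article: it reads a constructed proxy log, maps destination hostnames onto the providers named on this page, drops the ones the organisation has sanctioned, and flags source hosts whose requests to an unsanctioned provider arrive at nearly constant intervals, the beaconing pattern an implant polling a storage bucket produces. The log format, the sanctioned list and the hostname suffixes are assumptions; the suffixes are illustrative matches for the brand names and should be replaced with a verified list.

```python
"""Hunt for beacon-like traffic to consumer cloud storage services.

Added example, not from ESET, Trellix or the article. The log format (a
constructed space-separated proxy log: epoch seconds, source host,
destination host, bytes) is an assumption, as is the hostname table: the
article names the providers Icedrive, Filen, pCloud, Koofr and OneDrive,
and the suffixes below are illustrative matches for those brands that a
team should replace with its own verified list.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Provider label -> hostname suffixes (illustrative; verify before use).
CLOUD_STORAGE = {
    "icedrive": ("icedrive.net",),
    "filen": ("filen.io",),
    "pcloud": ("pcloud.com",),
    "koofr": ("koofr.net",),
    "onedrive": ("onedrive.live.com", "sharepoint.com"),
}
# Services the organisation has sanctioned (assumed); anything else is unexpected.
SANCTIONED = {"onedrive"}


def classify_host(dst):
    """Return the provider label for a destination hostname, or None."""
    dst = dst.lower().rstrip(".")
    for label, suffixes in CLOUD_STORAGE.items():
        for s in suffixes:
            if dst == s or dst.endswith("." + s):
                return label
    return None


def parse_line(line):
    """Constructed format: '<epoch> <src_host> <dst_host> <bytes>'."""
    ts, src, dst, nbytes = line.split()
    return int(ts), src, dst, int(nbytes)


def find_beacons(lines, min_events=4, max_jitter=0.15):
    """Group unsanctioned cloud-storage requests by (src, provider) and flag
    sessions whose inter-request intervals are nearly constant."""
    sessions = defaultdict(list)
    for line in lines:
        ts, src, dst, _ = parse_line(line)
        label = classify_host(dst)
        if label and label not in SANCTIONED:
            sessions[(src, label)].append(ts)
    hits = []
    for (src, label), stamps in sessions.items():
        stamps.sort()
        if len(stamps) < min_events:
            continue
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else 0.0   # coefficient of variation
        if jitter <= max_jitter:
            hits.append({"src": src, "provider": label,
                         "events": len(stamps), "period_s": round(avg, 1)})
    return hits


# Constructed proxy log: ws-17 polls Icedrive every ~300 s, ws-22 uses Filen
# irregularly, ws-03 touches pCloud twice, ws-09 uses sanctioned OneDrive.
SAMPLE_PROXY_LOG = """\
1000 ws-17 api.icedrive.net 512
1000 ws-22 drive.filen.io 2048
1030 ws-22 drive.filen.io 4096
1100 ws-09 example-my.sharepoint.com 9000
1302 ws-17 api.icedrive.net 498
1400 ws-09 example-my.sharepoint.com 9100
1500 ws-03 api.pcloud.com 700
1598 ws-17 api.icedrive.net 530
1700 ws-22 drive.filen.io 1024
1700 ws-09 example-my.sharepoint.com 8800
1790 ws-22 drive.filen.io 1024
1901 ws-17 api.icedrive.net 505
2000 ws-09 example-my.sharepoint.com 9050
2199 ws-17 api.icedrive.net 511
2600 ws-03 api.pcloud.com 700
3000 ws-22 drive.filen.io 3072
""".splitlines()

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_PROXY_LOG):
        print(hit)
```

Tune `min_events` and `max_jitter` to the environment: a real implant may add randomised sleep, so pair this periodicity check with volume baselines (a host that only ever uploads, or only polls small objects) rather than relying on it alone.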