
Sednit reloaded: Back in the trenches

The Sednit threat group (APT28) has deployed a modernized espionage toolkit targeting Ukrainian military personnel. The toolkit consists of custom implants SlimAgent and BeardShell, alongside a heavily modified version of the Covenant framework, utilizing legitimate cloud storage providers for resilient Command and Control (C&C).

Sens: 24h · Conf: high · Analyzed: 2026-03-10 · reports

Authors: ESET Research

Actors: Sednit, APT28, Fancy Bear, Forest Blizzard, Sofacy, Unit 26165

Source:ESET

IOCs · 2

Key Takeaways

  • Sednit (APT28) has reactivated its advanced implant development team, deploying a modern toolkit against Ukrainian military personnel.
  • The new toolkit features SlimAgent (a keylogger derived from Xagent) and BeardShell (a PowerShell executor using Icedrive for C&C).
  • Sednit heavily modified the open-source Covenant framework for long-term espionage, adding custom cloud-based C&C protocols (Filen, pCloud, Koofr).
  • Code analysis reveals direct lineage between current implants and 2010-era tools like Xagent and Xtunnel, including shared opaque predicate obfuscation.

Affected Systems

  • Windows OS
  • Ukrainian military personnel
  • European governmental entities

Vulnerabilities (CVEs)

  • CVE-2026-21509

Attack Chain

Sednit compromises targets (potentially via spearphishing exploiting CVE-2026-21509) and deploys a dual-implant architecture. SlimAgent is injected into explorer.exe to log keystrokes, capture screenshots, and steal clipboard data, saving them as hidden HTML files. BeardShell and a modified Covenant framework are deployed for persistent access, executing PowerShell commands and exfiltrating data via legitimate cloud storage services like Icedrive and Filen.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No
  • Platforms: ESET GitHub repository

A comprehensive list of indicators of compromise (IoCs) and samples is available in the ESET Research GitHub repository. No specific detection rules are provided in the article text.

Detection Engineering Assessment

  • EDR Visibility: Medium. The implants persist via COM hijacking and inject into standard processes such as explorer.exe and taskhost.exe, which EDRs monitor, but C2 over legitimate cloud services blends with normal traffic.
  • Network Visibility: Low. C2 traffic is encrypted HTTPS to legitimate cloud providers (Icedrive, Filen, pCloud, Koofr), so network-based detection is difficult without TLS inspection and behavioural profiling of which hosts and processes talk to those providers.
  • Detection Difficulty: Hard. Heavy obfuscation (opaque predicates), legitimate cloud services for C2, and in-memory execution of .NET assemblies via Covenant make static and network detection challenging.

Required Log Sources

  • Process Creation (Event ID 4688/Sysmon 1)
  • Network Connection (Sysmon 3), needed for the cloud-storage C2 hypothesis below
  • File Creation (Sysmon 11)
  • Image Load (Sysmon 7)
  • Registry Events (Sysmon 12/13/14)

Hunting Hypotheses

  • Hypothesis: Look for unusual child processes or network connections originating from taskhost.exe or taskhostw.exe communicating with cloud storage domains.
    • Telemetry: Process Creation, Network Connections
    • ATT&CK Stage: Command and Control
    • FP Risk: Medium
  • Hypothesis: Monitor for COM object hijacking targeting standard Windows DLLs like eapphost.dll or tcpiphlpsvc.dll.
    • Telemetry: Registry Events, Image Load
    • ATT&CK Stage: Persistence
    • FP Risk: Low
  • Hypothesis: Hunt for explorer.exe writing hidden files containing HTML-formatted logs with specific color tags (blue, red, green).
    • Telemetry: File Creation
    • ATT&CK Stage: Collection
    • FP Risk: Low
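The three hypotheses above (and the Key Behavioral Indicators further down the page) expressed as hunting logic run over constructed Sysmon-style events. This is an added example written for this page, not ESET's code and not a rule from the ESET repository. The page gives only the provider names, the two DLL names, the host processes and the three colours; the provider hostname fragments, the placeholder CLSID, the `color=` markup matched in the keylog HTML, and the reading of the COM hijack as "named system DLL loaded from a user-writable path" are assumptions.

```python
"""Hunting logic for the Sednit hypotheses on this page, run over constructed
Sysmon-style events. Added example, not ESET's code."""
import re
from collections import namedtuple

Hit = namedtuple("Hit", "rule event")

# Providers the page reports as C&C transports, matched as substrings of the
# destination hostname. Exact API hostnames are an assumption; use the IoC list.
CLOUD_STORAGE_PROVIDERS = ("icedrive", "filen", "pcloud", "koofr")
# Processes the page names as BeardShell hosts (execution guardrails).
BEARDSHELL_HOSTS = {"taskhost.exe", "taskhostw.exe"}
# System DLL names the page associates with the COM hijack.
HIJACKED_COM_DLLS = {"eapphost.dll", "tcpiphlpsvc.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# SlimAgent logs are HTML with blue/red/green colour tags. The exact markup is
# not on the page; this regex (color="blue" / color:blue) is an assumption.
COLOR_TAG = re.compile(r'color\s*[:=]\s*"?(blue|red|green)\b', re.I)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)


def hit_cloud_c2(ev):
    """H1: a BeardShell host process talking to a cloud storage provider."""
    if ev.get("EventID") != 3:
        return False
    host = ev.get("DestinationHostname", "").lower()
    return (basename(ev.get("Image", "")) in BEARDSHELL_HOSTS
            and any(p in host for p in CLOUD_STORAGE_PROVIDERS))


def hit_com_hijack(ev):
    """H2: per-user InprocServer32 override (Sysmon 12/13) pointing outside the
    system directories, or one of the named DLLs loaded (Sysmon 7) from there."""
    eid = ev.get("EventID")
    if eid in (12, 13):
        key = ev.get("TargetObject", "").lower()
        per_user = key.startswith(("hkcu\\", "hku\\"))  # Sysmon renders HKCU as HKU\<SID>
        if per_user and "\\classes\\clsid\\" in key and "\\inprocserver32" in key:
            return not in_system_dir(ev.get("Details", ""))
    if eid == 7:
        img = ev.get("ImageLoaded", "")
        return basename(img) in HIJACKED_COM_DLLS and not in_system_dir(img)
    return False


def hit_slimagent_log(ev, read_file):
    """H3: explorer.exe creating an HTML file that carries the colour tags.
    Sysmon 11 carries no content, so the caller supplies a file reader."""
    if ev.get("EventID") != 11 or basename(ev.get("Image", "")) != "explorer.exe":
        return False
    target = ev.get("TargetFilename", "")
    if not target.lower().endswith((".htm", ".html")):
        return False
    return bool(COLOR_TAG.search(read_file(target) or ""))


def hunt(events, read_file=lambda path: None):
    """Return one Hit per (rule, event) pair that fires, in event order."""
    hits = []
    for ev in events:
        if hit_cloud_c2(ev):
            hits.append(Hit("beardshell_cloud_c2", ev))
        if hit_com_hijack(ev):
            hits.append(Hit("com_hijack", ev))
        if hit_slimagent_log(ev, read_file):
            hits.append(Hit("slimagent_html_keylog", ev))
    return hits


# Constructed telemetry: three true positives, each beside a benign lookalike.
# The CLSID and user paths are placeholders, not indicators from the report.
EVENTS = [
    {"EventID": 3, "Image": r"C:\Windows\System32\taskhostw.exe", "DestinationHostname": "api.icedrive.net", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "DestinationHostname": "drive.pcloud.com", "DestinationPort": 443},
    {"EventID": 13, "Image": r"C:\Windows\System32\rundll32.exe", "TargetObject": r"HKU\S-1-5-21-1000\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32\(Default)", "Details": r"C:\Users\u\AppData\Roaming\eapphost.dll"},
    {"EventID": 7, "Image": r"C:\Windows\System32\taskhostw.exe", "ImageLoaded": r"C:\Users\u\AppData\Roaming\tcpiphlpsvc.dll"},
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe", "ImageLoaded": r"C:\Windows\System32\tcpiphlpsvc.dll"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe", "TargetFilename": r"C:\Users\u\AppData\Local\Temp\log01.html"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe", "TargetFilename": r"C:\Users\u\Downloads\report.html"},
]
SAMPLE_FILES = {  # stands in for reading the created files off disk
    r"C:\Users\u\AppData\Local\Temp\log01.html": '<html><font color="blue">[Notepad]</font><font color="red">hunter2</font></html>',
    r"C:\Users\u\Downloads\report.html": "<html><body>Quarterly report</body></html>",
}


def demo():
    return hunt(EVENTS, SAMPLE_FILES.get)


if __name__ == "__main__":
    for h in demo():
        print(h.rule, h.event.get("Image"))
```

The H2 rule fires on any per-user InprocServer32 override outside System32, which is broader than the page's DLL-name hypothesis and will catch legitimate per-user COM servers (self-updating desktop apps register under AppData); narrow it to the CLSIDs or DLL names in the ESET IoC list before deploying it as an alert rather than a hunt.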

Control Gaps

  • Network egress filtering (due to legitimate cloud provider usage)
  • Static AV detection (due to custom obfuscation and opaque predicates)

Key Behavioral Indicators

  • Unexpected network connections to Icedrive, Filen, pCloud, or Koofr from system processes
  • HTML files created with specific color tags (blue, red, green) for keylogging output
  • COM hijacking persistence mechanisms involving eapphost.dll or tcpiphlpsvc.dll

False Positive Assessment

  • Medium

Recommendations

Immediate Mitigation

  • Block unauthorized access to cloud storage providers (Icedrive, Filen, pCloud, Koofr) at the network perimeter if not required for business operations.
  • Search endpoints for the SHA-1 hashes of SlimAgent and BeardShell samples published in the ESET Research GitHub repository; the two hashes listed under Additional IOCs on this page are historical Xagent and Xtunnel samples, not the current implants.
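The endpoint hash search above, as an added example (not ESET's tooling): a chunked SHA-1 sweep over a directory tree that reports every file whose digest is in the IoC set. The dictionary is seeded with the two hashes from this page; the demo tree and the extra IoC for the bytes `abc` (a standard SHA-1 test vector) are constructed so the sweep runs offline.

```python
"""Sweep a directory tree for SHA-1 IoCs. Added example, not ESET's tooling."""
import hashlib
import os
import shutil
import tempfile

# SHA-1 hashes listed on this page. Both are historical samples; merge the
# SlimAgent / BeardShell hashes from the ESET Research GitHub repository into
# this dict before a real sweep.
IOC_SHA1 = {
    "d0db619a7a160949528d46d20fc0151bf9775c32": "Xagent (historical, shares code with SlimAgent)",
    "99b454262dc26b081600e844371982a49d334e5e": "Xtunnel (historical, shares obfuscation with BeardShell)",
}


def sha1_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large files are never read into memory at once."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, iocs=IOC_SHA1, max_size=256 << 20):
    """Walk root and return (path, sha1, label) for each file whose digest is
    in iocs. Unreadable files and files larger than max_size are skipped."""
    wanted = {k.lower(): v for k, v in iocs.items()}
    matches = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_size:
                    continue
                digest = sha1_file(path)
            except OSError:  # locked, vanished or permission denied: move on
                continue
            if digest in wanted:
                matches.append((path, digest, wanted[digest]))
    return matches


# SHA-1 of the bytes b"abc" (standard test vector), so the demo needs no real sample.
ABC_SHA1 = "a9993e364706816aba3e25717850c26c9cd0d89d"


def demo():
    """Constructed tree: one file matching the test-vector IoC, one benign file."""
    root = tempfile.mkdtemp(prefix="ioc_sweep_")
    try:
        os.makedirs(os.path.join(root, "sub"))
        with open(os.path.join(root, "sub", "sample.bin"), "wb") as f:
            f.write(b"abc")
        with open(os.path.join(root, "benign.txt"), "wb") as f:
            f.write(b"nothing to see here")
        return sweep(root, {**IOC_SHA1, ABC_SHA1: "constructed test sample"})
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for path, digest, label in demo():
        print(f"{digest}  {label}  {path}")
```

Run it against a user profile or the whole system drive with `sweep(r"C:\")`; for fleet-wide use, push the IoC dict out to endpoints and collect the returned tuples centrally rather than hashing over the network.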

Infrastructure Hardening

  • Implement strict application control to prevent the loading of unapproved DLLs.
  • Monitor and restrict COM object modifications in the registry.

User Protection

  • Deploy advanced EDR solutions capable of detecting in-memory .NET execution and process injection.
  • Ensure systems are patched against known vulnerabilities, including CVE-2026-21509.

Security Awareness

  • Train personnel, especially high-value targets, on the risks of spearphishing and advanced social engineering tactics.

MITRE ATT&CK Mapping

  • T1583.006 - Acquire Infrastructure: Web Services
  • T1587.001 - Develop Capabilities: Malware
  • T1059.001 - Command and Scripting Interpreter: PowerShell
  • T1129 - Shared Modules
  • T1546.015 - Event Triggered Execution: Component Object Model Hijacking
  • T1027 - Obfuscated Files or Information
  • T1140 - Deobfuscate/Decode Files or Information
  • T1480 - Execution Guardrails
  • T1564 - Hide Artifacts
  • T1082 - System Information Discovery
  • T1005 - Data from Local System
  • T1056.001 - Input Capture: Keylogging
  • T1113 - Screen Capture
  • T1115 - Clipboard Data
  • T1001 - Data Obfuscation
  • T1071.001 - Application Layer Protocol: Web Protocols
  • T1102 - Web Service
  • T1573.002 - Encrypted Channel: Asymmetric Cryptography
  • T1567 - Exfiltration Over Web Service

Additional IOCs

  • File Hashes:
    • D0DB619A7A160949528D46D20FC0151BF9775C32 (SHA1) - Historical Xagent sample sharing code with SlimAgent
    • 99B454262DC26B081600E844371982A49D334E5E (SHA1) - Historical Xtunnel sample sharing opaque predicate obfuscation with BeardShell
  • File Paths:
    • RemoteKeyLogger.dll - Internal name for 2018 keylogging module ancestor of SlimAgent
    • taskhost.exe - Target process for BeardShell execution guardrails
    • taskhostw.exe - Target process for BeardShell execution guardrails
    • explorer.exe - Target process for SlimAgent execution guardrails
  • Other:
    • Icedrive - Legitimate cloud storage service abused for BeardShell C&C
    • Filen - Legitimate cloud storage service abused for Covenant C&C
    • pCloud - Legitimate cloud storage service abused for Covenant C&C (2023)
    • Koofr - Legitimate cloud storage service abused for Covenant C&C (2024-2025)