New Russian malware campaign targets Ukraine using Signal chats.

Russian APT28 hackers use social engineering and Signal’s multi-device feature to spread malware inside Ukrainian government networks.

Attackers send malicious Word docs with macros via Signal. These download a memory-resident backdoor called Covenant, which loads additional payloads including a new malware named BeardShell.

BeardShell executes encrypted PowerShell scripts and communicates with the attackers via the Icedrive API. It uses COM hijacking in the Windows registry to maintain persistence across reboots.
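The COM hijacking persistence described above is typically written under the current user's CLSID hive, which COM consults before the machine-wide one. The following is an added example, not code from the note or from the reported tooling: a PowerShell check that lists per-user COM server registrations, notes whether each shadows an HKLM entry, and flags targets outside standard system paths (the path heuristic is an assumption, not a rule from the page).

```powershell
# Added example (not from the original note). Enumerates per-user COM server
# registrations, the location COM-hijack persistence is commonly written to.
# Assumptions: run in the context of the user being inspected; a user-hive
# InprocServer32/LocalServer32 that also exists under HKLM is worth review,
# and a target outside Windows or Program Files is a heuristic, not proof.

function Get-UserComOverrides {
    [CmdletBinding()]
    param()

    $userClsidRoot = 'HKCU:\Software\Classes\CLSID'
    if (-not (Test-Path $userClsidRoot)) { return @() }

    $results = foreach ($clsidKey in Get-ChildItem -Path $userClsidRoot -ErrorAction SilentlyContinue) {
        $clsid = $clsidKey.PSChildName
        foreach ($serverType in 'InprocServer32', 'LocalServer32') {
            $userKey = Join-Path $clsidKey.PSPath $serverType
            if (-not (Test-Path $userKey)) { continue }

            # The default value of the server key is the DLL or EXE COM will load.
            $userTarget = (Get-ItemProperty -Path $userKey -ErrorAction SilentlyContinue).'(default)'

            $machineKey    = "HKLM:\Software\Classes\CLSID\$clsid\$serverType"
            $machineTarget = $null
            if (Test-Path $machineKey) {
                $machineTarget = (Get-ItemProperty -Path $machineKey -ErrorAction SilentlyContinue).'(default)'
            }

            # Heuristic (assumption): legitimate per-user servers usually live under
            # the Windows or Program Files trees; anything else deserves a closer look.
            $suspiciousPath = [bool]($userTarget -and
                $userTarget -notmatch '^(?i)"?C:\\(Windows|Program Files)')

            [PSCustomObject]@{
                CLSID          = $clsid
                ServerType     = $serverType
                UserTarget     = $userTarget
                MachineTarget  = $machineTarget
                ShadowsHKLM    = [bool]$machineTarget
                SuspiciousPath = $suspiciousPath
            }
        }
    }
    return $results
}

# Review entries that shadow a machine-wide CLSID or point at an unusual path.
Get-UserComOverrides | Where-Object { $_.ShadowsHKLM -or $_.SuspiciousPath } | Format-Table -AutoSize
```

Run it per interactive user (or load each user's NTUSER.DAT hive) to cover accounts other than the one executing the script.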

Another malware, SlimAgent, is used to capture and encrypt screenshots, enhancing surveillance capabilities alongside BeardShell.

Attackers exploit Signal’s QR code device linking to bind their devices to victims’ accounts, bypassing Signal’s end-to-end encryption to access message content stealthily.

This campaign shows how encrypted communication tools can be weaponized in cyberwarfare through sophisticated social engineering and malware layering.

Stay vigilant with Signal links and QR codes, especially in sensitive environments. This attack highlights evolving cyber threats in the Ukraine-Russia conflict.