Signal Messenger Breach by APT28 Leads to Distribution of BeardShell and Covenant Malware
In the summer of 2025, a sophisticated spearphishing campaign, named 'Phantom Net Voxel,' was uncovered, targeting Ukrainian military personnel via the Signal messaging platform. The campaign, attributed to the Russian hacker group known as APT29 (Cozy Bear), employs a multi-layered approach for payload delivery.
The operation begins with a malicious Office document sent through private Signal chats, disguised as urgent administrative forms or compensation requests. Upon opening, the document's embedded macros drop a stealthy DLL and a PNG file onto the victim's machine, initiating a multi-stage infection chain.
The initial Document_Open macro checks the Windows version and registers a malicious COM server under a specific CLSID so that the DLL loads on each user logon. If the registry key does not already exist, the macro drops the files into the ProgramData and AppData directories, hides them, and then executes the DLL's installation routine.
The first stage of the infection chain installs both Covenant's HTTP Grunt Stager and the custom C++ backdoor BeardShell. Communications are secured with hybrid encryption, and file uploads and downloads to cloud storage provide a covert command-and-control channel; each compromised host is represented by a unique GUID-derived folder, and the number of such folders indicates potentially dozens of infected systems.
BeardShell, an unmanaged C++ backdoor, is the subsequent payload in the Phantom Net Voxel campaign. Its entry point performs anti-analysis checks and generates a hardware-profile-based identifier for directory naming on the cloud storage. Upon activation, BeardShell instantiates PowerShell sessions via embedded CLR initialization routines.
Once loaded into explorer.exe, the second-stage DLL extracts a shellcode from the least significant bits of each PNG pixel. This shellcode initializes the .NET Common Language Runtime (CLR) and injects a Covenant HTTP Grunt module, which contacts the Koofr cloud API to create directories named 'Keeping' and 'Transfering.'
BeardShell receives JSON-formatted commands that are encrypted with ChaCha20-Poly1305 and masqueraded as benign image files, then executes them. Defenders are advised to monitor for unexpected COM registrations under high-privilege CLSIDs and to inspect anomalous PNG or TIFF files in AppData directories for hidden payloads.
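The LSB extraction and the "inspect anomalous PNG files" advice above suggest a concrete triage check. The following is an added example written for this article, not code from the Sekoia report or from the campaign: a minimal PNG decoder plus an entropy measurement of the least-significant-bit plane, run on two constructed images (one plain, one whose LSBs carry pseudo-random bytes standing in for an encrypted blob). The codec handles only 8-bit RGB, non-interlaced PNGs (an assumption made for brevity), and the 7.0 bits/byte threshold is a heuristic chosen for this example.

```python
"""Added example (not code from the Sekoia report or the campaign): a triage
check for PNG files that may carry an LSB-embedded payload. Assumptions: 8-bit
RGB, non-interlaced PNGs only; the 7.0 bits/byte threshold is a heuristic."""
import math
import random
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
BPP = 3  # bytes per pixel for 8-bit RGB


def _chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


def write_png(width: int, height: int, rows: list) -> bytes:
    """Encode raw RGB rows; even rows use filter None (0), odd rows Sub (1)."""
    raw = bytearray()
    for y, row in enumerate(rows):
        if y % 2 == 0:
            raw += b"\x00" + row
        else:
            raw += b"\x01" + bytes((row[i] - (row[i - BPP] if i >= BPP else 0)) & 0xFF
                                   for i in range(len(row)))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return (PNG_SIG + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(bytes(raw))) + _chunk(b"IEND", b""))


def _paeth(a: int, b: int, c: int) -> int:
    p = a + b - c
    pa, pb, pc = abs(p - a), abs(p - b), abs(p - c)
    if pa <= pb and pa <= pc:
        return a
    return b if pb <= pc else c


def read_png(data: bytes) -> list:
    """Decode to a list of unfiltered RGB rows; supports all five scanline filters."""
    if not data.startswith(PNG_SIG):
        raise ValueError("bad PNG signature")
    pos, idat, width, height = len(PNG_SIG), bytearray(), None, None
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        pos += 12 + length  # length + type + body + CRC
        if ctype == b"IHDR":
            width, height, depth, colour, _, _, interlace = struct.unpack(">IIBBBBB", body)
            if (depth, colour, interlace) != (8, 2, 0):
                raise ValueError("only 8-bit RGB non-interlaced PNGs are handled")
        elif ctype == b"IDAT":
            idat += body
        elif ctype == b"IEND":
            break
    raw, stride = zlib.decompress(bytes(idat)), width * BPP
    rows, prior = [], bytes(stride)
    for y in range(height):
        off = y * (stride + 1)
        ftype, filt, cur = raw[off], raw[off + 1:off + 1 + stride], bytearray(stride)
        for i in range(stride):
            a = cur[i - BPP] if i >= BPP else 0           # left sample
            b, c = prior[i], (prior[i - BPP] if i >= BPP else 0)  # up, up-left
            pred = (0, a, b, (a + b) // 2, _paeth(a, b, c))[ftype]
            cur[i] = (filt[i] + pred) & 0xFF
        rows.append(bytes(cur))
        prior = cur
    return rows


def lsb_plane(rows: list) -> bytes:
    """Pack the least significant bit of every sample into bytes, MSB first."""
    bits = [s & 1 for row in rows for s in row]
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits) - 7, 8))


def shannon_entropy(data: bytes) -> float:
    n = len(data)
    counts = [data.count(v) for v in range(256)]
    return -sum(c / n * math.log2(c / n) for c in counts if c) if n else 0.0


def triage_png(data: bytes, threshold: float = 7.0) -> tuple:
    """An LSB plane that looks like ciphertext (close to 8 bits/byte) is the signal."""
    ent = shannon_entropy(lsb_plane(read_png(data)))
    return ("suspicious" if ent >= threshold else "clean", round(ent, 2))


def _gradient(x: int, y: int) -> int:
    return (x + y) % 256


def make_clean_png(w: int = 64, h: int = 64) -> bytes:
    """Constructed cover image with no payload."""
    return write_png(w, h, [bytes(_gradient(x, y) for x in range(w) for _ in range(BPP)) for y in range(h)])


def make_stego_png(w: int = 64, h: int = 64, seed: int = 1234) -> bytes:
    """Constructed image whose LSBs carry pseudo-random bits (stand-in for an encrypted blob)."""
    rng = random.Random(seed)
    bits = iter(rng.getrandbits(1) for _ in range(w * h * BPP))
    rows = [bytes((_gradient(x, y) & 0xFE) | next(bits) for x in range(w) for _ in range(BPP)) for y in range(h)]
    return write_png(w, h, rows)


if __name__ == "__main__":
    for name, png in (("clean", make_clean_png()), ("stego", make_stego_png())):
        print(name, triage_png(png))
```

The entropy heuristic is deliberately crude: photographs with sensor noise also have a near-random LSB plane, so on real systems the verdict is only useful together with context such as the file's location, a size that does not match its pixel dimensions, or a process other than an image viewer reading it.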
Sekoia analysts identified the lure documents' use of authentic Ukrainian military nomenclature as a key element of the campaign's success. The attack employs a two-pronged persistence approach: the VBA macro's registry modifications for startup execution, and the second-stage DLL's COM hijack for seamless proxying of legitimate printing functions.
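The COM registration made by the macro and the COM hijack used by the second-stage DLL both leave a CLSID whose InprocServer32 value points at a DLL in a user-writable directory. The following is an added example for this article, not code from the Sekoia report: it parses a registry export (`.reg` text, such as one produced with `reg export`) and flags such registrations. The CLSIDs and paths in SAMPLE_REG are constructed placeholders, not indicators from the campaign.

```python
"""Added example, not code from the Sekoia report: audit a .reg export for COM
InprocServer32 registrations whose DLL lives in a user-writable directory.
The CLSIDs and paths below are constructed placeholders."""
import re

# Constructed sample export: two per-user registrations and one machine-wide one.
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000000-0000-0000-0000-0000000000A1}\InprocServer32]",
    r'@="C:\\ProgramData\\Example\\helper.dll"',
    r'"ThreadingModel"="Apartment"',
    "",
    r"[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000000-0000-0000-0000-0000000000A2}\InprocServer32]",
    r'@="C:\\Windows\\System32\\shell32.dll"',
    "",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-0000000000A3}\InprocServer32]",
    r'@="C:\\Users\\alice\\AppData\\Roaming\\Example\\print.dll"',
    "",
])

# Key line of an InprocServer32 subkey: hive, intermediate path, CLSID.
KEY_RE = re.compile(
    r"^\[(HKEY_[A-Z_]+)\\(.+?)\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\InprocServer32\]$", re.I)

# Directory fragments a standard user can write to; a COM server DLL here is unusual.
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\users\\public\\", "\\temp\\")


def parse_reg_export(text: str) -> list:
    """Return (hive, clsid, dll_path) for each InprocServer32 key with a default value."""
    entries, current = [], None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = (m.group(1).upper(), m.group(3).upper())
            continue
        if current and line.startswith("@="):
            # .reg syntax quotes the value and doubles backslashes.
            value = line[2:].strip().strip('"').replace("\\\\", "\\")
            entries.append((current[0], current[1], value))
            current = None
    return entries


def audit_com_registrations(text: str) -> list:
    """Flag InprocServer32 DLLs in user-writable directories. The hive is recorded
    because a per-user (HKCU) registration takes precedence over the machine-wide
    entry for the same CLSID in non-elevated processes."""
    findings = []
    for hive, clsid, path in parse_reg_export(text):
        low = path.lower()
        if any(marker in low for marker in USER_WRITABLE):
            findings.append({"clsid": clsid, "hive": hive, "dll": path,
                             "reason": "COM server DLL in user-writable directory"})
    return findings


if __name__ == "__main__":
    for f in audit_com_registrations(SAMPLE_REG):
        print(f"{f['hive']} {f['clsid']} -> {f['dll']}: {f['reason']}")
```

On a live host the same check can be driven from an export of `HKCU\Software\Classes\CLSID` and `HKLM\SOFTWARE\Classes\CLSID`; combining the path test with a comparison against a known-good baseline of CLSIDs is what turns it from a one-off review into a detection.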
BeardShell uses the icedrive service for command-and-control (C2) communications. Defenders are encouraged to stay vigilant and to correlate code-signing anomalies, registry tampering, and cloud API traffic in order to intercept future intrusions.