The Russian state-sponsored threat group APT28 is using Signal chats to target government targets in Ukraine with two previously undocumented malware families named BeardShell and SlimAgent.
To be clear, this is not a security issue in Signal. Instead, threat actors are more commonly utilizing the messaging platform as part of their phishing attacks due to its increased usage by governments worldwide.
The attacks were first discovered by Ukraine's Computer Emergency Response Team (CERT-UA) in March 2024, though only limited details about the infection vector were uncovered at the time.
Over a year later, in May 2025, ESET notified CERT-UA of unauthorized access to a gov.ua email account, prompting a new incident response.
During this new investigation, CERT-UA discovered that messages sent via the encrypted messenger app Signal were used to deliver a malicious document to targets (Акт.doc), which uses macros to load a memory-resident backdoor called Covenant.
[Figure: APT28 attack via Signal. Source: CERT-UA]
Covenant acts as a malware loader, downloading a DLL (PlaySndSrv.dll) and a WAV file carrying shellcode (sample-03.wav), which together load BeardShell, a previously undocumented C++ malware.
For both the loader and the primary malware payload, persistence is secured via COM-hijacking in the Windows registry.
[Figure: Establishing persistence for BeardShell]