APT28 With Weaponized Office Documents Delivers BeardShell and Covenant Modules

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Russia’s APT28 has resurfaced in mid-2025 with a sophisticated spear-phishing campaign that weaponizes Office documents to deploy two novel payloads: BeardShell, a C-based backdoor leveraging IceDrive as a command-and-control channel, and Covenant’s HTTP Grunt Stager, which communicates via the Koofr cloud API.

These malicious documents are distributed through private Signal chats, exploiting the application’s lack of Mark-of-the-Web protection to slip past Microsoft Office security mechanisms.

Targets receive messages mimicking internal legal or administrative notifications, complete with urgent prompts to open embedded documents that carry hidden macros.

Upon opening, the lure document automatically switches to Print Layout before executing a Visual Basic for Applications (VBA) macro that performs environment checks, deobfuscates payloads, and establishes persistence.

Sekoia analysts noted that the primary macro performs a COM hijack by dropping a DLL (prnfldr.dll) alongside a benign-looking PNG file (windows.png) and registering the DLL under the Printers CLSID registry key.

It then invokes regsvr32.exe with the /i parameter to trigger the DLL’s installation routine, ensuring execution even without a system reboot.

Once loaded by Explorer.exe, prnfldr.dll proxies legitimate print functions and spawns a secondary thread to extract an AES-encrypted shellcode blob from the least significant bits of each pixel in windows.png.

This technique embeds 20 bytes of size and hash metadata followed by a 32-byte key, 16-byte IV, and encrypted content within the PNG image data.
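As an added defender-side example (not Sekoia's analysis tooling and not code from the samples), the following Python implements the classic pairs-of-values chi-square check for LSB replacement: when an encrypted blob is written into the least significant bit of every sample, as described above for windows.png, the histogram counts of each value pair (2k, 2k+1) converge and the statistic falls to about one per degree of freedom. It assumes the image has already been decoded to raw 8-bit samples (for instance with Pillow's Image.tobytes()); the test data inside is constructed.

```python
"""Pairs-of-values chi-square check for LSB replacement steganography.

Added example, not Sekoia's tooling or code from the samples. It assumes the image
has already been decoded to raw 8-bit samples (e.g. Pillow's Image.tobytes()).
"""
import random
from collections import Counter
from typing import Tuple


def chi_square_pairs(samples: bytes) -> Tuple[float, int]:
    """Return (chi-square statistic, degrees of freedom) over value pairs (2k, 2k+1).

    Writing a random-looking payload (an encrypted blob qualifies) into the LSB of
    every sample only moves values between 2k and 2k+1, so the two counts in each
    pair converge and the statistic falls to about 1 per degree of freedom; a
    clean image with a structured histogram scores far higher.
    """
    hist = Counter(samples)
    chi2, dof = 0.0, 0
    for k in range(128):
        even, odd = hist.get(2 * k, 0), hist.get(2 * k + 1, 0)
        total = even + odd
        if total == 0:
            continue  # an empty pair carries no evidence either way
        expected = total / 2.0
        chi2 += (even - expected) ** 2 / expected + (odd - expected) ** 2 / expected
        dof += 1
    return chi2, max(dof - 1, 1)


def stego_score(samples: bytes) -> float:
    """Chi-square per degree of freedom; values near 1.0 point to a full LSB payload.
    Caveat: this only catches sequential, full-capacity replacement as described for
    windows.png; sparse or adaptive embedding needs other detectors."""
    chi2, dof = chi_square_pairs(samples)
    return chi2 / dof


def build_samples(n: int = 20000, simulate_payload: bool = False, seed: int = 7) -> bytes:
    """Constructed test data, not a real capture: a smooth ramp quantised to even
    values stands in for a structured clean image; with simulate_payload the LSB of
    every sample is replaced by a random bit, mimicking an encrypted blob."""
    rng = random.Random(seed)
    clean = bytes(((i % 200) // 2) * 2 + 20 for i in range(n))  # even values 20..218
    if not simulate_payload:
        return clean
    return bytes((v & 0xFE) | rng.getrandbits(1) for v in clean)
```

Run stego_score over the decoded samples of a suspect PNG: the constructed clean ramp scores in the hundreds, while the same data with randomised LSBs scores close to 1.0. Photographic images already have noisy LSB planes, so treat a low score as a lead to confirm against the file's provenance and the process that read it, not as proof on its own.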

Infection chain (Source – Sekoia)

After decryption, the shellcode initializes the Common Language Runtime and loads the Covenant .NET assembly, establishing an HTTP-based C2 channel with the Koofr infrastructure.

Infection Mechanism Deep Dive

The second stage reveals an ingenious use of digital steganography. The shellcode reads windows.png, extracts the embedded payload, and calls the following functions to launch the Covenant Grunt Stager:

```cpp
// Excerpt as described in the article, corrected so it compiles: the meta host must be
// created before use, and ExecuteInDefaultAppDomain belongs to ICLRRuntimeHost.
#include <metahost.h>
#pragma comment(lib, "mscoree.lib")

HRESULT hr;
DWORD retVal = 0;
ICLRMetaHost *pMetaHost = NULL;
ICLRRuntimeInfo *pRuntimeInfo = NULL;
ICLRRuntimeHost *pRuntimeHost = NULL;
hr = CLRCreateInstance(CLSID_CLRMetaHost, IID_ICLRMetaHost, (LPVOID*)&pMetaHost);
hr = pMetaHost->GetRuntime(L"v4.0.30319", IID_ICLRRuntimeInfo, (LPVOID*)&pRuntimeInfo);
hr = pRuntimeInfo->GetInterface(CLSID_CLRRuntimeHost, IID_ICLRRuntimeHost, (LPVOID*)&pRuntimeHost);
hr = pRuntimeHost->Start();
hr = pRuntimeHost->ExecuteInDefaultAppDomain(L"C:\\path\\GruntHTTPStager.dll",
                                             L"EntryPoint", L"Execute",
                                             NULL, &retVal);
```

Once active, Covenant’s HTTP Grunt module communicates exclusively through Koofr’s API, creating “Keeping” and “Tansfering” folders to upload reconnaissance data and download new modules.

The implant uses hybrid encryption to exchange session keys and orchestrates command execution via Covenant Tasks, uploading output as files before deleting them to minimize forensic artifacts.

Meanwhile, BeardShell operates independently as a C DLL. It initializes the CLR to load the System.Management.Automation assembly and exposes a JSON-based interface for seven PowerShell-centric commands.

Every four hours, BeardShell polls an IceDrive directory named by an FNV4 hash of host attributes.

It uploads SystemInfo results to IceDrive and awaits operator-supplied JSON command files, which it decrypts and executes before returning output to the storage root. Commands follow the schema:

```json
{"taskid":0,"cmdid":2,"data":{"id":0,"cmd":"ipconfig /all"}}
```

This dual-payload strategy demonstrates APT28’s evolving use of open-source frameworks and legitimate cloud services for covert communications.

Embedding steganographic payloads in PNG files and leveraging multiple cloud channels significantly complicates detection and response, underscoring the need for enhanced steganography detection and cloud API monitoring.
