APT28 Exploits Signal Encryption

In the murky depths of modern cyberwarfare, trust is a weapon, and in the hands of a threat group like APT28, even encrypted platforms can become silent accomplices.

A new chapter in cyber espionage is unfolding. Ukraine’s CERT-UA recently revealed a sophisticated campaign by APT28, a Russian state-sponsored threat group, exploiting the secure messaging platform Signal, not by breaching its encryption, but by leveraging its trusted status among government entities.

Encrypted Channels, Unseen Payloads

The attack began with something deceptively mundane: a document sent via Signal. Titled Акт.doc, the file contained malicious macros. Once activated, it loaded Covenant, a stealthy memory-resident backdoor. Covenant then retrieved further payloads: a DLL file and a WAV file carrying shellcode, which together delivered BeardShell, a previously undocumented C++ malware.

The malware didn’t stop at the initial compromise. Using COM hijacking, it established persistence. Its true purpose was to pull encrypted PowerShell scripts, decrypt them using ChaCha20-Poly1305, execute them, and quietly send the results back to its handlers through the Icedrive API.
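From a defender’s side, the chain above (macro-bearing document spawning a process, a per-user COM hijack for persistence, hidden PowerShell execution, and results pushed to a cloud-storage API) can be correlated from endpoint telemetry. The following is an added example, not code from the original post or from CERT-UA’s report; the Sysmon-style event layout, the placeholder CLSID and the Icedrive API hostname are assumptions.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style event lines in an assumed key=value layout; not real
# telemetry from the campaign. CLSID and the Icedrive API hostname are placeholders.
SAMPLE_EVENTS = [
    "host=WS01 type=ProcessCreate parent=WINWORD.EXE image=rundll32.exe cmd=rundll32.exe C:\\Temp\\x.dll,Start",
    "host=WS01 type=RegistryValueSet key=HKCU\\Software\\Classes\\CLSID\\{PLACEHOLDER-GUID}\\InprocServer32 data=C:\\Temp\\x.dll",
    "host=WS01 type=ProcessCreate parent=explorer.exe image=powershell.exe cmd=powershell.exe -nop -w hidden -enc AAAA",
    "host=WS01 type=NetworkConnect image=powershell.exe dest=api.icedrive.example port=443",
    "host=WS02 type=ProcessCreate parent=explorer.exe image=powershell.exe cmd=powershell.exe Get-Date",
    "host=WS03 type=RegistryValueSet key=HKLM\\Software\\Classes\\CLSID\\{PLACEHOLDER-GUID}\\InprocServer32 data=C:\\Vendor\\v.dll",
]

OFFICE_PARENTS = {"winword.exe", "excel.exe"}
# Per-user CLSID entries shadow the machine-wide ones, which is what COM hijacking relies on;
# writes under HKLM are ordinary installer behaviour and are ignored here.
COM_HIJACK_KEY = re.compile(r"^HKCU\\Software\\Classes\\CLSID\\\{[^}]+\}\\InprocServer32", re.I)
HIDDEN_PS_FLAGS = ("-w hidden", "-windowstyle hidden", "-enc ", "-encodedcommand")
CLOUD_MARKERS = ("icedrive",)  # assumed substring for the cloud-storage API used as the channel


def parse_event(line):
    """Split 'k=v k=v ...' into a dict; values may contain spaces (the next key ends a field)."""
    return dict(re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", line))


def classify(ev):
    """Map one event to the stage of the described chain it resembles, or None."""
    t = ev.get("type")
    if t == "ProcessCreate" and ev.get("parent", "").lower() in OFFICE_PARENTS:
        return "office_spawns_child"        # macro in the Signal-delivered document
    if t == "RegistryValueSet" and COM_HIJACK_KEY.match(ev.get("key", "")):
        return "com_hijack_persistence"     # BeardShell persistence
    if t == "ProcessCreate" and ev.get("image", "").lower() == "powershell.exe":
        if any(f in ev.get("cmd", "").lower() for f in HIDDEN_PS_FLAGS):
            return "hidden_powershell"      # decrypted scripts executed out of sight
    if t == "NetworkConnect" and any(m in ev.get("dest", "").lower() for m in CLOUD_MARKERS):
        return "cloud_api_exfil"            # results pushed through the Icedrive API
    return None


def detect(lines, min_stages=2):
    """Return {host: sorted stages} for hosts showing at least min_stages distinct chain stages."""
    stages = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        stage = classify(ev)
        if stage:
            stages[ev["host"]].add(stage)
    return {h: sorted(s) for h, s in stages.items() if len(s) >= min_stages}
```

Requiring two or more distinct stages on the same host keeps a lone hidden PowerShell launch or a single registry write from raising an alert on its own.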

Images from the Shadows

Another discovery, SlimAgent, adds a visual twist. This malicious tool captured screenshots using native Windows API calls, piecing together an intelligence feed frame by frame. The images were encrypted and stored, likely queued for later exfiltration.

This operation wasn’t opportunistic. It was calculated, patient, and layered: the hallmarks of an advanced persistent threat. APT28, also known as UAC-0001, has a well-documented history of targeting Ukrainian and Western entities. From exploiting nearby Wi-Fi networks to abusing secure tools, their tactics are ever-evolving.

When Trust Is the Vector

It’s important to stress that this isn’t a vulnerability in Signal itself. The threat lies in how secure channels are perceived. The very platforms designed to ensure private communication can be repurposed in attacks that rely on deception, not flaws.

This campaign serves as a stark reminder: social engineering has entered an age of encrypted deception. Attackers no longer need to breach firewalls when they can breach trust instead.

Conclusion: The New Battlefield is Behavioral

APT28’s use of Signal is a warning to industries relying heavily on secure communication platforms. The risk no longer lies only in insecure infrastructure; it lies in the psychological manipulation of users and the trust we place in tools.

As encrypted apps grow in popularity across government, healthcare, finance, and critical infrastructure, so too will the sophistication of social engineering tactics leveraging them.

Staying cyber safe now requires not just secure tools but secure behaviors.

About COE Security

COE Security partners with organizations in financial services, healthcare, retail, manufacturing, and government to secure AI-powered systems and ensure compliance. We protect these sectors from evolving threats like encrypted spear-phishing and advanced malware deployments, just like those used in the recent APT28 campaign.

Our offerings include:

  • AI-enhanced threat detection and real-time monitoring
  • Data governance aligned with GDPR, HIPAA, and PCI DSS
  • Secure model validation to guard against adversarial attacks
  • Customized training to embed AI security best practices
  • Penetration Testing (Mobile, Web, AI, Product, IoT, Network & Cloud)
  • Secure Software Development Consulting (SSDLC)
  • Customized CyberSecurity Services
  • Targeted threat hunting and forensic analysis for APT behaviors
  • Social engineering resistance programs to educate and fortify staff
  • Network monitoring for encrypted payload and C2 exfiltration tactics

Our focus extends to countering the diverse capabilities of social engineering, which has proven itself a fast-moving threat vector capable of infiltrating secure systems through human trust.

Follow COE Security on LinkedIn to stay updated on emerging threats, best practices, and proven strategies to stay cyber safe.