APT28 Uses BEARDSHELL and COVENANT Malware to Spy on Ukrainian Military
ESET researchers have published a deep-dive on Russia’s APT28 (Fancy Bear/Sednit), revealing that the GRU-linked group has been conducting sustained espionage against Ukrainian military personnel since April 2024 using two custom implants. The first is BEARDSHELL, a C++ backdoor that fetches and executes PowerShell scripts through cloud storage APIs. The second is a heavily modified fork of the open-source COVENANT post-exploitation framework, repeatedly re-pointed at a succession of cloud providers (pCloud in 2023, Koofr in 2024 and 2025, and Filen since July 2025) so that its C2 traffic blends with legitimate cloud storage activity. Alongside these, the group deploys SLIMAGENT, a keylogger and screen-capture tool whose code can be traced back to APT28’s XAgent implant from the mid-2010s, suggesting the same core developers have been quietly evolving one codebase for over a decade. The findings show how nation-state groups extend the life of aging tooling through incremental adaptation rather than wholesale retooling, and why defenders cannot assume old or obscure malware families have been abandoned. The practical corollary is to alert on otherwise unexplained endpoint traffic to consumer cloud storage APIs in general, not only to the three providers named here, since the provider is the part of this tooling that changes most often.
Microsoft Teams Phishing Targets Employees with A0Backdoor Malware
BlueVoyant researchers have documented an active campaign, attributed with moderate-to-high confidence to a successor group that inherited Black Basta’s tradecraft after that gang’s February 2025 collapse, targeting employees at financial and healthcare organizations. The operators first flood a victim’s inbox with spam, then impersonate IT support over Microsoft Teams and talk the victim into starting a Quick Assist remote session. Through that session they deliver digitally signed MSI installers, hosted in personal Microsoft OneDrive accounts and disguised as legitimate Teams components. The MSIs run a DLL side-loading chain that drops A0Backdoor, a new implant notable for using DNS MX record lookups as its C2 channel. Because DNS has to be allowed out of almost every network and MX queries are ordinary mail-routing traffic, the callbacks blend into normal resolver activity and are rarely baselined by the DNS and web-proxy filtering most organizations rely on. Organizations are urged to uninstall or block Quick Assist where it is not needed, tighten Teams external access (federation) settings so that arbitrary external tenants cannot message staff, and treat unsolicited IT support outreach as suspect regardless of the platform it arrives on. One cheap detection check follows from the technique itself: ordinary workstations have no reason to issue MX queries at all, only mail servers and relays do, so an MX lookup from a user endpoint is worth an alert on its own.
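The check described above, as an added example that is not part of the BlueVoyant report or the A0Backdoor analysis: a small Python script that reads resolver query logs, ignores MX lookups from a known list of mail servers, and reports any other host that issues repeated MX queries. It also scores the leftmost label of each queried name by Shannon entropy, on the assumption (not stated on the page) that a beacon carrying data in the query name will produce random-looking labels. The log format, the `MAIL_SERVERS` allowlist, the thresholds and the sample log lines are all constructed for the example.

```python
"""Flag MX lookups from hosts that have no legitimate reason to make them.

Added example; not from the BlueVoyant write-up. Assumptions, all constructed:
- log lines look like "<timestamp> <client-ip> <qtype> <qname>"
- only the addresses in MAIL_SERVERS are MTAs/relays that should query MX
- labels with entropy >= ENTROPY_THRESHOLD bits/char are treated as "encoded-looking"
"""
import math
import re
from collections import Counter, defaultdict

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)$")

MAIL_SERVERS = {"10.0.0.25"}   # assumption: the only host allowed to do MX lookups
MIN_MX_QUERIES = 3             # ignore a single stray lookup
ENTROPY_THRESHOLD = 3.5        # bits per character of the leftmost label

# Constructed sample: a mail relay doing normal MX lookups, a workstation (10.0.1.50)
# beaconing over MX with random-looking labels, and another workstation with one lookup.
SAMPLE_LOG = [
    "2026-03-02T09:00:01Z 10.0.0.25 MX example.com.",
    "2026-03-02T09:00:02Z 10.0.0.25 MX example.org.",
    "2026-03-02T09:00:03Z 10.0.1.50 A www.example.com.",
    "2026-03-02T09:01:10Z 10.0.1.50 MX gq4z9xk1b7m2.cb.example.net.",
    "2026-03-02T09:02:10Z 10.0.1.50 MX p3w8n5r1t6v0.cb.example.net.",
    "2026-03-02T09:03:10Z 10.0.1.50 MX h7c2j4l9s1d8.cb.example.net.",
    "2026-03-02T09:03:11Z 10.0.1.50 MX mail.example.net.",
    "2026-03-02T09:04:00Z 10.0.1.51 MX example.com.",
]


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def label_entropy(qname):
    """Shannon entropy (bits/char) of the leftmost DNS label of qname."""
    label = qname.rstrip(".").split(".")[0]
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def find_suspicious_mx(lines, mail_servers=MAIL_SERVERS,
                       min_queries=MIN_MX_QUERIES, entropy_threshold=ENTROPY_THRESHOLD):
    """Return {client_ip: summary} for non-mail hosts issuing repeated MX queries.

    summary = {"mx_queries": int, "distinct_names": int,
               "encoded_looking": sorted list of qnames whose leftmost label is high-entropy}
    """
    per_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["qtype"] != "MX" or rec["client"] in mail_servers:
            continue
        per_client[rec["client"]].append(rec["qname"])

    findings = {}
    for client, names in per_client.items():
        if len(names) < min_queries:
            continue
        findings[client] = {
            "mx_queries": len(names),
            "distinct_names": len(set(names)),
            "encoded_looking": sorted({n for n in names if label_entropy(n) >= entropy_threshold}),
        }
    return findings


if __name__ == "__main__":
    for client, summary in find_suspicious_mx(SAMPLE_LOG).items():
        print(f"{client}: {summary['mx_queries']} MX queries, "
              f"{summary['distinct_names']} distinct names, "
              f"{len(summary['encoded_looking'])} encoded-looking")
```

The allowlist is the part that matters: on a Windows estate the set of hosts that legitimately query MX records is tiny and static, so the first alert to tune is "MX query from anything not on that list". The entropy score is a secondary signal, because a backdoor could equally well rotate across plausible-looking names; keep it as a triage aid, not as a filter, and expect a few false positives from mail clients or security tools that verify sender domains.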
New White House Cyber Strategy Pledges to ‘Impose Costs’ on Bad Actors and Ease Regulations
The Trump administration released its long-awaited National Cyber Strategy on Friday, a four-page document that frames U.S. cybersecurity policy around deterrence and offense. It pledges to “dismantle networks, pursue hackers and spies, and sanction lawless foreign hacking companies,” while promising to cut the patchwork of existing cybersecurity regulations it characterizes as burdensome, particularly for critical infrastructure operators. National Cyber Director Sean Cairncross unveiled accompanying implementation steps: an interagency body drawing in the Justice and State Departments, the FBI, and the Pentagon to coordinate offensive and law enforcement responses to adversarial hacking; state and local critical infrastructure pilot programs; and a new cyber workforce initiative pairing an academy, a foundry, and an accelerator funded partly with private capital. Critics note the document is conspicuously short on funding specifics and contains no implementation plan comparable to the 65-initiative roadmap the Biden administration published alongside its 2023 strategy, raising the question of whether it represents a genuine strategic shift or primarily a messaging exercise.
Iran’s MuddyWater Hackers Hit US Firms with New ‘Dindoor’ Backdoor
Broadcom’s Symantec and Carbon Black Threat Hunter Team has identified an active MuddyWater espionage campaign, running since early February and continuing through the U.S. and Israeli military strikes on Iran, that has targeted a U.S. bank, a U.S. airport, Canadian and U.S. non-governmental organizations, and the Israeli subsidiary of a U.S. defense and aerospace software supplier, deploying a previously undocumented backdoor the researchers are calling “Dindoor.” The implant was recovered from the networks of the software supplier’s Israeli subsidiary, the U.S. bank, and the Canadian NGO. It was linked to MuddyWater through shared code-signing certificates previously tied to the group’s Stagecomp and Darkcomp malware families, an attribution that held even though those older tools were not found on the victim networks; the same certificate details are therefore a useful pivot for defenders hunting related samples. The timing and targeting strongly suggest the campaign is designed to collect intelligence on U.S. and allied financial, transportation, and defense-adjacent organizations in direct response to the escalating military confrontation with Iran, consistent with MuddyWater’s established role as an offensive cyber arm of Iran’s Ministry of Intelligence and Security.
Google: Half of 2025’s 90 Exploited Zero-Days Aimed at Enterprises
Google’s Threat Intelligence Group released its annual zero-day exploitation report for 2025, counting 90 vulnerabilities exploited in the wild — up from 78 in 2024 — with a notable shift toward enterprise security products, which now account for roughly half of all exploited flaws, up from 40% the prior year. Microsoft products led all vendors with 25 zero-days, followed by Google (11) and Apple (8), while commercial spyware vendors (CSVs) overtook nation-state groups for the first time as the most prolific exploiters of attributed zero-days — claiming 15 flaws versus 12 by state-sponsored actors, with China-linked groups remaining the most active nation-state exploiters overall. Google’s researchers warned that AI will accelerate both offensive zero-day discovery and defensive vulnerability research in 2026, and called particular attention to the growing exploitation of enterprise networking and edge device vulnerabilities — a trend they attribute to threat actors deliberately seeking footholds that sit outside traditional endpoint detection coverage.