The Signal messenger has become an attack vector against Ukrainian government targets. Russian hackers are hiding a new family of malware behind ordinary-looking files.
The Russian state hacker group APT28 is using Signal chats to deliver two previously undocumented malware families, BeardShell and SlimAgent. It should be noted that this is not a Signal security flaw: the method relies on new malware and human error.
The first attacks were detected in March 2024 by Ukraine's computer emergency response team, CERT-UA, although information was limited at the time. More than a year later, in May 2025, ESET notified CERT-UA of unauthorized access to a gov.ua email account, which raised the profile of the problem.
In the new investigation, CERT-UA found that messages in the encrypted Signal messenger were used to send a malicious document (Act.doc) whose macros download the memory-resident Covenant backdoor. Covenant in turn drops the malware in the file PlaySndSrv.dll together with a WAV file containing shellcode (sample-03.wav) that loads BeardShell, a previously undocumented C++ malware. The downloaders and the main malicious payload gain persistence by hijacking COM components in the Windows registry.
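A defender-side check for the persistence mechanism described above, added here as an example and not CERT-UA's or BleepingComputer's tooling: it lists per-user COM registrations under HKCU that shadow a machine-wide CLSID or point to a DLL in a user-writable directory. It assumes it is run in PowerShell on the host being examined; the user-writable directory list is a heuristic, not a definitive rule.

```powershell
# Added example (not CERT-UA or BleepingComputer tooling): hunt for COM hijacking
# persistence on the local Windows host. A per-user CLSID registration under HKCU
# takes precedence over the machine-wide one under HKLM, so an attacker-controlled
# InProcServer32 DLL gets loaded by whatever legitimate process uses that COM object.
function Find-ComHijackCandidates {
    $hkcuClsid = 'HKCU:\Software\Classes\CLSID'
    $hklmClsid = 'HKLM:\Software\Classes\CLSID'

    # Heuristic: a legitimate COM server rarely lives in a user-writable directory.
    $userWritable = @($env:LOCALAPPDATA, $env:APPDATA, $env:PUBLIC) | Where-Object { $_ }

    Get-ChildItem -Path $hkcuClsid -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid  = $_.PSChildName
        $server = Get-ItemProperty -Path "Registry::$($_.Name)\InProcServer32" -ErrorAction SilentlyContinue
        if (-not $server) { return }            # no in-process server registered for this CLSID

        $dll = [Environment]::ExpandEnvironmentVariables([string]$server.'(default)')
        if (-not $dll) { return }

        # The classic hijack: the same CLSID is also registered machine-wide.
        $shadowsHklm = Test-Path "$hklmClsid\$clsid\InProcServer32"

        $inUserDir = $false
        foreach ($dir in $userWritable) {
            if ($dll.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) { $inUserDir = $true }
        }

        if ($shadowsHklm -or $inUserDir) {
            [PSCustomObject]@{
                CLSID        = $clsid
                Dll          = $dll
                ShadowsHKLM  = $shadowsHklm
                UserWritable = $inUserDir
                DllOnDisk    = Test-Path -LiteralPath $dll
            }
        }
    }
}

# Review each hit by hand: software that legitimately registers per-user COM servers
# will show up too, so the output is a triage list, not a verdict.
Find-ComHijackCandidates | Format-Table -AutoSize
```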
The main functionality of BeardShell is to download PowerShell scripts, decrypt them with ChaCha20-Poly1305, and execute them. The results of execution are sent to the command-and-control (C2) server, with which it communicates via the Icedrive API.
During the 2024 attacks, CERT-UA also discovered a screenshot-capture program called SlimAgent, which takes screenshots using a number of Windows API functions (EnumDisplayMonitors, CreateCompatibleDC, CreateCompatibleBitmap, BitBlt, GdipSaveImageToStream). The images are encrypted with AES and RSA and stored locally, presumably for later exfiltration by a separate tool. CERT-UA attributes this activity (tracked as UAC-0001) to APT28. These Russian hackers have a long history of attacking Ukraine and key US and European institutions, mostly for cyber espionage.
In 2025, Signal is at the center of cyberattacks related to Russia and Ukraine. At one point, Ukrainian officials expressed frustration that Signal had allegedly stopped cooperating with them in blocking Russian attacks. Signal President Meredith Whittaker said that the platform had never shared data with Ukraine or any other government.
Source: BleepingComputer, CERT-UA