This spy tool has been quietly stealing data for years

ESET researchers have traced the resurgence of Sednit through a modern toolkit built around two complementary implants, BeardShell and Covenant, each relying on a separate cloud provider to ensure operational resilience. This dual-implant architecture has enabled sustained surveillance of Ukrainian military personnel since at least April 2024. The Sednit group itself was tied to Unit 26165 of the GRU by the US Department of Justice in 2016, identifying it as part of Russia’s Main Intelligence Directorate.

A spy tool hiding in plain sight

ESET’s account of modern Sednit activities begins with SlimAgent, an espionage implant discovered on a Ukrainian governmental machine by CERT-UA in April 2024. SlimAgent is a simple yet efficient spying tool capable of logging keystrokes, capturing screenshots, and collecting clipboard data.

Within its telemetry ESET identified previously unknown samples with code similar to SlimAgent, which were deployed as early as 2018 – six years before the Ukrainian case – against governmental entities in two European countries. Thus, SlimAgent appears to be an evolution of the Xagent keylogger module, which has been deployed as a standalone component since at least 2018. Xagent is a custom toolset used exclusively by the Sednit group for more than six years.

BeardShell: Cloud storage turned spy channel

SlimAgent was not the only implant found on the Ukrainian machine in 2024; BeardShell – a much more recent addition to Sednit’s custom arsenal – was deployed there as well.

BeardShell is a sophisticated implant capable of executing PowerShell commands within a .NET runtime environment, while leveraging the legitimate cloud storage service Icedrive as its Command & Control channel. The shared use of a rare obfuscation technique, combined with its co-location with SlimAgent, leads ESET to assess with high confidence that BeardShell is part of Sednit’s custom arsenal.

Covenant: The open-source tool repurposed for espionage

Since the initial 2024 case, Sednit continued deploying BeardShell through 2025 and into 2026, primarily in long-term espionage operations targeting Ukrainian military personnel.

To maintain persistent access to these high-value targets, Sednit systematically deploys another implant alongside BeardShell: Covenant, the final component of its modern arsenal. Covenant is an open-source .NET post exploitation framework and provides over 90 built-in tasks, supporting capabilities such as data exfiltration, target monitoring, and network pivoting.

Since 2023, Sednit developers have made a number of modifications and experiments with Covenant to establish it as their primary espionage implant, keeping BeardShell mainly as a fallback in case Covenant encounters operational issues, such as the takedown of its cloud-based infrastructure.

Sednit has successfully relied on Covenant for several years, particularly against selected targets in Ukraine. For instance, in 2025, our analysis of Sednit-controlled Covenant cloud drives revealed machines that had been monitored for more than six months. In January 2026, Sednit also deployed Covenant in a series of spearphishing campaigns exploiting the CVE 2026 21509 vulnerability, as reported by CERT UA.

The same hands, a decade later

The sophistication of BeardShell and the extensive modifications made to Covenant demonstrate that Sednit’s developers remain fully capable of producing advanced custom implants. Furthermore, the shared code and techniques linking these tools to their 2010-era predecessors strongly suggest continuity within the development team.