"figure 2. Each step is implemented in a nearly identical manner, as illustrated in Figure 3 with the routine responsible for logging the foreground window's executable; the only differences lie in the layout of the internal data structures. SlimAgent includes several features…"
T1056.001 Keylogging (98%)
"…949528d46d20fc0151bf9775c32), we were indeed able to find some striking similarities, such as the one shown in Figure 4. In this code, the keylogging logic is executed only if the mouse cursor has not moved more than 10 pixels (by comparing the square of the distance between…"
T1056.001 Keylogging (97%)
"evolution of the XAgent keylogger module, which has been deployed as a standalone component since at least 2018. Moreover, because XAgent is a custom toolset used exclusively by the Sednit group for more than six years, we attribute SlimAgent to Sednit with high confidence. This…"
T1056.001 Keylogging (96%)
"operators worked in close coordination. In addition, the 2018 US DoJ indictment explicitly states that XAgent was developed in-house, accusing specific members of GRU Unit 26165 of being its developers. In this blogpost, we leverage that development footprint as an attribution…"
T1056.001 Keylogging (91%)
"Sednit reloaded: back in the trenches. Since April 2024, Sednit's advanced development team has reemerged with a modern toolkit centered on two paired implants, BeardShell and Covenant, each using a different cloud provider for resilience. This dual-implant approach enabled l…"
T1071.001 Web Protocols (89%)
"+2 on both sides of the equation. The shared use of this rare obfuscation technique, combined with its co-location with SlimAgent, leads us to assess with high confidence that BeardShell is part of Sednit's custom arsenal. Since the initial 2024 case, Sednit has continued de…"
T1071.001 Web Protocols (89%)
"the entry point. In early 2023 variants, Sednit developers even experimented with embedding both stages into a single binary. Covenant officially supports only HTTP and SMB, which leads to Sednit's most significant Covenant modification: the addition of a cloud-based network…"
T1059.001 PowerShell (89%)
"Sednit reloaded: back in the trenches. Since April 2024, Sednit's advanced development team has reemerged with a modern toolkit centered on two paired implants, BeardShell and Covenant, each using a different cloud provider for resilience. This dual-implant approach enabled l…"
T1588.002 Tool (78%)
"…dnit's Covenant abused the legitimate cloud service pCloud, and in 2024–2025, Koofr, using similar implementations. These adaptations show that Sednit developers acquired deep expertise in Covenant – an implant whose official development ceased in April 2021 and may have be…"
T1027 Obfuscated Files or Information (66%)
"not provide a publicly documented API, the developers reimplemented the requests made by the official Icedrive client. Whenever changes to Icedrive's private API disrupt BeardShell communications, Sednit developers produce an updated version within hours to restore access. A ma…"
T1059.001 PowerShell (65%)
"evolution of the XAgent keylogger module, which has been deployed as a standalone component since at least 2018. Moreover, because XAgent is a custom toolset used exclusively by the Sednit group for more than six years, we attribute SlimAgent to Sednit with high confidence. This…"
T1071.001 Web Protocols (49%)
"implant, keeping BeardShell mainly as a fallback in case Covenant encounters operational issues, such as the takedown of its cloud-based infrastructure. For example, Sednit replaced Covenant's original implant name-generation mechanism with a deterministic method (see Figu…"
T1027 Obfuscated Files or Information (41%)
", and documented in our white paper En Route with Sednit. Figure 8 shows an example of obfuscated code from XTunnel (SHA-1: 99b454262dc26b081600e844371982a49d334e5e), with an if statement whose predicate cannot be true. Not only is the predicate identical to the one used in…"
Summary
The resurgence of one of Russia’s most notorious APT groups