Russia’s APT28 has resurfaced in mid-2025 with a sophisticated spear-phishing campaign that weaponizes Office documents to deploy two novel payloads: BeardShell, a C-based backdoor leveraging IceDrive as a command-and-control channel, and Covenant’s HTTP Grunt Stager, which communicates via the Koofr cloud API.

These malicious documents are distributed through private Signal chats, exploiting the application’s lack of Mark-of-the-Web protection to slip past Microsoft Office security mechanisms.

Targets receive messages mimicking internal legal or administrative notifications, complete with urgent prompts to open embedded documents that carry hidden macros.

Upon opening, the lure document automatically switches to Print Layout before executing a Visual Basic for Applications (VBA) macro that performs environment checks, deobfuscates payloads, and establishes persistence.

Sekoia analysts noted that the primary macro performs a COM hijack by dropping a DLL (prnfldr.dll) alongside a benign-looking PNG file (windows.png) and registering the DLL under the CLSIDPrinters registry key.

It then invokes regsvr32.exe with the /i parameter to trigger the DLL’s installation routine, ensuring execution even without a system reboot.

Once loaded by Explorer.exe, prnfldr.dll proxies legitimate print functions and spawns a secondary thread to extract an AES-encrypted shellcode blob from the least significant bits of each pixel in windows.png.

This technique embeds 20 bytes of size and hash metadata followed by a 32-byte key, 16-byte IV, and encrypted content within the PNG image data.

After decryption, the shellcode initializes the Common Language Runtime and loads the Covenant .NET assembly, establishing an HTTP-based C2 channel with the Koofr infrastructure.

Infection Mechanism Deep Dive

The second stage reveals an ingenious use of digital steganography. The shellcode reads windows.png, extracts the embedded payload, and calls the following functions to launch the Covenant Grunt Stager:

HRESULT hr;
ICLRMetaHost *pMetaHost = NULL;
pMetaHost->GetRuntime(L"v4.0.30319", IID_ICLRRuntimeInfo, (LPVOID*)&pRuntimeInfo);
pRuntimeInfo->GetInterface(CLSID_CorRuntimeHost, IID_ICorRuntimeHost, (LPVOID*)&pCorRuntimeHost);
pCorRuntimeHost->Start();
pCorRuntimeHost->ExecuteInDefaultAppDomain(L"C:\\path\\GruntHTTPStager.dll",
                                           L"EntryPoint", L"Execute",
                                           NULL, &hr);

Once active, Covenant’s HTTP Grunt module communicates exclusively through Koofr’s API, creating “Keeping” and “Tansfering” folders to upload reconnaissance data and download new modules.

The implant uses hybrid encryption to exchange session keys and orchestrates command execution via Covenant Tasks, uploading output as files before deleting them to minimize forensic artifacts.

Meanwhile, BeardShell operates independently as a C DLL. It initializes the CLR to load the System.Management.Automation assembly and exposes a JSON-based interface for seven PowerShell-centric commands.

Every four hours, BeardShell polls an IceDrive directory named by an FNV4 hash of host attributes.

It uploads SystemInfo results to IceDrive and awaits operator-supplied JSON command files, which it decrypts and executes before returning output to the storage root. Commands follow the schema:

{"taskid":0,"cmdid":2,"data":{"id":0,"cmd":"ipconfig /all"}}

This dual-payload strategy demonstrates APT28’s evolving use of open-source frameworks and legitimate cloud services for covert communications.

Embedding steganographic payloads in PNG files and leveraging multiple cloud channels significantly complicates detection and response, underscoring the need for enhanced steganography detection and cloud API monitoring.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post APT28 With Weaponized Office Documents Delivers BeardShell and Covenant Modules appeared first on Cyber Security News.

A sophisticated rootkit targeting GNU/Linux systems has emerged, leveraging advanced eBPF (extended Berkeley Packet Filter) technology to conceal malicious activities and evade traditional monitoring tools.

The threat, known as LinkPro, was discovered during a digital forensic investigation of a compromised AWS-hosted infrastructure, where it functioned as a stealthy backdoor with capabilities ranging from process hiding to remote activation via magic packets.

The infection chain began with a vulnerable Jenkins server (CVE-2024-23897) exposed to the internet.

Threat actors deployed a malicious Docker image named kvlnt/vv across several Amazon EKS Kubernetes clusters, containing a VPN proxy tool, a downloader malware called vGet, and the LinkPro rootkit.

The Docker configuration allowed full filesystem access with root privileges, enabling container escape and credential harvesting from other pods.

SynAcktiv researchers identified LinkPro as an undocumented backdoor developed in Golang. The rootkit operates in two modes: a passive reverse mode listening for commands after receiving a specific TCP magic packet, and an active forward mode initiating direct command-and-control communication.

Its dual-layer stealth approach relies on two eBPF modules for concealment, but automatically falls back to hijacking the dynamic linker through /etc/ld.so.preload when kernel configurations lack the required CONFIG_BPF_KPROBE_OVERRIDE option.

The rootkit achieves persistence by masquerading as the legitimate system-resolved service, creating a deceptive system unit file at /etc/system/system/systemd-resolveld.service.

The malicious binary is copied to /usr/lib/.system/.tmp~data.resolveld, with timestamps modified to match system files.

The Hide eBPF module intercepts critical system calls including getdents and sys_bpf using tracepoints and kernel return probes, effectively hiding files, processes, and its own eBPF programs from enumeration tools.

Advanced Network Manipulation Through eBPF

The Knock eBPF module demonstrates sophisticated network manipulation techniques. Using XDP (eXpress Data Path) and TC (Traffic Control) programs, LinkPro monitors network traffic for a magic packet—a TCP SYN packet with a window size of 54321.

Upon detection, the xdp_ingress program stores the source IP in a knock_map with a one-hour expiration window and dynamically rewrites incoming packet headers to redirect traffic from any external port to LinkPro’s internal listening port 2233.

if (tcph->syn && tcph->window == bpf_htons(MAGIC_WIN)) {
    __u64 exp = bpf_ktime_get_ns() + WIN_NS;
    bpf_map_update_elem(&knock_map, &sip_h, &exp, BPF_ANY);
    return XDP_DROP;
}

The complementary tc_egress program ensures outgoing responses have their source ports rewritten back to original values, creating a seamless tunnel that bypasses firewall rules.

Once operational, LinkPro provides comprehensive remote access including interactive shell sessions, file management operations, SOCKS5 proxy tunneling, and file exfiltration via Base64-encoded chunks.

The malware supports multiple protocols including HTTP, WebSocket, TCP, UDP, and DNS tunneling, with exchanges encrypted using XOR operations. Organizations should monitor for suspicious systemd service files and unusual eBPF program activity to detect such threats.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post LinkPro Rootkit Attacking GNU/Linux Systems Using eBPF Module to Hide Malicious Activities appeared first on Cyber Security News.