Russian Hacker Elite Returns: Jena IT Security Experts Warn of Sednit

Jena, March 10, 2026 – The Jena-based IT security company ESET is sounding the alarm: The notorious Russian hacker group Sednit is back with a new, highly sophisticated espionage arsenal. According to expert analyses, the attackers, also known as APT28 or Fancy Bear, are currently focusing particularly on Ukrainian military structures.

  • Who: Hacker group Sednit (APT28, Fancy Bear, Forest Blizzard)
  • What: New long-term espionage campaigns with highly sophisticated malware (SlimAgent, BeardShell)
  • Current Main Target: Ukrainian military personnel
  • Known Previous Targets: Deutscher Bundestag, TV5Monde, US Democrats
  • Analyzing Company: ESET Deutschland GmbH (Headquartered in Jena)

From the Bundestag Hack to Long-Term Military Espionage

Sednit is considered one of the world’s most powerful hacker groups and is attributed to the Russian military intelligence service GRU. The group gained worldwide notoriety through the large-scale hacker attack on the Deutscher Bundestag, the sabotage of the French broadcaster TV5Monde, and the espionage attacks on the US Democratic National Committee. According to the current ESET report, the group’s developers have massively upgraded their tools in recent months.

Three New Malware Programs in Use

The starting point of the current analysis was a discovery by the Ukrainian computer emergency response team CERT-UA on a computer of a Ukrainian government agency in April 2024. The ESET researchers in Jena identified a direct further development of earlier espionage tools:

  • SlimAgent: A tool that records keystrokes, takes screenshots, and reads the clipboard. It is considered the successor to the Xagent backdoor used in the 2010s.
  • BeardShell: This malware abuses the cloud storage service Icedrive as a covert communication channel. Since the data traffic looks like normal cloud usage, classic security filters can be bypassed.
  • Covenant: A modified open-source framework that maintains permanent access to target computers via manipulated cloud accounts (such as Filen, Koofr, or pCloud). ESET proved that Ukrainian military computers were monitored in this way for more than six months.
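To make the point about cloud-storage traffic blending into normal usage concrete, here is an added example (not ESET's code and not from the report) that flags clients contacting the cloud providers named above at machine-like regular intervals in a web-proxy log; the provider domains, the log format and the log lines are constructed assumptions.

```python
# Added example: flag regular, low-jitter access to cloud storage providers
# in a proxy log. Provider domains and log format are assumptions.
import statistics
from collections import defaultdict
from datetime import datetime

# Assumed provider domains; replace with your proxy's own categorisation.
WATCHED = {"icedrive.net", "filen.io", "koofr.net", "pcloud.com"}

# Constructed log lines: "<ISO timestamp> <client> <host>"
SAMPLE_LOG = """\
2026-03-09T08:00:00 ws-17 icedrive.net
2026-03-09T08:00:00 ws-21 koofr.net
2026-03-09T08:05:01 ws-17 icedrive.net
2026-03-09T08:10:00 ws-17 icedrive.net
2026-03-09T08:14:59 ws-17 icedrive.net
2026-03-09T08:20:00 ws-17 icedrive.net
2026-03-09T08:25:02 ws-17 icedrive.net
2026-03-09T09:43:10 ws-21 koofr.net
2026-03-09T13:02:45 ws-21 koofr.net
2026-03-09T08:07:00 ws-05 example.com
"""

def parse(log):
    """Collect timestamps per (client, host), watched providers only."""
    seen = defaultdict(list)
    for line in log.splitlines():
        ts, client, host = line.split()
        if host in WATCHED:
            seen[(client, host)].append(datetime.fromisoformat(ts))
    return seen

def find_beacons(log, min_hits=5, max_jitter=0.1):
    """Return (client, host, median_gap_seconds) for pairs whose
    inter-request gaps are regular: stdev/mean of gaps <= max_jitter.
    Human cloud use is bursty; a fixed cadence is worth a closer look."""
    findings = []
    for (client, host), times in parse(log).items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            findings.append((client, host, statistics.median(gaps)))
    return findings

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print("regular cloud-storage contact:", hit)
```

Only ws-17 is reported: it reaches icedrive.net every five minutes with about a second of drift, while ws-21 contacts koofr.net three times at irregular hours and is left alone.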

Code Traces Lead to the Past

The technical signature of the developers is particularly revealing for the cybersecurity experts. In BeardShell, the researchers discovered a rare mathematical obfuscation technique that had already been used between 2013 and 2016 in the network tool Xtunnel. In the analysis of state-sponsored hackers, such digital fingerprints are considered a strong indication that the same programming team is at work as ten years ago.

Why the group switched to simpler methods between 2019 and 2024 before now using highly complex individual developments again has not been conclusively clarified. ESET researchers suspect that the war of aggression against Ukraine required an expansion of intelligence operations, or that the group simply acted more cautiously in previous years to stay under the radar.

Further Information and Contact

The full technical report "Sednit is back" can be found by interested parties on the IT security blog Welivesecurity.com.

Contact ESET Deutschland GmbH:
Contact Person: Philipp Plum
Telephone: 03641 3114 141
Email: philipp.plum@eset.com
Website: www.eset.de

Background: IT Location Jena & Cybersecurity

ESET Deutschland GmbH is headquartered in Jena, thereby strengthening the reputation of the Lichtstadt (City of Light) as one of the most important IT and technology locations in Thüringen. Cyber espionage and state-sponsored hacking attacks are generally directed against government institutions, the military, or operators of critical infrastructure. Nevertheless, private individuals and medium-sized companies also benefit from the analyses of large security firms: findings about the methods of professional hackers flow directly into the development of antivirus software and firewalls, which ultimately protect networks worldwide from modern threats. As a general rule, IT experts advise always installing software updates promptly and exercising extreme caution with email attachments and cloud links from unknown senders.
Source:

Jena – Sie haben den Deutschen Bundestag (https://www.deutschlandfunk.de/was-russland-mit-den-angrif

Transparency Note: This article was created automatically, editorially reviewed, and expanded with AI support.