The Phantom Net Voxel campaign, attributed to the long-running threat actor APT28, or Fancy Bear, leveraged a sophisticated and stealthy approach to compromise targets, primarily in Ukraine. The campaign’s tactics were designed to be lightweight, resilient, and difficult to detect, making it a significant evolution of the group’s capabilities. Initial access was gained through highly specific social engineering, where attackers used plausible-looking Office documents with titles like “personnel reports” and “logistics receipts” to trick recipients into enabling macros. These files were delivered via private messaging apps and email. When a user enabled macros, the document dropped a malicious DLL for persistence and a PNG image file containing encrypted malicious code, which was a key part of the attack chain.
The use of steganography—the practice of concealing a file within another—was a central element of the campaign. The PNG image files, which appeared innocuous to the casual observer and most scanners, actually hid AES-encrypted shellcode in their pixel data. The malware extracted this hidden data, verified its integrity, and then decrypted it to launch a .NET runtime and execute a Covenant Grunt HTTP stager. This method allowed the attackers to bypass many standard detection systems, as scanners often overlook or trust common image files, allowing the malicious payload to go undetected.
Once the initial stage was complete, the operation transitioned to its second phase, deploying modular implants. The campaign used a C++ backdoor called BeardShell, which connected to legitimate cloud services like Icedrive to receive encrypted commands. This approach of using well-known cloud APIs for command-and-control (C2) allowed malicious traffic to blend in with normal network activity, making it extremely difficult for defenders to block without disrupting essential business operations. A companion implant, SlimAgent, was also used to capture screenshots, log keystrokes, and collect sensitive data, which it then encrypted and stored locally before exfiltrating it.
The attackers employed multiple anti-analysis measures to evade detection and hinder forensic efforts. The malware checked for virtual environments and debugging tools, terminating itself if it detected a sandbox, a common tactic to avoid analysis. The phishing pages included CAPTCHAs and developer tool blockers to prevent automated crawlers and researchers from accessing them. Additionally, the attackers only decrypted strings and configuration values at runtime, which reduced the malware’s static footprint and made it harder for security tools to identify.
Three core design decisions made this campaign particularly effective. First, the steganographic staging provided a high level of stealth by hiding malicious code in seemingly harmless PNG files. Second, the use of cloud-based C2 channels complicated defensive efforts and takedowns, as blocking services like Icedrive would also affect legitimate users. Finally, the COM hijack persistence, which loaded the malicious DLL under explorer.exe, allowed the malware to maintain execution in a trusted system process, bypassing many antivirus hooks and maintaining a persistent foothold on the compromised machine.
Reference:
