win.beardshell

BEARDSHELL

Actor(s): APT28


According to CERT-UA, BEARDSHELL is malware written in C++. It can download files, decrypt them (the source names the cipher as "chacha20-poly150", which is almost certainly a typo for the ChaCha20-Poly1305 AEAD — verify against the original CERT-UA report), execute PowerShell scripts, and upload the output of the executed commands.

References
2026-03-10 — ESET Research (ESET Research)
Sednit reloaded: Back in the trenches
BEARDSHELL GRUNT SLIMAGENT X-Agent XTunnel
2025-09-16 — Sekoia (Amaury G., Charles M., Sekoia TDR)
APT28 Operation Phantom Net Voxel
BEARDSHELL GRUNT SLIMAGENT
2025-06-21 — CERT-UA (CERT-UA)
Cyberattacks UAC-0001 (APT28) in relation to public authorities using BEARDSHELL and COVENANT
BEARDSHELL GRUNT SLIMAGENT
Yara Rules
[TLP:WHITE] win_beardshell_auto (20260504 | Detects win.beardshell.)
rule win_beardshell_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.beardshell."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.beardshell"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES
     * - Each $sequence_N below is a seven-instruction x86-64 code fragment:
     *   the 0x48/0x49/0x4c/0x41/0x45 lead bytes are REX prefixes, and the
     *   "????????" wildcards after e8/e9 mask the rel32 target of a call/jmp
     *   so the fragment survives relocation and different link layouts.
     * - The per-line mnemonics in the comments were decoded from the hex by
     *   the reviewer. The disassembly column emitted by yara-signator for
     *   this rule was not usable: it was produced in 32-bit mode (REX 0x48
     *   rendered as "dec eax") and was misaligned with the bytes it sat
     *   next to (e.g. 488b4c2430 annotated as "sub esp, 0x98").
     * - The condition requires 7 of the 10 sequences AND filesize < 2416640
     *   (2360 KiB). `filesize` is only defined when YARA scans a file; when
     *   scanning a live process that comparison evaluates as undefined, so
     *   the rule is not expected to fire on process memory even though the
     *   sequences were harvested from memory dumps -- scan the dumped or
     *   unpacked module as a file instead. NOTE(review): how an undefined
     *   `filesize` combines with `and` depends on the YARA version; confirm
     *   on the deployed build before relying on this for memory scans.
     * - Rules built from compiled code fragments match the build(s) they
     *   were derived from; a recompiled or differently optimised variant can
     *   miss. Treat a hit as a triage signal to be corroborated, not as
     *   attribution on its own.
     */


    strings:
        $sequence_0 = { e8???????? 488b4c2430 668944242e 488b542448 e8???????? 668b4c242e 668908 }
            // n = 7, score = 100
            //   e8????????           | call    rel32 (target wildcarded)
            //   488b4c2430           | mov     rcx, qword ptr [rsp + 0x30]
            //   668944242e           | mov     word ptr [rsp + 0x2e], ax
            //   488b542448           | mov     rdx, qword ptr [rsp + 0x48]
            //   e8????????           | call    rel32 (target wildcarded)
            //   668b4c242e           | mov     cx, word ptr [rsp + 0x2e]
            //   668908               | mov     word ptr [rax], cx

        $sequence_1 = { e8???????? 488b4c2440 4c8b442450 4983c001 488b542430 e8???????? 488b8c2480000000 }
            // n = 7, score = 100
            //   e8????????           | call    rel32 (target wildcarded)
            //   488b4c2440           | mov     rcx, qword ptr [rsp + 0x40]
            //   4c8b442450           | mov     r8, qword ptr [rsp + 0x50]
            //   4983c001             | add     r8, 1
            //   488b542430           | mov     rdx, qword ptr [rsp + 0x30]
            //   e8????????           | call    rel32 (target wildcarded)
            //   488b8c2480000000     | mov     rcx, qword ptr [rsp + 0x80]

        $sequence_2 = { 48894c2428 e8???????? 4889442438 488d0565db0500 4889442430 4c8b442438 488d4c2448 }
            // n = 7, score = 100
            //   48894c2428           | mov     qword ptr [rsp + 0x28], rcx
            //   e8????????           | call    rel32 (target wildcarded)
            //   4889442438           | mov     qword ptr [rsp + 0x38], rax
            //   488d0565db0500       | lea     rax, [rip + 0x5db65]   (RIP-relative data ref; offset is build-specific)
            //   4889442430           | mov     qword ptr [rsp + 0x30], rax
            //   4c8b442438           | mov     r8, qword ptr [rsp + 0x38]
            //   488d4c2448           | lea     rcx, [rsp + 0x48]

        $sequence_3 = { 4531c0 e8???????? 488d4c2458 e8???????? 4889c1 488d542466 e8???????? }
            // n = 7, score = 100
            //   4531c0               | xor     r8d, r8d
            //   e8????????           | call    rel32 (target wildcarded)
            //   488d4c2458           | lea     rcx, [rsp + 0x58]
            //   e8????????           | call    rel32 (target wildcarded)
            //   4889c1               | mov     rcx, rax
            //   488d542466           | lea     rdx, [rsp + 0x66]
            //   e8????????           | call    rel32 (target wildcarded)

        $sequence_4 = { 4889542410 55 4883ec20 488daa80000000 488d8db0020000 e8???????? 90 }
            // n = 7, score = 100
            //   4889542410           | mov     qword ptr [rsp + 0x10], rdx
            //   55                   | push    rbp
            //   4883ec20             | sub     rsp, 0x20
            //   488daa80000000       | lea     rbp, [rdx + 0x80]
            //   488d8db0020000       | lea     rcx, [rbp + 0x2b0]
            //   e8????????           | call    rel32 (target wildcarded)
            //   90                   | nop

        $sequence_5 = { 4c894030 4c8d4520 4c894028 48c7402000000000 4c8d4508 41b918010000 e8???????? }
            // n = 7, score = 100
            //   4c894030             | mov     qword ptr [rax + 0x30], r8
            //   4c8d4520             | lea     r8, [rbp + 0x20]
            //   4c894028             | mov     qword ptr [rax + 0x28], r8
            //   48c7402000000000     | mov     qword ptr [rax + 0x20], 0
            //   4c8d4508             | lea     r8, [rbp + 8]
            //   41b918010000         | mov     r9d, 0x118
            //   e8????????           | call    rel32 (target wildcarded)

        $sequence_6 = { e9???????? 488d4d20 e8???????? 8a00 884517 8b4530 c1e804 }
            // n = 7, score = 100
            //   e9????????           | jmp     rel32 (target wildcarded)
            //   488d4d20             | lea     rcx, [rbp + 0x20]
            //   e8????????           | call    rel32 (target wildcarded)
            //   8a00                 | mov     al, byte ptr [rax]
            //   884517               | mov     byte ptr [rbp + 0x17], al
            //   8b4530               | mov     eax, dword ptr [rbp + 0x30]
            //   c1e804               | shr     eax, 4

        $sequence_7 = { 488b8424e8000000 488b4c2478 4829c8 4883f805 0f8d2a000000 488b4c2438 c78424e400000084000000 }
            // n = 7, score = 100
            //   488b8424e8000000     | mov     rax, qword ptr [rsp + 0xe8]
            //   488b4c2478           | mov     rcx, qword ptr [rsp + 0x78]
            //   4829c8               | sub     rax, rcx
            //   4883f805             | cmp     rax, 5
            //   0f8d2a000000         | jge     +0x2a
            //   488b4c2438           | mov     rcx, qword ptr [rsp + 0x38]
            //   c78424e400000084000000     | mov     dword ptr [rsp + 0xe4], 0x84

        $sequence_8 = { e8???????? 837c244000 0f8e54000000 488b8424a8000000 4889842480000000 4c8b8c2480000000 488d0d43340b00 }
            // n = 7, score = 100
            //   e8????????           | call    rel32 (target wildcarded)
            //   837c244000           | cmp     dword ptr [rsp + 0x40], 0
            //   0f8e54000000         | jle     +0x54
            //   488b8424a8000000     | mov     rax, qword ptr [rsp + 0xa8]
            //   4889842480000000     | mov     qword ptr [rsp + 0x80], rax
            //   4c8b8c2480000000     | mov     r9, qword ptr [rsp + 0x80]
            //   488d0d43340b00       | lea     rcx, [rip + 0xb3443]   (RIP-relative data ref; offset is build-specific)

        $sequence_9 = { e9???????? f644245701 0f842f000000 48b80000000000000800 4839442438 0f851a000000 488d05905b0c00 }
            // n = 7, score = 100
            //   e9????????           | jmp     rel32 (target wildcarded)
            //   f644245701           | test    byte ptr [rsp + 0x57], 1
            //   0f842f000000         | je      +0x2f
            //   48b80000000000000800     | mov     rax, 0x0008000000000000   (imm64, little-endian)
            //   4839442438           | cmp     qword ptr [rsp + 0x38], rax
            //   0f851a000000         | jne     +0x1a
            //   488d05905b0c00       | lea     rax, [rip + 0xc5b90]   (RIP-relative data ref; offset is build-specific)

    condition:
        // 7 of the 10 code fragments must be present; see REVIEW NOTES on the
        // filesize clause (file scans only) before using this on process memory.
        7 of them and filesize < 2416640
}