APT28 hackers deploy customized variant of Covenant open-source tool

BAIFH IT

Fancy Bear? More Like Fancy Script Kiddies with a GitHub Account

Oh for fuck’s sake. Look what the cat dragged in. APT28—that’s “Fancy Bear” to you ignorant bastards, the Russian GRU’s personal digital wankers—have decided that writing their own fucking malware is too much like hard work. Instead, these lazy twats have gone dumpster diving through GitHub and pulled out Covenant, an open-source C2 framework that any script kiddie with a pirated copy of Visual Studio can compile between their porn browsing sessions.

But wait! It gets better. They “customized” it. Oh, do tell. Let me guess: they changed the User-Agent string from “Covenant” to “TotallyNotCovenant” and maybe—just maybe—rotated 13 pixels in their icon so the AV vendors wouldn’t notice? Genius fucking work there, Ivan. Truly cutting-edge tradecraft. I haven’t seen such sophisticated modifications since my grandmother figured out how to change her desktop wallpaper from that default Windows XP hill to a picture of her cats.

And of course, the security industry is collectively losing its shit over this. “OH NO! STATE-SPONSORED ACTORS!” they scream, while simultaneously ignoring the fact that your average helpdesk worker will click on an email attachment titled “Invoice.pdf.exe” faster than you can say “lateral movement.” These APT28 morons aren’t brilliant—they’re just persistent bastards with a government vodka budget and the patience to wait for your CFO to plug in a USB drive they found in the parking lot that says “NOT A VIRUS – VERY IMPORTANT FILES.”

The real joke? Covenant is a .NET framework. That’s right—these supposedly elite spies are building their cyber-weapons on Microsoft’s bloated, leaky, garbage-collected pile of runtime libraries. It’s like building a stealth submarine out of glass and hoping nobody throws stones. The only reason this shit works is because your Windows endpoints are so thoroughly compromised by Teams, Slack, and thirty-seven different browser toolbars that one more backdoor barely registers on the telemetry. Your average enterprise network has more holes than a cheese grater, and these Russian pricks are just the latest ones to poke their fingers through.

So now we’ve got intelligence officers—supposedly elite hackers—shipping code they downloaded off the fucking internet. Next thing you know, they’ll be asking Stack