120 Ukraine Gov Boxes Hacked 8 Yrs—Europe’s 2008 Servers Next Target

TL;DR

  • ESET: SlimAgent and XAgent cyber threats detected in Ukraine and Russia, targeting critical infrastructure with malware
  • Iran-linked APT28 deploys BeardShell and Covenant implants for long-term espionage against Ukrainian military targets
  • AI-powered phishing and deepfakes surge as attackers reduce cost of social engineering by over 95%, per 2026 threat report

🪓 120 Ukraine Gov Endpoints Hijacked: 8-Year GRU SlimAgent Grid Siege

120+ Ukrainian gov boxes pwned for 8 yrs by GRU’s SlimAgent—same malware that siphons your keystrokes while you patch PowerPoint 🪓 68 % code recycle rate = green hacking for Putin. 2 % power dip = just enough to fry a grid. Europe, you’re next—still running Server 2008?

Ukraine’s grid keeps hiccupping because eight-year-old malware is still squatting on government PCs like a drunk uncle who “just needs a minute.”
SlimAgent/XAgent, the GRU’s favorite house-guest, has lived in 120+ Ukrainian ministry boxes since 2018 and is now encrypting its gossip with ChaCha20—because even spies hate ISP snooping.

How it works (spoiler: duct-tape & PowerShell)

  • BeardShell, a .NET stowaway, rides in on a poisoned Word doc (CVE-2026-21509).
  • Once inside, it phones Icedrive—yes, the same freemium cloud you use for cat pics—exfiltrating screenshots, passwords, and SCADA schematics.
  • Covenant’s 90-in-one hacker Swiss-army-knife then impersonates admins, dumps credentials, and schedules reboot-proof tasks.
  • Average stay: 180 days, double the old single-implant record.

Impacts in human-sized bites

  • Lights: ≤2 % of Ukraine’s regional load shed last month after crooks re-configured substations.
  • Data: 30+ industrial controllers now broadcast plant floor blueprints to Moscow.
  • Cash: every re-clean costs ~$25 k per endpoint; 120 endpoints → $3 M babysitting bill.
  • Trust: credential leaks trigger 3,200 spear-phish clones a day—your inbox is next.

Short-to-long-term forecast (mark your calendar)

  • Spring 2026: BeardShell 2.0 skips files, lives only in RAM—hello “file-less” hell.
  • Late-2026: C2 scatters to Google Drive, Azure Blob, whatever’s cheapest—sink-hole-proof.
  • 2027: AI obfuscation expected to raise detection workload 30 %—SOC analysts, buy espresso futures now.

Cheap fixes that actually fit the budget

  1. Patch Office today; tomorrow is too late.
  2. Block Icedrive at the firewall—users can survive without 50 GB of free crud.
  3. Flip PowerShell to ConstrainedLanguage—cripples BeardShell, doesn’t cost a dime.
  4. Retire Server 2008 like it’s a mullet: nostalgic, but lethal.

Bottom line: If legacy boxes remain the path of least resistance, Ukraine’s electrons—and everyone else’s—will keep dancing to a Russian playlist. Patch, block, retire, repeat—or stock candles.


💥 200 Ukrainian Military PCs Drained: 12 GB/Month to Icedrive in Iran-Backed APT28 Heist

200+ Ukrainian frontline laptops pwned—12 GB/month siphoned to Icedrive like a leaky bucket in a firefight! 💥 Tehran’s ‘Bear’ recycles 2010 malware & a fresh Office 0-day to keep the taps open. Your tax euros fund the bandwidth they hide in. Soldiers—how many more blue-screens before we unplug the cloud?

Iran-linked APT28 rebooted its malware sweat-shop last April and has since parked two digital parasites—BeardShell and Covenant—inside more than 200 Ukrainian military endpoints. The haul: 12 GB of fresh files per month, per implant, all quietly uploaded to Icedrive accounts that look just like any other corporate backup.

How the sneaky duo works

  • BeardShell: a PowerShell blob that lives inside .NET, chats with Icedrive (no public API, so they rewrote the client), and hides its chatter behind Xtunnel-style obfuscation.
  • Covenant: an open-source post-exploitation Swiss-army knife the group turbo-charged with 90+ tasks, deterministic IDs, and multi-cloud fallback (pCloud, Koofr, Filen).
  • Entry ticket: CVE-2026-21509, a remote-code hole in Office docs that’s been exploited since January via spear-phish.

Impacts so far

  • Operational secrecy: every keystroke, screenshot and clipped password is HTML-logged → real-time battlefield intel for Tehran.
  • Bandwidth camouflage: exfil rides the same TLS tunnels your marketing team uses for cloud storage → SOC barely blinks.
  • Credential bloodletting: harvested logins already enable lateral jumps into logistics and shared EU-NATO clouds.

Where this is heading

  • Q2-Q3 2026: expect JIT-compiled PowerShell and OneDrive-for-Business pivot → harder to fingerprint, easier to justify as “normal” traffic.
  • 2027: modular “C2Bridge” to auto-hop across ten-plus clouds; supply-chain targeting to mess with troop resupply.

Fix-it list (no corporate PowerPoint required)

  1. Patch CVE-2026-21509 today; disable Office macros if you still allow them.
  2. Flag any outbound TLS to Icedrive/pCloud/Koofr/Filen; 12 GB spikes should scream, not whisper.
  3. Drop updated YARA rules for BeardShell’s PowerShell sigs and Covenant’s deterministic IDs—GitHub has drafts, use them.
  4. Rotate creds weekly and slam MFA on every account that can read military email.
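A small detection script for item 2 above (and for the “block Icedrive at the firewall” fix in the first story), added here as an example; it is not from the article or any vendor tool. It assumes a simple proxy-log line format and guesses the domain suffixes for the four services; both are assumptions to adjust to what your own proxy logs.

```python
"""Flag bulk uploads to the cloud-storage services named in the article."""
from collections import defaultdict

# Domain suffixes are assumptions; check them against your own proxy logs.
WATCHED_SUFFIXES = ("icedrive.net", "pcloud.com", "koofr.net", "filen.io")
GB = 1024 ** 3

# Constructed sample log: "<ISO timestamp> <src_host> <dst_host> <bytes_sent>"
SAMPLE_LOG = """\
2026-03-01T08:12:01Z ws-hq-017 app.icedrive.net 4500000000
2026-03-09T09:40:44Z ws-hq-017 app.icedrive.net 4400000000
2026-03-23T10:03:12Z ws-hq-017 app.icedrive.net 4600000000
2026-03-02T11:15:30Z ws-hq-042 update.microsoft.com 950000000
2026-03-03T14:21:09Z ws-fld-003 api.pcloud.com 200000000
2026-04-01T07:00:00Z ws-hq-017 app.icedrive.net 100000000
"""

def watched_service(dst_host):
    """Return the watched suffix dst_host belongs to, or None if unrelated."""
    for suffix in WATCHED_SUFFIXES:
        if dst_host == suffix or dst_host.endswith("." + suffix):
            return suffix
    return None

def monthly_totals(log_text):
    """Sum bytes_sent per (src_host, service, YYYY-MM), watched services only."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, sent = line.split()
        service = watched_service(dst)
        if service is not None:          # everything else is ignored
            totals[(src, service, ts[:7])] += int(sent)
    return dict(totals)

def exfil_alerts(log_text, threshold_bytes=10 * GB):
    """One finding per (host, service, month): VOLUME above the threshold,
    otherwise 'contact' (any use matters if the service should be blocked)."""
    findings = []
    for (src, service, month), total in sorted(monthly_totals(log_text).items()):
        level = "VOLUME" if total > threshold_bytes else "contact"
        findings.append((level, src, service, month, round(total / GB, 2)))
    return findings

if __name__ == "__main__":
    for finding in exfil_alerts(SAMPLE_LOG):
        print(*finding)
```

The 10 GB default sits just under the article’s 12 GB/month figure; the sample host ws-hq-017 crosses it in March while the other contacts are reported only as policy hits.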

Cyber-espionage used to mean bespoke zero-days and Bond-villain server farms. APT28 proves recycled open-source tools plus one fresh Office bug are enough to gut a war plan. If your network touches Ukrainian defense data, assume the parasites are already nesting—patch, hunt, kick them out before the next 12 GB shipment clears the digital border.


💸 $30 B AI Scam Tsunami: 95 % Cost Drop Fuels Global Deepfake Plague

95 % cheaper, 100 % nastier: AI now pumps phishing & deepfakes for the price of a pizza 🍕—and your CFO’s still clicking ‘pay’! $25.6 M gone in one Zoom, 47 % of India’s phones already duped. While regulators nap, $30 B vanishes. Ready to mute the machines, or keep footing the bill?

Last Thursday Arup wired $25.6 million because a deepfake CFO said “jump.”
Cost to the crooks? Thirty bucks for a monthly AI-phishing kit and three seconds of scraped audio.
That 95 % price drop turns every bored script-kiddie into a con-artist with a Hollywood budget.

How it works

  • Voice cloning needs < 3 s of your “hello?” from TikTok.
  • Large-language models spin 1,265 % more phishing mails than last year, each tuned with breached HR data.
  • Cisco’s red-teamers prove 60 % of “safety” guardrails fold after five chat turns—like a bouncer who lets you in if you ask nicely five times.

Impacts

  • Wallet: synthetic-ID fraud already siphoned ≥ $30 B since 2023—equal to the GDP of Bolivia.
  • Trust: 47 % of Indian mobile users now flinch at every unknown call; Europe clocks +311 % fake-ID loans.
  • Boardroom: 94 % of login attempts are bots, so your multi-factor token is just another souvenir.

Institutional response (spoiler: still buffering)

Enterprises lecture staff with 2019-era slide decks that cover < 30 % of today’s scam surface.
EU watermark rules? Pending until 2027—light-years in AI dog-years.
Meanwhile open-source repos drop 200 new malicious models a week, priced at a latte.

Timelines to watch

  • Q3-2026: voice-scam volume +30 %; detection false-positives still 12 %—your IT helpdesk drowns.
  • 2028: attacker cost plateaus at < 5 % of 2022 levels; social-engineering becomes the default, not the exception.
  • 2030: only media with cryptographic birth-certificates gets through—email without it hits the trash like spam from a prince.

The takeaway

When the cost of deception drops below a Netflix subscription, reputation becomes the only currency left.
Start watermarking your Zoom recordings, bind logins to how you type—not what you type—and treat every unexpected “hi, it’s me” like a $25 million question.


In Other News

  • Hacker leaks 12 GB of personal data from Cal AI, affecting 3 million users after exploiting MyFitnessPal breach
  • Mullvad’s GotaTUN WireGuard implementation passes audit with two low-severity padding deviations fixed
  • Law enforcement dismantles Tycoon 2FA phishing-as-a-service platform, disrupting 96,000+ phishing victims since 2023
  • Prompt injection tops OWASP’s LLM Top 10 as attackers bypass safety filters to extract data and hijack AI agents