Brunswick, ME • (207) 245-1010 • contact@johnzblack.com
Building custom malware is expensive. So the world’s top state-backed hacking groups have figured out something smarter: just use someone else’s tools.
Two stories this week prove the point.
Covenant is an open-source, .NET-based command-and-control framework built for legitimate penetration testing and red-team work. It’s free, well-documented, and effective. APT28 (Fancy Bear, GRU Unit 26165) grabbed it, customized it just enough to dodge detection, and deployed it against Ukrainian military targets. They paired it with a new malware strain called BEARDSHELL.
Here’s the nasty part. Your SOC analysts might see Covenant traffic on the network and assume it’s an internal pen test. That’s the whole point. When attackers use the same tools your security team uses, a detection that keys on the tool’s identity tells you almost nothing: the alert may still fire, but it looks identical to the one from last quarter’s authorized assessment, and any exception you carved out for the red team now covers the adversary too.
North Korean group UNC4899 compromised a cryptocurrency firm after a developer accepted an AirDrop file at a work event. Just… accepted a file from someone nearby. Opened it on a work device. And that was all the foothold they needed.
It’s almost elegant. AirDrop at a conference feels normal. It doesn’t trigger the same alarm bells as a phishing email from a stranger. The attack exploits a social norm, not a software bug.
North Korea’s Lazarus cluster has stolen billions from crypto firms. This shows they’re not just technically sharp. They’re operationally creative in ways that should make you uncomfortable.
Strip away the specifics and both groups are running the same play. Borrow from ecosystems that defenders trust. Open-source security tools, built-in platform features, software that’s supposed to be safe. Then exploit the gap between what people expect and what’s actually happening.
Detection has to shift from “is this tool on a blocklist” to “is this tool behaving in a way that doesn’t make sense.” Was Covenant traffic initiated outside a scheduled assessment? Did a device start phoning home to an unfamiliar server right after a conference?
That’s harder. But it’s where the advantage lives.
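One way to operationalize the “outside a scheduled assessment” question, as an added example that is not from the original post or from any vendor’s product: the Python below correlates C2-framework detections against a record of authorized engagements and flags anything whose time, source host, framework or team server does not match a declared engagement. The engagement schedule, the alert format, the host names and the TEST-NET addresses are all constructed for illustration; your EDR or NDR export and your assessment tracker will differ.

```python
"""Context-based triage of red-team tooling alerts (added example).

A detection of a C2 framework (here Covenant) is only "authorized" if its
time, source host, framework and team server all match an engagement that
the security team declared in advance. Everything else is escalated.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import json


@dataclass(frozen=True)
class Engagement:
    name: str
    start: datetime
    end: datetime
    hosts: frozenset        # in-scope operator workstations
    tools: frozenset        # frameworks the team declared it would use
    c2_servers: frozenset   # declared team-server addresses


def _ts(s: str) -> datetime:
    """Parse an ISO 8601 timestamp; a trailing 'Z' means UTC."""
    return datetime.fromisoformat(s.replace("Z", "+00:00")).astimezone(timezone.utc)


# Constructed schedule (assumption: exported from the change/assessment tracker).
ENGAGEMENTS = [
    Engagement(
        name="2025-Q2 internal assessment",
        start=_ts("2025-06-10T09:00:00Z"),
        end=_ts("2025-06-12T18:00:00Z"),
        hosts=frozenset({"ws-redteam-01", "ws-redteam-02"}),
        tools=frozenset({"Covenant"}),
        c2_servers=frozenset({"203.0.113.10"}),
    ),
]

# Constructed alerts, one JSON object per line, as an EDR/NDR export might emit them.
SAMPLE_ALERTS = """\
{"ts": "2025-06-10T14:22:00Z", "host": "ws-redteam-01", "dst": "203.0.113.10", "tool": "Covenant"}
{"ts": "2025-06-11T10:05:00Z", "host": "fin-laptop-07", "dst": "203.0.113.10", "tool": "Covenant"}
{"ts": "2025-06-11T10:30:00Z", "host": "ws-redteam-02", "dst": "198.51.100.77", "tool": "Covenant"}
{"ts": "2025-06-11T11:00:00Z", "host": "ws-redteam-02", "dst": "203.0.113.10", "tool": "Sliver"}
{"ts": "2025-06-14T03:05:00Z", "host": "ws-redteam-01", "dst": "203.0.113.10", "tool": "Covenant"}
"""


def classify(alert: dict, engagements) -> str:
    """Return 'authorized', or the first reason the alert fits no engagement."""
    when = _ts(alert["ts"])
    active = [e for e in engagements if e.start <= when <= e.end]
    if not active:
        # No assessment was running at all: the strongest signal of the four.
        return "outside_window"
    reasons = []
    for e in active:
        if alert["host"] not in e.hosts:
            reasons.append("out_of_scope_host")
        elif alert["tool"] not in e.tools:
            reasons.append("undeclared_tool")
        elif alert["dst"] not in e.c2_servers:
            reasons.append("undeclared_c2_server")
        else:
            return "authorized"   # every declared attribute matched this engagement
    return reasons[0]


def triage(alert_lines: str, engagements=ENGAGEMENTS) -> list:
    """Classify every alert line; anything not 'authorized' should be escalated."""
    results = []
    for line in alert_lines.splitlines():
        if not line.strip():
            continue
        alert = json.loads(line)
        results.append((alert["host"], alert["ts"], classify(alert, engagements)))
    return results


if __name__ == "__main__":
    for host, ts, verdict in triage(SAMPLE_ALERTS):
        flag = "" if verdict == "authorized" else "  <-- escalate"
        print(f"{ts}  {host:15s}  {verdict}{flag}")
```

The point of the four separate verdicts is that each one is a different conversation: a hit outside any window is treated as hostile, while a declared host talking to an undeclared server during a live engagement is a call to the engagement lead before anyone touches the box. Engagements are matched as closed intervals, so an alert exactly at the start time counts as in-window.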
If you use open-source C2 frameworks: Keep a strict inventory of which frameworks are authorized, which operator hosts run them, which team servers they talk to, and when each engagement starts and ends. Monitor for instances that fall outside that record, and never blanket-allowlist red-team tooling. Covenant traffic outside a scheduled pen test is a red flag; treat it as hostile until the engagement lead confirms otherwise.
If you’re in crypto: UNC4899 isn’t slowing down. Train your people to refuse unsolicited file transfers at events, and to treat a file handed over in person with the same suspicion as an attachment from a stranger. Set AirDrop to “Contacts Only” or turn receiving off entirely, and enforce that setting through device management rather than relying on each person to remember it.
For everyone else: The era of spotting nation-state attacks by looking for exotic malware is fading. The tools are increasingly familiar. Your detection has to get smarter.