Covenant
Covenant is an open-source .NET post-exploitation and command-and-control framework whose implant component is commonly referred to as Grunt. The provided content describes capabilities including creation of PowerShell-based launchers for Grunt installation, HTA files for Grunt deployment, use of WMI to install new Grunt listeners through XSL files or command one-liners, use of SCT files for regsvr32-based installation, and SSL-encrypted command-and-control traffic. It is also described as supporting HTTP Grunts and in one report as a .NET assembly responsible for command-and-control and execution of further tasks from the Covenant framework.
The content repeatedly links Covenant to Russian state-sponsored APT28/Sednit/Fancy Bear/UAC-0001 activity. ESET reported that since April 2024 APT28 has used Covenant together with BeardShell for long-term surveillance of Ukrainian military personnel, drone manufacturers, and organizations involved in drone research and development. Multiple reports state that APT28 heavily modified Covenant for espionage operations, including altered execution flow, deterministic host-based implant identifiers, and new cloud-based communication protocols; the modified implant is referred to as CovenantGrunt in some reporting. Since July 2025, APT28 has used Filen for Covenant command-and-control; earlier reporting also states that the attackers customized Covenant to route encrypted C2 traffic through Koofr and Icedrive. CERT-UA and partners found Covenant alongside related tooling such as BeardShell and NotDoor in incidents attributed to the same adversary.
The content also places Covenant in a January 2026 exploitation chain using Microsoft Office vulnerability CVE-2026-21509. In that campaign, spear-phishing DOC/RTF lures triggered WebDAV retrieval of additional payloads, leading to a loader chain involving SimpleLoader, EhStoreShell.dll, and SplashScreen.png. Shellcode extracted from the PNG launched a modified Covenant implant in memory. Persistence and execution details directly mentioned include COM hijacking of CLSID {D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D} and a scheduled task named OneDriveHealth used to restart explorer.exe and trigger the hijacked COM object. The modified Covenant implant used filen.io cloud storage as management or command-and-control infrastructure over HTTPS, with one report describing a handshake using a 2048-bit RSA key pair and AES-256 session key exchange through Filen folders. Reported post-exploitation behavior included .NET assembly loading, PowerShell execution, output streaming, encrypted result uploads, reconnaissance with arp.exe, systeminfo.exe, and tracert.exe, and process injection into svchost.exe.
Additional indicators and infrastructure explicitly mentioned in the content include filen.io and related Filen domains, attacker delivery domains such as freefoodaid.com, wellnesscaremed.com, wellnessmedcare.org, and longsauce.com, IPs 159.253.120.2, 193.187.148.169, and 23.227.202.14, and file hashes associated with the 2026 chain including EhStoreShell.dll SHA-256 52b6fb40e7efb09c2bebe8550178e7e30009600bdedd1acae085d753761b7598 and SplashScreen.png SHA-256 c4389cc34b672c4f885547f413bf38575e6ee2b23a0ddfdd306a69c1775db6fc. The content also notes broader use of Covenant by operators as a publicly available offensive framework and references its deployment in Azure abuse scenarios where a PowerShell launcher starts a Grunt implant that connects back to an external Covenant C2 server and runs as LocalSystem.
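The persistence and infrastructure details above translate directly into host-side checks. The following Python triage script is an added example (not code from the original page or from any vendor report): it runs four detections over constructed Sysmon-style telemetry, flagging an InprocServer32 override for the hijacked CLSID (and whether it landed in a per-user hive, the usual COM-hijack location), schtasks creation of the OneDriveHealth task, connections to the listed Filen and delivery infrastructure, and the two SHA-256 hashes. The key=value field names (EventType, TargetObject, Hashes, and so on) are assumptions modelled on Sysmon's schema, and every sample event is constructed; the indicators themselves are the ones the page lists.

```python
"""Triage constructed host telemetry for the Covenant-chain artifacts described above.
Added example, not code from the original page or any vendor report. Field names follow a
Sysmon-like key=value layout (an assumption); indicators are the ones the page lists."""
import re
from dataclasses import dataclass

# Indicators taken from the page.
HIJACKED_CLSID = "{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}"
TASK_NAME = "OneDriveHealth"
C2_DOMAINS = {"filen.io", "freefoodaid.com", "wellnesscaremed.com", "wellnessmedcare.org", "longsauce.com"}
C2_IPS = {"159.253.120.2", "193.187.148.169", "23.227.202.14"}
KNOWN_SHA256 = {
    "52b6fb40e7efb09c2bebe8550178e7e30009600bdedd1acae085d753761b7598": "EhStoreShell.dll",
    "c4389cc34b672c4f885547f413bf38575e6ee2b23a0ddfdd306a69c1775db6fc": "SplashScreen.png",
}

@dataclass
class Finding:
    rule: str
    detail: str

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line: str) -> dict:
    """Split a 'key=value key="quoted value"' line into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}

def _domain_matches(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)

def _sha256_of(ev: dict) -> str:
    """Pull the SHA256 entry out of a 'MD5=..,SHA256=..' style Hashes field."""
    for part in ev.get("Hashes", "").split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return ""

def evaluate(ev: dict) -> list:
    """Apply the four detections to one parsed event."""
    out, kind = [], ev.get("EventType", "")
    target, cmd = ev.get("TargetObject", ""), ev.get("CommandLine", "")
    # 1. InprocServer32 rewritten for the hijacked CLSID. A per-user hive (HKU/HKCU) write is
    #    the classic user-level COM hijack; HKLM writes normally come from installers.
    if kind == "RegistryValueSet" and HIJACKED_CLSID.lower() in target.lower() \
            and "inprocserver32" in target.lower():
        scope = "per-user" if target.upper().startswith(("HKU\\", "HKCU\\")) else "machine-wide"
        out.append(Finding("com_hijack", f"{scope} InprocServer32 for {HIJACKED_CLSID} -> {ev.get('Details', '?')}"))
    # 2. schtasks creating the task name from the reporting (queries and deletes are ignored).
    if kind == "ProcessCreate" and ev.get("Image", "").lower().endswith("schtasks.exe") \
            and "/create" in cmd.lower() and TASK_NAME.lower() in cmd.lower():
        out.append(Finding("suspicious_task", f"schtasks created {TASK_NAME}: {cmd}"))
    # 3. Outbound connection to the listed Filen or delivery infrastructure.
    if kind == "NetworkConnect":
        host, ip = ev.get("DestinationHostname", ""), ev.get("DestinationIp", "")
        if _domain_matches(host) or ip in C2_IPS:
            out.append(Finding("c2_infrastructure", f"{ev.get('Image', '?')} -> {host or ip}"))
    # 4. Known loader / shellcode-carrier hash written or executed.
    digest = _sha256_of(ev)
    if digest in KNOWN_SHA256:
        where = ev.get("TargetFilename") or ev.get("Image", "?")
        out.append(Finding("known_hash", f"{KNOWN_SHA256[digest]} ({digest[:12]}...) at {where}"))
    return out

def triage(lines) -> list:
    findings = []
    for line in lines:
        findings.extend(evaluate(parse_event(line)))
    return findings

# Constructed sample events: the first five should alert, the last three should not.
SAMPLE_EVENTS = [
    'EventType=RegistryValueSet Image="C:\\Windows\\explorer.exe" '
    'TargetObject="HKU\\S-1-5-21-111-222-333-1001\\Software\\Classes\\CLSID\\'
    '{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}\\InprocServer32\\(Default)" '
    'Details="C:\\Users\\Public\\EhStoreShell.dll"',
    'EventType=ProcessCreate Image="C:\\Windows\\System32\\schtasks.exe" '
    'CommandLine="schtasks /Create /TN OneDriveHealth /SC MINUTE /MO 15 /TR C:\\Users\\Public\\restart.cmd"',
    'EventType=NetworkConnect Image="C:\\Windows\\System32\\svchost.exe" '
    'DestinationHostname=filen.io DestinationIp=203.0.113.10 DestinationPort=443',
    'EventType=NetworkConnect Image="C:\\Windows\\System32\\svchost.exe" '
    'DestinationIp=193.187.148.169 DestinationPort=443',
    'EventType=FileCreate Image="C:\\Windows\\System32\\svchost.exe" '
    'TargetFilename="C:\\Users\\Public\\SplashScreen.png" '
    'Hashes=SHA256=c4389cc34b672c4f885547f413bf38575e6ee2b23a0ddfdd306a69c1775db6fc',
    'EventType=ProcessCreate Image="C:\\Windows\\System32\\schtasks.exe" CommandLine="schtasks /Query /TN OneDriveHealth"',
    'EventType=NetworkConnect Image="C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe" '
    'DestinationHostname=onedrive.live.com DestinationIp=203.0.113.5 DestinationPort=443',
    'EventType=RegistryValueSet Image="C:\\Windows\\System32\\msiexec.exe" '
    'TargetObject="HKLM\\SOFTWARE\\Classes\\CLSID\\{11111111-2222-3333-4444-555555555555}\\InprocServer32\\(Default)" '
    'Details="C:\\Program Files\\Vendor\\vendor.dll"',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.detail}")
```

Running the script prints one line per finding. The scope label on the COM-hijack rule is the part worth keeping when adapting this to real telemetry: a machine-wide InprocServer32 change for a CLSID that Explorer loads is ordinary installer behaviour, while the same change under HKU for that CLSID is what the reporting describes, and filtering on that distinction keeps the rule from drowning in software-update noise.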
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
...which, in turn, will ensure that the COVENANT software tool (framework) is launched on the computer. It should be noted that COVENANT uses the legitimate cloud storage Filen (filen.io) as its management infrastructure.
Groups observed using it
4 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
This campaign features a multi-stage infection chain and novel payloads, including a simple initial loader, an Outlook VBA backdoor (NotDoor), and a modified Covenant implant ("CovenantGrunt" [7]).
"...execute payloads based on Donut and the Covenant post-exploitation framework."
The attackers also customized the Covenant red-team framework to route encrypted command-and-control traffic through Koofr and Icedrive cloud services, making detection difficult.
In the recent attacks, the Russian threat group paired BeardShell with a heavily modified version of the open-source Covenant .NET post-exploitation framework.
Techniques & procedures
29 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique
...e-mails with an attachment in the form of a DOC file, "BULLETEN_H.doc". The said e-mail was sent to more than 60 e-mail addresses, mostly belonging to central executive authorities of Ukraine.
Execution
9 techniques
The content repeatedly describes threat actors and malware using WMI/WMIC/wmiexec for remote execution, lateral movement, discovery, persistence, and administrative actions; e.g., 'APT41 used WMI in several ways, including for execution of commands via WMIEXEC as well as for persistence via PowerSploit' and 'Scattered Spider used Windows Management Instrumentation (WMI) to move laterally via Impacket.'
...creation of a scheduled task, "OneDriveHealth". The scheduled execution of the task will lead to the termination and restart of the explorer.exe process...
Silent Cartographer is simply an exercise in identifying the application in play (Covenant), researching any known exploits against it, retooling the published POC, executing the POC, and handling the incoming reverse shell.
The content repeatedly describes threat actors and malware using PowerShell scripts/commands for execution, download, staging, reconnaissance, persistence, credential access, lateral movement, and defense evasion; e.g., "Sandworm Team used PowerShell scripts to run a credential harvesting tool in memory to evade defenses."
During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL. During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run cmd.exe commands on multiple victim machines. Numerous malware families and groups are described as using cmd.exe, cmd /c, Windows command shell, or command-line interfaces to execute commands, payloads, reconnaissance, persistence, cleanup, and ransomware actions.
APT32 created a Scheduled Task/Job that used regsvr32.exe to execute a COM scriptlet that dynamically downloaded a backdoor and injected it into memory. ... RogueRobin uses regsvr32.exe to run a .sct file for execution.
Opening the document with Microsoft Office leads to the establishment of a network connection to an external resource... the DOC file "Consultation_Topics_Ukraine(Final).doc", which contained an exploit for ... CVE-2026-21509.
subsequent download of a file with a shortcut-file header, which contains program code intended to download and run an executable file.
Annotation: T1204.003 Malicious Image (tactic: Execution)
Persistence
1 technique
Privilege Escalation
2 techniques
...creation of a scheduled task, "OneDriveHealth". The scheduled execution of the task will lead to the termination and restart of the explorer.exe process...
If a user can fabricate a JWT by using the leaked JWT secret key, they can arbitrarily assign themselves admin-level credentials, log in, and wreak havoc on the server.
Stealth
5 techniques
This is a .NET assembly responsible for C&C and executing further tasks from the Covenant framework. It is heavily obfuscated with randomized function names to hinder static analysis.
...an image file with shellcode, "SplashScreen.png"... which will execute the shellcode from the image file...
Multiple actors and malware families are described as using mshta/mshta.exe (including renamed mshta.exe) to execute malicious scripts/HTA/HTML/VBScript/JavaScript, download and run payloads from remote servers, and in one case help schedule tasks for persistence.
AppleSeed can call regsvr32.exe for execution. APT19 used Regsvr32 to bypass application control techniques. APT32 created a Scheduled Task/Job that used regsvr32.exe to execute a COM scriptlet that dynamically downloaded a backdoor and injected it into memory. ... Raspberry Robin uses regsvr32.exe execution without any command line parameters for command and control requests to IP addresses associated with Tor nodes.
Background: Reflection. In .NET, reflection is the runtime feature that lets code discover and use types, methods, and load assemblies dynamically. Legitimate software uses it for plugins, dynamic loading, and tooling - but for attackers it is a defence evasion technique, similar to injection, but for managed code. They can load assemblies straight from bytes in memory, resolve method names on the fly, and execute payloads more discreetly.
Credential Access
1 technique
Covenant versions prior to 0.5 all had the same JWT secret key in default builds. The JWT in Covenant is used to authenticate users to the Covenant web UI... If a user can fabricate a JWT by using the leaked JWT secret key, they can arbitrarily assign themselves admin-level credentials, log in, and wreak havoc on the server.
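The weakness described in that snippet is a build-wide signing secret rather than anything in the JWT format itself, so the fix is a per-deployment key plus strict verification. The following Python example is added here and is not Covenant's code: it mints and verifies HS256 tokens with the standard library only, generates the signing key at install time instead of compiling it in, pins the algorithm so a token cannot select "none", and compares signatures in constant time. SHARED_DEFAULT_SECRET is a constructed placeholder standing in for any secret identical across default builds; it is not the key from the advisory.

```python
"""Per-deployment JWT secret and strict HS256 verification.
Added example, not Covenant's code. SHARED_DEFAULT_SECRET is a constructed
placeholder for a secret baked into every default build; it is not the real key."""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def generate_secret() -> bytes:
    """Generate the signing key at install time; never compile it into the build."""
    return secrets.token_bytes(32)


def issue_token(secret: bytes, claims: dict) -> str:
    """Mint a compact HS256 JWT (header.payload.signature)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(secret: bytes, token: str) -> Optional[dict]:
    """Return the claims only if the token is a well-formed HS256 JWT signed with `secret`."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_unb64url(header_b64))
    except ValueError:  # bad segment count, bad base64 or bad JSON
        return None
    # Pin the algorithm server-side: the token never gets to choose (rejects "none").
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    # Constant-time compare so the signature check does not leak timing information.
    try:
        if not hmac.compare_digest(expected, _unb64url(sig_b64)):
            return None
        return json.loads(_unb64url(payload_b64))
    except ValueError:
        return None


# Constructed placeholder for a secret shared by every default build (NOT a real key).
SHARED_DEFAULT_SECRET = b"constructed-placeholder-secret-identical-in-every-install"


def demo() -> dict:
    """Show why the fix works: a fresh per-install key rejects tokens minted under the shared one."""
    deploy_secret = generate_secret()
    legit = issue_token(deploy_secret, {"sub": "operator", "role": "Administrator"})
    # A token signed with the shared default key, as described in the advisory text above...
    minted_with_default = issue_token(SHARED_DEFAULT_SECRET, {"sub": "intruder", "role": "Administrator"})
    # ...and an unsigned token that asks to be trusted via alg "none".
    unsigned = _b64url(b'{"alg":"none"}') + "." + _b64url(b'{"role":"Administrator"}') + "."
    return {
        "legit_accepted": verify_token(deploy_secret, legit) is not None,
        # Worthless against a server that generated its own key at install time...
        "default_key_token_rejected": verify_token(deploy_secret, minted_with_default) is None,
        "alg_none_rejected": verify_token(deploy_secret, unsigned) is None,
        # ...but accepted by any server still running the shared default (the pre-0.5 situation).
        "stale_build_accepts_it": verify_token(SHARED_DEFAULT_SECRET, minted_with_default) is not None,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The last entry in demo() is the one that matters operationally: every instance that kept the shipped secret accepts the same token, so rotating the secret on upgrade (not just in new installs) is part of the remediation, and the web UI's access log is where a forged administrator login would show up.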
Discovery
1 technique
The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
Command and Control
8 techniques
Recorded Future tracks the creation and modification of new malicious infrastructure for a multitude of post-exploitation toolkits, custom malware, and open-source remote access trojans (RATs). We observed over 17,000 unique command-and-control (C2) servers during 2022...
The content repeatedly describes threat actors, malware, and campaigns using HTTP and/or HTTPS for command and control, including examples such as BlackEnergy communicating with C2 over HTTP POST requests and many other families using HTTP/S for C2.
...COVENANT uses the legitimate cloud storage Filen (filen.io) as its management infrastructure.
The malware abuses the legitimate end-to-end encrypted cloud storage service Filen.io for C&C communications. By leveraging this trusted service, the malicious traffic blends in with normal encrypted web traffic, effectively bypassing reputation-based filtering and firewall rules.
The Custom Script Extension ... downloads a script from a user-specified location (e.g. URL, blob storage, etc.) and then executes the script on a running Azure Windows or Linux VM.
Cobalt Strike uses a command-line interface to interact with systems. Brute Ratel C4 can use cmd.exe for execution. Havoc can execute commands via cmd.exe. Covenant provides access to a Command Shell in Windows environments for follow-on command execution and tasking.
The content repeatedly describes malware and threat actors using SSL, TLS, HTTPS, RSA, AES, Blowfish, RC4, ECIES, Diffie-Hellman, OpenSSL, WolfSSL, and mutual TLS to protect command and control traffic.
Multiple malware families and intrusion sets are described as encrypting C2 traffic using SSL/TLS/HTTPS (e.g., "used HTTPS for command and control", "encrypts C2 communications with TLS", "uses SSL for encrypting C2 communications", "TLS-encrypted WebSocket Protocol (WSS) for C2").
Exfiltration
1 technique
opening the document ... leads to the establishment of a network connection to an external resource using the WebDAV protocol, and the subsequent download of a file with a shortcut-file header
Other
2 techniques
IOCs tracked for this family
62 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
51 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
An implant used by Sednit against Ukrainian military personnel and drone-related organizations.
An offensive .NET framework referenced here as the basis for the modified CovenantGrunt implant used for fileless post-exploitation and cloud-based C2.
Mentioned as an open-source offensive framework used in place of bespoke malware development.
An offensive .NET framework whose Grunt Stager is used here as the PRISMEX stager for command-and-control and task execution, heavily obfuscated and executed in memory.