Grunt

Grunt is an implant associated with the open source Covenant command-and-control framework. The provided content places it in post-exploitation and espionage contexts rather than as a standalone malware family with uniquely described functionality. Mandiant reported that FIN12 intermittently used GRUNT during 2020 as one of several post-exploitation tools alongside Cobalt Strike BEACON, METERPRETER, ANCHOR, and GRIMAGENT after the group’s 2020 hiatus. In separate reporting on Russia-linked APT28/Fancy Bear activity, Zscaler observed a 2026 phishing campaign exploiting CVE-2026-21509, a Microsoft Office/Microsoft 365 vulnerability that bypasses OLE mitigations via malicious RTF documents. In one observed infection chain, exploitation led to download of a malicious dropper DLL, then a previously undocumented loader named PixyNetLoader, which staged additional payloads including a Covenant Grunt implant. That campaign targeted users in Central and Eastern Europe, including Ukraine, Slovakia, and Romania, with lures in Romanian, Ukrainian, and English; Zscaler also noted observed Covenant Grunt samples abusing the Filen cloud storage API for C2 communication. Additional timeline content references GRUNT in connection with APT28’s 2025 Operation Phantom Net Voxel alongside BEARDSHELL and SLIMAGENT. High-confidence capabilities directly supported by the content are that Grunt functions as a Covenant C2 implant used for post-exploitation and command-and-control within broader intrusion chains.