Covenant Grunt
Covenant Grunt is a .NET implant associated with the open-source Covenant command-and-control framework. In the provided reporting, it is described as an in-memory remote-control implant that gives attackers full command-and-control over a victim system and is used to maintain long-term access. Multiple sources in the content link its deployment to APT28/Fancy Bear/UAC-0001 campaigns, especially Operation Neusploit and related activity exploiting Microsoft Office vulnerability CVE-2026-21509 against targets in Ukraine and other European countries, including government, defense, transportation, diplomatic, military, maritime, and transport organizations. Reported infection chains used weaponized RTF or Word documents, localized spear-phishing lures, WebDAV-based retrieval, LNK-based stages, COM hijacking, DLL proxying, anti-analysis checks, and PNG steganography. In the PixyNetLoader chain, shellcode hosted the .NET CLR in memory and loaded an embedded Covenant Grunt assembly; one analyzed sample used the Filen API as a C2 bridge, with reporting also noting abuse of filen.io cloud storage for command-and-control to blend malicious traffic with legitimate activity. The content explicitly associates Covenant Grunt with PixyNetLoader and, in some campaigns, with the NotDoor/MiniDoor infection chain. High-confidence behavioral details directly stated in the content include in-memory execution of an embedded .NET assembly, command-and-control capability, use as a final-stage implant, and use of the Filen API/C2 bridge in at least one sample. The content also notes that reports included file hashes for RTF exploit samples, PixyNetLoader, and CovenantGrunt as indicators of compromise, but no specific hashes are provided here.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Vulnerabilities exploited
2 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
Threat hunters have also charted the evolution of PixyNetLoader, a malware loader attributed to APT28 in connection with campaigns exploiting a Microsoft Office vulnerability (CVE-2026-21509), to extract a COVENANT Grunt implant.
CVE-2026-21513 zero-day: Exploited at least 11 days before the February 10, 2026 patch release... By combining zero-day exploitation (CVE-2026-21513) with rapid weaponization of newly disclosed vulnerabilities (CVE-2026-21509)... Immediate mitigations Patching: Prioritize the remediation of both CVE-2026-21509 and CVE-2026-21513 across the entire fleet immediately.
Groups observed using it
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
The exploitation delivers a multi-stage infection chain culminating in the NotDoor Outlook backdoor and Covenant Grunt implants.
Techniques & procedures
21 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques
In these attacks, phishing emails with geopolitically-charged narratives related to transnational weapons smuggling, military training programs, and meteorological emergency bulletins contain weaponized documents that exploit CVE-2026-21509...
Proofpoint telemetry observed CVE-2026-21509 in targeted spear-phishing campaigns delivering weaponized document attachments with high-fidelity institutional lures — official letterheads, bilingual formatting, ministerial seals.
Execution
4 techniques
"The shellcode employs CLR hosting to load and execute an embedded .NET assembly in-memory: a Covenant Grunt implant..."
The main purpose of this 64-bit shellcode is to load a .NET assembly embedded inside it. In order to load a managed assembly from native code, the shellcode uses the CLR hosting technique.
CVE-2026-21509, a remote code execution vulnerability in Microsoft Office affecting RTF and OLE document processing... weaponized the flaw in malicious RTF files targeting Ukrainian government agencies and European defense, transportation, and diplomatic entities.
They used complex multi-stage loading chains, including spear-phishing documents, LNK-based exploits, WebDAV external calls, COM hijacking and steganography, to evade detection, and ultimately installed remote-control implants such as Covenant Grunt to maintain long-term internal control.
Persistence
2 techniques
They employed complex multi-stage loading chains—including spear-phishing documents, LNK-based exploits, WebDAV external calls, COM hijacking...
Privilege Escalation
3 techniques
The entire chain is designed for resilience and evasion, utilizing encrypted payloads, legitimate cloud services for C2, in-memory execution, and process injection to minimize forensic artifacts.
Stealth
4 techniques
The entire chain is designed for resilience and evasion, utilizing encrypted payloads... Zscaler said... similar techniques, including... XOR string encryption techniques...
The primary responsibility of the loader is to parse shellcode concealed using steganography within the image and execute it.
Calls _AppDomain::Load_3 to load the .NET assembly passed via SafeArray, enabling in-memory execution of the .NET assembly.
Command and Control
7 techniques
Cloud storage services (notably filen.io) serve as C2 infrastructure, blending malicious traffic with normal enterprise activity.
In this sample, the implant uses the Filen API as a C2Bridge to communicate and receive tasks from the threat actor.
“the implant uses the Filen API as a C2Bridge to communicate and receive tasks from the threat actor. This abuse of legitimate APIs…”
“Abused Filen API as a C2 bridge between the implant and actor-controlled Covenant listener.”
GammaPhish is designed to deploy GammaLoad first
Ultimately, they installed remote control implants like Covenant Grunt to maintain long-term internal control.
Exfiltration
2 techniques
They employed complex multi-stage loading chains—including spear-phishing documents, LNK-based exploits, WebDAV external calls...
"It uses a legitimate cloud service called Filen to communicate with the hackers, making the stolen data look like regular, harmless internet traffic."
IOCs tracked for this family
1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
Recent activity
11 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
An implant delivered by PixyNetLoader in APT28 campaigns exploiting a Microsoft Office vulnerability.
An implant delivered in the final stage of the observed exploitation chain following weaponized Office document attacks.
A remote-control implant that APT28 installed at the end of a multi-stage loading chain, used for long-term internal control and remote command execution.
Remote control implant used by APT28 for long-term persistence and internal control after exploitation of Microsoft Office and MSHTML zero-days.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.