Russian state-sponsored hackers tracked as APT28 (also known as Fancy Bear) have been using two malware families, BEARDSHELL and COVENANT, to conduct long-term surveillance of Ukrainian military personnel since April 2024. Deploying the two families together gives the group persistent access to compromised systems and lets it collect sensitive information, posing a significant risk to Ukrainian military operations. APT28 has been linked to numerous high-profile intrusions, and its involvement here underscores the geopolitical nature of the threat. Because the activity is state-aligned rather than criminal, it shifts the threat model away from opportunistic, financially motivated attacks toward a sustained, politically motivated campaign that calls for a distinct approach to mitigation and defense. For practitioners, the practical consequence is that a response to APT28 must account for the group's capabilities, patience, and nation-state backing rather than assume the adversary will move on once an initial foothold is lost.