APT28 Operation Phantom Net Voxel
ID: 03460620-cc59-5183-acc6-f79c8232c62d
STIX ID: report--03460620-cc59-5183-acc6-f79c8232c62d
Feed Name: Sekoia.io Blog
Date Published: 2025-09-16
Date Updated: 2026-04-29
Author: Amaury G., Charles M. and Sekoia TDR
**Executive summary:** Sekoia.io describes an active, sophisticated APT28 campaign targeting Ukrainian military administration. Weaponized Office documents delivered over Signal execute VBA macros that establish persistence via COM hijacking (a proxy prnfldr.dll), extract shellcode hidden in PNG images, load a .NET Covenant Grunt stager that uses the Koofr API for C2, and facilitate deployment of the BeardShell backdoor using icedrive. The report also analyses SlimAgent spyware found on the same host and includes extensive IOCs (hashes, filenames, cloud endpoints), YARA rules and Python tooling for detection and analysis.
