
DRILLAPP Backdoor Targets Ukraine, Exploits Microsoft Edge Bug Fix for Stealth Espionage

Ukrainian businesses have emerged as victims of a new campaign possibly orchestrated by Russian-linked threat actors, according to a report by S2 Grupo’s LAB52 intelligence team.

The campaign, observed in February 2026, was assessed for overlaps with a previous campaign by Laundry Bear (also tracked as UAC-0190 or Void Blizzard) that targeted Ukrainian security forces, and with the malware family known as PLUGGYAPE.

The attack operation “uses a variety of forensic and forensic techniques to install a JavaScript-based backdoor that runs on the Edge browser,” the cybersecurity firm said. Codenamed DRILLAPP, the malware can upload and download files, record from the microphone, and take pictures with a webcam by abusing web browser features.

Two different versions of the campaign have been identified. The first iteration, discovered in early February, used a Windows shortcut (LNK) file to create an HTML Application (HTA) in a temporary folder, which then loads a remote script hosted on Pastefy, a legitimate paste service.

For persistence, the LNK file is copied to the Windows Startup folder so that it launches automatically after a system restart. The attack chain then displays a malicious URL themed around installing Starlink or around a Ukrainian charity called the Come Back Alive Foundation.

The HTML file is finally executed through the Microsoft Edge browser in headless mode, which then loads a remote script hosted on Pastefy.

The browser is launched with additional parameters such as --no-sandbox, --disable-web-security, --allow-file-access-from-files, --use-fake-ui-for-media-stream, --auto-select-screen-capture-source=true, and --disable-user-media-security, which grant access to the system microphone, camera, and screen without any permission prompts or user interaction.

The artifact essentially acts as a lightweight backdoor that provides file system access and captures audio from the microphone, video from the camera, and screenshots of the device, all through the browser. On first run it also generates a device fingerprint using a technique called canvas fingerprinting, and it uses Pastefy as a dead-drop resolver to retrieve the WebSocket URL used for command-and-control (C2) communication.

The malware transmits the device fingerprint data and the victim’s country, which is derived from the device’s time zone. It specifically checks whether the time zone corresponds to the UK, Russia, Germany, France, China, Japan, the US, Brazil, India, Ukraine, Canada, Australia, Italy, Spain, or Poland; if none match, it defaults to the US.

The second version of the campaign, seen in late February 2026, checks for LNK files in the Windows Control Panel modules, while keeping the rest of the infection sequence intact. Another notable change involves the backdoor itself, which has been enhanced to allow recursive file enumeration, batch file uploads, and arbitrary file downloads.

“For security reasons, JavaScript does not allow remote downloading of files,” LAB52 said. “That’s why attackers use the Chrome DevTools Protocol (CDP), an internal protocol of Chromium-based browsers that can only be used if the --remote-debugging-port parameter is enabled.”
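The switch list above and the reliance on --remote-debugging-port give defenders a concrete process-creation signature. The following Python is an added example written for this article, not LAB52’s own detection logic or tooling: it scores constructed browser process-creation events by how many security boundaries the command line removes, normalising the single-dash form Chromium also accepts. The weights, the severity thresholds, the mshta.exe parent heuristic, and the sample events (paths, PIDs, file names) are assumptions made for this example.

```python
"""Score browser process-creation events for headless-abuse indicators (added example)."""
import re
import shlex
from dataclasses import dataclass, field

BROWSER_IMAGES = {"msedge.exe", "chrome.exe", "chromium.exe"}

# Switches named in the report, plus --headless. Weights are an assumption for
# this example: a higher weight means the switch removes a stronger boundary
# (sandbox, same-origin policy, media/screen-capture prompts, DevTools access).
RISKY_SWITCHES = {
    "--headless": 1,
    "--no-sandbox": 1,
    "--disable-web-security": 3,
    "--allow-file-access-from-files": 2,
    "--use-fake-ui-for-media-stream": 3,
    "--auto-select-screen-capture-source": 3,
    "--disable-user-media-security": 3,
    "--remote-debugging-port": 3,
}

# The first campaign variant launches the browser from an HTA; a browser spawned
# by mshta.exe with risky switches is therefore weighted up (assumption).
SUSPICIOUS_PARENTS = {"mshta.exe": 3}


@dataclass
class Finding:
    pid: int
    image: str
    matched: list = field(default_factory=list)
    score: int = 0
    severity: str = "none"


def basename(path):
    """Return the lower-cased file name of a Windows path, quotes stripped."""
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def normalize_switch(token):
    """Map '-flag', '--flag' and '--flag=value' to '--flag'; None for non-switches."""
    m = re.match(r"^-{1,2}([A-Za-z][A-Za-z0-9-]*)(?:=|$)", token)
    return "--" + m.group(1).lower() if m else None


def severity_for(score):
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low" if score >= 1 else "none"


def evaluate_event(event):
    """Score one process-creation event (dict with pid, parent_image, command_line)."""
    # posix=False keeps Windows backslashes literal and quoted paths as one token.
    tokens = shlex.split(event["command_line"], posix=False)
    image = basename(tokens[0]) if tokens else ""
    finding = Finding(pid=event["pid"], image=image)
    if image not in BROWSER_IMAGES:
        return finding
    for tok in tokens[1:]:
        switch = normalize_switch(tok)
        if switch in RISKY_SWITCHES:
            finding.matched.append(switch)
            finding.score += RISKY_SWITCHES[switch]
    parent = basename(event.get("parent_image", ""))
    if parent in SUSPICIOUS_PARENTS and finding.score:
        finding.matched.append("parent:" + parent)
        finding.score += SUSPICIOUS_PARENTS[parent]
    finding.severity = severity_for(finding.score)
    return finding


def triage(events):
    return [evaluate_event(e) for e in events]


# Constructed sample events: a normal Edge launch, the campaign-style launch
# described in the report, and a developer's headless Chrome under Node.
SAMPLE_EVENTS = [
    {"pid": 4120, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" '
                     r'--profile-directory=Default https://example.com/'},
    {"pid": 5532, "parent_image": r"C:\Windows\System32\mshta.exe",
     "command_line": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" '
                     r'--headless --no-sandbox --disable-web-security '
                     r'--allow-file-access-from-files --use-fake-ui-for-media-stream '
                     r'--auto-select-screen-capture-source=true --disable-user-media-security '
                     r'--remote-debugging-port=9222 file:///C:/Users/victim/AppData/Local/Temp/update.html'},
    {"pid": 6010, "parent_image": r"C:\Program Files\nodejs\node.exe",
     "command_line": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
                     r'--headless --remote-debugging-port=9229 about:blank'},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"pid={f.pid} {f.image} score={f.score} severity={f.severity} {f.matched}")
```

Headless mode and a remote debugging port are routine in CI and browser-automation jobs, which is why the example scores rather than alerts on any single switch: the combination of media-prompt suppression, disabled web security and DevTools access in one launch, especially under an HTA or script host, is what separates the campaign from a test runner. Thresholds should be tuned against a baseline of the environment's own automation.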

The backdoor is believed to be in the early stages of development. An early variant of the malware found in the wild on January 28, 2026, was only seen connecting to the domain “gnome[.]com” instead of retrieving the first-stage payload from Pastefy.

“One of the most notable is the use of a browser to install a backdoor, which suggests that attackers are exploring new ways to avoid detection,” the Spanish security vendor said.

“The browser has an advantage in this type of activity because it is a common and generally unsuspicious process, it provides extended capabilities accessible through debugging parameters that allow unsafe actions such as downloading remote files, and it provides legitimate access to sensitive resources such as a microphone, camera, or screen recording without triggering immediate alerts.”
