A new DRILLAPP backdoor campaign targets Ukrainian organizations, abusing Microsoft Edge debugging features to evade detection. Observed in February 2026, it shows links to previous Russian-aligned operations by the Laundry Bear APT group (aka UAC-0190, Void Blizzard), which used the PLUGGYAPE malware family against Ukrainian defense forces, indicating ongoing espionage efforts.
“Certain tactics shared with a Laundry Bear campaign reported by CERT-UA in January have been observed, resulting in the activity being attributed to this group with low confidence. These include the use of charity‑themed lures or the hosting of operational artifacts on public text‑sharing services.” reads the report published by LAB52, the intelligence team at S2 Group.
The first DRILLAPP variant, seen in early February, spreads via LNK files that create HTML files in the temp folder, loading obfuscated scripts from pastefy.app. Lures range from Starlink installation images to Come Back Alive charity requests.

The backdoor launches Microsoft Edge in headless mode with security features relaxed, which grants it access to local files, the microphone, the camera, and the screen. It generates a hashed device fingerprint, checks for selected time zones, and connects to a WebSocket C2 for remote control.
“The browser is executed in headless mode, enabling a series of parameters such as --no-sandbox, --disable-web-security, --allow-file-access-from-files, --use-fake-ui-for-media-stream, --auto-select-screen-capture-source=true, and --disable-user-media-security. These settings allow local file access and automatically grant permissions for the camera, microphone, and screen capture without user interaction.” continues the report. “Using deobfuscation techniques, it has been possible to partially recover the code of the artifact, which functions as a lightweight backdoor allowing the attacker to access the file system and record audio from the microphone, video from the camera, and the device’s screen, all through the browser.”
The second variant, detected in late February 2026, replaces LNK files with CPL files, Control Panel modules that act as executable DLLs. Despite this change, the behavior remains similar. Lures include a weapons seizure report and a document from the Southern Office of Ukraine’s State Audit Service displayed via the National Guard’s website.
The backdoor adds new capabilities such as recursive file listing, batch uploads, and remote file downloads. To bypass JavaScript restrictions on downloading files, attackers leverage the Chrome DevTools Protocol via the remote-debugging port, modifying the download path and injecting a script that simulates a user click to retrieve files from a remote server.
“For security reasons, JavaScript does not allow the remote downloading of files. This is why the attackers use the Chrome DevTools Protocol (CDP), an internal protocol of Chromium‑based browsers that can only be used when the --remote-debugging-port parameter is enabled.” continues the report.
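The combination of switches quoted above (headless mode plus flags that disable web security, auto-grant media permissions, and open a remote-debugging port) is unusual for a user-launched browser and lends itself to a process-creation detection. The following is an added example, not code from the LAB52 report; the switch weights, threshold, and the process events it scans are constructed for illustration.

```python
import shlex
from dataclasses import dataclass
from typing import List, Optional

# Edge/Chromium switches the report lists for DRILLAPP. Weights are an assumption
# of this example: media/debugging switches count more than the sandbox flag alone.
RISKY_SWITCHES = {
    "--no-sandbox": 1,
    "--disable-web-security": 2,
    "--allow-file-access-from-files": 2,
    "--use-fake-ui-for-media-stream": 3,
    "--auto-select-screen-capture-source": 3,
    "--disable-user-media-security": 3,
    "--remote-debugging-port": 3,
}
BROWSERS = {"msedge.exe", "chrome.exe", "chromium.exe"}  # assumed Chromium-based images
THRESHOLD = 5  # constructed: headless (+2) plus at least one high-weight switch

@dataclass
class Finding:
    image: str
    headless: bool
    switches: List[str]
    score: int

def parse_switches(cmdline: str) -> List[str]:
    """Return the --switch names (values after '=' stripped) from a Windows command line."""
    parts = shlex.split(cmdline, posix=False)  # posix=False keeps backslashes and quotes intact
    return [p.split("=", 1)[0].lower() for p in parts if p.startswith("--")]

def assess(image: str, cmdline: str) -> Optional[Finding]:
    """Flag a Chromium-based browser started headless with switches that relax security
    or grant file, media and debugging access without user interaction."""
    name = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if name not in BROWSERS:
        return None
    switches = parse_switches(cmdline)
    headless = any(s.startswith("--headless") for s in switches)  # --headless or --headless=new
    hits = [s for s in switches if s in RISKY_SWITCHES]
    score = sum(RISKY_SWITCHES[s] for s in hits) + (2 if headless else 0)
    return Finding(name, headless, hits, score) if headless and score >= THRESHOLD else None

# Constructed process-creation events (image path, command line); not real telemetry.
EVENTS = [
    ("C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
     '"msedge.exe" --headless=new --no-sandbox --disable-web-security --allow-file-access-from-files '
     '--use-fake-ui-for-media-stream --auto-select-screen-capture-source=true '
     '--disable-user-media-security --remote-debugging-port=9222 C:\\Users\\u\\AppData\\Local\\Temp\\a.html'),
    ("C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
     '"msedge.exe" --profile-directory=Default https://example.com'),
    ("C:\\Windows\\System32\\notepad.exe", "notepad.exe a.txt"),
]

def scan(events=EVENTS) -> List[Finding]:
    """Run assess() over (image, cmdline) pairs and keep the events that score."""
    return [f for f in (assess(img, cmd) for img, cmd in events) if f]
```

Only the first constructed event is flagged; a normal Edge launch and a non-browser process produce no finding.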
A January 28 sample uploaded from Russia shows a similar infection chain but connects to gnome.com instead of downloading the backdoor. Researchers believe it represents early campaign activity linked to the same threat actor.
“The analysis conducted indicates that DRILLAPP is a recent artifact that is still in an early stage of development. One of the most notable aspects is the use of the browser to deploy a backdoor, which suggests that the attackers are exploring new ways to evade detection.” concludes the report. “The browser is advantageous for this type of activity because it is a common and generally non‑suspicious process, it offers extended capabilities accessible through debugging parameters that enable unsafe actions such as downloading remote files, and it provides legitimate access to sensitive resources such as the microphone, camera, or screen recording without triggering immediate alerts.”