LAB52, the threat intelligence division of S2 Grupo, reports that various Ukrainian entities have been targeted by a new cyber campaign attributed to Russian-affiliated threat actors. The campaign, traced back to February 2026, resembles earlier activity by the group known as Laundry Bear (also tracked as UAC-0190 or Void Blizzard), which previously targeted the Ukrainian defense sector with a malware family called PLUGGYAPE.
Technical Details of the DRILLAPP Backdoor
The current attack employs judicial and charity-themed lures to deliver a JavaScript-based backdoor, operating through the Microsoft Edge browser. The malware, dubbed DRILLAPP, has capabilities including file uploads and downloads, microphone access, and webcam image capture, utilizing the browser’s functionalities to maintain stealth.
According to cybersecurity experts, two different versions of this campaign have been discovered. The first, detected in early February, uses a Windows shortcut (LNK) file to create an HTML Application (HTA) in the system's temporary folder. The HTA then executes a remote script hosted on Pastefy, a legitimate paste service, and establishes persistence by placing LNK files in the Windows Startup folder.
Advanced Evasion Techniques
The Microsoft Edge browser is executed in headless mode with command-line parameters that grant it extensive system access. These parameters enable file system access, camera, microphone, and screen capture capabilities without alerting the user. The HTML file then loads a remote, obfuscated script, furthering the attack's stealth and effectiveness.
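The infection chain described in the two paragraphs above (LNK drops an HTA in Temp, the HTA launches a headless browser, a shortcut is written to the Startup folder) leaves a recognisable trail in endpoint telemetry. The following is an added, defender-side example and is not code from LAB52 or from the original report: it runs three hunting checks over constructed, Sysmon-style process-creation and file-creation records. The field names, user paths, PIDs and file names are assumptions for illustration, not observed indicators; the only command-line switch matched is the generic Chromium `--headless` flag, because the report does not name the other parameters.

```python
"""Hunt for the LNK -> HTA -> headless-browser -> Startup-shortcut chain in
constructed, Sysmon-style endpoint records.  All sample events below are
made up for illustration; none are real indicators from the campaign."""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ProcEvent:
    """One process-creation record (Sysmon event 1 style; field names assumed)."""
    pid: int
    image: str          # full path of the new process
    cmdline: str        # its command line
    parent_image: str   # full path of the parent process


@dataclass
class FileEvent:
    """One file-creation record (Sysmon event 11 style; field names assumed)."""
    process_image: str  # process that wrote the file
    target_path: str    # path of the file written


# Script hosts that should not normally be launching a headless browser.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe"}
BROWSERS = {"msedge.exe", "chrome.exe"}

# An .hta executed out of a Temp directory (the HTA dropped by the LNK).
TEMP_HTA_RE = re.compile(r'\\Temp\\[^\\\s"]+\.hta\b', re.IGNORECASE)
# An .lnk written into the per-user Startup folder (the persistence step).
STARTUP_LNK_RE = re.compile(r'\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$', re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def hunt(proc_events: List[ProcEvent], file_events: List[FileEvent]) -> List[Tuple[str, object]]:
    """Return (finding_kind, detail) tuples for every record matching a stage of the chain."""
    findings: List[Tuple[str, object]] = []
    for e in proc_events:
        image, parent = basename(e.image), basename(e.parent_image)
        # Stage 1: mshta.exe running an HTA out of Temp.
        if image == "mshta.exe" and TEMP_HTA_RE.search(e.cmdline):
            findings.append(("hta_from_temp", e.pid))
        # Stage 2: a browser started headless by a script host rather than by the user.
        if image in BROWSERS and "--headless" in e.cmdline.lower() and parent in SCRIPT_HOSTS:
            findings.append(("headless_browser_from_script_host", e.pid))
    for f in file_events:
        # Stage 3: a script host or browser dropping a shortcut into Startup.
        writer = basename(f.process_image)
        if STARTUP_LNK_RE.search(f.target_path) and writer in SCRIPT_HOSTS | BROWSERS:
            findings.append(("startup_lnk_write", writer))
    return findings


# Constructed sample telemetry: one benign and two suspicious process events,
# one benign and one suspicious file event.
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
SAMPLE_PROC = [
    # Benign: the user opens Edge from the desktop.
    ProcEvent(4001, EDGE, r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default',
              r"C:\Windows\explorer.exe"),
    # Suspicious: a shortcut-spawned HTA running out of Temp.
    ProcEvent(4101, r"C:\Windows\System32\mshta.exe",
              r'mshta.exe "C:\Users\alice\AppData\Local\Temp\invite.hta"',
              r"C:\Windows\explorer.exe"),
    # Suspicious: the HTA starts Edge headless on a local HTML file.
    ProcEvent(4102, EDGE,
              r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless C:\Users\alice\AppData\Local\Temp\page.html',
              r"C:\Windows\System32\mshta.exe"),
]
SAMPLE_FILE = [
    # Benign: the user pins a shortcut via Explorer (not a script host).
    FileEvent(r"C:\Windows\explorer.exe",
              r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notes.lnk"),
    # Suspicious: the HTA writes its own shortcut into Startup.
    FileEvent(r"C:\Windows\System32\mshta.exe",
              r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"),
]


def run_sample() -> List[Tuple[str, object]]:
    """Run the hunt over the constructed sample; yields three findings."""
    return hunt(SAMPLE_PROC, SAMPLE_FILE)


if __name__ == "__main__":
    for kind, detail in run_sample():
        print(kind, detail)
```

Each check alone is weak (administrators do run HTAs and headless browsers), so the value comes from correlating the stages on one host within a short window; the example keeps them as separate findings so a SIEM rule can require two or more before alerting.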
DRILLAPP also employs canvas fingerprinting to create a unique device fingerprint, which is sent along with the victim's location, inferred from the device's time zone. The malware checks for time zones corresponding to major countries and defaults to the U.S. if no match is found. This lets the operators tailor the attack to specific geopolitical targets.
Evolution and Future Implications
A second version of the campaign, identified in late February 2026, replaces LNK files with Windows Control Panel modules, though the infection process remains largely unchanged. This version of DRILLAPP has been enhanced to allow recursive file operations and command execution, increasing its potential impact.
LAB52 notes that the backdoor is still under development, with early variants merely communicating with a domain rather than deploying the full payload. The use of a browser as the attack vector highlights a strategic shift by threat actors towards more covert methods of operation.
As this campaign unfolds, the use of browsers to deploy backdoors underscores the need for heightened vigilance. Because browsers are ubiquitous and generally regarded as benign, their built-in capabilities can be repurposed for malicious activity, making them an attractive tool for cyber espionage.
