DRILLAPP Backdoor

Cybersecurity analysts have identified a new threat campaign targeting Ukrainian organizations, with indicators suggesting involvement from actors linked to Russia. The activity, first observed in February 2026, shows technical overlaps with a previous operation attributed to the group known as Laundry Bear (also tracked as UAC-0190 or Void Blizzard). That earlier campaign targeted Ukrainian defense forces and deployed a malware family called PLUGGYAPE.

The latest operation introduces a JavaScript-based backdoor executed through the Microsoft Edge browser. The malware, referred to by researchers as DRILLAPP, is designed to exploit browser capabilities in order to upload and download files, access the microphone, and capture images from the victim's webcam.

Attackers rely on social engineering tactics to distribute the malicious components. Lures referencing legal matters or charitable causes are used to encourage victims to open malicious files and initiate the infection chain.

Deceptive Lures and Initial Infection Method

The campaign has been observed in two distinct variants. The first version, detected in early February 2026, uses a Windows shortcut (LNK) file as the initial delivery mechanism. When executed, the shortcut creates an HTML Application (HTA) file within the system's temporary directory. This HTA file then retrieves a remote script hosted on the legitimate paste-sharing service Pastefy.

To maintain persistence on compromised systems, the attackers copy the malicious LNK file into the Windows Startup folder, ensuring it automatically executes after each system reboot. Once the infection chain begins, victims are shown decoy content whose URLs reference themes such as instructions for installing Starlink or the Ukrainian charity Come Back Alive Foundation.

The HTA file ultimately launches through the Microsoft Edge browser operating in headless mode, allowing the browser to execute the obfuscated script retrieved from Pastefy without displaying a standard browser window.

Exploiting Browser Parameters for Stealth Access

To maximize its capabilities, the malicious process launches the Edge browser with multiple parameters that weaken built-in security protections and enable unauthorized access to sensitive system resources.

These parameters allow the browser instance to bypass typical safeguards and perform actions normally restricted by browser security models. The configuration effectively enables the malware to access local files, capture audio and video streams, and record screen activity without requiring any interaction from the victim.

Key browser parameters used in the attack include:

  • --no-sandbox
  • --disable-web-security
  • --allow-file-access-from-files
  • --use-fake-ui-for-media-stream
  • --auto-select-screen-capture-source=true
  • --disable-user-media-security

By abusing these settings, the browser becomes a functional component of the malware infrastructure rather than merely a delivery platform.

Browser-Based Backdoor and Surveillance Capabilities

The DRILLAPP artifact functions as a lightweight but versatile backdoor. Once active, it enables attackers to interact with the infected system through browser-enabled capabilities, effectively transforming the browser into a remote surveillance tool.

The malware is capable of performing several operations that allow extensive monitoring and data collection from compromised devices.

Core capabilities include:

  • Uploading and downloading files from the local system
  • Capturing audio through the device microphone
  • Recording video through the webcam
  • Taking screenshots of the system display
  • Generating a unique device fingerprint using canvas fingerprinting techniques

During its first execution, the malware generates a device fingerprint and uses Pastefy as a 'dead-drop resolver' to retrieve a WebSocket address used for command-and-control communications. This architecture allows attackers to dynamically redirect infected systems to their operational infrastructure.

The backdoor also transmits the device fingerprint alongside the victim's inferred geographic location. Location is determined from the system's time zone and checked against a predefined list that includes the United Kingdom, Russia, Germany, France, China, Japan, the United States, Brazil, India, Ukraine, Canada, Australia, Italy, Spain, and Poland. If the time zone does not match any of these regions, the malware defaults to identifying the system as located in the United States.

Evolving Techniques in the Second Campaign Variant

A second version of the campaign surfaced in late February 2026, introducing several modifications while maintaining the overall attack structure. Instead of relying on LNK shortcut files, the updated variant uses Windows Control Panel modules as the initial delivery mechanism.

The backdoor component itself also received functional upgrades. These enhancements allow the malware to perform deeper file system operations and improve its ability to exfiltrate data from infected environments.

Notable improvements include recursive file enumeration, batch file uploads, and the ability to download arbitrary files directly onto the compromised system.

Bypassing JavaScript Restrictions with Chromium Debugging Tools

Standard JavaScript security restrictions typically prevent remote code from directly downloading files onto a victim's system. To circumvent this limitation, the attackers leverage the Chrome DevTools Protocol (CDP), an internal debugging interface used by Chromium-based browsers.

CDP can only be accessed when the browser is launched with the --remote-debugging-port parameter enabled. By activating this debugging functionality, the attackers gain the ability to control browser behavior programmatically and bypass typical client-side restrictions, enabling remote file downloads that would otherwise be blocked.
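The launch pattern described in this section and in the parameter list earlier (a headless Edge carrying security-weakening switches, or a headless Edge with --remote-debugging-port exposing CDP) is a workable process-creation detection signature. The following is an added example, not code from the original write-up; it scores constructed Windows process-creation events, and the browser image names, the script-host parent heuristic (mshta.exe is the Windows host for HTA files) and the sample command lines are assumptions of the example.

```python
import shlex
# Edge/Chromium switches the write-up reports DRILLAPP passing, plus --headless
# and --remote-debugging-port (the CDP entry point discussed in the text).
RISKY_FLAGS = {
    "--no-sandbox", "--disable-web-security", "--allow-file-access-from-files",
    "--use-fake-ui-for-media-stream", "--auto-select-screen-capture-source",
    "--disable-user-media-security", "--remote-debugging-port", "--headless",
}
BROWSER_EXES = {"msedge.exe", "chrome.exe", "chromium.exe"}
# Assumption: script hosts (mshta.exe runs HTA files) should rarely spawn a browser.
SCRIPT_HOST_PARENTS = {"mshta.exe", "wscript.exe", "cscript.exe"}

def parse_cmdline(cmdline):
    """Return (image name, set of --switch names) from a Windows command line."""
    tokens = shlex.split(cmdline, posix=False)  # non-POSIX mode keeps backslash paths intact
    if not tokens:
        return "", set()
    image = tokens[0].strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()
    return image, {t.split("=", 1)[0].lower() for t in tokens[1:] if t.startswith("--")}

def assess_launch(parent, cmdline):
    """Score one process-creation event; returns (verdict, matched switches)."""
    image, switches = parse_cmdline(cmdline)
    if image not in BROWSER_EXES:
        return "ignore", []
    hits = sorted(switches & RISKY_FLAGS)
    weakening = [h for h in hits if h != "--headless"]
    # Headless plus CDP, or headless plus several weakening switches, is the pattern above.
    if "--headless" in hits and ("--remote-debugging-port" in hits or len(weakening) >= 2):
        return "high", hits
    if parent.lower() in SCRIPT_HOST_PARENTS or len(weakening) >= 2:
        return "medium", hits
    return ("low" if hits else "ignore"), hits

def triage(events):
    """Score every (parent, cmdline) event and keep those that are not ignored."""
    scored = [(assess_launch(p, c), p) for p, c in events]
    return [(v, p, h) for (v, h), p in scored if v != "ignore"]

# Constructed sample process-creation events: (parent image, command line).
EDGE = '"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"'
SAMPLE_EVENTS = [
    ("explorer.exe", EDGE + " --profile-directory=Default"),
    ("mshta.exe", EDGE + " --headless --no-sandbox --disable-web-security --allow-file-access-from-files"
     " --use-fake-ui-for-media-stream --auto-select-screen-capture-source=true --disable-user-media-security"),
    ("cmd.exe", EDGE + " --headless --remote-debugging-port=9222 about:blank"),
    ("mshta.exe", EDGE + " https://example.invalid/decoy"),
    ("mshta.exe", '"C:\\Windows\\System32\\notepad.exe" --headless'),
]
```

Feed real Sysmon Event ID 1 or EDR process-creation records into `triage` as (ParentImage, CommandLine) pairs; the "medium" tier catches a script host spawning a browser even before any switches are seen.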

Early Development Indicators and Experimental Infrastructure

Evidence suggests that the malware is still under active development. An early variant discovered in the wild on January 28, 2026, communicated exclusively with the domain 'gnome.com' rather than retrieving its primary payload from Pastefy.

This behavior indicates that the threat actors may still be refining both their infrastructure and the operational capabilities of the backdoor.

Browser Abuse as an Emerging Evasion Strategy

One of the most significant aspects of the campaign is the deliberate use of a web browser as the primary execution environment for the backdoor. This approach highlights a growing trend in which attackers repurpose legitimate software to evade detection.

Browsers provide several advantages for malicious operations. They are widely used and typically considered benign processes, reducing the likelihood of immediate suspicion. Additionally, browser debugging parameters can unlock powerful capabilities that enable otherwise restricted actions, such as remote file downloads and extensive system access.

Furthermore, browsers maintain legitimate permissions to interact with sensitive hardware resources, including microphones, cameras, and screen-capture mechanisms, which allows attackers to perform surveillance activities while blending into normal system behavior.
