DRILLAPP Backdoor Uses Edge Debugging to Target Ukraine
S2 Grupo’s LAB52 said a new JavaScript backdoor called DRILLAPP has been used in a campaign that targeted Ukrainian organizations in February 2026. LAB52 assessed that the activity overlaps with earlier operations by a group known as Laundry Bear, also tracked as UAC-0190 or Void Blizzard, which previously used a malware family called PLUGGYAPE.
According to LAB52, DRILLAPP abuses Microsoft Edge by launching the browser in headless mode with remote debugging enabled to bypass normal security controls. “For security reasons, JavaScript does not allow the remote downloading of files,” LAB52 said. “This is why the attackers use the Chrome DevTools Protocol (CDP), an internal protocol of Chromium-based browsers that can only be used when the --remote-debugging-port parameter is enabled.”
LAB52 described how the first observed variant used a Windows shortcut (LNK) to drop an HTML Application (HTA) in the temporary folder and then load an obfuscated remote script hosted on the paste service Pastefy. The shortcut is copied to the Windows Startup folder to run after reboot, LAB52 said, with lure pages themed around Starlink installation or a Ukrainian charity called Come Back Alive Foundation.
When executed, the attack runs Edge with parameters such as --no-sandbox, --disable-web-security, --allow-file-access-from-files, --use-fake-ui-for-media-stream, --auto-select-screen-capture-source=true, and --disable-user-media-security. LAB52 said these options grant the browser access to the local file system, camera, microphone, and screen capture without user interaction.
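The combination of switches described above is unusual for an interactive browser session, which makes process-creation telemetry a practical place to catch it. The following detector is an added example written for this article, not code from LAB52 or from the malware; it scores browser launches by which of the switch groups quoted above appear together on the command line. The record layout (Image, CommandLine, ParentImage, ProcessId fields), the list of suspicious parent images, the severity thresholds, and the sample events are all assumptions constructed for the example.

```python
"""Flag Chromium-based browser launches that pair remote debugging with
switches that disable hardening or silence media-permission prompts.

Example detector written for this article (not LAB52's or the malware's code).
Input records are assumed to look like Sysmon process-creation events
(Image, CommandLine, ParentImage, ProcessId); adapt the field names to your
telemetry source.
"""
import re
from dataclasses import dataclass, field

# Browser binaries to inspect; install paths vary, so compare basenames only.
BROWSER_IMAGES = {"msedge.exe", "chrome.exe", "chromium.exe"}

# Switch groups taken from the LAB52 description, grouped by effect.
REMOTE_DEBUG_FLAGS = {"--remote-debugging-port", "--remote-debugging-pipe"}
HARDENING_OFF_FLAGS = {"--no-sandbox", "--disable-web-security",
                       "--allow-file-access-from-files"}
MEDIA_FLAGS = {"--use-fake-ui-for-media-stream",
               "--auto-select-screen-capture-source",
               "--disable-user-media-security"}
HEADLESS_FLAGS = {"--headless"}

# Assumption: the article mentions HTA and Control Panel stages; these are
# the parent images such stages would normally run under. Adjust as needed.
SUSPICIOUS_PARENTS = {"mshta.exe", "rundll32.exe", "control.exe",
                      "wscript.exe", "cscript.exe"}


@dataclass
class Finding:
    pid: int
    image: str
    parent: str
    severity: str
    matched: list = field(default_factory=list)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_flags(cmdline: str) -> set:
    """Return the set of '--switch' names in a command line, values stripped."""
    return {m.lower() for m in re.findall(r"--[\w-]+", cmdline)}


def assess(event: dict):
    """Return a Finding for a debug-enabled browser launch, else None."""
    image = basename(event["Image"])
    if image not in BROWSER_IMAGES:
        return None
    flags = parse_flags(event["CommandLine"])
    debug = flags & REMOTE_DEBUG_FLAGS
    if not debug:
        return None  # remote debugging is the precondition for CDP abuse
    hardening_off = flags & HARDENING_OFF_FLAGS
    media = flags & MEDIA_FLAGS
    headless = flags & HEADLESS_FLAGS
    parent = basename(event.get("ParentImage", ""))

    # Assumed scoring: each extra signal raises confidence; remote debugging
    # alone is common in developer and test-automation use, so it stays low.
    score = 0
    score += 2 if hardening_off else 0
    score += 2 if media else 0
    score += 1 if headless else 0
    score += 2 if parent in SUSPICIOUS_PARENTS else 0
    severity = "high" if score >= 4 else "medium" if score >= 1 else "low"
    matched = sorted(debug | hardening_off | media | headless)
    return Finding(event["ProcessId"], image, parent, severity, matched)


def scan(events):
    """Run assess() over a batch of records and keep the hits."""
    return [f for f in map(assess, events) if f is not None]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "ParentImage": r"C:\Windows\System32\mshta.exe",
     "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": ("msedge.exe --headless --remote-debugging-port=9222 "
                     "--no-sandbox --disable-web-security "
                     "--allow-file-access-from-files "
                     "--use-fake-ui-for-media-stream "
                     "--auto-select-screen-capture-source=true "
                     "--disable-user-media-security")},
    {"ProcessId": 5312, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": "chrome.exe --remote-debugging-port=9222"},
    {"ProcessId": 6001, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": "msedge.exe --profile-directory=Default"},
    {"ProcessId": 7044, "ParentImage": r"C:\Python\python.exe",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": "chrome.exe --headless=new --remote-debugging-port=9333"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] pid={f.pid} {f.image} parent={f.parent} "
              f"flags={' '.join(f.matched)}")
```

The scoring deliberately keeps a bare --remote-debugging-port launch at "low" so that developer and test-automation use does not flood a queue; the hardening and media groups, and a script-host parent, are what separate the campaign's launch pattern from ordinary use.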
LAB52 noted that the browser-based backdoor can upload and download files, capture audio from the microphone, take pictures from the webcam, and record the screen. The malware also creates a device fingerprint using canvas fingerprinting and uses Pastefy as a dead drop resolver to fetch a WebSocket URL for command and control communications, LAB52 said.
In late February 2026 LAB52 observed a second variant that replaced the LNK stage with malicious Windows Control Panel modules while keeping the core browser-based execution. LAB52 added that the backdoor was upgraded to support recursive file enumeration, batch uploads, and arbitrary file downloads.
LAB52 described the tool as likely still under development and pointed to an early sample dated January 28, 2026 that communicated only with the domain gnome[.]com before the Pastefy-based distribution was seen.
“One of the most notable aspects is the use of the browser to deploy a backdoor, which suggests that the attackers are exploring new ways to evade detection,” LAB52 said. “The browser is advantageous for this type of activity because it is a common and generally non-suspicious process, it offers extended capabilities accessible through debugging parameters that enable unsafe actions such as downloading remote files, and it provides legitimate access to sensitive resources such as the microphone, camera, or screen recording without triggering immediate alerts.”
#cybersecurity #malware #Ukraine #edgebrowser #threatintel