{"id":278,"date":"2026-03-16T10:38:35","date_gmt":"2026-03-16T10:38:35","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=278"},"modified":"2026-03-16T10:38:35","modified_gmt":"2026-03-16T10:38:35","slug":"drillapp-backdoor-targets-ukraine-abuses-microsoft-edge-debugging-for-stealth-espionage","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=278","title":{"rendered":"DRILLAPP Backdoor Targets Ukraine, Abuses Microsoft Edge Debugging for Stealth Espionage"},"content":{"rendered":"<div id=\"articlebody\">\n<p>Ukrainian entities have emerged as the target of a new campaign likely orchestrated by threat actors linked to Russia, according to a report from S2 Grupo&#8217;s LAB52 threat intelligence team.<\/p>\n<p>The campaign, <a href=\"https:\/\/lab52.io\/blog\/drillapp-new-backdoor-targeting-ukrainian-entities-with-possible-links-to-laundry-bear\/\">observed<\/a> in February 2026, has been assessed to share overlaps with a prior campaign mounted by Laundry Bear (aka UAC-0190 or Void Blizzard) aimed at Ukrainian defense forces with a malware family known as PLUGGYAPE.<\/p>\n<p>The attack activity \u00abemploys various judicial and charity themed lures to deploy a JavaScript\u2011based backdoor that runs through the Edge browser,\u00bb the cybersecurity company said. 
Codenamed <strong>DRILLAPP<\/strong>, the malware is capable of uploading and downloading files, leveraging the microphone, and capturing images through the webcam by taking advantage of the web browser&#8217;s features.<\/p>\n<p>Two different versions of the campaign have been identified, with the first iteration detected in early February by making use of a Windows shortcut (LNK) file to create an HTML Application (HTA) in the temporary folder, which then loads a remote script hosted on Pastefy, a legitimate paste service.<\/p>\n<p>To establish persistence, the LNK files are copied to the Windows Startup folder so that they are automatically launched following a system reboot. 
The attack chain then displays a URL containing lures related to installing Starlink or a Ukrainian charity named Come Back Alive Foundation.<\/p>\n<p>The HTML file is eventually executed via the Microsoft Edge browser in <a href=\"https:\/\/en.wikipedia.org\/wiki\/Headless_browser\">headless mode<\/a>, which then loads the remote obfuscated script hosted on Pastefy.<\/p>\n<p>The browser is executed with additional parameters like --no-sandbox, --disable-web-security, --allow-file-access-from-files, --use-fake-ui-for-media-stream, --auto-select-screen-capture-source=true, and --disable-user-media-security, granting it access to the local file system, as well as camera, microphone, and screen capture without requiring any user interaction.<\/p>\n<div class=\"separator\" style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi1aAJG38sglu5mCXzEeN4sPJuXRmQmzD0hAacZH8ZLmMj91KNzfkY277d7-IUBApMShbNfKhAh3VkWby75Ewd-GrKypXi9HdvUctBGPy6wbtc2O0NWMgdr1mLEEkg4us70GK70YTJosE16KL8iC6PI3mEzYZyTbPz5FZnmwft0iizYqY6U0_0iwn9VqCGC\/s1700-e365\/camera.png\" style=\"clear: left; display: block; float: left;  text-align: center;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi1aAJG38sglu5mCXzEeN4sPJuXRmQmzD0hAacZH8ZLmMj91KNzfkY277d7-IUBApMShbNfKhAh3VkWby75Ewd-GrKypXi9HdvUctBGPy6wbtc2O0NWMgdr1mLEEkg4us70GK70YTJosE16KL8iC6PI3mEzYZyTbPz5FZnmwft0iizYqY6U0_0iwn9VqCGC\/s1700-e365\/camera.png\" alt=\"\" border=\"0\" data-original-height=\"436\" data-original-width=\"1024\"\/><\/a><\/div>\n<p>The artifact essentially functions as a lightweight backdoor to facilitate file system access and capture audio from the microphone, video from the camera, and images of the device&#8217;s screen all through the browser. 
It also generates a device fingerprint using a technique called <a href=\"https:\/\/en.wikipedia.org\/wiki\/Canvas_fingerprinting\">canvas fingerprinting<\/a> when run for the first time and uses Pastefy as a dead drop resolver to fetch a WebSocket URL used for command\u2011and\u2011control (C2) communications.<\/p>\n<p>The malware transmits the device fingerprint data along with the victim&#8217;s country, which is determined from the machine&#8217;s time zone. It specifically checks if the time zones correspond to the U.K., Russia, Germany, France, China, Japan, the U.S., Brazil, India, Ukraine, Canada, Australia, Italy, Spain, and Poland. If that&#8217;s not the case, it defaults to the U.S.<\/p>\n<p>The second version of the campaign, spotted in late February 2026, eschews LNK files for Windows Control Panel modules, while keeping the infection sequence largely intact. Another notable change involves the backdoor itself, which has now been upgraded to allow recursive file enumeration, batch file uploads, and arbitrary file download.<\/p>\n<p>\u00abFor security reasons, JavaScript does not allow the remote downloading of files,\u00bb LAB52 said. 
\u00abThis is why the attackers use the Chrome DevTools Protocol (CDP), an internal protocol of Chromium\u2011based browsers that can only be used when the --remote-debugging-port parameter is enabled.\u00bb<\/p>\n<p>It&#8217;s believed that the backdoor is still in the initial stages of development. An early variant of the malware detected in the wild on January 28, 2026, has been observed just communicating with the domain \u00abgnome[.]com\u00bb instead of downloading the primary payload from Pastefy.<\/p>\n<p>\u00abOne of the most notable aspects is the use of the browser to deploy a backdoor, which suggests that the attackers are exploring new ways to evade detection,\u00bb the Spanish security vendor said.<\/p>\n<p>\u00abThe browser is advantageous for this type of activity because it is a common and generally non\u2011suspicious process, it offers extended capabilities accessible through debugging parameters that enable unsafe actions such as downloading remote files, and it provides legitimate access to sensitive resources such as the microphone, camera, or screen recording without triggering immediate alerts.\u00bb<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Ukrainian entities have emerged as the target of a new campaign likely orchestrated by threat actors linked to Russia, according to a report from S2 Grupo&#8217;s LAB52 threat intelligence 
team.&hellip;<\/p>\n","protected":false},"author":1,"featured_media":279,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[226,179,690,689,568,691,147,570,78,451],"class_list":["post-278","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-abuses","tag-backdoor","tag-debugging","tag-drillapp","tag-edge","tag-espionage","tag-microsoft","tag-stealth","tag-targets","tag-ukraine"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/278","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=278"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/278\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/279"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=278"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=278"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=278"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}