DRILLAPP Malware Exploits Microsoft Edge to Infiltrate Ukrainian Entities

In February 2026, cybersecurity researchers from S2 Grupo’s LAB52 identified a sophisticated cyber espionage campaign targeting Ukrainian organizations. This operation, attributed to threat actors with potential Russian affiliations, employs a novel JavaScript-based backdoor named DRILLAPP. This malware leverages Microsoft Edge’s debugging features to clandestinely infiltrate systems, enabling unauthorized access to sensitive data.

Campaign Overview

The DRILLAPP campaign exhibits similarities to previous attacks by the group known as Laundry Bear (also referred to as UAC-0190 or Void Blizzard), which had previously targeted Ukrainian defense forces using the PLUGGYAPE malware. In this latest campaign, attackers utilize deceptive themes related to legal and charitable organizations to entice victims into executing malicious code.

Infection Mechanism

The attack unfolds in two distinct phases:

1. Initial Phase (Early February 2026): Victims receive a Windows shortcut (LNK) file that, when executed, creates an HTML Application (HTA) in the system’s temporary folder. This HTA file then loads a remote script hosted on Pastefy, a legitimate paste service. To ensure persistence, the LNK file is copied to the Windows Startup folder, causing it to execute automatically upon system reboot. The attack chain culminates in displaying a URL with lures related to installing Starlink services or supporting the Ukrainian charity Come Back Alive Foundation.

2. Advanced Phase (Late February 2026): The attackers shift from using LNK files to Windows Control Panel modules, maintaining a similar infection sequence. Notably, the DRILLAPP backdoor is enhanced to support recursive file enumeration, batch file uploads, and arbitrary file downloads.

Technical Exploitation

A critical aspect of DRILLAPP's operation is its abuse of Microsoft Edge's headless mode. By launching the browser with switches such as `--no-sandbox`, `--disable-web-security`, and `--allow-file-access-from-files`, the malware gains extensive access to the local file system, camera, microphone, and screen capture functionality without user consent. This method allows the backdoor to perform the following actions:

– File Operations: Access and manipulate files on the infected system.

– Audio and Video Capture: Record audio through the microphone and video via the webcam.

– Screen Capture: Take screenshots of the device’s display.

Additionally, DRILLAPP employs canvas fingerprinting to generate a unique identifier for each infected device. It uses Pastefy as a dead drop resolver to retrieve a WebSocket URL for command-and-control (C2) communications. The malware also determines the victim’s country based on the system’s time zone, specifically checking for time zones corresponding to the U.K., Russia, Germany, France, China, Japan, the U.S., Brazil, India, Ukraine, Canada, Australia, Italy, Spain, and Poland. If the time zone does not match any of these countries, it defaults to the U.S.

Advanced Capabilities

In its more recent iteration, DRILLAPP uses the Chrome DevTools Protocol (CDP) to bypass JavaScript's restrictions on remote file downloads. By enabling the `--remote-debugging-port` switch, the malware can issue commands that facilitate unauthorized file transfers, further enhancing its espionage capabilities.
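The launch pattern described in the two sections above (headless Edge combined with the sandbox, same-origin and remote-debugging switches) is visible in process-creation telemetry. The following is an added detection example written for this write-up, not code from LAB52 or the DRILLAPP sample; it assumes Sysmon Event ID 1 style fields (`Image`, `ParentImage`, `CommandLine`) and uses constructed sample events, and the list of suspect parent processes is an assumption drawn from the HTA and Control Panel stages rather than something the report states.

```python
import re
# Chromium/Edge switches named in the DRILLAPP write-up. Headless mode plus
# any of the others is a combination a user-driven Edge session does not produce.
HEADLESS = "--headless"
BYPASS_SWITCHES = {"--no-sandbox", "--disable-web-security",
                   "--allow-file-access-from-files", "--remote-debugging-port"}
# Parents that run the lure stages described above (HTA -> mshta.exe,
# Control Panel module -> control.exe / rundll32.exe). Assumed, not from the page.
SUSPECT_PARENTS = {"mshta.exe", "control.exe", "rundll32.exe"}

def basename(path: str) -> str:
    """Last component of a Windows or POSIX path, lower-cased."""
    return re.split(r"[\\/]", path.strip().strip('"'))[-1].lower()

def switches_of(command_line: str) -> set:
    """Switch names in a command line, with any '=value' suffix removed."""
    return {tok.split("=", 1)[0].lower()
            for tok in command_line.split() if tok.startswith("--")}

def assess(event: dict) -> dict:
    """Score one process-creation event (Sysmon Event ID 1 style fields)."""
    if basename(event["Image"]) != "msedge.exe":
        return {"suspicious": False, "matched": [], "parent_hit": False}
    found = switches_of(event["CommandLine"])
    matched = sorted(found & BYPASS_SWITCHES)
    parent_hit = basename(event.get("ParentImage", "")) in SUSPECT_PARENTS
    # Flag headless Edge carrying any bypass switch; parent is returned as context.
    return {"suspicious": HEADLESS in found and bool(matched),
            "matched": matched, "parent_hit": parent_hit}

def triage(events: list) -> list:
    """Return only the flagged events, each with its verdict attached."""
    return [dict(e, verdict=assess(e)) for e in events if assess(e)["suspicious"]]

# Constructed sample events, not real telemetry.
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
SAMPLE_EVENTS = [
    {"Image": EDGE, "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "msedge.exe --headless=new --no-sandbox --disable-web-security "
                    "--allow-file-access-from-files --remote-debugging-port=9222 "
                    "file:///C:/Users/user/AppData/Local/Temp/page.html"},
    {"Image": EDGE, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "msedge.exe --profile-directory=Default https://example.org"},
    {"Image": r"C:\Tools\node.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "node.exe --no-sandbox script.js"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["verdict"], hit["CommandLine"][:70])
```

Browser automation frameworks launch headless Edge with some of the same switches, so the `parent_hit` flag and an allowlist of known automation hosts are what keep this rule from paging on test infrastructure.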

Implications and Recommendations

The DRILLAPP campaign underscores the evolving tactics of cyber adversaries targeting Ukrainian entities. By exploiting legitimate browser features, attackers can achieve deep system penetration while evading traditional security measures.

To mitigate such threats, organizations are advised to:

– Exercise Caution with Email Attachments: Avoid opening unsolicited attachments, especially those with LNK or HTA extensions.

– Implement Robust Security Protocols: Regularly update and patch software to close vulnerabilities that could be exploited by malware.

– Monitor System Behavior: Utilize endpoint detection and response (EDR) solutions to identify and respond to unusual activities indicative of malware infection.

– Educate Personnel: Conduct regular training sessions to raise awareness about phishing tactics and the importance of cybersecurity hygiene.

By adopting these measures, organizations can enhance their resilience against sophisticated cyber threats like DRILLAPP.