Threat Intel · HIGH

Threat Intel - DRILLAPP Backdoor Targets Ukraine for Espionage

Source: The Hacker News
2 sources · Summary by CyberPings Editorial · AI-assisted · Reviewed by Rohit Rana

Basically, a new piece of malware is spying on Ukrainian targets through a web browser.

Quick Summary

A new malware family named DRILLAPP is targeting Ukrainian entities for espionage. Attributed to Russia-linked threat actors, it abuses Microsoft Edge to operate stealthily on infected machines. This poses significant risks to national security.

The Threat

In February 2026, Ukrainian entities became the focus of a new cyber espionage campaign. The attack is attributed to threat actors connected to Russia, specifically the group known as Laundry Bear (also tracked as UAC-0190 or Void Blizzard). The malware, codenamed DRILLAPP, takes an unusual approach: it runs its operations inside the Microsoft Edge browser, which makes it a stealthy threat.

DRILLAPP functions as a backdoor, allowing attackers to upload and download files, access the microphone, and capture images through the webcam. This is particularly alarming because the activity originates from a legitimate browser process and so does not raise immediate suspicion.

Who's Behind It

The campaign is linked to Laundry Bear, a group known for targeting Ukrainian defense forces in previous attacks. The malware was first detected in early February 2026. Delivery starts with a Windows shortcut (LNK) file that executes an HTML Application (HTA), which in turn loads a remote script from Pastefy, a legitimate paste service. This delivery chain is a hallmark of the group's tactics and shows how readily it adapts its tooling.

The attackers use a range of lures, including themes related to judicial and charitable organizations, to entice users into executing the malware. Such social engineering is a common tactic in cyber espionage: it lowers the target's guard and gets the first stage running.

Tactics & Techniques

DRILLAPP runs a series of commands that launch Microsoft Edge in headless mode, so its malicious activity has no visible user interface and its presence is harder to notice. Edge is started with command-line parameters that relax the browser's normal permission prompts and restrictions, giving the browser-hosted backdoor access to resources, such as the microphone and webcam, that would ordinarily require the user's consent.

One of the most notable techniques is canvas fingerprinting, which generates a unique identifier for the device so the attackers can track individual victims. The malware also checks the infected machine's time zone to infer the victim's location, focusing on countries such as Ukraine, the U.S., and several European nations. This targeting indicates a deliberate, geographically scoped approach to espionage.

Defensive Measures

To protect against threats like DRILLAPP, users and organizations should prioritize robust security practices: keep software patched, deploy capable threat detection, and train staff to recognize phishing attempts and suspicious shortcut or HTA files.

Additionally, endpoint protection that flags unusual behaviors, such as a browser process spawned from a script host, a headless browser session, or unexpected access to the microphone or camera, can help mitigate the risk. As tactics evolve, staying informed and maintaining a proactive security posture remains essential for safeguarding sensitive information.
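Detection logic for the delivery chain and headless-browser behaviour described above, as an added example that is not code from the article or any of the cited sources: it flags mshta.exe launching a remote script and a headless msedge.exe whose parent chain leads back to mshta.exe. The process records, hostnames and URL paths are constructed placeholders, not indicators from the campaign.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record (constructed sample, not real telemetry)."""
    pid: int
    ppid: int
    image: str      # executable name, lower-case
    cmdline: str


# Constructed sample telemetry: hostnames and paths are placeholders.
SAMPLE_EVENTS = [
    ProcessEvent(100, 1, "explorer.exe", "explorer.exe"),
    # LNK -> HTA stage: mshta pulls a remote script, as the article describes
    ProcessEvent(200, 100, "mshta.exe", 'mshta.exe "https://pastefy.example/raw/PLACEHOLDER"'),
    # backdoor stage: headless Edge spawned by the HTA host
    ProcessEvent(300, 200, "msedge.exe", "msedge.exe --headless https://c2.example/PLACEHOLDER"),
    # benign noise: a normal browser session and a local, vendor-installed HTA
    ProcessEvent(400, 100, "msedge.exe", "msedge.exe https://intranet.example/"),
    ProcessEvent(500, 100, "mshta.exe", r'mshta.exe "C:\Program Files\Vendor\setup.hta"'),
]

REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)


def parent_chain(by_pid, pid, max_depth=16):
    """Return the ancestors of `pid` (nearest first) that appear in the telemetry."""
    chain, seen, cur = [], {pid}, by_pid.get(pid)
    while cur is not None and cur.ppid in by_pid and cur.ppid not in seen and len(chain) < max_depth:
        seen.add(cur.ppid)
        cur = by_pid[cur.ppid]
        chain.append(cur)
    return chain


def detect(events):
    """Return (pid, reason) findings for the two behaviours worth alerting on."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if e.image == "mshta.exe" and REMOTE_URL.search(e.cmdline):
            findings.append((e.pid, "mshta.exe launching a remote HTA/script"))
        if e.image == "msedge.exe" and "--headless" in e.cmdline.lower():
            if any(p.image == "mshta.exe" for p in parent_chain(by_pid, e.pid)):
                findings.append((e.pid, "headless msedge.exe descended from mshta.exe"))
    return findings


if __name__ == "__main__":
    for pid, reason in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}")
```

On the sample set the two malicious records (pids 200 and 300) are flagged while the ordinary browser session and the locally installed HTA are not.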

🔒 Pro insight: The use of browser-based backdoors highlights a shift in tactics, making traditional detection methods less effective against evolving threats.

Original article: The Hacker News

Also covered by:

Security Affairs: Russia-linked APT uses DRILLAPP backdoor to spy on Ukrainian targets

The Record: Russia-linked espionage campaign targeting Ukraine using Starlink and charity lures
