
APT Linked to Russia Uses DRILLAPP Backdoor to Spy on Ukrainian Targets

  • Mar 16
  • 2 min read

Key Findings

* Russia-linked APT group targets Ukrainian organizations using DRILLAPP backdoor
* Utilizes Microsoft Edge debugging to evade detection
* Two campaign variants observed in February 2026
* Capability to access file systems, microphone, camera, and screen recordings
* Linked to Laundry Bear (UAC-0190/Void Blizzard) APT group


Background

The DRILLAPP backdoor campaign represents a sophisticated cyber espionage effort targeting Ukrainian entities. Attributed to a Russian-aligned threat actor group, the operation demonstrates advanced evasion techniques by leveraging Microsoft Edge's debugging capabilities to maintain stealth.

Technical Infection Methodology

The first campaign variant spreads through malicious LNK files that drop HTML files into temporary folders. Lures include charity-themed documents and Starlink installation images. The backdoor executes Microsoft Edge in headless mode with relaxed security parameters, allowing unauthorized access to system resources.


Campaign Variants

Two distinct versions were observed in February 2026:

* First variant: Uses LNK files and Pastefy for script hosting
* Second variant: Transitions to CPL (Control Panel) files
* Both versions maintain similar core functionality with incremental feature improvements


Technical Capabilities

The DRILLAPP backdoor provides extensive surveillance capabilities:

* File system access
* Microphone recording
* Camera activation
* Screen capture
* Device fingerprinting
* WebSocket-based command and control communication


Evasion Techniques

Attackers leverage browser debugging features to circumvent security restrictions:

* Executing Edge in headless mode
* Disabling web security controls
* Bypassing JavaScript download limitations via Chrome DevTools Protocol
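A detection check for the combination listed above, added here as an example and not taken from the original post or the cited research: it flags Edge process launches that pair headless mode with a disabled-web-security switch and/or a DevTools Protocol (remote debugging) endpoint, while leaving ordinary headless automation alone. The event field names and sample command lines are constructed assumptions; the switch names are standard Chromium/Edge switches.

```python
import re
from dataclasses import dataclass
# Real Chromium/Edge command-line switches (Edge is Chromium-based).
HEADLESS = re.compile(r"^--headless(=\w+)?$")
WEAKENED_SECURITY = {"--disable-web-security", "--no-sandbox", "--allow-running-insecure-content"}
REMOTE_DEBUG = re.compile(r"^--remote-debugging-(port|pipe)")
EDGE_BINARY = re.compile(r"(^|[\\/])msedge(\.exe)?$", re.IGNORECASE)
TOKEN = re.compile(r'"[^"]*"|\S+')  # keeps quoted paths with spaces as one token

@dataclass(frozen=True)
class Finding:
    pid: int
    parent_image: str
    reasons: tuple

def tokenize(cmdline: str) -> list:
    return [t.strip('"') for t in TOKEN.findall(cmdline)]

def score_edge_launch(event: dict):
    """Return a Finding when a process-creation event looks like an abused headless Edge."""
    tokens = tokenize(event["CommandLine"])
    if not tokens or not EDGE_BINARY.search(tokens[0]):
        return None
    args, reasons = tokens[1:], []
    if any(HEADLESS.match(a) for a in args):
        reasons.append("headless")
    if any(a in WEAKENED_SECURITY for a in args):
        reasons.append("web-security-disabled")
    if any(REMOTE_DEBUG.match(a) for a in args):
        reasons.append("devtools-protocol-enabled")
    # Headless alone is common in legitimate automation (PDF rendering, testing);
    # alert only when it is combined with weakened security or a CDP endpoint.
    if "headless" in reasons and len(reasons) >= 2:
        return Finding(event["ProcessId"], event["ParentImage"], tuple(reasons))
    return None

def scan(events: list) -> list:
    return [f for f in (score_edge_launch(e) for e in events) if f is not None]

# Constructed sample events (Sysmon Event ID 1-style fields), not real telemetry.
EDGE = r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"'
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": EDGE + r' --headless=new --disable-web-security --remote-debugging-port=9222 "C:\Users\u\AppData\Local\Temp\lure.html"'},
    {"ProcessId": 4121, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": EDGE + " --profile-directory=Default"},
    {"ProcessId": 4122, "ParentImage": r"C:\tools\report-service.exe",
     "CommandLine": EDGE + " --headless --print-to-pdf=report.pdf https://intranet.example/report"},
]
```

Running scan(SAMPLE_EVENTS) returns a single Finding for process 4120; the headless-only PDF job and the normal interactive launch are not flagged.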


Attribution and Context

Researchers assess the campaign as likely connected to the Laundry Bear APT group, with low to moderate confidence. The toolset shows signs of being in early development, suggesting potential future iterations and refinement.

Conclusion

The DRILLAPP campaign represents an evolving threat targeting Ukrainian organizations, utilizing innovative browser-based backdoor techniques to conduct espionage operations with minimal detection risk.


Sources

  • https://securityaffairs.com/189519/malware/russia-linked-apt-uses-drillapp-backdoor-to-spy-on-ukrainian-targets.html
  • https://thehackernews.com/2026/03/drillapp-backdoor-targets-ukraine.html

© 2025 by Explain IT Again. Powered and secured by Wix
