DRILLAPP Backdoor Targets Ukraine Using Microsoft Edge Debugging for Stealth Espionage

Cybersecurity researchers have uncovered a new cyber espionage campaign targeting organizations in Ukraine. The activity is believed to be linked to threat actors associated with Russia, according to a report from the LAB52 threat intelligence team at the Spanish security firm S2 Grupo.

The operation was detected in February 2026 and appears to share similarities with an earlier campaign attributed to the group known as Laundry Bear, also tracked as UAC-0190 or Void Blizzard. That previous operation targeted Ukrainian defense forces and involved the malware family known as PLUGGYAPE.

Judicial and Charity Lures Used to Deliver Malware

Researchers discovered that the attackers used a range of social engineering lures related to judicial topics and charity initiatives to distribute a JavaScript-based backdoor. The malware, named DRILLAPP, runs inside the Microsoft Edge browser rather than as a stand-alone executable.

Once deployed, the backdoor can perform multiple espionage functions, including uploading and downloading files, accessing the system microphone, and capturing images through the victim's webcam. These capabilities are achieved by abusing built-in browser features rather than by exploiting a vulnerability in Edge.

First Campaign Variant Uses Windows Shortcut Files

The initial variant of the campaign was detected in early February 2026. In this version, attackers used Windows shortcut files (LNK) to trigger the infection chain.

When the victim opens the shortcut, it writes an HTML Application (HTA) file into the system's temporary directory. This HTA file then retrieves a remote script hosted on Pastefy, a legitimate paste sharing service.

To maintain persistence on the compromised system, the malicious LNK files are copied into the Windows Startup folder. This ensures that the malware automatically runs every time the system restarts.

The attack sequence also opens a decoy URL related to installing Starlink or supporting the Ukrainian charity Come Back Alive Foundation, so that the victim sees something plausible after executing the malicious file.

Edge Browser Executed in Headless Mode

The malware eventually launches Microsoft Edge in headless mode to execute the malicious script retrieved from Pastefy.

Attackers run the browser with several command line parameters that weaken its security restrictions, including parameters that:

  • disable the sandbox
  • disable web security protections (the same-origin policy)
  • allow file:// pages to read local directories
  • automatically select a screen capture source
  • answer camera and microphone permission prompts with a fake user interface

Together, these parameters let the script access the local file system, microphone, webcam, and screen capture without any permission prompt being shown to the user.


Browser Based Backdoor Enables Surveillance

Once active, DRILLAPP acts as a lightweight backdoor. It can collect data from the infected device including audio from the microphone, webcam video, screenshots, and files stored on the system.

During its first execution, the malware also creates a unique device identifier using a tracking method known as canvas fingerprinting. The fingerprint is then sent to the attackers along with the victim's country, which is inferred from the system's time zone.

The malware checks for time zones associated with several countries including the United Kingdom, Russia, Germany, France, China, Japan, the United States, Brazil, India, Ukraine, Canada, Australia, Italy, Spain, and Poland. If the system does not match these regions, it defaults to the United States.

Second Campaign Variant Uses Control Panel Modules

A second version of the campaign appeared later in February 2026. In this variant, attackers replaced the LNK file delivery method with malicious Windows Control Panel modules (CPL files).

Although the infection chain remains largely the same, the updated DRILLAPP backdoor includes expanded capabilities. These enhancements allow the malware to perform recursive file searches, upload multiple files simultaneously, and download files from remote systems.

Chrome DevTools Protocol Used for File Downloads

Because JavaScript running in a page cannot silently save arbitrary files to disk, attackers bypass this limitation using the Chrome DevTools Protocol (CDP). This debugging protocol is built into Chromium-based browsers and is exposed on a local TCP port when the browser is started with the remote debugging port parameter.

Through CDP, the malware can execute commands that allow remote file downloads and additional system interaction.
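The combination of switches described in the headless section and the remote debugging port described here is distinctive enough to hunt for in process-creation telemetry. The following Python is an added example written for this article; it is not code from the LAB52 report and not the malware's own code. It assumes that the report's descriptions correspond to the real Chromium switches --no-sandbox, --disable-web-security, --allow-file-access-from-files, --auto-select-desktop-capture-source, --use-fake-ui-for-media-stream, --remote-debugging-port and --headless (my mapping, not stated in the report). The log events, process IDs, paths and the mshta.exe parent process are constructed for the example and are not indicators from the campaign.

```python
"""Flag Chromium/Edge launches whose switches disable browser security."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed mapping from the article's descriptions to Chromium switches.
RISKY_SWITCHES = {
    "no-sandbox": "renderer sandbox disabled",
    "disable-web-security": "same-origin policy disabled",
    "allow-file-access-from-files": "file:// pages may read the local file system",
    "auto-select-desktop-capture-source": "screen-capture picker answered automatically",
    "use-fake-ui-for-media-stream": "camera/microphone prompt auto-granted",
    "remote-debugging-port": "Chrome DevTools Protocol exposed on localhost",
}

CHROMIUM_IMAGES = ("msedge.exe", "chrome.exe", "chromium.exe", "brave.exe")
# Parents that would be unusual for an interactive browser launch (assumption).
SCRIPT_HOST_PARENTS = ("mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe")

# Matches "--switch" or "--switch=value" and captures the switch name only.
SWITCH_RE = re.compile(r"(?<!\S)--([a-z0-9-]+)")


@dataclass
class Finding:
    pid: int
    image: str
    parent: str
    headless: bool
    switches: List[str]
    reasons: List[str]
    score: int


def extract_switches(cmdline: str) -> List[str]:
    """Return the names of all double-dash switches in a command line."""
    return SWITCH_RE.findall(cmdline)


def assess(event: dict) -> Optional[Finding]:
    """Score one process-creation event; None if it is not a Chromium browser."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    if image not in CHROMIUM_IMAGES:
        return None
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    switches = extract_switches(event["CommandLine"])
    hits = [s for s in switches if s in RISKY_SWITCHES]
    headless = "headless" in switches          # also matches --headless=new
    reasons = [RISKY_SWITCHES[s] for s in hits]
    score = len(hits)
    if headless and hits:
        score += 1                              # headless + weakened security is the DRILLAPP pattern
        reasons.append("headless launch combined with security-disabling switches")
    if parent in SCRIPT_HOST_PARENTS:
        score += 1
        reasons.append(f"spawned by script host {parent}")
    return Finding(event["ProcessId"], image, parent, headless, switches, reasons, score)


def find_suspicious(events, threshold: int = 3) -> List[Finding]:
    """Return findings whose score reaches the threshold (one stray switch stays quiet)."""
    return [f for f in map(assess, events) if f is not None and f.score >= threshold]


# Constructed Sysmon-style process-creation events (not real telemetry).
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": EDGE, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"{EDGE}" --profile-directory=Default'},
    {"ProcessId": 5208, "Image": EDGE, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": f'"{EDGE}" --headless --dump-dom https://example.com'},
    {"ProcessId": 6012, "Image": EDGE, "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": f'"{EDGE}" --headless --no-sandbox --disable-web-security '
                    "--allow-file-access-from-files --auto-select-desktop-capture-source=Entire "
                    "--use-fake-ui-for-media-stream --remote-debugging-port=9222 "
                    r'"C:\Users\victim\AppData\Local\Temp\payload.html"'},
    {"ProcessId": 5990, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'mshta.exe "C:\Users\victim\AppData\Local\Temp\lure.hta"'},
]

if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_EVENTS):
        print(f"PID {f.pid} {f.image} (parent {f.parent}) score={f.score}")
        for r in f.reasons:
            print("  -", r)
```

The threshold is deliberately above one so that a developer running a headless browser to dump a page, or a test harness using --no-sandbox inside a container, does not fire on its own; the DRILLAPP launch trips several switches at once, and a script-host parent such as mshta.exe adds weight consistent with the HTA stage described earlier.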

Early Variant Indicates Ongoing Development

Researchers believe the malware is still under active development. An early sample identified on January 28, 2026 communicated only with the domain gnome[.]com instead of retrieving the primary payload from Pastefy.

According to LAB52, the campaign highlights an evolving tactic in cyber espionage operations.

Using web browsers as a malware execution platform gives attackers several advantages. Browsers are signed, widely trusted applications, so activity inside them is less likely to be flagged. In addition, debugging and testing parameters let attackers switch off the browser's own security controls while still reaching sensitive system resources such as cameras, microphones, and screen recording features.
