DRILLAPP Espionage Campaign Targeting Ukrainian Organizations
A Russia-linked cyber-espionage campaign targeted Ukrainian entities with a JavaScript-based backdoor called DRILLAPP, using lures themed around Starlink terminal verification and the Come Back Alive Foundation charity. Researchers linked the activity, with low confidence, to Laundry Bear (also tracked as Void Blizzard and UAC-0190) and said the operation shared tradecraft with earlier campaigns against Ukrainian defense-related targets. The malware was observed in February 2026 and was designed for surveillance and remote access, including file upload and download, microphone recording, and webcam image capture.
The intrusion chain used malicious LNK files to create an HTA file in a temporary directory, fetch obfuscated scripts from Pastefy, and establish persistence by copying shortcuts into the Windows Startup folder. The payload then executed through Microsoft Edge in headless mode with permissive switches such as --no-sandbox, --disable-web-security, --allow-file-access-from-files, --use-fake-ui-for-media-stream, and --disable-user-media-security. Together these remove the protections a normal browser session relies on: --disable-web-security turns off the same-origin policy, --allow-file-access-from-files lets a page loaded from file:// read other local files, and --use-fake-ui-for-media-stream auto-accepts camera and microphone permission prompts, so the script gains access to the local file system, camera, microphone, and potentially screen capture without the user seeing a prompt. Researchers said the browser-based approach likely helps the attackers blend malicious activity with legitimate browser access to sensitive device features. From a defender's perspective, the chain leaves distinct host-level traces: an mshta.exe launch of an HTA from a temp directory, a new .lnk in the Startup folder, and an msedge.exe process started with --headless plus the switches above.
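As an added example (not LAB52's code or any artifact from the page), the following Python detection logic checks each stage of the chain described above against process-creation and file-creation telemetry. The pipe-delimited `Key=Value` record layout, the sample file names, and the sample paths are constructed assumptions for the demo, not real campaign indicators or a real Sysmon export; only the Edge switch names come from the reporting.

```python
"""
Added example (not LAB52's code): detection of the DRILLAPP execution chain
(HTA from a temp directory, Startup-folder .lnk persistence, headless Edge with
sandbox/same-origin/media prompts disabled) over constructed Sysmon-style records.
The 'Key=Value|Key=Value' layout is an assumed format, not a real Sysmon export.
"""
import re
import shlex

# Switches the campaign used (per the reporting) to run the payload in headless
# Edge without the usual sandbox, same-origin policy, and camera/mic prompts.
DANGEROUS_EDGE_FLAGS = {
    "--no-sandbox",
    "--disable-web-security",
    "--allow-file-access-from-files",
    "--use-fake-ui-for-media-stream",
    "--disable-user-media-security",
}

STARTUP_LNK_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)
TEMP_HTA_RE = re.compile(r'\\Temp\\[^\s"]+\.hta', re.I)


def parse_record(line):
    """Split 'Key=Value|Key=Value' into a dict; first '=' only, so '--headless=new' survives."""
    return dict(part.split("=", 1) for part in line.strip().split("|"))


def edge_dangerous_flags(cmdline):
    """Return the risky switches present if this is a headless msedge.exe launch.

    Switch names are compared without their values ('--headless=new' counts as
    '--headless'). Returns an empty set for non-Edge or non-headless launches,
    so ordinary headless use (e.g. --screenshot) is not flagged on its own.
    """
    argv = shlex.split(cmdline, posix=False)  # posix=False keeps Windows backslashes
    if not argv or not argv[0].strip('"').lower().endswith("msedge.exe"):
        return set()
    switches = {a.split("=", 1)[0].lower() for a in argv[1:] if a.startswith("--")}
    if "--headless" not in switches:
        return set()
    return switches & DANGEROUS_EDGE_FLAGS


def detect(lines):
    """Return (rule_name, evidence) tuples, one per record matching a chain stage."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        etype = rec.get("EventType")
        image = rec.get("Image", "").lower()
        if etype == "ProcessCreate":
            cmd = rec.get("CommandLine", "")
            flags = edge_dangerous_flags(cmd)
            if flags:
                findings.append(("edge_headless_permissive", sorted(flags)))
            if image.endswith("mshta.exe") and TEMP_HTA_RE.search(cmd):
                findings.append(("hta_from_temp", cmd))
        elif etype == "FileCreate":
            target = rec.get("TargetFilename", "")
            if STARTUP_LNK_RE.search(target):
                findings.append(("startup_lnk_persistence", target))
    return findings


# Constructed sample telemetry (not real campaign artifacts): the three chain
# stages plus two benign records, one of them a legitimate headless Edge run.
SAMPLE_LOG = [
    'EventType=ProcessCreate|Image=C:\\Windows\\System32\\mshta.exe|CommandLine="C:\\Windows\\System32\\mshta.exe" C:\\Users\\user\\AppData\\Local\\Temp\\verify.hta|ParentImage=C:\\Windows\\explorer.exe',
    'EventType=FileCreate|Image=C:\\Windows\\System32\\mshta.exe|TargetFilename=C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Starlink.lnk',
    'EventType=ProcessCreate|Image=C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe|CommandLine="C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe" --headless=new --no-sandbox --disable-web-security --allow-file-access-from-files --use-fake-ui-for-media-stream --disable-user-media-security file:///C:/Users/user/AppData/Local/Temp/app.html|ParentImage=C:\\Windows\\System32\\mshta.exe',
    'EventType=ProcessCreate|Image=C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe|CommandLine="C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe" --headless=new --screenshot https://example.test|ParentImage=C:\\Windows\\System32\\cmd.exe',
    'EventType=ProcessCreate|Image=C:\\Windows\\System32\\notepad.exe|CommandLine=notepad.exe notes.txt|ParentImage=C:\\Windows\\explorer.exe',
]


if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_LOG):
        print(rule, "->", evidence)
```

The `edge_dangerous_flags` check deliberately requires `--headless` plus at least one of the listed switches rather than alerting on headless Edge alone, since headless mode has legitimate automation uses; in a real pipeline the parent process (mshta.exe, or a shortcut resolved from the Startup folder) would be a further condition worth correlating.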
Timeline
Mar 16, 2026
LAB52 discloses DRILLAPP campaign targeting Ukraine
On March 16, 2026, LAB52 publicly reported the February campaign, describing DRILLAPP as a JavaScript backdoor that abuses Microsoft Edge headless mode, browser debugging, and media-access features to capture files, audio, webcam images, and screen content.
Feb 15, 2026
Later February variant switches to CPL files and expands capabilities
A later February 2026 DRILLAPP variant changed delivery to Windows Control Panel module (.cpl) files while retaining the Edge-based execution chain. It also added recursive file enumeration, batch uploads, arbitrary downloads, and broader file-management functions.
Feb 1, 2026
Initial DRILLAPP variant uses LNK and HTA delivery via Pastefy
The first observed campaign variant used LNK files to drop HTML or HTA content and retrieve obfuscated remote scripts hosted on Pastefy, establishing the browser-based backdoor on victim systems.
Feb 1, 2026
DRILLAPP campaign targets Ukrainian entities with lure documents
In February 2026, a cyber-espionage campaign targeted Ukrainian organizations using judicial, charity, and Starlink-themed lures to deliver the DRILLAPP backdoor. Researchers linked the activity with low confidence to the Russian-aligned Laundry Bear group based on overlaps with prior tradecraft used against Ukraine.
Jan 28, 2026
Early DRILLAPP sample communicates with gnome.com
Researchers identified an earlier DRILLAPP sample dated January 28, 2026 that only communicated with gnome[.]com, indicating the malware was still in an early development stage before the broader campaign.
Related Stories

AI-Assisted Phishing Campaign Abusing Browser Permissions for Data Theft
A **large-scale phishing campaign** is using fake service and verification pages such as “ID Scanner,” “Telegram ID Freezing,” and “Health Fund AI” to trick victims into granting browser access to sensitive device capabilities. Once permissions are approved, malicious JavaScript captures **images, video, microphone audio, device details, contact information, and approximate geolocation**, then exfiltrates the data to attacker-controlled **Telegram bots** and related infrastructure. Researchers said the operation is hosted primarily on **`edgeone.app`** infrastructure and goes beyond traditional credential theft by collecting rich multimedia and contextual data that could support identity theft, follow-on social engineering, account compromise, or extortion. Analysis of the phishing framework found signs of **AI-assisted code generation**, including structured annotations and emoji-style formatting embedded in the code, indicating generative AI may have been used to speed development of the campaign. Although it overlaps with the DRILLAPP reporting in abusing browser permissions for media capture, this is a separate, non-attributed operation rather than part of the Russia-linked espionage campaign.
1 month ago
Void Blizzard (Laundry Bear) Charity-Themed Lures Deliver PluggyApe Backdoor to Ukraine’s Defense Forces
Ukraine’s CERT (CERT-UA) reported a cyber-espionage campaign targeting representatives of **Ukraine’s Defense Forces** between October and December 2025, using social-engineering lures themed around charitable foundations. Victims were contacted via **Signal** and **WhatsApp** and directed to charity-impersonation websites or sent password-protected archives that purported to contain documents but instead delivered executable payloads (including `*.docx.pif`), sometimes sent directly through the messaging apps. The activity was attributed with **medium confidence** to the Russia-aligned threat actor **Void Blizzard** (also tracked as **Laundry Bear** and **UAC-0190**). The campaign deployed a previously undocumented backdoor dubbed **PluggyApe**, built as a Python executable packaged with **PyInstaller**, which profiles infected hosts, establishes persistence via **Windows Registry** modification, and enables remote command execution. CERT-UA noted an evolution in late 2025 from earlier loader naming patterns (e.g., `*.pdf.exe`) to **PIF-based delivery** and an updated **PluggyApe v2** featuring stronger obfuscation, **MQTT-based** command-and-control, and additional anti-analysis checks.
1 month ago
Multiple APT and malware campaigns abusing phishing, cloud services, and signed binaries
Reporting across multiple research teams described a surge of distinct, ongoing intrusion campaigns rather than a single unified incident. **Check Point** reported on **Silver Dragon**, a Chinese-aligned activity cluster assessed as operating under the broader **APT41** umbrella, targeting organizations in **Southeast Asia and Europe** (notably government) via exploitation of public-facing servers and phishing, then deploying **Cobalt Strike**, **DNS tunneling**, and a new Google Drive–based backdoor (**GearDoor**) alongside custom tools (**SSHcmd** and **SliverScreen**) for remote access and screen capture. **Microsoft** detailed separate February 2026 phishing campaigns by an unknown actor that used meeting/invoice-style lures and **EV code-signed** malware (certificate issued to **TrustConnect Software PTY LTD**) masquerading as common workplace apps (e.g., `msteams.exe`, `adobereader.exe`, `zoomworkspace.clientsetup.exe`) to install legitimate **RMM** tooling (**ScreenConnect**, **Tactical RMM**, **Mesh Agent**) for persistent access and lateral movement. Other reporting highlighted additional, unrelated campaigns and tradecraft: **ClearSky** described a Russian-aligned operation targeting **Ukraine** using a phishing-delivered ZIP/HTA chain that drops a .NET loader (**BadPaw**) and backdoor (**MeowMeow**) with **.NET Reactor** obfuscation, parameter-gated execution, and sandbox/tooling checks (with low-confidence linkage to **APT28**). **Cofense**-reported activity (via SC Media) showed phishing that weaponizes **Windows File Explorer + WebDAV** using URL/LNK shortcuts to pull payloads (notably **AsyncRAT**, **XWorm**, **DcRAT**) and infrastructure including **Cloudflare Tunnel** domains hosting WebDAV servers. 
**Cisco Talos**-reported **Dohdoor** activity (UAT-10027) targeted US **education and healthcare**, using a PowerShell, batch, and DLL-sideloading chain via legitimate executables (e.g., `Fondue.exe`, `mblctr.exe`, `ScreenClippingHost.exe`) and **DNS-over-HTTPS** to Cloudflare for C2 discovery and tunneling. Separately, **Zscaler** reported **ScarCruft**’s *Ruby Jumper* campaign using **Zoho WorkDrive** for C2 and removable media components to reach air-gapped systems, while another Zscaler report analyzed **Dust Specter** targeting Iraqi government officials with password-protected RAR delivery and modular implants. **Qianxin XLab** assessed sanctioned infrastructure provider **Funnull** resurfacing to support scam/criminal supply chains and potential **MacCMS**-related supply-chain activity, and **F5 Labs** summarized **APT42**’s **TAMECAT** PowerShell backdoor focused on Edge/Chrome credential theft with C2 over Telegram/Discord/HTTPS and specific file/hash indicators.
1 month ago