Russia-Linked DRILLAPP Backdoor Targets Ukrainian Entities via Microsoft Edge

Russia-Linked DRILLAPP Backdoor Targets Ukrainian Entities via Microsoft Edge

First seen 18 Mar 2026, 18:13 UTC CybernewsSecurityaffairs.CoScworld 76% similarity 75.5

Article Content

Browse articles
ThreatCluster

A new cyberespionage campaign has been identified, targeting Ukrainian organizations with a backdoor named DRILLAPP, attributed to Russian threat actors, specifically the Laundry Bear group. The campaign employs judicial- and charity-themed lures to deliver the malware, which operates through the Microsoft Edge browser. The initial variant, detected in early February 2026, utilized LNK files to execute an HTML Application that loaded a remote script. A second variant, observed later in February, switched to using CPL files, enhancing its capabilities to include batch file uploading and recursive file listing. The backdoor can access local files, the microphone, and the webcam, indicating a significant threat to privacy and data security. The campaign is ongoing, with researchers noting its early development stage and potential for further evolution. The attacks are part of a broader pattern of cyber operations targeting Ukrainian entities since 2024.

Key Points: • DRILLAPP backdoor targets Ukrainian entities using Microsoft Edge for stealth. • Two variants of the malware have been identified, with increasing capabilities. • The campaign is linked to the Russian Laundry Bear APT group, indicating state-sponsored activity.

ThreatCluster AI

Timeline

2026-02-01
Initial variant of DRILLAPP detected using LNK files.
2026-02-20
Second variant of DRILLAPP identified using CPL files.
2026-03-16
Cybernews article published detailing the DRILLAPP campaign.
2026-03-18
Scworld article published with updated analysis of DRILLAPP.

Community

Browse all →