Russia-Linked DRILLAPP Backdoor Targets Ukrainian Entities via Microsoft Edge
Severity: High (Score: 75.5)
Sources: Scworld, Securityaffairs.Co, Cybernews
Summary
A new cyberespionage campaign has been identified, targeting Ukrainian organizations with a backdoor named DRILLAPP, attributed to Russian threat actors, specifically the Laundry Bear group. The campaign employs judicial- and charity-themed lures to deliver the malware, which operates through the Microsoft Edge browser. The initial variant, detected in early February 2026, utilized LNK files to execute an HTML Application that loaded a remote script. A second variant, observed later in February, switched to using CPL files, enhancing its capabilities to include batch file uploading and recursive file listing. The backdoor can access local files, the microphone, and the webcam, indicating a significant threat to privacy and data security. The campaign is ongoing, with researchers noting its early development stage and potential for further evolution. The attacks are part of a broader pattern of cyber operations targeting Ukrainian entities since 2024.

Key Points:
- DRILLAPP backdoor targets Ukrainian entities using Microsoft Edge for stealth.
- Two variants of the malware have been identified, with increasing capabilities.
- The campaign is linked to the Russian Laundry Bear APT group, indicating state-sponsored activity.
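As an added triage example (not code from the reporting above or from the researchers' tooling), the heuristics below score a few constructed process-creation and registry events against the delivery chain described here: a lure LNK spawning an HTA, a CPL launched from a user-writable path, and a Run key (T1547.001) that starts Edge with a local page. The event field names, sample paths and the Run-key heuristic are assumptions.

```python
import re

# Constructed sample events in a simplified Sysmon-like shape (id 1 = process
# creation, id 13 = registry value set). None of this is campaign telemetry.
EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "mshta.exe https://lure.example.invalid/notice.hta"},
    {"id": 1, "image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL C:\Users\u\Downloads\notice.cpl"},
    {"id": 13, "key": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" C:\Users\u\AppData\Local\page.html'},
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
]

USER_WRITABLE = re.compile(r"\\Users\\|\\ProgramData\\|\\Temp\\", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)

def flag_event(ev):
    """Return the name of the first heuristic the event matches, or None."""
    if ev["id"] == 1:
        image, parent = ev["image"].lower(), ev["parent"].lower()
        cmd = ev["cmdline"].lower()
        # First variant: a lure LNK opens an HTA, so explorer.exe spawns
        # mshta.exe, typically with a remote script location on the command line.
        if image.endswith("\\mshta.exe") and (
                parent.endswith("\\explorer.exe") or re.search(r"https?://", cmd)):
            return "lnk_to_hta"
        # Second variant: a CPL file dropped to a user-writable path and run
        # through the Control Panel loader (rundll32 Control_RunDLL or control.exe).
        if ".cpl" in cmd and ("control_rundll" in cmd or image.endswith("\\control.exe")) \
                and USER_WRITABLE.search(cmd):
            return "user_writable_cpl"
    elif ev["id"] == 13:
        # T1547.001 heuristic (assumption): Edge's own startup Run value carries
        # only flags, so a Run value that points msedge.exe at a file under the
        # user profile is worth a look.
        details = ev["details"].lower()
        if RUN_KEY.search(ev["key"]) and "msedge.exe" in details:
            args = details.split("msedge.exe", 1)[1]
            if USER_WRITABLE.search(args):
                return "run_key_edge_persistence"
    return None

def triage(events):
    """Return (index, heuristic) pairs for every event that matched."""
    return [(i, hit) for i, ev in enumerate(events) if (hit := flag_event(ev))]
```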
Key Entities
- Laundry Bear (apt_group)
- Laundry Bear APT Group (apt_group)
- UAC-0190 (apt_group)
- Void Blizzard (apt_group)
- Malware (attack_type)
- DRILLAPP (malware)
- Pluggyape (malware)
- DRILLAPP Backdoor Campaign (campaign)
- Come Back Alive Foundation (company)
- National Guard Of Ukraine (company)
- Southern Office Of The State Audit Service Of Ukraine (company)
- Ukrainian Armed Forces (company)
- Russia (country)
- Ukraine (country)
- pastefy.app (domain)
- Government (industry)
- T1027 - Obfuscated Files Or Information (mitre_attack)
- T1056 - Input Capture (mitre_attack)
- T1071 - Application Layer Protocol (mitre_attack)
- T1547.001 - Registry Run Keys / Startup Folder (mitre_attack)
- Microsoft Edge (platform)
- Windows (platform)
- javascript-obfuscator (tool)