Russian‑Linked APT Deploys DRILLAPP Backdoor via Edge Debugging to Spy on Ukrainian Government Entities
What Happened — In February 2026 a Russia‑aligned advanced‑persistent‑threat (APT) group, attributed with low confidence to the Laundry Bear (UAC‑0190) team, began delivering a custom backdoor named DRILLAPP to Ukrainian organizations. The malware is dropped through malicious LNK or CPL files that launch Microsoft Edge in headless mode with insecure flags, giving the attacker access to the file system, microphone and camera, as well as screen capture.
Why It Matters for TPRM —
- Espionage tools that abuse legitimate browsers can bypass many endpoint controls, raising the bar for detection.
- Supply‑chain partners that host Ukrainian subsidiaries or provide services to the region may inherit this risk.
- The technique demonstrates a novel “browser‑as‑backdoor” approach that could be repurposed against other geopolitical targets.
Who Is Affected — Government & public‑sector agencies (defense, audit, emergency services) in Ukraine; any third‑party vendors that process data for these entities.
Recommended Actions
- Review contracts with Ukrainian‑focused partners for exposure to state‑sponsored espionage.
- Verify that endpoint detection platforms can monitor abnormal Edge launch parameters and LNK/CPL file execution.
- Enforce strict email/drive scanning for malicious shortcuts and apply least‑privilege browser policies.
Technical Notes — The first DRILLAPP variant uses LNK files that write HTML to the temp folder and load obfuscated scripts from pastefy.app; the second switches to CPL (Control Panel) modules. Both invoke Edge with flags such as --no-sandbox, --disable-web-security, --use-fake-ui-for-media-stream, and --auto-select-screen-capture-source=true. The backdoor communicates via a WebSocket C2, can recursively list files, batch‑upload data, and leverages the Chrome DevTools Protocol to bypass JavaScript download restrictions. Source: SecurityAffairs
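As an added example, not part of the SecurityAffairs report or this brief: a small Python detector that applies the Recommended Action on Edge launch monitoring to Sysmon‑style process‑creation records, flagging msedge.exe launches that combine the flags listed in the Technical Notes (plus --headless) and raising severity when the parent is explorer.exe (LNK) or control.exe/rundll32.exe (CPL). The event field names, the parent‑process list and the sample records are assumptions constructed for the example.

```python
import json
import shlex

# Flag names from the Technical Notes plus --headless (any '=value' suffix is ignored).
SUSPICIOUS_FLAGS = {
    "--headless", "--no-sandbox", "--disable-web-security",
    "--use-fake-ui-for-media-stream", "--auto-select-screen-capture-source",
}
# Assumed parents: explorer.exe for LNK launches, control.exe/rundll32.exe for CPL modules.
SHORTCUT_PARENTS = {"explorer.exe", "control.exe", "rundll32.exe"}

def edge_flags(cmdline):
    """Return the suspicious flag names found on an msedge.exe command line."""
    try:
        argv = shlex.split(cmdline, posix=False)  # keeps Windows backslashes and quotes
    except ValueError:                             # unbalanced quote: fall back to whitespace
        argv = cmdline.split()
    if not argv or not argv[0].strip('"').lower().endswith("msedge.exe"):
        return set()
    names = {a.strip('"').split("=", 1)[0].lower() for a in argv[1:]}
    return names & SUSPICIOUS_FLAGS

def analyze_event(event):
    """Score one Sysmon-style process-creation record; None when nothing stands out."""
    flags = edge_flags(event.get("CommandLine", ""))
    if len(flags) < 2:  # a single flag is common in legitimate headless automation
        return None
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    return {"pid": event.get("ProcessId"), "parent": parent, "flags": sorted(flags),
            "severity": "high" if parent in SHORTCUT_PARENTS else "medium"}

def scan(lines):
    """Run analyze_event over JSON lines and collect the findings."""
    events = (json.loads(line) for line in lines if line.strip())
    return [f for f in map(analyze_event, events) if f]

# Constructed sample events (not real telemetry): an LNK-style launch with the full
# flag set, a normal browser start, and a CI-style headless run that only earns "medium".
SAMPLE_EVENTS = r'''
{"ProcessId": 4120, "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --headless --no-sandbox --disable-web-security --use-fake-ui-for-media-stream --auto-select-screen-capture-source=true C:\\Users\\u\\AppData\\Local\\Temp\\x.html"}
{"ProcessId": 4188, "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" https://example.com"}
{"ProcessId": 4210, "ParentImage": "C:\\ci\\runner.exe", "CommandLine": "msedge.exe --headless=new --no-sandbox --dump-dom https://example.com"}
'''

def demo():
    return scan(SAMPLE_EVENTS.splitlines())

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In production the same logic maps onto a Sigma or EDR query keyed on the Edge image path, the flag set and the parent process rather than on JSON lines.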