
Russian‑Linked Espionage Group Deploys DrillApp Spyware via Starlink & Charity Lures Against Ukrainian Entities

A Russia‑affiliated hacker group, Laundry Bear, used documents masquerading as Starlink verification requests and charity appeals to install the DrillApp backdoor on Ukrainian organizations. The malware can exfiltrate files, record audio/video, and capture screens, posing a significant espionage risk for government and critical‑infrastructure partners.

🛡️ LiveThreat™ Intelligence · 📅 March 17, 2026 · 📰 therecord.media

  • Severity: High
  • Type: ThreatIntel
  • Confidence: High
  • Affected: 2 sector(s)
  • Actions: 3 recommended
  • Source: therecord.media

Russian‑Linked Espionage Group Uses Starlink & Charity Lures to Deploy DrillApp Spyware Against Ukrainian Entities

What Happened – A Russia‑affiliated hacker group identified as Laundry Bear (aka Void Blizzard) launched a cyber‑espionage campaign in February 2024. The actors distributed malicious documents masquerading as Starlink verification requests and as appeals from the Ukrainian charity “Come Back Alive,” installing a backdoor called DrillApp that can exfiltrate files, record audio, capture webcam images, and record the screen.

Why It Matters for TPRM

  • The campaign targets critical Ukrainian infrastructure (defense, transportation, education) and demonstrates how state‑aligned actors abuse legitimate services (Microsoft Edge, public text‑sharing sites) to bypass defenses.
  • Social‑engineering lures tied to humanitarian aid and emerging satellite‑internet technology increase the likelihood of successful compromise in supply‑chain and partner environments.
  • Early‑stage malware suggests rapid evolution of tactics that could be repurposed against allied organizations or third‑party vendors supporting Ukrainian operations.

Who Is Affected – Government and public‑sector entities in Ukraine (defense, education, transportation), as well as any third‑party vendors handling data or communications for these sectors.

Recommended Actions

  • Review any contracts or data flows with Ukrainian partners for exposure to this threat.
  • Harden email and document handling policies; block execution of untrusted Office files and enforce strict macro controls.
  • Deploy endpoint detection that monitors browser‑initiated access to microphones, cameras, and screen‑recording APIs.
  • Conduct threat‑intel briefings for incident‑response teams on the DrillApp payload and its delivery mechanisms.
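The third action above (monitoring browser‑initiated access to microphones and cameras) can be backed by a host audit before a full EDR rule is written. The script below is an added example and is not code from the brief, from The Record, or from any DrillApp analysis; it assumes the Windows 10/11 CapabilityAccessManager ConsentStore registry layout, in which each NonPackaged subkey is an executable path with "\" replaced by "#" and LastUsedTimeStart/LastUsedTimeStop hold FILETIME values. The watch list of browser and script‑host names is a constructed starting point, not an indicator from the page.

```powershell
# Added example (not from the brief): list non-packaged executables that have
# recently used the microphone or webcam on a Windows 10/11 host, and flag
# browsers and script hosts whose peripheral use deserves a second look.
# Assumption: ConsentStore layout as documented for Windows 10/11; screen-capture
# consent is not covered by this check.

param(
    [int]$LookbackDays = 30
)

$capabilities = @('microphone', 'webcam')
# Constructed watch list of browsers and script hosts (adjust to the environment).
$watchList = @('msedge.exe', 'chrome.exe', 'firefox.exe', 'mshta.exe',
               'wscript.exe', 'cscript.exe', 'powershell.exe', 'rundll32.exe')
$cutoff = (Get-Date).AddDays(-$LookbackDays)

$findings = foreach ($hive in @('HKCU:', 'HKLM:')) {
    foreach ($cap in $capabilities) {
        $base = "$hive\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\$cap\NonPackaged"
        if (-not (Test-Path $base)) { continue }

        foreach ($key in Get-ChildItem -Path $base -ErrorAction SilentlyContinue) {
            $props   = Get-ItemProperty -Path $key.PSPath
            # Subkey names encode the executable path with '#' in place of '\'.
            $exePath = $key.PSChildName -replace '#', '\'
            $exeName = (Split-Path -Leaf $exePath).ToLower()

            $start = if ($props.LastUsedTimeStart) { [DateTime]::FromFileTime($props.LastUsedTimeStart) } else { $null }
            $stop  = if ($props.LastUsedTimeStop)  { [DateTime]::FromFileTime($props.LastUsedTimeStop)  } else { $null }
            # A stop time of 0 with a non-zero start time means the device is still in use.
            $inUse = ($props.LastUsedTimeStop -eq 0) -and ($props.LastUsedTimeStart -gt 0)

            # Keep entries used inside the lookback window, or currently in use.
            if (-not $start -or ($start -lt $cutoff -and -not $inUse)) { continue }

            # Unsigned or missing binaries using a peripheral are worth triage.
            $sigValid = (Test-Path $exePath) -and
                        ((Get-AuthenticodeSignature -FilePath $exePath).Status -eq 'Valid')

            [PSCustomObject]@{
                Hive       = $hive.TrimEnd(':')
                Capability = $cap
                Executable = $exePath
                LastStart  = $start
                LastStop   = $(if ($inUse) { '(in use)' } else { $stop })
                OnWatch    = ($watchList -contains $exeName)
                Unsigned   = (-not $sigValid)
            }
        }
    }
}

$findings | Sort-Object OnWatch, LastStart -Descending | Format-Table -AutoSize
```

Run it in the context of the user being investigated, since the HKCU entries are per profile; for other accounts, query their hive under HKU or load the offline NTUSER.DAT. A browser appearing with a recent start time is not by itself malicious (video calls use the same path), so the output is a triage list to correlate with process and network telemetry, not a verdict.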

Technical Notes – The malicious payload is delivered via a crafted document that executes in Microsoft Edge, leveraging the browser’s legitimate access to device peripherals. DrillApp provides file system access, audio/video capture, and screen recording. No public CVE is associated; the technique relies on browser‑level permissions rather than a software vulnerability. Source: The Record

📰 Original Source
https://therecord.media/russia-ukraine-cyber-espionage-group

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.
