According to a report from S2 Grupo's LAB52 threat intelligence team, Ukrainian organizations are the target of a new campaign that is probably being run by threat actors with ties to Russia. The cybersecurity company said that the attack "uses different judicial and charity-themed lures to install a JavaScript-based backdoor that runs through the Edge browser."
The malware, which goes by the name DRILLAPP, can use the web browser's features to upload and download files, use the microphone, and take pictures with the webcam.
There are two different versions of the campaign. The first was found in early February, when a Windows shortcut (LNK) file was used to create an HTML Application (HTA) file in the temporary folder. This HTA then loads a remote script from Pastefy, a legitimate paste service.
To persist on the system, the LNK files are copied to the Windows Startup folder, where they run automatically when the system is rebooted. The attack chain then opens a decoy URL relating either to installing Starlink or to the Ukrainian charity Come Back Alive Foundation. The Microsoft Edge browser runs the HTML file in headless mode, which then loads the remote obfuscated script hosted on Pastefy.
The browser runs with extra options like --no-sandbox, --disable-web-security, --allow-file-access-from-files, --use-fake-ui-for-media-stream, --auto-select-screen-capture-source=true, and --disable-user-media-security. This gives it access to the local file system, camera, microphone, and screen capture without any user interaction. The artifact is basically a lightweight backdoor that lets the operator access the file system and record audio from the microphone, video from the camera, and pictures of the device's screen, all through the browser.
It also makes a device fingerprint using a method called canvas fingerprinting when it runs for the first time. It then uses Pastefy as a dead drop resolver to get a WebSocket URL that is used for command-and-control (C2) communications. The malware sends the device fingerprint data and the victim's country, which is figured out from the machine's time zone.
It checks whether the time zone matches one of the U.K., Russia, Germany, France, China, Japan, the U.S., Brazil, India, Ukraine, Canada, Australia, Italy, Spain, and Poland. If none match, it defaults to the U.S. The second version of the campaign, seen in late February 2026, replaces the LNK files with Windows Control Panel (CPL) modules.
However, the infection sequence stays mostly the same. The backdoor itself has also changed a lot. It can now do recursive file enumeration, batch file uploads, and arbitrary file downloads. LAB52 said, "JavaScript does not allow files to be downloaded from a remote location for security reasons."
"This is why the attackers use the Chrome DevTools Protocol (CDP), which is an internal protocol for Chromium-based browsers that can only be used when the --remote-debugging-port parameter is turned on." The backdoor is believed to still be under active development. On January 28, 2026, an early version of the malware was found in the wild.
It only talked to the domain "gnome[.]com" instead of downloading the main payload from Pastefy. The Spanish security company said, "One of the most interesting things is that the attackers used the browser to install a backdoor, which suggests that they are looking for new ways to avoid detection."
"The browser is good for this kind of activity because it is a common and not very suspicious process. It also has more features that can be accessed through debugging parameters that allow unsafe actions like downloading files from other computers. It also gives legitimate access to sensitive resources like the microphone, camera, or screen recording without sending alerts right away."
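As an added defensive example (not code from LAB52's report), the following Python check scores Chromium-family process-creation events for the launch switches named above and for the --remote-debugging-port switch that exposes CDP; the sample events, the weights, the threshold and the script-host parent list are constructed assumptions for illustration.

```python
import ntpath
import re
# Chromium switches the campaign abuses (names from the report above); weights
# and the alert threshold are this example's own choice, not LAB52's.
RISKY_SWITCHES = {
    "--remote-debugging-port": 4,         # exposes the Chrome DevTools Protocol
    "--disable-web-security": 3,
    "--allow-file-access-from-files": 3,
    "--use-fake-ui-for-media-stream": 3,  # auto-accepts camera/mic prompts
    "--auto-select-screen-capture-source": 3,
    "--disable-user-media-security": 3,
    "--no-sandbox": 2,
    "--headless": 2,
}
CHROMIUM_IMAGES = {"msedge.exe", "chrome.exe", "chromium.exe", "brave.exe"}
# Script hosts that should not normally spawn a browser (LNK/HTA/CPL chains do).
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe", "rundll32.exe", "control.exe"}

def score_command_line(cmdline):
    """Return (score, matched switches); '=value' suffixes such as =9222 are ignored."""
    seen = re.findall(r"--[a-z0-9-]+", cmdline.lower())
    hits = sorted({s for s in seen if s in RISKY_SWITCHES})
    return sum(RISKY_SWITCHES[s] for s in hits), hits

def evaluate_event(image, parent_image, cmdline, threshold=6):
    """Score one process-creation event; None when the image is not a Chromium browser."""
    if ntpath.basename(image).lower() not in CHROMIUM_IMAGES:
        return None
    score, hits = score_command_line(cmdline)
    parent = ntpath.basename(parent_image).lower()
    if parent in SCRIPT_HOSTS:  # browser launched from a script host: extra weight
        score += 2
        hits.append("parent:" + parent)
    return {"alert": score >= threshold, "score": score, "hits": hits}
# Constructed sample events (image|parent|command line): benign Edge, the
# campaign-style headless launch, and a bare CDP launch. Paths are illustrative.
SAMPLE_EVENTS = """\
C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe|C:\\Windows\\explorer.exe|"msedge.exe" --profile-directory=Default https://example.com
C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe|C:\\Windows\\System32\\mshta.exe|"msedge.exe" --headless=new --no-sandbox --disable-web-security --allow-file-access-from-files --use-fake-ui-for-media-stream --auto-select-screen-capture-source=true --disable-user-media-security file:///C:/Users/Public/lure.html
C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|C:\\Windows\\explorer.exe|"chrome.exe" --headless=new --remote-debugging-port=9222 https://example.com
"""
def scan(events=SAMPLE_EVENTS):
    """Run the check over the events; returns (image, score, hits) for alerts only."""
    alerts = []
    for line in events.splitlines():
        image, parent, cmdline = line.split("|", 2)
        verdict = evaluate_event(image, parent, cmdline)
        if verdict and verdict["alert"]:
            alerts.append((ntpath.basename(image), verdict["score"], verdict["hits"]))
    return alerts
```

Legitimate browser automation (Puppeteer, Playwright, Selenium) also uses --headless and --remote-debugging-port, so the threshold and the parent-process list should be tuned against the environment's own baseline before alerting on them.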