DRILLAPP Backdoor Exploits Microsoft Edge Debugging to Spy on Ukrainian Targets
A stealth espionage campaign uses a JavaScript-based backdoor running through Microsoft Edge to access microphones, webcams, and sensitive files.

A newly discovered cyber espionage campaign targeting Ukrainian entities has introduced a stealthy backdoor known as DRILLAPP, demonstrating how attackers continue to abuse legitimate software to evade detection. The operation, identified by threat intelligence researchers, appears to overlap with earlier activity linked to the Russia-aligned threat cluster Laundry Bear (UAC-0190 / Void Blizzard), which previously targeted Ukrainian defense organizations.
The campaign emerged in February 2026 and relies on social engineering techniques combined with browser abuse to infiltrate systems. Attackers distribute judicial-themed or charity-related lures designed to convince victims to open malicious files. These files ultimately deploy a JavaScript-based backdoor that runs through the Microsoft Edge browser, allowing attackers to hide malicious activity inside a trusted and commonly used application.
Attack Chain Begins with Malicious LNK Files
In the first observed variant of the campaign, attackers used Windows shortcut (LNK) files to initiate the infection process. Once executed, the shortcut creates a malicious HTML Application (HTA) inside the temporary directory of the victim’s system.
This HTA file then loads a remote script hosted on Pastefy, a legitimate paste service often abused for command distribution. Meanwhile, the attackers establish persistence by copying the malicious shortcut into the Windows Startup folder, ensuring the malware automatically runs whenever the system restarts.
The decoy content also displays URLs referencing topics popular in Ukraine, such as Starlink installations or charitable organizations, increasing the likelihood that victims trust the content and proceed with execution.
Microsoft Edge Headless Mode Enables Stealth Access
After the malicious script loads, the attackers launch Microsoft Edge in headless mode, meaning the browser runs silently in the background without displaying a visible window.
The browser is executed with several debugging parameters that weaken security protections. These parameters allow the attackers to bypass normal browser restrictions and access system resources without user approval.
Through this technique, the DRILLAPP backdoor gains the ability to:
- Upload and download files from the infected system
- Capture screenshots of the device
- Record audio from the microphone
- Activate the webcam to capture images
- Access files stored on the local system
Because these actions occur within a legitimate browser process, traditional security tools may struggle to identify the behavior as malicious.
Device Fingerprinting and Command-and-Control Communication
Once deployed, DRILLAPP generates a unique fingerprint of the infected device using canvas fingerprinting techniques. The malware also collects geographic indicators by analyzing the system’s time zone.
The collected data is then transmitted to attacker-controlled infrastructure. Instead of directly connecting to a fixed command server, the malware retrieves a WebSocket command-and-control (C2) address from Pastefy, which acts as a dead-drop resolver. This approach makes the infrastructure more difficult to track and disrupt.
Second Variant Introduces Advanced Capabilities
A second version of the campaign, discovered later in February 2026, replaced the LNK delivery method with Windows Control Panel modules, while maintaining a similar infection flow.
However, the updated backdoor introduces more advanced capabilities, including:
- Recursive enumeration of files across directories
- Batch file uploads to attacker servers
- Arbitrary file downloads onto compromised machines
To enable file downloads through JavaScript, attackers leverage the Chrome DevTools Protocol (CDP), the debugging interface exposed by Chromium-based browsers. By activating the remote debugging port, the malware bypasses browser restrictions and gains extended control over system operations.
Why Browser-Based Malware Is Dangerous
One of the most notable aspects of this campaign is the deliberate use of a web browser as the execution environment for a backdoor. Browsers are trusted applications that regularly access system resources such as cameras, microphones, and storage.
By abusing debugging features within a legitimate browser, attackers can perform intrusive surveillance activities while blending into normal system behavior. As a result, this technique highlights a growing trend where threat actors weaponize legitimate tools and applications to avoid detection.
For organizations, especially those operating in geopolitically sensitive environments, the campaign underscores the importance of monitoring unusual browser execution parameters, restricting debugging features, and detecting suspicious use of system startup mechanisms.
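To make that monitoring guidance concrete, the following is an added example, not code from the article or from the researchers who reported the campaign. It triages constructed, Sysmon-style process-creation and file-creation events for the three behaviours the article describes: a Chromium-based browser launched headless with a remote-debugging port (checked for Chrome as well as Edge, a generalization of the Edge-only case above), mshta.exe running an HTA from a temporary directory, and a shortcut written into the Startup folder. The event field names, user names, file names, URLs and the port number are constructed placeholders and assumptions, not indicators from the campaign.

```python
"""Triage constructed Windows endpoint events for the DRILLAPP-style chain
described in the article: HTA run from Temp, Edge/Chrome launched headless
with a remote-debugging port, and a shortcut dropped into the Startup folder.
Added example; event fields loosely follow Sysmon's Event 1 (process create)
and Event 11 (file create) but are a constructed schema, not vendor telemetry."""

import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe"}
CHROMIUM_BROWSERS = {"msedge.exe", "chrome.exe"}
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
STARTUP_DIR = "\\start menu\\programs\\startup\\"


@dataclass
class Finding:
    rule: str
    severity: str
    index: int      # position of the offending event in the input list
    detail: str


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def switches(command_line: str) -> set[str]:
    """Chromium switch names on the command line, values stripped, so that
    '--headless=new' and '--remote-debugging-port=9222' both match."""
    return {s.lower() for s in re.findall(r"--[a-z0-9-]+", command_line, re.IGNORECASE)}


def check_headless_debug_browser(i, ev):
    # Headless alone is common automation; the pair with remote debugging is the
    # signal, and a script-host parent raises it further.
    if ev.get("EventID") != 1 or basename(ev.get("Image", "")) not in CHROMIUM_BROWSERS:
        return None
    sw = switches(ev.get("CommandLine", ""))
    if "--headless" not in sw or "--remote-debugging-port" not in sw:
        return None
    parent = basename(ev.get("ParentImage", ""))
    severity = "high" if parent in SCRIPT_HOSTS else "medium"
    return Finding("headless_browser_remote_debugging", severity, i,
                   f"{basename(ev['Image'])} headless with remote debugging, parent {parent or 'unknown'}")


def check_hta_from_temp(i, ev):
    if ev.get("EventID") != 1 or basename(ev.get("Image", "")) != "mshta.exe":
        return None
    cmd = ev.get("CommandLine", "").lower()
    if not any(t in cmd for t in TEMP_DIRS):
        return None
    return Finding("hta_executed_from_temp", "high", i, "mshta.exe running an HTA from a temp directory")


def check_startup_lnk(i, ev):
    if ev.get("EventID") != 11:
        return None
    target = ev.get("TargetFilename", "").lower()
    if not target.endswith(".lnk") or STARTUP_DIR not in target:
        return None
    return Finding("startup_folder_shortcut_written", "medium", i, f"shortcut written to Startup: {target}")


RULES = (check_headless_debug_browser, check_hta_from_temp, check_startup_lnk)


def triage(events):
    """Run every rule over every event; return findings in event order."""
    return [f for i, ev in enumerate(events) for rule in RULES if (f := rule(i, ev))]


# Constructed sample events (not real telemetry). Paths, user, file names and
# URLs are placeholders.
SAMPLE_EVENTS = [
    # Benign: user opens Edge from Explorer.
    {"EventID": 1, "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://example.test/'},
    # Benign: developer's headless print job, no remote debugging -> no alert.
    {"EventID": 1, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"chrome.exe --headless=new --print-to-pdf=out.pdf https://example.test/"},
    # Suspicious: HTA executed from the user's Temp directory.
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"mshta.exe C:\Users\victim\AppData\Local\Temp\decoy.hta"},
    # Suspicious: Edge headless with remote debugging, spawned by the script host.
    {"EventID": 1, "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"msedge.exe --headless=new --remote-debugging-port=9222 https://example.test/loader"},
    # Suspicious: shortcut written into the Startup folder for persistence.
    {"EventID": 11, "Image": r"C:\Windows\System32\mshta.exe",
     "TargetFilename": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.severity}] event {f.index}: {f.rule}: {f.detail}")
```

The rules are deliberately narrow: headless browsing by itself is ordinary automation, and remote debugging by itself is ordinary development, so the browser rule fires only on the combination and escalates when the parent is a script host such as mshta.exe, which is exactly the parent the LNK-to-HTA chain above would produce.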