
DRILLAPP Backdoor Targets Ukraine, Leveraging Microsoft Edge Debugging for Covert Espionage

A sophisticated cyber-espionage campaign targeting Ukrainian entities has been uncovered, with threat intelligence analysts attributing the activity to actors likely linked to Russia. According to a detailed report from the LAB52 threat intelligence team at Spanish cybersecurity firm S2 Grupo, the campaign, observed in February 2026, deploys a novel JavaScript-based backdoor codenamed DRILLAPP. This malware uniquely abuses the debugging and command-line features of the Microsoft Edge web browser to operate stealthily, enabling a wide range of espionage capabilities including file exfiltration, audio recording via microphone, and image capture through the webcam.

The attack methodology employs socially engineered lures themed around judicial matters and charitable causes, specifically referencing the installation of Starlink services or donations to the Ukrainian "Come Back Alive Foundation." The initial infection vector involves a Windows shortcut (LNK) file, which, when executed, creates an HTML Application (HTA) in the system's temporary folder. This HTA subsequently loads a remote, obfuscated JavaScript payload hosted on the legitimate Pastefy paste service. For persistence, the malicious LNK files are copied to the Windows Startup folder, ensuring the backdoor is re-activated after every system reboot.

A critical technical aspect of this campaign is the abuse of Microsoft Edge's command-line switches. The browser is executed in headless mode with parameters such as `--no-sandbox`, `--disable-web-security`, and `--allow-file-access-from-files`. More invasively, switches like `--use-fake-ui-for-media-stream` and `--disable-user-media-security` are used to silently grant the malicious script access to the system's microphone, camera, and screen-capture functionality without triggering any user consent prompts. This technique effectively turns the Edge browser into a powerful, stealthy surveillance tool.

The campaign has been assessed to share significant overlaps with previous activities attributed to the threat group known as Laundry Bear (also tracked as UAC-0190 or Void Blizzard), which previously targeted Ukrainian defense forces with the PLUGGYAPE malware. The reuse of thematic lures and similar attack chains suggests a continuous evolution of tactics by a persistent adversary focused on intelligence gathering within Ukraine. The use of a legitimate service like Pastefy for hosting command-and-control scripts highlights a trend towards "living-off-the-land" techniques that blend malicious activity with normal network traffic to evade detection.

This incident underscores a growing sophistication in browser-based attacks, where trusted applications are weaponized through their own features. It serves as a critical reminder for organizations, especially in high-risk sectors and regions, to implement robust application control policies, monitor for unusual command-line arguments in browser executions, and maintain heightened awareness of phishing campaigns that exploit current events and humanitarian themes. Defense-in-depth strategies must evolve to counter these living-off-the-land binaries (LOLBins) and software abuses.
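The mitigation above ("monitor for unusual command-line arguments in browser executions") can be turned into a concrete detection rule. The following Python is an added example, not code from the LAB52 report or from S2 Grupo: it scans process-creation events (Sysmon Event ID 1 style fields, which is an assumption about the telemetry format) for Edge launches that combine headless mode with the security- and media-bypass switches named in the report, and grades the finding. The sample events are constructed for illustration; the `chrome.exe` entry in `BROWSERS` is an assumption that other Chromium-based browsers honour the same switches.

```python
import shlex
from dataclasses import dataclass

# Switches named in the report. The media switches suppress the camera/microphone
# consent prompt; the others weaken the renderer sandbox and same-origin policy.
SECURITY_BYPASS = {
    "--no-sandbox",
    "--disable-web-security",
    "--allow-file-access-from-files",
}
MEDIA_BYPASS = {
    "--use-fake-ui-for-media-stream",
    "--disable-user-media-security",
}
# Assumption: Chromium-based browsers share these switches, so chrome.exe is included.
BROWSERS = {"msedge.exe", "chrome.exe"}


@dataclass
class Finding:
    pid: int
    severity: str   # "high", "medium" or "low"
    switches: list  # the offending switches, for the analyst's triage notes


def extract_switches(cmdline: str) -> set:
    """Return the set of `--switch` names (values after '=' stripped) in a Windows command line."""
    try:
        # posix=False keeps quoted paths such as "C:\Program Files\..." as one token
        tokens = shlex.split(cmdline, posix=False)
    except ValueError:            # unbalanced quotes: fall back to whitespace split
        tokens = cmdline.split()
    return {t.split("=", 1)[0].lower() for t in tokens if t.startswith("--")}


def image_name(path: str) -> str:
    """Lower-cased file name of an image path, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: dict):
    """Grade one process-creation event; returns a Finding or None.

    `event` carries 'pid', 'image' and 'command_line' (Sysmon Event ID 1 style).
    Media-bypass switches together with --headless are the strongest signal,
    because that is exactly the silent-surveillance configuration described.
    """
    if image_name(event["image"]) not in BROWSERS:
        return None
    switches = extract_switches(event["command_line"])
    media = sorted(switches & MEDIA_BYPASS)
    bypass = sorted(switches & SECURITY_BYPASS)
    headless = "--headless" in switches      # also matches --headless=new
    if not media and not bypass:
        return None
    if media and headless:
        severity = "high"
    elif media or (headless and bypass):
        severity = "medium"
    else:
        severity = "low"                     # e.g. a lone --no-sandbox from test automation
    return Finding(event["pid"], severity, media + bypass)


def scan(events):
    """Run evaluate() over an iterable of events and keep the findings."""
    return [f for f in (evaluate(e) for e in events) if f is not None]


# Constructed sample telemetry: one benign launch, one benign headless run,
# one launch matching the reported switch set, an unrelated process, and a lone --no-sandbox.
SAMPLE_EVENTS = [
    {"pid": 1, "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "command_line": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default'},
    {"pid": 2, "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "command_line": r'"C:\...\msedge.exe" --headless=new --disable-gpu --dump-dom https://example.invalid/'},
    {"pid": 3, "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "command_line": r'"C:\...\msedge.exe" --headless --no-sandbox --disable-web-security '
                     r'--allow-file-access-from-files --use-fake-ui-for-media-stream '
                     r'--disable-user-media-security file:///C:/Users/victim/AppData/Local/Temp/constructed.html'},
    {"pid": 4, "image": r"C:\Windows\System32\notepad.exe",
     "command_line": r'notepad.exe --use-fake-ui-for-media-stream'},
    {"pid": 5, "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "command_line": r'"C:\...\msedge.exe" --no-sandbox --remote-debugging-port=9222'},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"pid={finding.pid} severity={finding.severity} switches={finding.switches}")
```

Only the third and fifth events produce findings: the third is graded high because it combines `--headless` with both media-bypass switches, while the fifth is graded low because a lone `--no-sandbox` is common in test automation. In production the rule should additionally record the parent process, since a browser spawned from a script host rather than from the shell or the user's session is itself worth a look.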
