Natalia Khandusenko, Hot News
16 March 2026, 17:01
Russian hackers turned Microsoft Edge browser into a tool for covert surveillance of Ukrainian organizations
Ukrainian institutions have been targeted by a new cyber campaign. According to experts from the Spanish security company S2 Grupo LAB52, Russian hackers are likely behind the attacks.
The campaign, recorded in February 2026, shares features with a previous operation by the Laundry Bear group (also known as UAC-0190 or Void Blizzard), which was directed against the Ukrainian Defense Forces using a malware family called PLUGGYAPE, The Hacker News writes.
This attack “uses a variety of legal and charity-themed lures to deploy a JavaScript-based backdoor that runs through the Edge browser.” The malware, dubbed DRILLAPP, is capable of uploading and downloading files, as well as using the microphone and taking pictures via the webcam, by exploiting the web browser’s features.
Two different versions of this campaign have been identified. The first iteration, discovered in early February, was implemented using a Windows shortcut (LNK file) that creates an HTML application (HTA) in a temporary folder. This application, in turn, downloads a remote script hosted on Pastefy, a legitimate text-sharing service.
To ensure persistence, LNK files are copied to the Windows startup folder so that they automatically launch upon system reboot. The attack chain then displays a URL containing baits related to the installation of Starlink or the "Return Alive" charity.
The HTML file is eventually executed through the Microsoft Edge browser in headless mode, which then downloads a remote obfuscated script hosted on Pastefy.
The browser is run with additional options such as --no-sandbox, --disable-web-security, --allow-file-access-from-files, --use-fake-ui-for-media-stream, --auto-select-screen-capture-source=true, and --disable-user-media-security, which give it access to the local file system, as well as to the camera, microphone, and screen capture, without requiring any user interaction.
This malicious file actually acts as a lightweight backdoor, providing access to the file system, as well as allowing recording of audio from the microphone, video from the camera, and taking screenshots of the device — all through the browser. When first launched, it also creates a “digital fingerprint” of the device using a technique called canvas fingerprinting, and uses Pastefy as a lookup service to retrieve the WebSocket URL it uses to communicate with the control server.
The malware transmits the device fingerprint along with the victim’s country, which is determined from the machine’s time zone. It specifically checks whether the time zone matches the UK, Russia, Germany, France, China, Japan, USA, Brazil, India, Ukraine, Canada, Australia, Italy, Spain, or Poland. If none matches, it defaults to the US.
The second version of the campaign, spotted in late February 2026, was implemented without the use of LNK files — instead, the attackers used Windows Control Panel modules, but the overall infection sequence remained almost the same. Another notable change was the update of the backdoor itself: it now allows for recursive file enumeration, batch file uploads to the server, and arbitrary file uploads to the device.
“For security reasons, JavaScript does not allow remote file uploads,” LAB52 noted. “That’s why attackers are using the Chrome DevTools Protocol (CDP), an internal protocol in Chromium-based browsers that can only be used when the --remote-debugging-port option is enabled.”
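The launch switches listed above and the --remote-debugging-port option are the most concrete observables in this report, so a defender's first step is a rule over process-creation telemetry. The following is an added example, not code from the report or from LAB52: it scores Sysmon-style events (constructed here, with a constructed port, lure path and set of browser image names as assumptions) and alerts only when a headless Chromium browser is started with sandbox, media-prompt or debugging switches together.

```python
import re

# Chromium switches the report says DRILLAPP passes to headless Edge, grouped by
# the capability each group unlocks (sandbox/same-origin bypass, silent media, CDP).
SANDBOX_SWITCHES = {"--no-sandbox", "--disable-web-security", "--allow-file-access-from-files"}
MEDIA_SWITCHES = {"--use-fake-ui-for-media-stream", "--auto-select-screen-capture-source",
                  "--disable-user-media-security"}
CDP_SWITCHES = {"--remote-debugging-port"}
# Assumption: process images to treat as Chromium-based browsers.
BROWSER_IMAGES = {"msedge.exe", "chrome.exe", "chromium.exe"}

# A switch name starts at a token boundary with '--' and ends before '=' or whitespace.
SWITCH_RE = re.compile(r"(?<!\S)--[a-z0-9-]+", re.IGNORECASE)


def switch_names(cmdline: str) -> set[str]:
    """Switch names ('--foo', value stripped, lower-cased) found in a command line."""
    return {m.lower() for m in SWITCH_RE.findall(cmdline)}


def assess(event: dict) -> dict:
    """Score one process-creation event with Sysmon-like fields Image and CommandLine.

    Returns the switches matched per group; 'alert' is True only for a headless
    browser launch that also hits at least one of the three switch groups."""
    image = event["Image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if image not in BROWSER_IMAGES:
        return {"alert": False, "reason": "not a browser image"}
    found = switch_names(event["CommandLine"])
    hits = {"headless": "--headless" in found,
            "sandbox": sorted(found & SANDBOX_SWITCHES),
            "media": sorted(found & MEDIA_SWITCHES),
            "cdp": sorted(found & CDP_SWITCHES)}
    hits["alert"] = hits["headless"] and bool(hits["sandbox"] or hits["media"] or hits["cdp"])
    return hits


# Constructed sample events (port 9222 and lure.html are placeholders, not from the report):
# the first mimics the launch pattern described above, the second is a normal interactive
# Edge start, the third is a developer using CDP without headless mode.
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_EVENTS = [
    {"Image": EDGE, "CommandLine": f'"{EDGE}" --headless --no-sandbox --disable-web-security '
     r"--allow-file-access-from-files --use-fake-ui-for-media-stream "
     r"--auto-select-screen-capture-source=true --disable-user-media-security "
     r"--remote-debugging-port=9222 C:\Users\victim\AppData\Local\Temp\lure.html"},
    {"Image": EDGE, "CommandLine": f'"{EDGE}" --profile-directory=Default'},
    {"Image": CHROME, "CommandLine": f'"{CHROME}" --remote-debugging-port=9222'},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["Image"].rsplit("\\", 1)[-1], assess(ev))
```

Tuning note: the second and third samples show why the rule keys on --headless plus a switch group rather than on any single switch, since developers legitimately use --remote-debugging-port alone.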
This backdoor is believed to be still in its early stages of development. An early version of the malware, discovered in the public domain on January 28, 2026, only communicated with the domain "gnome[.]com" instead of downloading the main payload from Pastefy.
"One of the most notable aspects is the use of a browser to deploy a backdoor, which suggests that attackers are exploring new ways to evade detection," the Spanish cyber experts added.
"The browser is a beneficial tool for this type of activity because it is a common and usually unsuspecting process. It offers advanced capabilities, accessible through debugging options, that allow dangerous actions such as downloading remote files. In addition, it provides legitimate access to sensitive resources such as the microphone, camera, or screen recording without triggering immediate system alerts."