A Russian-attributed threat actor, Laundry Bear (UAC-0190/Void Blizzard), is running an active espionage campaign against Ukrainian entities using DRILLAPP, a JavaScript backdoor that runs entirely inside Microsoft Edge in headless mode. The malware exploits Edge’s remote debugging port and Chrome DevTools Protocol to bypass JavaScript security restrictions, enabling covert file access, microphone capture, webcam recording, and screen capture without triggering standard AV alerts. Two distinct campaign iterations were observed in February 2026, with the malware still actively evolving — making this an emerging, not fully mature, threat requiring immediate detection coverage.
DRILLAPP’s core technique is a deliberate abuse of legitimacy: by running inside a common, trusted browser process, the malware sidesteps endpoint detection tools that would flag a standalone executable performing the same actions. Microsoft Edge is launched in headless mode with an explicit set of security-disabling flags — including `--no-sandbox`, `--disable-web-security`, `--allow-file-access-from-files`, `--use-fake-ui-for-media-stream`, `--auto-select-screen-capture-source=true`, and `--disable-user-media-security` — effectively creating a browser instance that behaves like a remote access trojan. None of these capabilities requires a kernel exploit or privilege escalation. The attacker weaponizes browser features that already exist. This is a process-abuse pattern, not a vulnerability exploitation, which makes signature-based detection significantly harder.
The Chrome DevTools Protocol (CDP) is the technical pivot that separates DRILLAPP from simpler browser-based threats. Standard JavaScript sandboxing prevents remote file downloads, a fundamental browser security boundary. By enabling the `--remote-debugging-port` parameter, the attacker activates CDP, an internal Chromium protocol designed for developer tooling. CDP allows the attacker to issue commands — file reads, batch uploads, arbitrary downloads — that normal JavaScript cannot execute. This is not a bug in Edge; it is a deliberate misuse of a debugging interface that most enterprise environments leave unrestricted. Organizations that do not audit browser launch parameters or monitor CDP port activity have no native alerting for this behavior. Security teams should treat any production instance of msedge.exe launched with `--remote-debugging-port` as an immediate triage priority.
The infection chain shows deliberate operational tradecraft. Version 1, observed in early February 2026, uses LNK files to drop an HTA into the Windows temp folder, establishes persistence via the Windows Startup folder, and loads an obfuscated remote script from Pastefy — a legitimate paste service used as a dead drop resolver. Pastefy returns a WebSocket URL for C2 communications, keeping the initial payload off the attacker’s own infrastructure and complicating network-based blocking. The malware generates a canvas fingerprint on first execution to uniquely identify the victim device and transmits timezone data to profile the target’s geography. Version 2, detected in late February 2026, replaces LNK files with Windows Control Panel modules (.cpl), adds recursive file enumeration, batch upload capability, and arbitrary file download — indicating rapid iteration between campaigns. An earlier artifact from January 28, 2026, communicating only with gnome[.]com, suggests the malware was in testing before the February campaigns began. The shift from LNK to CPL files in version 2 specifically suggests the actors are adapting to defenses or telemetry that flagged their initial delivery method.
The connection to Laundry Bear (also tracked as UAC-0190 and Void Blizzard) places DRILLAPP in a documented lineage targeting Ukrainian defense entities. The prior campaign from this actor used PLUGGYAPE malware, and the lure themes — Starlink installation and the Come Back Alive Foundation charity — are precisely calibrated to Ukrainian users in defense-adjacent roles. This is not opportunistic targeting. The timezone fingerprinting logic, which checks for Ukraine, Russia, UK, Germany, France, and ten other countries, suggests the actor is profiling victims by geography before committing further resources. Security teams monitoring Russian state-sponsored activity against Ukraine, NATO members, or defense supply chains should treat this campaign as high-priority attribution intelligence.
One significant analytical gap in the available source material is the absence of confirmed IOCs beyond the domain gnome[.]com and the Pastefy dead drop mechanism. No hash values, specific Pastefy URLs, WebSocket C2 endpoints, or CPL file indicators are published in the LAB52 report as summarized. This limits immediate IOC-based detection. Detection engineering efforts should therefore prioritize behavioral rules: Edge or Chrome processes launched with `--remote-debugging-port` combined with `--disable-web-security`; HTA or CPL file creation in temp directories followed by browser process spawning; outbound WebSocket connections initiated by browser processes; and LNK or CPL files placed in the Windows Startup folder by non-installer processes. These behavioral patterns are durable across DRILLAPP versions and would catch future iterations that change file hashes or C2 infrastructure.
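The four behavioral rules above, expressed as detection logic and run over a handful of constructed telemetry events. This is an added example, not code from the LAB52 report or from the DRILLAPP analysis; the event schema (a flat dict per `process_create`, `file_create` and `net_connect` event, with `ts`, `pid`, `image`, `cmdline`, `path`, `dest` and `http_upgrade` fields) is an assumption loosely modelled on Sysmon-style and proxy telemetry, the `INSTALLER_IMAGES` allowlist and the 300-second stager-to-browser window are tuning assumptions, and the WebSocket rule assumes a proxy or EDR that records the HTTP `Upgrade` header. The sample events, including the TEST-NET address `203.0.113.10`, are constructed.

```python
import re
from pathlib import PureWindowsPath

BROWSERS = {"msedge.exe", "chrome.exe"}
# Launch flags named in the report. --remote-debugging-port is the CDP enabler
# and is handled separately; the rest weaken the browser's own boundaries.
WEAKENING_FLAGS = {
    "--headless", "--no-sandbox", "--disable-web-security",
    "--allow-file-access-from-files", "--use-fake-ui-for-media-stream",
    "--auto-select-screen-capture-source", "--disable-user-media-security",
}
INSTALLER_IMAGES = {"msiexec.exe", "setup.exe"}   # assumption: tune per estate
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")
STARTUP_MARKER = "\\start menu\\programs\\startup\\"

# Constructed sample telemetry: a stager dropped in Temp, a Startup shortcut,
# a hardened-off headless Edge, its WebSocket egress, then two benign events.
SAMPLE_EVENTS = [
    {"ts": 0, "type": "file_create", "pid": 3300, "image": r"C:\Windows\System32\cmd.exe",
     "path": r"C:\Users\alice\AppData\Local\Temp\invoice.hta"},
    {"ts": 1, "type": "file_create", "pid": 3300, "image": r"C:\Windows\System32\cmd.exe",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"ts": 2, "type": "process_create", "pid": 4120, "ppid": 3300,
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless '
                r'--no-sandbox --disable-web-security --remote-debugging-port=9222 '
                r'--allow-file-access-from-files --use-fake-ui-for-media-stream'},
    {"ts": 5, "type": "net_connect", "pid": 4120,
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "dest": "203.0.113.10:443", "http_upgrade": "websocket"},
    # Benign: a developer's Chrome with only the debugging port (medium, not high).
    {"ts": 900, "type": "process_create", "pid": 5001, "ppid": 4000,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222'},
    # Benign: an installer writing a Startup shortcut (allowlisted image).
    {"ts": 950, "type": "file_create", "pid": 6002, "image": r"C:\Windows\System32\msiexec.exe",
     "path": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Agent.lnk"},
]

def basename(path):
    return PureWindowsPath(path).name.lower()

def flags_in(cmdline):
    """Return the set of --flag names in a command line, with any =value stripped."""
    return {m.split("=")[0].lower() for m in re.findall(r"--[\w-]+(?:=\S*)?", cmdline)}

def check_debug_flags(ev):
    """Rule 1: browser launched with CDP enabled; high if web security is also off."""
    if ev["type"] != "process_create" or basename(ev["image"]) not in BROWSERS:
        return None
    flags = flags_in(ev["cmdline"])
    if "--remote-debugging-port" not in flags:
        return None
    severity = "high" if "--disable-web-security" in flags else "medium"
    return {"rule": "browser_remote_debugging", "severity": severity,
            "pid": ev["pid"], "flags": sorted(flags & WEAKENING_FLAGS)}

def check_browser_websocket(ev):
    """Rule 3: outbound WebSocket upgrade initiated by a browser process."""
    if ev["type"] != "net_connect" or basename(ev["image"]) not in BROWSERS:
        return None
    if ev.get("http_upgrade", "").lower() != "websocket":
        return None
    return {"rule": "browser_websocket_egress", "severity": "medium",
            "pid": ev["pid"], "dest": ev["dest"]}

def check_startup_persistence(ev):
    """Rule 4: LNK/CPL written to the Startup folder by a non-installer process."""
    if ev["type"] != "file_create":
        return None
    path = ev["path"].lower()
    if STARTUP_MARKER not in path or not path.endswith((".lnk", ".cpl")):
        return None
    if basename(ev["image"]) in INSTALLER_IMAGES:
        return None
    return {"rule": "startup_folder_drop", "severity": "medium",
            "pid": ev["pid"], "path": ev["path"]}

def check_stager_then_browser(events, window_s=300):
    """Rule 2: HTA/CPL created in a temp directory, then a browser spawned within the window."""
    findings = []
    stagers = [e for e in events if e["type"] == "file_create"
               and e["path"].lower().endswith((".hta", ".cpl"))
               and any(m in e["path"].lower() for m in TEMP_MARKERS)]
    for stager in stagers:
        for e in events:
            if (e["type"] == "process_create" and basename(e["image"]) in BROWSERS
                    and 0 <= e["ts"] - stager["ts"] <= window_s):
                findings.append({"rule": "temp_stager_then_browser", "severity": "high",
                                 "pid": e["pid"], "stager": stager["path"]})
    return findings

def run_rules(events):
    findings = []
    for ev in events:
        for check in (check_debug_flags, check_browser_websocket, check_startup_persistence):
            hit = check(ev)
            if hit:
                findings.append(hit)
    findings.extend(check_stager_then_browser(events))
    return findings

def correlate(findings):
    """Group rule hits by pid; a process tripping several rules is the triage priority."""
    by_pid = {}
    for f in findings:
        by_pid.setdefault(f["pid"], []).append(f["rule"])
    return by_pid

if __name__ == "__main__":
    for pid, rules in correlate(run_rules(SAMPLE_EVENTS)).items():
        print(pid, rules)
```

The flag rule is deliberately two-tiered: a developer's `--remote-debugging-port` on its own is a medium-severity anomaly to confirm, while the combination with `--disable-web-security` (and the other weakening flags the report lists) is the high-confidence signal. The correlation step is what makes the rules durable across versions: the headless Edge process in the sample trips three independent rules, none of which depends on a hash, a Pastefy URL or a C2 endpoint.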
- Hunt for browser debug flag abuse immediately: any Edge or Chrome process launched with `--remote-debugging-port` and `--disable-web-security` in your environment is a high-confidence triage signal, not a developer anomaly worth ignoring.
- Block or alert on Pastefy (pastefy.app) at the network perimeter — the campaign uses it as a dead drop resolver to retrieve WebSocket C2 URLs, making it a detectable infrastructure dependency that does not require knowing specific payload URLs.
- Version 2’s shift from LNK to CPL delivery confirms the actor monitors and adapts to detection; update detection rules to cover both Windows Startup folder persistence via LNK files and Control Panel module (.cpl) file creation in temp directories.
- Canvas fingerprinting on first execution followed by timezone exfiltration is a behavioral indicator of DRILLAPP’s reconnaissance phase — endpoint telemetry that captures browser-initiated canvas API calls combined with outbound WebSocket traffic deserves a correlation rule.
- Organizations supporting Ukrainian defense, defense industry supply chains, or operating in the lure-relevant verticals (humanitarian aid, satellite communications) should treat this campaign as actively targeting their user population and brief staff on themed social engineering lures.