DRILLAPP
DRILLAPP is a newly reported backdoor malware family observed in February 2026 targeting Ukrainian organizations. Reporting attributes the activity with low confidence to the Russian-aligned threat actor Laundry Bear, also tracked as UAC-0190 and Void Blizzard, based on overlaps with earlier CERT-UA-reported tradecraft including charity-themed lures and use of public text-sharing services.
The malware was delivered in at least two observed variants. The first variant used LNK files that created HTML files in the temporary folder and loaded obfuscated scripts from pastefy.app. Lure themes included Starlink installation images and Come Back Alive charity requests. A later variant switched to CPL files while retaining similar behavior; its lure themes included a weapons seizure report and a document from the Southern Office of Ukraine’s State Audit Service displayed via the National Guard’s website.
DRILLAPP abuses Microsoft Edge headless mode and debugging features for stealth and capability expansion. It launches the browser with insecure parameters including --no-sandbox, --disable-web-security, --allow-file-access-from-files, --use-fake-ui-for-media-stream, --auto-select-screen-capture-source=true, and --disable-user-media-security. These settings enable local file access and automatically grant permissions for camera, microphone, and screen capture without user interaction. Reported capabilities include file system access, microphone audio capture, camera video capture, screen capture, generation of a hashed device fingerprint, time-zone checks, and WebSocket-based command-and-control.
The second variant added recursive file listing, batch uploads, and remote file download functionality. Operators also abused the Chrome DevTools Protocol via the browser remote-debugging port to bypass JavaScript restrictions on file downloads, modify the download path, and inject a script simulating user clicks to retrieve files from a remote server. Researchers assessed DRILLAPP as an early-stage malware family used in ongoing espionage against Ukrainian targets. Mentioned infrastructure and artifacts include pastefy.app for script retrieval and a related sample uploaded from Russia on 2026-01-28 that used a similar infection chain and connected to gnome.com instead of downloading the backdoor.
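The flag set described above is the most concrete detection handle this profile offers: a Chromium-based browser started headless together with switches that turn off the sandbox, same-origin policy, media-permission prompts or expose the remote-debugging port is rare in normal user activity. The following is an added example, not code from any vendor report or from the DRILLAPP samples; it scans constructed Sysmon-style process-creation events (dicts with `Image`, `CommandLine`, `ParentImage`, all sample values invented here) for that combination. `--headless` and `--remote-debugging-port` are real Chromium switches that the page refers to by name only ("headless mode", "remote-debugging port"); the browser image list is an assumption.

```python
"""Flag headless Edge/Chrome launches that carry the insecure switches described in the write-up.

Added example for this profile; not taken from any vendor report or malware sample.
Input events are constructed Sysmon-style dicts (Image, CommandLine, ParentImage).
"""
from __future__ import annotations
import ntpath

# Chromium-based browser executables to consider (assumed list, extend for your estate).
BROWSER_IMAGES = {"msedge.exe", "chrome.exe"}

# Switches named in the profile plus the remote-debugging switch it refers to, keyed to
# what each one weakens. Any '=value' suffix is stripped before matching.
INSECURE_SWITCHES = {
    "--no-sandbox": "renderer sandbox off",
    "--disable-web-security": "same-origin policy off",
    "--allow-file-access-from-files": "file:// pages may read local files",
    "--use-fake-ui-for-media-stream": "camera/microphone prompt auto-accepted",
    "--auto-select-screen-capture-source": "screen-capture picker auto-selected",
    "--disable-user-media-security": "media-capture security checks off",
    "--remote-debugging-port": "DevTools protocol exposed on a TCP port",
}


def parse_switches(command_line: str) -> set[str]:
    """Return every '--' switch in a command line with its '=value' part removed."""
    switches: set[str] = set()
    for token in command_line.split():
        tok = token.strip('"').lower()
        if tok.startswith("--"):
            switches.add(tok.split("=", 1)[0])
    return switches


def assess_launch(event: dict) -> dict:
    """Score one process-creation event; 'suspicious' is True for the profile's launch pattern."""
    image = ntpath.basename(event.get("Image", "")).lower()
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    switches = parse_switches(event.get("CommandLine", ""))
    if image not in BROWSER_IMAGES:
        return {"suspicious": False, "headless": False, "hits": [], "parent": parent, "weakens": []}
    hits = sorted(s for s in switches if s in INSECURE_SWITCHES)
    headless = "--headless" in switches
    # Headless plus any insecure switch, or two or more insecure switches in any mode.
    suspicious = bool(hits) and (headless or len(hits) >= 2)
    return {
        "suspicious": suspicious,
        "headless": headless,
        "hits": hits,
        "parent": parent,
        "weakens": [INSECURE_SWITCHES[h] for h in hits],
    }


def scan(events: list[dict]) -> list[dict]:
    """Return the assessments of all suspicious events, each tagged with the source event."""
    findings = []
    for ev in events:
        result = assess_launch(ev)
        if result["suspicious"]:
            result["event"] = ev
            findings.append(result)
    return findings


# Constructed sample events (paths, ports and parents are invented for the example).
SAMPLE_EVENTS = [
    {   # ordinary interactive browser start: not flagged
        "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default https://example.com',
    },
    {   # headless launch with the profile's insecure switch set: flagged
        "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless --no-sandbox '
                       r"--disable-web-security --allow-file-access-from-files --use-fake-ui-for-media-stream "
                       r"--auto-select-screen-capture-source=true --disable-user-media-security "
                       r"--remote-debugging-port=9222 file:///C:/Users/user/AppData/Local/Temp/page.html",
    },
    {   # developer automation (Node-driven headless Chrome): flagged, but parent shows it is tooling
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "ParentImage": r"C:\Program Files\nodejs\node.exe",
        "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless=new --remote-debugging-port=9222 --no-sandbox',
    },
    {   # non-browser process using --no-sandbox: ignored
        "Image": r"C:\Users\user\AppData\Local\SomeApp\someapp.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'"C:\Users\user\AppData\Local\SomeApp\someapp.exe" --no-sandbox',
    },
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"parent={f['parent']} headless={f['headless']} hits={f['hits']}")
```

The rule fires on the third sample as well, which is the expected false-positive source: browser-automation frameworks legitimately start headless Chrome with the debugging port open. The `parent` field is returned so that a SIEM rule built on this logic can allowlist known automation parents (for example a build agent's Node or Python runtime) rather than the switches themselves, since an attacker-launched browser looks identical on the command line.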
Groups observed using it
1 distinct threat actor attributed by public researchers.
Codenamed DRILLAPP, the malware is capable of uploading and downloading files, leveraging the microphone, and capturing images through the webcam by taking advantage of the web browser's features.
Techniques & procedures
15 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique
The first DRILLAPP variant, seen in early February, spreads via LNK files that create HTML files in the temp folder, loading obfuscated scripts from pastefy.app. Lures range from Starlink installation images to Come Back Alive charity requests.
Execution
2 techniques
The first DRILLAPP variant, seen in early February, spreads via LNK files that create HTML files in the temp folder, loading obfuscated scripts from pastefy.app.
The second variant, detected in late February 2026, replaces LNK files with CPL files, Control Panel modules that act as executable DLLs.
Stealth
2 techniques
The browser is advantageous for this type of activity because it is a common and generally non-suspicious process.
Discovery
3 techniques
It generates a hashed device fingerprint, detects select time zones, and connects to a WebSocket C2 for remote control.
The backdoor adds new capabilities such as recursive file listing, batch uploads, and remote file downloads.
Collection
4 techniques
Using deobfuscation techniques, it has been possible to partially recover the code of the artifact, which functions as a lightweight backdoor allowing the attacker to access the file system.
These settings allow local file access and automatically grant permissions for the camera, microphone, and screen capture without user interaction.
Command and Control
3 techniques
It generates a hashed device fingerprint, detects select time zones, and connects to a WebSocket C2 for remote control.
These include the use of charity-themed lures or the hosting of operational artifacts on public text-sharing services.
A January 28 sample uploaded from Russia shows a similar infection chain but connects to gnome.com instead of downloading the backdoor.
Exfiltration
1 technique
The backdoor adds new capabilities such as recursive file listing, batch uploads, and remote file downloads.
IOCs tracked for this family
2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
Recent activity
2 sources tracked across advisories, community write-ups, and news.
A lightweight backdoor used in espionage campaigns against Ukrainian organizations. It is delivered via LNK and later CPL files, launches Microsoft Edge in headless mode with insecure debugging and security-bypass flags, enables access to local files, microphone, camera, and screen capture, fingerprints devices, connects to a WebSocket C2 for remote control, and in later variants supports recursive file listing, batch uploads, and remote file downloads via the Chrome DevTools Protocol.
A newly reported backdoor targeting Ukrainian entities, with possible links to Laundry Bear.