
DRILLAPP Backdoor Campaign Targets Ukrainian Entities Using Browser-Based Malware


A newly uncovered cyber-espionage campaign is drawing attention across the security community after researchers discovered a stealthy browser-based backdoor targeting Ukrainian organizations.

Security analysts from LAB52, the threat intelligence team at S2 Group, revealed details of the campaign in a technical analysis that documents a new malware strain dubbed DRILLAPP. According to the researchers, the operation appears linked – though with low confidence – to a threat actor known as Laundry Bear and has been active since at least early 2026.

The campaign primarily targets Ukrainian entities using lures related to charities, military support initiatives, and official government reports. Its most notable innovation: deploying a backdoor through a web browser rather than traditional malware processes.

The technical details were first published on the S2 Group research blog, where the original report can be found.

A New Type of Browser-Based Backdoor

Unlike many conventional malware families that rely on system services or background processes, DRILLAPP leverages a browser execution environment to perform surveillance and data theft.

The malicious JavaScript-based backdoor runs through Microsoft Edge, taking advantage of built-in browser features to interact with the infected system.

Once executed, the malware can:

  • Upload and download files from the compromised system
  • Capture screenshots of the device screen
  • Access the webcam to record images
  • Activate the microphone for audio capture
  • Enumerate files across directories
  • Communicate with remote command-and-control servers

Researchers say this technique is particularly stealthy because browsers are trusted applications frequently running on corporate systems.

By abusing legitimate browser capabilities, attackers can operate in an environment that security tools often consider safe.

How the Attack Works

The campaign begins with social engineering lures designed to trick users into launching malicious files.

Two main infection variants have been identified.

First Variant – LNK File Execution

The initial campaign wave, observed in early February 2026, used Windows shortcut files (.LNK).

When opened, the shortcut file:

  1. Creates a hidden HTML file in the temporary folder
  2. Loads a remote JavaScript payload hosted on a public text-sharing platform
  3. Executes the script using Edge in headless mode

The browser is launched with multiple unsafe parameters, including:

  • disabling web security
  • allowing local file access
  • auto-granting camera and microphone permissions
  • enabling screen capture

These settings allow the attacker to monitor the victim without visible prompts.
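The launch pattern described above (headless execution, disabled web security, local file access, auto-granted camera and microphone, a temporary HTML document) is visible in process-creation telemetry. The following detection helper is an added example, not code from the LAB52 report or from CyberCory: it tokenises a browser command line and flags Chromium switches that an interactive Edge session almost never carries. The switch names are real Chromium switches, but the decision that these particular switches correspond to the behaviours the report describes, the risk scoring, and the sample command lines are our own assumptions.

```python
import ntpath
from dataclasses import dataclass, field

# Chromium-family browser images worth assessing (assumption: Edge is the one
# the report names; Chrome/Chromium accept the same switches).
BROWSER_IMAGES = {"msedge.exe", "chrome.exe", "chromium.exe"}

# Real Chromium switches mapped to the behaviours the article describes.
# The mapping and the wording are ours, not a list taken from the report.
RISKY_SWITCHES = {
    "--headless": "headless execution (no visible window)",
    "--disable-web-security": "same-origin policy disabled",
    "--allow-file-access-from-files": "file:// pages may read local files",
    "--use-fake-ui-for-media-stream": "camera/microphone prompts auto-granted",
    "--auto-select-desktop-capture-source": "screen-capture source chosen without a prompt",
    "--enable-usermedia-screen-capturing": "screen capture via getUserMedia enabled",
    "--remote-debugging-port": "Chrome DevTools Protocol exposed on a TCP port",
    "--remote-debugging-pipe": "Chrome DevTools Protocol exposed over a pipe",
}


@dataclass
class LaunchAssessment:
    image: str
    risky: dict = field(default_factory=dict)      # switch name -> explanation
    temp_html: list = field(default_factory=list)  # HTML documents opened from Temp
    verdict: str = "benign"                         # benign | medium | high


def _split_cmdline(cmdline: str) -> list:
    """Split a Windows command line on whitespace, honouring double quotes
    and keeping backslashes literal (shlex in POSIX mode would eat them)."""
    tokens, cur, in_quote = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def assess_browser_launch(cmdline: str) -> LaunchAssessment:
    """Score one process-creation command line; non-browser images return benign."""
    tokens = _split_cmdline(cmdline)
    image = ntpath.basename(tokens[0]).lower() if tokens else ""
    result = LaunchAssessment(image=image)
    if image not in BROWSER_IMAGES:
        return result
    for tok in tokens[1:]:
        if tok.startswith("--"):
            name = tok.split("=", 1)[0].lower()      # "--headless=new" -> "--headless"
            if name in RISKY_SWITCHES:
                result.risky[name] = RISKY_SWITCHES[name]
        else:
            # Heuristic (ours): an HTML document served from a Temp directory,
            # matching the hidden temporary file the report describes.
            target = tok.lower()
            if target.startswith("file:///"):
                target = target[len("file:///"):].replace("/", "\\")
            if ("\\temp\\" in target or "\\tmp\\" in target) and target.endswith((".htm", ".html")):
                result.temp_html.append(tok)
    score = len(result.risky) + (1 if result.temp_html else 0)
    if score >= 3 or ("--headless" in result.risky and score >= 2):
        result.verdict = "high"
    elif score >= 1:
        result.verdict = "medium"
    return result


# Constructed sample events (not captured telemetry): a normal interactive
# launch, a launch resembling the report's description, and an unrelated process.
SAMPLE_EVENTS = [
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default https://example.org/',
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless=new --disable-web-security '
    r'--allow-file-access-from-files --use-fake-ui-for-media-stream --remote-debugging-port=9222 '
    r'file:///C:/Users/victim/AppData/Local/Temp/report.html',
    r'"C:\Windows\System32\notepad.exe" C:\Users\victim\AppData\Local\Temp\notes.html',
]

if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        a = assess_browser_launch(line)
        print(a.verdict, a.image, sorted(a.risky), a.temp_html)
```

Feed the function the command-line field of your EDR or Sysmon process-creation events; anything scored "high" is a browser started with a combination of switches that an interactive user session has no reason to use.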

To track victims, the malware generates a device fingerprint using screen resolution, system language, and browser fingerprinting techniques.

Second Variant – CPL File Delivery

Later versions of the campaign evolved significantly.

Instead of shortcut files, attackers began distributing Control Panel files (.CPL), executable libraries capable of running arbitrary code.

While the delivery method changed, the core functionality remained similar, with additional capabilities:

  • Recursive file system enumeration
  • Batch file uploads to attacker infrastructure
  • Remote downloading of payloads using browser debugging tools

To bypass security restrictions in JavaScript downloads, attackers leveraged the Chrome DevTools Protocol, enabling file downloads through simulated browser actions.

Espionage Indicators and Infrastructure

The investigation uncovered multiple command-and-control endpoints used by the campaign.

Examples include:

  • 80.89.224[.]13
  • 188.137.228[.]162
  • pastefy[.]app payload hosting services
  • short-link[.]net redirect infrastructure

The attackers also distributed lure images related to:

  • Starlink installations
  • Ukrainian military support charities
  • Government audit reports

These themes strongly suggest information-gathering operations related to the ongoing geopolitical conflict.

Why This Campaign Matters

The DRILLAPP campaign highlights a growing trend in modern cyber-espionage operations: abusing legitimate software environments rather than deploying traditional malware binaries.

Browsers provide a powerful platform for attackers because they already have access to sensitive system components such as:

  • cameras
  • microphones
  • file downloads
  • screen recording capabilities

By exploiting debugging features and launching browsers in headless mode, attackers can bypass some traditional endpoint security detection mechanisms.

This technique may signal a broader shift in attacker tradecraft toward browser-based malware delivery.

Global Implications for Organizations

Although this campaign primarily targets Ukrainian organizations, the tactics could easily be reused elsewhere.

Any organization that relies heavily on browser-based workflows, particularly government agencies, defense contractors, financial institutions, or telecommunications operators, could be vulnerable.

For security teams across Europe, Asia, Africa, and the Middle East, the campaign demonstrates how threat actors are evolving beyond conventional malware to exploit trusted application environments.

Organizations looking to strengthen defenses against advanced threats can explore enterprise protection strategies from Saintynet Cybersecurity, which provides consulting and defensive cybersecurity solutions.

10 Security Recommendations for Organizations

Security teams should consider the following defensive measures:

  1. Monitor browser process behavior for unusual execution parameters such as debugging ports or headless operation.
  2. Restrict execution of LNK and CPL files received via email or downloaded from external sources.
  3. Implement advanced endpoint detection and response tools capable of monitoring browser activity.
  4. Block unauthorized use of browser debugging ports like 9222 within enterprise networks.
  5. Monitor outbound WebSocket connections that could indicate command-and-control communications.
  6. Deploy network filtering to block known malicious domains and paste-sharing services when appropriate.
  7. Conduct threat hunting for indicators related to DRILLAPP campaigns.
  8. Train employees to recognize social-engineering lures, particularly charity- or government-themed files.
  9. Apply strict application control policies preventing unauthorized script execution.
  10. Invest in continuous cybersecurity training and awareness programs available through saintynet.com to improve organizational resilience.
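Recommendations 4, 5 and 7 above, together with the infrastructure section, translate directly into a network hunt. The following is an added example written for this article, not code from the LAB52 report or from CyberCory: it runs three checks over connection telemetry, a match against the command-and-control indicators the article lists, a browser process listening on the debugging port 9222, and a browser WebSocket to a bare IP address. The `NetEvent` record shape and the sample events are constructed for the example; the bare-IP WebSocket heuristic is our assumption about what "unusual" looks like, not a rule from the report.

```python
import ipaddress
from dataclasses import dataclass

# Indicators quoted in the article above, kept defanged and refanged only for matching.
DRILLAPP_IOCS = ["80.89.224[.]13", "188.137.228[.]162", "pastefy[.]app", "short-link[.]net"]
DEVTOOLS_PORTS = {9222}                                   # debugging port named in the article
BROWSER_IMAGES = {"msedge.exe", "chrome.exe", "chromium.exe"}


def refang(ioc: str) -> str:
    return ioc.replace("[.]", ".").lower()


@dataclass
class NetEvent:
    """Constructed telemetry shape (not a vendor schema)."""
    process: str      # image name of the process owning the socket
    direction: str    # "outbound" or "listen"
    remote: str       # remote host or IP; local bind address for listeners
    port: int
    proto: str        # "tcp", "http", "https", "ws", "wss"


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _matches_ioc(host: str):
    """Exact match on an IP or domain, or a subdomain of a listed domain."""
    h = host.lower()
    for ioc in map(refang, DRILLAPP_IOCS):
        if h == ioc or h.endswith("." + ioc):
            return ioc
    return None


def hunt(events) -> list:
    """Return (process, reason) findings for every event that trips a check."""
    findings = []
    for ev in events:
        proc = ev.process.lower()
        ioc = _matches_ioc(ev.remote)
        if ioc:
            findings.append((proc, f"connection to DRILLAPP indicator {ioc}"))
        is_browser = proc in BROWSER_IMAGES
        if is_browser and ev.direction == "listen" and ev.port in DEVTOOLS_PORTS:
            findings.append((proc, f"browser listening on DevTools port {ev.port}"))
        if is_browser and ev.direction == "outbound" and ev.proto in ("ws", "wss") and _is_ip(ev.remote):
            findings.append((proc, f"browser WebSocket to bare IP {ev.remote}:{ev.port}"))
    return findings


# Constructed sample telemetry: two benign browser connections, one exposed
# debugging port, and three contacts with the listed infrastructure.
SAMPLE_EVENTS = [
    NetEvent("msedge.exe", "outbound", "www.example.org", 443, "https"),
    NetEvent("msedge.exe", "listen", "127.0.0.1", 9222, "tcp"),
    NetEvent("msedge.exe", "outbound", "80.89.224.13", 8080, "ws"),
    NetEvent("msedge.exe", "outbound", "pastefy.app", 443, "https"),
    NetEvent("powershell.exe", "outbound", "cdn.short-link.net", 443, "https"),
    NetEvent("msedge.exe", "outbound", "chat.example.org", 443, "wss"),
]


def hunt_sample() -> list:
    return hunt(SAMPLE_EVENTS)


if __name__ == "__main__":
    for proc, reason in hunt_sample():
        print(f"{proc:16} {reason}")
```

The IoC check is deliberately process-agnostic, since the CPL variant may contact infrastructure from a non-browser process, while the two browser-specific checks catch the debugging-port and WebSocket behaviour that the recommendations single out.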

Cybersecurity teams can also review additional research and threat intelligence insights published for ongoing coverage of emerging attack campaigns.

Conclusion

The discovery of DRILLAPP marks another step in the evolution of cyber-espionage techniques.

By transforming a web browser into a surveillance tool, attackers are demonstrating creative ways to evade detection while exploiting trusted software environments.

While the campaign currently focuses on Ukrainian entities, the methods used are highly portable and could quickly spread to other geopolitical or commercial targets.

Security teams should take note: in the modern threat landscape, even everyday applications like web browsers can become powerful attack platforms.

CyberCory will continue monitoring developments around DRILLAPP and provide updates as new intelligence emerges.
