Threat Intel · HIGH

Threat Intel - Russia-linked APT Uses DRILLAPP Backdoor


Basically, a Russia-linked espionage group is turning Microsoft Edge itself into a backdoor to spy on Ukrainian organizations.

Quick Summary

A new cyber espionage campaign targets Ukrainian organizations with the DRILLAPP backdoor. Attributed to the Laundry Bear APT group, the operation leans on legitimate browser functionality (a headless Microsoft Edge instance) rather than custom implant binaries to evade detection. The campaign is ongoing and poses a significant risk to the targeted entities.

The Threat

In February 2026, a new cyber espionage campaign emerged, targeting Ukrainian organizations with the DRILLAPP backdoor. The operation is linked to the Laundry Bear APT group, also tracked as UAC-0190 and Void Blizzard. The attackers evade detection by abusing Microsoft Edge's built-in debugging functionality: the browser, a trusted and signed binary already present on the host, does the implant's work, so the activity does not stand out the way a dropped executable would.

DRILLAPP does not exploit a vulnerability in Edge; it abuses the browser's legitimate debugging features to gain and keep access to sensitive information. Through the backdoor the operators can monitor activity, record audio and video, and manipulate files on infected devices. The campaign continues earlier Russian-aligned operations, indicating a persistent threat to Ukrainian entities.

Who's Behind It

The Laundry Bear APT group has a history of targeting Ukrainian defense forces and has used several malware families, including PLUGGYAPE. Its lures are typically deceptive messages or documents on charity or national security themes, chosen to blend in with legitimate communications and raise the odds of a successful infection.

The latest findings show the group refining its methods. Moving espionage tooling into the browser is a notable shift: instead of shipping a bespoke implant that defenders can signature, the attackers repurpose software that is already installed and trusted. That adaptability makes the campaign harder to detect with file-centric defenses alone.

Tactics & Techniques

DRILLAPP works by writing HTML files to the infected system's temporary folder. Obfuscated JavaScript in those files opens a WebSocket connection to the command and control (C2) server, through which the operators remotely control the compromised device. Edge is launched in headless mode, so the browser runs without any visible window; the victim sees no browser open, yet a signed Microsoft process is holding a live channel to the attackers.

The attackers have also packaged the backdoor as CPL files (Control Panel modules), changing the execution vehicle while keeping the backdoor's functionality intact, which suggests an intent to maintain access even as individual variants are identified. The tooling further sidesteps the browser's normal JavaScript download restrictions (a web page cannot ordinarily write arbitrary files to disk), giving the operators file transfer capability from within the browser process and complicating detection further. Organizations should treat these behaviours, not a particular file hash, as the things to hunt for.
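The behaviours above (a headless browser with debugging enabled, HTML staged in the temp folder, Control Panel modules run from user-writable paths) are all visible in process-creation telemetry. The following Python is an added example, not code from the original article or from the group's tooling, that triages Sysmon Event ID 1 style records for those signals. The switches `--headless` and `--remote-debugging-port` are Chromium's real command-line flags, but their use by DRILLAPP is an assumption drawn from the page's description of "Edge debugging" and "headless mode"; the sample events, the browser list and the "normal parent" list are constructed for illustration and should be tuned to your environment.

```python
import re

# Added example: triage process-creation telemetry (Sysmon Event ID 1 style fields)
# for the behaviours the page attributes to DRILLAPP: a headless Edge instance used
# as the implant, HTML staged in the temp folder, and CPL modules as the vehicle.
# The events below are CONSTRUCTED samples, not real campaign telemetry.
SAMPLE_EVENTS = [
    {   # headless Edge + remote debugging, loading HTML from %TEMP%, unusual parent
        "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
        "CommandLine": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" '
                       r'--headless --remote-debugging-port=9222 --disable-gpu '
                       r'"C:\Users\u\AppData\Local\Temp\loader.html"',
        "ParentImage": r"C:\Windows\System32\rundll32.exe",
    },
    {   # ordinary interactive browsing: should not fire
        "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
        "CommandLine": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" '
                       r'--profile-directory=Default https://intranet.example/',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # Control Panel module executed from a user-writable path
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r'rundll32.exe shell32.dll,Control_RunDLL "C:\Users\u\AppData\Local\Temp\update.cpl"',
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # legitimate system applet: should not fire
        "Image": r"C:\Windows\System32\control.exe",
        "CommandLine": r"control.exe C:\Windows\System32\intl.cpl",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]

# Chromium-based browsers share the --headless / --remote-debugging-* switches.
BROWSERS = {"msedge.exe", "chrome.exe"}
# Parents from which a user normally launches a browser (assumption; tune per estate).
NORMAL_BROWSER_PARENTS = {"explorer.exe", "msedge.exe", "chrome.exe"}
# Directories a standard user can write to; system applets live under System32 instead.
USER_WRITABLE = re.compile(r"\\(?:Temp|Downloads|AppData|Public|ProgramData)\\", re.I)
LOCAL_HTML = re.compile(r'([A-Za-z]:\\[^"\s]+\.html?)(?=["\s]|$)', re.I)
CPL_PATH = re.compile(r'([A-Za-z]:\\[^"\s]+\.cpl)(?=["\s]|$)', re.I)


def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def analyze_event(event):
    """Return a list of (severity, reason) findings for one process-creation event."""
    exe = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    cmd_l = cmd.lower()
    findings = []

    if exe in BROWSERS:
        headless = "--headless" in cmd_l
        debugging = "--remote-debugging-port" in cmd_l or "--remote-debugging-pipe" in cmd_l
        if headless and debugging:
            findings.append(("high", "headless browser with remote debugging enabled"))
        elif headless or debugging:
            findings.append(("medium", "browser launched headless or with remote debugging"))
        if headless and parent not in NORMAL_BROWSER_PARENTS:
            findings.append(("medium", f"headless browser spawned by {parent}"))
        m = LOCAL_HTML.search(cmd)
        if m and USER_WRITABLE.search(m.group(1)):
            findings.append(("medium", f"browser opening local HTML from user-writable path: {m.group(1)}"))

    if exe in {"rundll32.exe", "control.exe"}:
        m = CPL_PATH.search(cmd)
        if m and USER_WRITABLE.search(m.group(1)):
            findings.append(("medium", f"Control Panel module loaded from user-writable path: {m.group(1)}"))

    return findings


def overall_severity(findings):
    """Collapse findings to one verdict: any 'high', or two or more signals, is high."""
    if not findings:
        return "none"
    if any(sev == "high" for sev, _ in findings) or len(findings) >= 2:
        return "high"
    return findings[0][0]


def triage(events):
    """Score every event; returns a list of dicts in input order."""
    out = []
    for ev in events:
        findings = analyze_event(ev)
        out.append({"image": _basename(ev.get("Image", "")),
                    "severity": overall_severity(findings),
                    "findings": [reason for _, reason in findings]})
    return out


if __name__ == "__main__":
    for r in triage(SAMPLE_EVENTS):
        print(f"{r['severity']:6} {r['image']}")
        for reason in r["findings"]:
            print(f"       - {reason}")
```

The point of scoring combinations rather than single flags is that each signal has benign uses on its own: developers and test harnesses run headless browsers, and `control.exe` loads `.cpl` files all day. A headless browser with a debugging port open, started by something other than the user's shell, and pointed at an HTML file in `%TEMP%` is a different matter, and the same logic ports directly to a SIEM query or Sigma rule.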

Defensive Measures

Organizations, especially those in Ukraine, should assume they are in scope and act accordingly. Because the campaign relies on lures, regular training on recognizing phishing and suspicious charity or national-security themed documents still reduces the chance of the initial infection. Because the implant is a legitimate browser, file-based antivirus is not enough on its own: defenders need process and command-line telemetry that flags msedge.exe running headless with remote debugging enabled, browsers opening HTML files from the temporary folder, Control Panel modules executed from user-writable directories, and persistent WebSocket connections from a browser process to unfamiliar hosts.

Keeping software updated and patched remains essential for closing the vulnerabilities attackers do exploit, but note that the technique described here abuses built-in functionality rather than a software flaw, so patching alone will not stop it. Where feasible, restrict or alert on remote-debugging switches for browsers on user workstations. A proactive stance that pairs user awareness with behaviour-based detection is the best defense against campaigns like DRILLAPP.

🔒 Pro insight: Browser-based backdoors like DRILLAPP mark a shift in APT tactics toward living off the land: abusing trusted, signed software already on the host so that there is no malicious binary for endpoint defenses to catch.

Original article from

Security Affairs · Pierluigi Paganini

