Russia-Linked DRILLAPP Backdoor Weaponizes Edge Browser Debugging
New JavaScript backdoor targets Ukrainian entities using Microsoft Edge's debugging features for stealth. S2 Grupo links campaign to Laundry Bear threat group.
A Russia-linked threat campaign is deploying a JavaScript-based backdoor called DRILLAPP against Ukrainian targets, using Microsoft Edge's built-in debugging capabilities to enable surveillance without triggering security alerts. S2 Grupo's LAB52 threat intelligence team published research linking the operation to Laundry Bear, a group also tracked as UAC-0190 and Void Blizzard.
The campaign, observed since February 2026, uses judicial and charity-themed lures to establish initial access before deploying DRILLAPP through Edge browser sessions running with intentionally weakened security configurations.
Edge Debugging as Attack Vector
DRILLAPP abuses the Chrome DevTools Protocol (CDP), the debugging interface built into every Chromium-based browser, Microsoft Edge included. When the browser is launched with the --remote-debugging-port parameter, it opens a local WebSocket endpoint through which any process on the host can drive the browser: navigate, execute script in pages, capture screenshots and read page content. The interface is intended for developer troubleshooting and test automation, but it is equally useful to an attacker who already runs code on the machine.
The campaign launches Edge with parameters that effectively disable its security model:
- --no-sandbox - Disables process isolation
- --disable-web-security - Removes same-origin policy protections
- --allow-file-access-from-files - Enables access to the local file system
- --use-fake-ui-for-media-stream - Bypasses camera/microphone permission prompts
- --auto-select-screen-capture-source=true - Enables silent screen capture
- --disable-user-media-security - Further weakens media access controls
With these flags active, the JavaScript backdoor can record through the webcam, capture microphone audio, take screenshots, and access local files—all without generating the permission dialogs that would normally alert users.
Campaign Evolution
The initial campaign variant arrived via LNK (Windows shortcut) files, a common initial access technique. A second version observed in late February switched to Windows Control Panel modules (.cpl files, which are DLLs that Windows loads and executes through control.exe or rundll32.exe when the user double-clicks them) while maintaining the same core infection chain.
Both versions deploy lure documents themed around Ukrainian judicial proceedings or charitable organizations—topics likely to resonate with the intended targets. The judicial angle suggests the attackers may be targeting individuals involved in war crimes documentation or legal proceedings related to the ongoing conflict.
Connection to Laundry Bear
LAB52 assesses with moderate confidence that this campaign shares operational infrastructure and techniques with Laundry Bear's prior PLUGGYAPE malware campaigns targeting Ukrainian defense forces. Laundry Bear has been active since at least mid-2024, consistently focusing on Ukrainian government and military targets.
The group's operations align with broader Russian state-sponsored cyber activity targeting Ukraine, though attribution to specific Russian intelligence agencies remains uncertain.
Why Browser-Based Backdoors Matter
Browser-based malware represents an evolution in espionage tradecraft. Traditional backdoors require custom executables that endpoint detection tools are designed to identify. A JavaScript payload running inside a legitimate browser process is harder to detect—it's just a browser doing browser things, at least from the operating system's perspective.
The debugging port abuse is particularly clever. Edge ships with every current Windows release, so its signed binary raises no suspicion on its own. Running it with unusual parameters might trigger alert rules in some environments, but many organizations don't monitor browser launch arguments that closely.
Detection and Defense
Security teams defending Ukrainian organizations—or anyone concerned about similar techniques—should consider:
- Monitor browser launch arguments - Alert on Edge or Chrome processes spawned with --remote-debugging-port or with the security-weakening flags listed above; a debugging port together with disabled sandboxing or silent media capture is the pattern to look for, since debugging alone is routine for developers and test harnesses
- Restrict CDP access - If debugging isn't required, disable it. Note that the debugging port binds to localhost by default, so a perimeter or host firewall rule will not stop a local process such as DRILLAPP from reaching it; the browser's RemoteDebuggingAllowed enterprise policy, set to disabled, is the more direct control
- Behavioral analysis for browser processes - Legitimate browsing doesn't involve sustained microphone or camera access, systematic file enumeration, or a browser process whose parent is control.exe, rundll32.exe or a script host
- LNK and CPL file scrutiny - Both initial access vectors rely on users opening attachments that execute code; treat both file types as executables in mail filtering and application control
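As an added example (not code from the S2 Grupo/LAB52 research and not part of the DRILLAPP samples), the following Python script implements the first and third checks above over process-creation events such as Sysmon Event ID 1 or Windows Security event 4688. It parses a Windows command line, extracts the Chromium switches, and scores Edge/Chrome launches that expose CDP or carry the flags listed earlier; a debugging port on its own scores low, while CDP combined with a weakened security model, or any silent media-capture flag, scores high. The sample events are constructed, and the list of suspicious parent processes is an assumption of the example, not an indicator published for the campaign.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Browser binaries to watch. Edge and Chrome are the ones the article names;
# add other Chromium builds (Brave, Opera, ...) for your own fleet.
BROWSER_IMAGES = {"msedge.exe", "chrome.exe"}

# Switches that expose the Chrome DevTools Protocol to other processes.
CDP_FLAGS = {"--remote-debugging-port", "--remote-debugging-pipe", "--remote-allow-origins"}

# Switches the article lists as disabling Edge's security model.
UNSAFE_FLAGS = {
    "--no-sandbox": "renderer sandbox disabled",
    "--disable-web-security": "same-origin policy disabled",
    "--allow-file-access-from-files": "file:// pages may read local files",
    "--use-fake-ui-for-media-stream": "camera/microphone prompt auto-accepted",
    "--auto-select-screen-capture-source": "screen-capture source chosen silently",
    "--disable-user-media-security": "media-capture security checks disabled",
}
# The subset that silently grants camera, microphone or screen access.
MEDIA_FLAGS = {
    "--use-fake-ui-for-media-stream",
    "--auto-select-screen-capture-source",
    "--disable-user-media-security",
}
# Parents that rarely launch a browser legitimately. This list is an assumption
# of the example: CPL modules run under control.exe/rundll32.exe, and LNK
# chains commonly pass through cmd.exe or powershell.exe.
SUSPICIOUS_PARENTS = {"rundll32.exe", "control.exe", "cmd.exe", "powershell.exe",
                      "wscript.exe", "cscript.exe", "mshta.exe"}


@dataclass
class Finding:
    image: str
    parent: str
    severity: str              # "none", "low" or "high"
    cdp: dict[str, str]        # CDP switch -> value
    unsafe: dict[str, str]     # unsafe switch -> why it matters
    suspicious_parent: bool


def tokenize_cmdline(cmdline: str) -> list[str]:
    """Split a Windows command line, keeping double-quoted arguments whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_switches(tokens: list[str]) -> dict[str, str]:
    """Map every --switch[=value] after the executable to its value ("" if none)."""
    switches: dict[str, str] = {}
    for tok in tokens[1:]:
        if tok.startswith("--"):
            name, _, value = tok.partition("=")
            switches[name.lower()] = value
    return switches


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess(event: dict[str, str]) -> Finding | None:
    """Score one process-creation event; None if the image is not a watched browser."""
    image = basename(event["Image"])
    if image not in BROWSER_IMAGES:
        return None
    switches = parse_switches(tokenize_cmdline(event["CommandLine"]))
    cdp = {k: v for k, v in switches.items() if k in CDP_FLAGS}
    unsafe = {k: UNSAFE_FLAGS[k] for k in switches if k in UNSAFE_FLAGS}
    parent = basename(event.get("ParentImage", ""))
    # CDP plus a weakened security model, or silent media capture on its own, is
    # the pattern described for DRILLAPP; CDP alone is how developers and test
    # harnesses run the browser, so it only gets a low score.
    if (cdp and unsafe) or (unsafe.keys() & MEDIA_FLAGS):
        severity = "high"
    elif cdp or unsafe:
        severity = "low"
    else:
        severity = "none"
    return Finding(image, parent, severity, cdp, unsafe, parent in SUSPICIOUS_PARENTS)


def scan(events: list[dict[str, str]]) -> list[Finding]:
    """Assess every event and keep the ones that concern a watched browser."""
    return [f for f in map(assess, events) if f is not None]


# Constructed sample events using Sysmon Event ID 1 field names; not real telemetry.
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_EVENTS = [
    # Ordinary interactive launch from the shell.
    {"Image": EDGE, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"{EDGE}" --profile-directory=Default https://example.com'},
    # The flag set described in the article, launched from a CPL host process.
    {"Image": EDGE, "ParentImage": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": f'"{EDGE}" --remote-debugging-port=9222 --no-sandbox '
                    "--disable-web-security --allow-file-access-from-files "
                    "--use-fake-ui-for-media-stream "
                    "--auto-select-screen-capture-source=true "
                    "--disable-user-media-security "
                    r"--user-data-dir=C:\Users\Public\edge_dbg about:blank"},
    # A developer debugging from an IDE: CDP exposed, nothing else weakened.
    {"Image": CHROME,
     "ParentImage": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "CommandLine": f'"{CHROME}" --remote-debugging-port=9222 '
                    r"--user-data-dir=C:\Users\dev\chrome-debug"},
    # Not a browser at all; ignored.
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.severity:4} {f.parent} -> {f.image} cdp={f.cdp} "
              f"unsafe={list(f.unsafe)} suspicious_parent={f.suspicious_parent}")
```

In production the same `assess` function would run over the CommandLine and ParentImage fields of your EDR or Sysmon feed; the tokenizer deliberately keeps quoted paths whole so that a binary under "Program Files (x86)" is not split into false switches.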
For organizations supporting Ukraine-related work, this campaign underscores that threat actors are actively developing new techniques to compromise targets. The judicial and charity themes suggest specific interest in humanitarian and legal activities—communities that may have less mature security infrastructure than military or government targets.
The continued evolution of Russian cyber operations against Ukraine, including water utility attacks and infrastructure targeting, indicates that cyber remains a persistent front in the ongoing conflict. Organizations providing support to Ukraine should assume they're targets and plan accordingly.