DRILLAPP
DRILLAPP is a newly reported backdoor malware family observed in February 2026 targeting Ukrainian organizations. Reporting attributes the activity with low confidence to the Russian-aligned threat actor Laundry Bear, also tracked as UAC-0190 and Void Blizzard, based on overlaps with earlier CERT-UA-reported tradecraft including charity-themed lures and use of public text-sharing services.
The malware was delivered in at least two observed variants. The first variant used LNK files that created HTML files in the temporary folder and loaded obfuscated scripts from pastefy.app. Lure themes included Starlink installation images and Come Back Alive charity requests. A later variant switched to CPL files while retaining similar behavior; its lure themes included a weapons seizure report and a document from the Southern Office of Ukraine’s State Audit Service displayed via the National Guard’s website.
DRILLAPP abuses Microsoft Edge headless mode and debugging features for stealth and capability expansion. It launches the browser with insecure parameters including --no-sandbox, --disable-web-security, --allow-file-access-from-files, --use-fake-ui-for-media-stream, --auto-select-screen-capture-source=true, and --disable-user-media-security. These settings enable local file access and automatically grant permissions for camera, microphone, and screen capture without user interaction. Reported capabilities include file system access, microphone audio capture, camera video capture, screen capture, generation of a hashed device fingerprint, time-zone checks, and WebSocket-based command-and-control.
The second variant added recursive file listing, batch uploads, and remote file download functionality. Operators also abused the Chrome DevTools Protocol via the browser remote-debugging port to bypass JavaScript restrictions on file downloads, modify the download path, and inject a script simulating user clicks to retrieve files from a remote server. Researchers assessed DRILLAPP as an early-stage malware family used in ongoing espionage against Ukrainian targets. Mentioned infrastructure and artifacts include pastefy.app for script retrieval and a related sample uploaded from Russia on 2026-01-28 that used a similar infection chain and connected to gnome.com instead of downloading the backdoor.
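As an added defensive example (not code from the page or from the cited reporting), the switch combination described above is a usable process-creation signal: the Python below scores Edge/Chromium command lines for headless mode plus the remote-debugging switch and the permission-bypass switches the page lists. The sample command lines, port number and file paths are constructed, and the switch spellings --headless and --remote-debugging-port are standard Chromium switches assumed here rather than values quoted on the page.

```python
import re
import shlex
# Edge/Chromium switches named in the DRILLAPP reporting (from the page). The
# headless and remote-debugging switches the DevTools abuse relies on are checked too.
INSECURE_FLAGS = {"--no-sandbox", "--disable-web-security", "--allow-file-access-from-files",
                  "--use-fake-ui-for-media-stream", "--auto-select-screen-capture-source",
                  "--disable-user-media-security"}
BROWSER = re.compile(r"(?:^|[\\/])(?:msedge|chrome|chromium)(?:\.exe)?$", re.I)

def parse_cmdline(cmdline):
    """Split a Windows-style command line into (image path, {switch: value})."""
    tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]  # keeps backslashes
    # "--foo=bar" -> ("--foo", "bar"); a bare "--foo" maps to ""
    flags = dict(t.lower().partition("=")[::2] for t in tokens[1:] if t.startswith("--"))
    return (tokens[0] if tokens else ""), flags

def assess(cmdline):
    """Score one process-creation command line; None if the image is not a browser."""
    image, flags = parse_cmdline(cmdline)
    if not BROWSER.search(image):
        return None
    insecure = sorted(INSECURE_FLAGS & set(flags))
    headless = "--headless" in flags
    debug_port = flags.get("--remote-debugging-port")
    # Headless + debug port + permission-bypass switches is the shape described above;
    # headless with two or more bypass switches and no port still merits analyst review.
    if headless and debug_port is not None and insecure:
        severity = "high"
    elif headless and len(insecure) >= 2:
        severity = "medium"
    else:
        severity = "none"
    return {"image": image, "severity": severity, "debug_port": debug_port,
            "insecure_flags": insecure}

def scan(cmdlines):
    """Return the verdicts for every command line that scores above 'none'."""
    return [v for c in cmdlines if (v := assess(c)) and v["severity"] != "none"]

# Constructed sample command lines shaped like Sysmon event ID 1 / 4688 fields (not real
# telemetry): a launch built from the listed switches, a normal Edge start, a partial match.
SAMPLE_CMDLINES = [
    '"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe" --headless '
    '--remote-debugging-port=9222 --no-sandbox --disable-web-security '
    '--allow-file-access-from-files --use-fake-ui-for-media-stream '
    '--auto-select-screen-capture-source=true --disable-user-media-security '
    'C:\\Users\\victim\\AppData\\Local\\Temp\\page.html',
    '"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe" --profile-directory=Default',
    'C:\\tools\\chrome.exe --headless --no-sandbox --disable-web-security C:\\report\\index.html',
]
```

Feed `scan()` the CommandLine field of Sysmon event ID 1 or Windows 4688 records; "high" hits are worth pivoting on alongside the LNK/CPL parent process and any outbound WebSocket connection from the browser.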
Codenamed DRILLAPP, the malware is capable of uploading and downloading files, leveraging the microphone, and capturing images through the webcam by taking advantage of the web browser's features.
Techniques & procedures
15 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (1 technique)
Execution (2 techniques)
Stealth (2 techniques)
Discovery (3 techniques): It generates a hashed device fingerprint, detects select time zones, and connects to a WebSocket C2 for remote control.
Collection (4 techniques):
Using deobfuscation techniques, it has been possible to partially recover the code of the artifact, which functions as a lightweight backdoor allowing the attacker to access the file system
These settings allow local file access and automatically grant permissions for the camera, microphone, and screen capture without user interaction.
Command and Control (3 techniques)
Recent activity
A lightweight backdoor used in espionage campaigns against Ukrainian organizations. It is delivered via LNK and later CPL files, launches Microsoft Edge in headless mode with insecure debugging and security-bypass flags, enables access to local files, microphone, camera, and screen capture, fingerprints devices, connects to a WebSocket C2 for remote control, and in later variants supports recursive file listing, batch uploads, and remote file downloads via the Chrome DevTools Protocol.
A newly reported backdoor targeting Ukrainian entities, with possible links to Laundry Bear.