Russia-linked threat actors target Ukrainian entities with DRILLAPP backdoor and use Edge debugging for stealth.

A new DRILLAPP backdoor campaign targets Ukrainian organizations, abusing Microsoft Edge debugging to evade detection. Observed in February 2026, it shows links to previous Russian-aligned operations by Laundry Bear APT group (aka UAC-0190, Void Blizzard) using the PLUGGYAPE malware family against Ukrainian defense forces, indicating ongoing espionage efforts.

“Certain tactics shared with a Laundry Bear campaign reported by CERT-UA in January have been observed, resulting in the activity being attributed to this group with low confidence. These include the use of charity‑themed lures or the hosting of operational artifacts on public text‑sharing services.” reads the report published by LAB52, the intelligence team at S2 Group.

The first DRILLAPP variant, seen in early February, spreads via LNK files that create HTML files in the temp folder, loading obfuscated scripts from pastefy.app. Lures range from Starlink installation images to Come Back Alive charity requests.

Executing Microsoft Edge in headless mode with relaxed security, it grants access to files, microphone, camera, and screen. It generates a hashed device fingerprint, detects select time zones, and connects to a WebSocket C2 for remote control.

“The browser is executed in headless mode, enabling a series of parameters such as –no-sandbox, –disable-web-security, –allow-file-access-from-files, –use-fake-ui-for-media-stream, –auto-select-screen-capture-source=true, and –disable-user-media-security. These settings allow local file access and automatically grant permissions for the camera, microphone, and screen capture without user interaction.” continues the report. “Using deobfuscation techniques, it has been possible to partially recover the code of the artifact, which functions as a lightweight backdoor allowing the attacker to access the file system and record audio from the microphone, video from the camera, and the device’s screen, all through the browser.”

The second variant, detected in late February 2026, replaces LNK files with CPL files, Control Panel modules that act as executable DLLs. Despite this change, the behavior remains similar. Lures include a weapons seizure report and a document from the Southern Office of Ukraine’s State Audit Service displayed via the National Guard’s website.

The backdoor adds new capabilities such as recursive file listing, batch uploads, and remote file downloads. To bypass JavaScript restrictions on downloading files, attackers leverage the Chrome DevTools Protocol via the remote-debugging port, modifying the download path and injecting a script that simulates a user click to retrieve files from a remote server.

“For security reasons, JavaScript does not allow the remote downloading of files. This is why the attackers use the Chrome DevTools Protocol (CDP), an internal protocol of Chromium‑based browsers that can only be used when the –remote-debugging-port parameter is enabled.” continues the report.

A January 28 sample uploaded from Russia shows a similar infection chain but connects to gnome.com instead of downloading the backdoor. Researchers believe it represents early campaign activity linked to the same threat actor.

“The analysis conducted indicates that DRILLAPP is a recent artifact that is still in an early stage of development. One of the most notable aspects is the use of the browser to deploy a backdoor, which suggests that the attackers are exploring new ways to evade detection.” concludes the report. “The browser is advantageous for this type of activity because it is a common and generally non‑suspicious process, it offers extended capabilities accessible through debugging parameters that enable unsafe actions such as downloading remote files, and it provides legitimate access to sensitive resources such as the microphone, camera, or screen recording without triggering immediate alerts.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, DRILLAPP)

On January 12, 2026, the CERT-UA team disclosed a targeted cyber-espionage campaign against the Ukrainian Armed Forces that abused charity-themed social engineering to deliver the PLUGGYAPE backdoor. The activity, observed between October and December 2025, is attributed with medium confidence to the russia-aligned threat actor known as Void Blizzard (Laundry Bear), tracked by CERT-UA as UAC-0190.

Detect UAC-0190 Attacks Leveraging PLUGGYAPE Malware Against Ukraine

As Ukraine approaches the fifth year of Russia’s full-scale invasion, the volume and intensity of offensive cyber campaigns targeting Ukraine and its allies remain exceptionally high. Security researchers estimate that approximately 40 Russia-aligned APT groups targeted Ukraine in the first half of 2023, with the number and sophistication of intrusions steadily increasing. In this latest case, the Armed Forces of Ukraine were targeted in a malicious campaign attributed to UAC-0190, which relied on the deployment of the PLUGGYAPE backdoor.

Register for SOC Prime Platform to keep abreast of the malicious activity linked to UAC-0190 and PLUGGYAPE. SOC Prime Team has recently released a curated set of detection rules addressing the ongoing group’s campaign against the defense and government sectors covered in the CERT-UA#19092 alert. Click the Explore Detections button to access relevant detections enriched with AI-native CTI, mapped to the MITRE ATT&CK® framework, and compatible with dozens of SIEM, EDR, and Data Lake technologies.

Explore Detections

Security engineers can also use the “CERT-UA#19092” tag based on the relevant CERT-UA alert identifier to search for the detection stack directly and track any content changes.  For more rules to detect attacks related to the UAC-0190 adversary activity, security teams can search the Threat Detection Marketplace library leveraging the “UAC-0190,” “Void Blizzard,” or “Laundry Bear” tags based on the group identifier, as well as relevant “Pluggyape.v2” tag addressing the offensive tools used by threat actors in the latest campaign.

Additionally, users can refer to a relevant Active Threats item to access the AI summary, related detection rules, simulations, and the attack flow in one place.

Security teams can also rely on Uncoder AI to create detections from raw threat reports, document and optimize code, and generate Attack Flows. By leveraging threat intel from the latest CERT-UA alert, teams can auto-convert IOCs into custom queries ready to hunt in the selected SIEM or EDR environment.

Analyzing UAC-0190 Malicious Activity Covered In CERT-UA#19092 Alert

Between October and December 2025, in coordination with the Cyber Incident Response Team of the Armed Forces of Ukraine, CERT-UA investigated a series of targeted cyberattacks against members of the Ukrainian Armed Forces. The activity was conducted under the guise of legitimate charitable organizations and relied on the deployment of the PLUGGYAPE backdoor.

To initiate the infection chain, adversaries contacted victims via popular messaging applications, like Signal and WhatsApp, encouraging them to visit a website impersonating a well-known charitable foundation. They were prompted to download so-called “documents,” which in reality were malicious executable files, most often distributed inside password-protected archives. In some cases, the executable was delivered directly through the messenger and commonly used the misleading extension “.docx.pif”. The PIF file was a PyInstaller-packaged executable, and the embedded payload was written in Python and identified as the PLUGGYAPE backdoor.

Notably, earlier iterations of the campaign, observed in October 2025, leveraged executables with the “.pdf.exe” extension. These files acted as loaders responsible for downloading a Python interpreter and an early version of PLUGGYAPE from public platforms such as Pastebin.

Starting December 2025, CERT-UA identified a significantly enhanced and obfuscated version of the malware, designated PLUGGYAPE.V2. This version introduced support for the MQTT protocol for command-and-control communications and implemented multiple anti-analysis and anti-virtualization checks aimed at evading detection and sandbox execution.

CERT-UA highlights the continued evolution of the cyber threat landscape, noting that initial access increasingly relies on trusted communication channels, including legitimate user accounts, Ukrainian mobile phone numbers, and the use of Ukrainian-language text, voice, and video communications. In many cases, attackers demonstrate detailed knowledge of the targeted individual or organization. As a result, widely used messaging platforms on mobile devices and workstations have become a primary malware delivery vector.

To minimize the risks of exploitation attempts, rely on SOC Prime’s AI-Native Detection Intelligence Platform, which equips SOC teams with cutting-edge technologies and top cybersecurity expertise to stay ahead of emerging threats while maintaining operational effectiveness. 

MITRE ATT&CK Context

Leveraging MITRE ATT&CK offers in-depth insight into the latest UAC-0190 malicious campaign against Ukraine. The table below displays all relevant Sigma rules mapped to the associated ATT&CK tactics, techniques, and sub-techniques.

The post UAC-0190 Attack Detection: Fake Charity Lures Used to Deploy the PLUGGYAPE Backdoor Against the Ukrainian Armed Forces appeared first on SOC Prime.