A technical analysis by S2 Grupo LAB52 reported that Ukrainian entities were targeted in February 2026 by a campaign deploying a JavaScript backdoor called DRILLAPP that runs inside Microsoft Edge and can access files, microphone audio, camera video and screen images.
KEY FACTS
- Incident: campaign observed in February 2026 targeting Ukrainian entities
- Malware: JavaScript backdoor named DRILLAPP, executed inside a headless Microsoft Edge process
- Delivery: LNK to HTA chain that loads an obfuscated remote script from Pastefy; a later variant switched to Windows Control Panel modules
- Capabilities: file access, recursive file enumeration, microphone, camera and screen capture, WebSocket command and control
The first iteration detected in early February used a Windows shortcut to create an HTA in the temporary folder that loaded an obfuscated remote script hosted on Pastefy. The shortcut files were copied to the Windows Startup folder so they run after a reboot.
The HTML application launched Microsoft Edge in headless mode with switches such as --no-sandbox, --disable-web-security, --allow-file-access-from-files, --use-fake-ui-for-media-stream, --auto-select-screen-capture-source=true and --disable-user-media-security. Together these remove the protections a normal browser session relies on: --no-sandbox drops the renderer sandbox, --disable-web-security turns off same-origin checks, --allow-file-access-from-files lets a page loaded from file:// read other local files, --use-fake-ui-for-media-stream auto-approves camera and microphone permission prompts, and --auto-select-screen-capture-source picks a screen-sharing source without showing the picker. The result is a browser page that can reach the local file system, camera, microphone and screen with no user interaction.
DRILLAPP builds a device fingerprint using canvas fingerprinting and uses Pastefy as a dead-drop resolver: the paste it retrieves contains the WebSocket URL of the command-and-control server. The malware reports the fingerprint and derives the victim's country from the system time zone, defaulting to the United States if no match is found.
A late February variant replaced LNK delivery with Windows Control Panel modules and added recursive file enumeration, batch uploads and arbitrary downloads. For the downloads the attackers start the browser with a remote debugging port, which exposes the Chrome DevTools Protocol; driving the browser over that protocol lets the operator write files to disk, something in-page JavaScript cannot do on its own. A separate variant from early January was observed contacting a domain identified as gnome[.]com instead of Pastefy.
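The switch combination above is unusual enough to detect on the endpoint. The following Node.js script is an added illustration, not code from LAB52 or from the DRILLAPP samples: it scores process-creation events for msedge.exe launched headless with the risky switches named in the report, a scripting-host or rundll32-style parent, the remote debugging port of the later variant, and a local HTML payload loaded from Temp. The log lines are constructed for the example, and the key=value record format, the parent-process list and the score thresholds are assumptions chosen for illustration.

```javascript
// Added detection example (not LAB52's code): scores process-creation events
// for the headless-Edge abuse pattern attributed to DRILLAPP. Event format,
// field names, parent list and thresholds are assumptions for illustration.

// Command-line switches named in the report, plus the remote debugging port
// used by the later CDP-enabled variant.
const RISKY_FLAGS = [
  "--headless",
  "--no-sandbox",
  "--disable-web-security",
  "--allow-file-access-from-files",
  "--use-fake-ui-for-media-stream",
  "--auto-select-screen-capture-source",
  "--disable-user-media-security",
  "--remote-debugging-port",
];

// Parents that rarely launch a browser legitimately on a workstation. mshta.exe
// matches the HTA stage; rundll32.exe/control.exe are assumed for the .cpl stage.
const SUSPICIOUS_PARENTS = new Set([
  "mshta.exe", "rundll32.exe", "control.exe", "wscript.exe", "cscript.exe",
]);

// Parse one "Key=Value|Key=Value" record (constructed Sysmon-like format).
function parseEvent(line) {
  const ev = {};
  for (const part of line.split("|")) {
    const i = part.indexOf("=");
    if (i > 0) ev[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return ev;
}

function basename(path) {
  return (path || "").split(/[\\\/]/).pop().toLowerCase();
}

// Returns {suspicious, score, reasons} for one event; only msedge.exe is scored.
function analyzeEvent(ev) {
  const result = { suspicious: false, score: 0, reasons: [] };
  if (basename(ev.Image) !== "msedge.exe") return result;

  // Copy-pasted command lines sometimes carry en/em dashes in place of "--".
  const cmd = (ev.CommandLine || "").toLowerCase().replace(/[\u2013\u2014]/g, "--");
  const flags = RISKY_FLAGS.filter((f) => cmd.includes(f));
  result.reasons.push(...flags.map((f) => `flag:${f}`));
  result.score += flags.length;

  // Headless plus several sandbox/permission overrides is the core signal.
  if (cmd.includes("--headless") && flags.length >= 3) {
    result.score += 2;
    result.reasons.push("headless-with-multiple-overrides");
  }

  const parent = basename(ev.ParentImage);
  if (SUSPICIOUS_PARENTS.has(parent)) {
    result.score += 3;
    result.reasons.push(`parent:${parent}`);
  }

  // A local HTML payload loaded straight from Temp is a weaker extra signal.
  if (/file:\/\/\/[^\s"]*\/temp\//.test(cmd)) {
    result.score += 1;
    result.reasons.push("file-url-from-temp");
  }

  result.suspicious = result.score >= 4;
  return result;
}

function scanLog(lines) {
  return lines.map((line) => {
    const event = parseEvent(line);
    return { event, ...analyzeEvent(event) };
  });
}

// Constructed sample events (not real telemetry): a DRILLAPP-style launch,
// a normal user launch, the CDP-enabled variant, and benign dev automation.
const SAMPLE_EVENTS = [
  'Image=C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe|ParentImage=C:\\Windows\\System32\\mshta.exe|CommandLine="msedge.exe" --headless --no-sandbox --disable-web-security --allow-file-access-from-files --use-fake-ui-for-media-stream --auto-select-screen-capture-source=true --disable-user-media-security file:///C:/Users/user/AppData/Local/Temp/drill.html',
  'Image=C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe|ParentImage=C:\\Windows\\explorer.exe|CommandLine="msedge.exe" --single-argument https://www.example.com/',
  'Image=C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe|ParentImage=C:\\Windows\\System32\\rundll32.exe|CommandLine="msedge.exe" --headless --no-sandbox --allow-file-access-from-files --remote-debugging-port=9222 about:blank',
  'Image=C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe|ParentImage=C:\\Program Files\\nodejs\\node.exe|CommandLine="msedge.exe" --headless=new --disable-gpu --remote-debugging-pipe http://localhost:3000/',
];

if (typeof require !== "undefined" && require.main === module) {
  for (const r of scanLog(SAMPLE_EVENTS)) {
    const tag = r.suspicious ? "ALERT" : "ok   ";
    console.log(`${tag} score=${r.score} parent=${basename(r.event.ParentImage)} ${r.reasons.join(",")}`);
  }
}
```

Running it prints one line per event; the first and third samples score well above the threshold because of the headless switch stack plus the scripting-host parent, while the plain user launch and the developer's headless automation (one risky switch, benign parent) stay below it. In production the parent list and thresholds should be tuned against the fleet's own baseline of headless Edge use.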
WHY IT MATTERS
The campaign shows how a legitimate, signed browser process (msedge.exe) can be repurposed to reach sensitive resources while blending in with normal activity, since the malicious logic is ordinary JavaScript and the dangerous behaviour comes from the launch switches rather than from a dropped binary. The ability to capture audio, video and screen output raises the operational impact on compromised systems well beyond file theft.