
A new campaign targeting Ukrainian entities and attributed to actors linked to Russia employs various judicial- and charity-themed lures to deploy a JavaScript‑based backdoor that runs in the Edge browser.
Researchers at LAB52, the intelligence team at cybersecurity company S2 Group, have named the new campaign DRILLAPP.
The malware can upload and download files, leverage the microphone, and capture images through the webcam by exploiting the web browser's features, the researchers said.
In a blog post, they also point out there are two different versions of the campaign, “differentiated mainly by their timeline.”
The first variant dates back to early February 2026. It uses a Windows shortcut (LNK) file to create an HTML Application (HTA) file in the user's temporary folder; the HTA then loads a remote script hosted on Pastefy, a legitimate paste service.
The LNK files are also copied to the Windows Startup folder so that they run automatically at the next logon, which gives the chain persistence across reboots.
The attack chain then opens a URL showing decoy content related to installing Starlink or to the Come Back Alive Foundation, a Ukrainian charity founded in 2014 and dedicated to supporting the Ukrainian Armed Forces.
“Finally, the execution of an HTML file is observed through the Microsoft Edge browser, which loads a remote script hosted on pastefy.app. This script is obfuscated using the open-source tool javascript-obfuscator,” said the researchers.
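The chain described above leaves two artifacts a defender can look for: LNK files in the Startup folder, and shortcut targets or arguments that invoke mshta.exe, reference an .hta file, or point at a paste service. The following triage script is an added example and not LAB52's or Cybernews' tooling. It does not parse the full LNK format; it extracts ASCII and UTF-16LE strings from each shortcut (LNK stores paths and arguments as UTF-16LE) and matches them against a short, assumed indicator list. The two sample shortcuts are constructed blobs with a minimal LNK header, not files from the campaign.

```python
"""Triage helper: flag Startup-folder LNK files whose embedded strings reference
mshta/HTA or a paste service. Added example; indicator list is an assumption."""
from __future__ import annotations

import os
import re
import tempfile
from pathlib import Path

# Heuristic indicator keywords (assumed for this example, matched case-insensitively).
INDICATORS = ("mshta", ".hta", "pastefy.app", "wscript", "cscript")

# Printable runs of at least 6 characters, as raw ASCII and as UTF-16LE.
ASCII_RE = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")


def extract_strings(data: bytes) -> list[str]:
    """Return printable ASCII and UTF-16LE strings found in a byte blob."""
    found = [m.group().decode("ascii") for m in ASCII_RE.finditer(data)]
    found += [m.group().decode("utf-16le") for m in UTF16_RE.finditer(data)]
    return found


def matched_indicators(data: bytes) -> list[str]:
    """Sorted list of indicator keywords present in the blob's strings."""
    hits = set()
    for s in extract_strings(data):
        low = s.lower()
        hits.update(ind for ind in INDICATORS if ind in low)
    return sorted(hits)


def scan_startup(folder: Path) -> dict[str, list[str]]:
    """Map each .lnk in `folder` that matches an indicator to its hits."""
    results: dict[str, list[str]] = {}
    for lnk in sorted(folder.glob("*.lnk")):
        hits = matched_indicators(lnk.read_bytes())
        if hits:
            results[lnk.name] = hits
    return results


def startup_folders() -> list[Path]:
    """Per-user and all-users Startup folders on Windows (empty list elsewhere)."""
    paths = []
    if os.environ.get("APPDATA"):
        paths.append(Path(os.environ["APPDATA"]) / "Microsoft/Windows/Start Menu/Programs/Startup")
    if os.environ.get("PROGRAMDATA"):
        paths.append(Path(os.environ["PROGRAMDATA"]) / "Microsoft/Windows/Start Menu/Programs/StartUp")
    return paths


# --- Constructed sample data (not real campaign files) -----------------------
# Minimal LNK header: HeaderSize 0x4C followed by the ShellLink CLSID
# 00021401-0000-0000-C000-000000000046 in little-endian byte order.
LNK_HEADER = bytes.fromhex("4c000000" "0114020000000000c000000000000046") + b"\x00" * 16


def _utf16(s: str) -> bytes:
    return s.encode("utf-16le") + b"\x00\x00"


# Suspicious: target launches mshta on an HTA in %TEMP% and carries a paste-service URL.
SUSPICIOUS_LNK = (
    LNK_HEADER
    + _utf16(r"C:\Windows\System32\mshta.exe %TEMP%\update.hta")
    + _utf16("https://pastefy.app/<placeholder-paste-id>")
)
# Benign: an ordinary application shortcut.
BENIGN_LNK = LNK_HEADER + _utf16(r"C:\Program Files\Notepad++\notepad++.exe")


def demo_scan() -> dict[str, list[str]]:
    """Write both constructed samples to a temp folder and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp)
        (folder / "Starlink.lnk").write_bytes(SUSPICIOUS_LNK)
        (folder / "Notepad++.lnk").write_bytes(BENIGN_LNK)
        return scan_startup(folder)


if __name__ == "__main__":
    print("constructed samples:", demo_scan())
    for folder in startup_folders():
        if folder.is_dir():
            print(folder, scan_startup(folder))
```

The string-extraction approach is deliberately format-agnostic, so the same `matched_indicators` check can be pointed at HTA files dropped in %TEMP% or at the CPL files of the second variant; a proper LNK parser (or Windows' own `WScript.Shell` `CreateShortcut` to read the target and arguments) is the next step once a shortcut is flagged.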
The second variant, detected in late February 2026, abandons the use of LNK files and adopts CPL files – Windows Control Panel modules that internally function as executable DLL libraries.
This variant otherwise behaves much like the first. Its lures include an image of a weapons seizure report and a report from the Southern Office of the State Audit Service of Ukraine in the Mykolaiv region, which is served from the official website of the National Guard of Ukraine.
“The backdoor downloaded by the second variant of the campaign implements three new capabilities that allow recursive file listing, batch file uploading, and file downloading from the internet,” LAB52 said.
According to the researchers, the campaign, observed in February 2026, has been assessed to share overlaps with a prior campaign mounted by Laundry Bear, a group tracked by Microsoft as Void Blizzard.
Since 2024, Laundry Bear has conducted various cyber operations against Western government organizations, and it is highly probable that it is a Russian state-supported threat actor.
The hackers are specifically interested in the armed forces, government organizations, defence contractors, social and cultural organizations, and digital service providers.