Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

Russia-linked APT Unleashes DRILLAPP Backdoor Campaign Against Ukrainian Targets, Employing Stealthy Microsoft Edge Debugging Tactics




A Russia-linked APT group has been observed deploying a backdoor tracked as DRILLAPP against Ukrainian organizations. Rather than exploiting a software flaw, the campaign runs its payload inside Microsoft Edge and drives the browser through its built-in remote debugging interface, so the observable activity comes from a legitimate, signed browser process. The campaign illustrates the willingness of Russian-aligned actors in the region to repurpose developer tooling for evasion, and it is a reminder that patching alone does not address techniques that abuse features rather than bugs.

  • The Russia-linked APT group uses the DRILLAPP backdoor to surveil Ukrainian targets.
  • Stealth comes from abusing Microsoft Edge's remote debugging interface, not from a vulnerability in Edge.
  • Launched this way, the browser can execute files and access the microphone, camera, screen and local files without prompting the user.
  • Researchers have identified two variants, one delivered via LNK files and a later one via CPL files.
  • The attackers use the Chrome DevTools Protocol to sidestep the browser's restrictions on scripted downloads, injecting a script that simulates a user click.
  • Defenders should hunt for browser processes started with debugging flags from unusual parent processes, restrict LNK and CPL execution from user-writable locations, and keep staff trained on shortcut-based lures.



    The cybersecurity landscape has been further complicated by the revelation of a Russia-linked Advanced Persistent Threat (APT) group leveraging the DRILLAPP backdoor to surveil Ukrainian targets. The tradecraft is notable less for its sophistication than for where it hides: the backdoor runs inside a legitimate browser, and the attacker controls it through a feature Microsoft ships for developers.

    According to the published analyses, the campaign targets Ukrainian organizations and achieves stealth by starting Microsoft Edge with remote debugging enabled. This is an abuse of a legitimate feature, not an exploit of a vulnerability in the browser's security protocols: the Chrome DevTools Protocol (CDP) that Edge exposes for debugging lets whatever controls the debugging endpoint drive the browser as a user would. Once running, the JavaScript payload generates a hashed device fingerprint, checks for select time zones to confirm it is on a target of interest, and connects to a WebSocket command-and-control (C2) server for remote control.

    Because the browser is launched with settings the attacker chooses, the payload can execute files and access the microphone, camera and screen without any user prompt, and it is granted local file access as well. That is what makes the technique worrisome: the capabilities are ordinary browser features, but the consent dialogs that normally gate them have been pre-granted at launch and never appear.

    Researchers have identified two variants. The first, detected in early February, spreads via LNK shortcut files that create HTML files in the temp folder and load obfuscated scripts from pastefy.app. The second, observed later in February, replaces the LNK files with CPL files, Control Panel modules that are in fact DLLs which Windows loads and runs when the file is opened.

    Both variants behave the same once the browser is up: they use CDP to bypass the JavaScript restrictions on scripted downloads by injecting a script that simulates a user click, and so retrieve files from a remote server. The same channel serves uploads, so files move in both directions without the user-facing prompts that would otherwise call attention to the transfer.
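
The launch pattern described above (a browser started with remote debugging enabled, consent prompts suppressed, a parent such as the Control Panel host, and an HTML file opened from the temp folder) is what an endpoint hunt should key on. The following is an added detection example, not code from the original article or from the researchers who analysed DRILLAPP. It assumes Sysmon-style process-creation events flattened to key="value" pairs (adapt parse_line() to your own pipeline), uses the documented Chromium switch names for enabling DevTools access and suppressing media and file-access prompts (the article does not state which switches DRILLAPP itself passes), and runs over constructed sample events rather than real telemetry.

```python
"""Hunt for browsers launched with remote-debugging / prompt-bypass switches.

Added example, not from the original article. Assumptions: Sysmon-like
key="value" process-creation lines; Chromium switch names are the documented
ones, the article does not list the switches the malware uses.
"""
import re
from dataclasses import dataclass

# Switches that expose the Chrome DevTools Protocol to whatever connects.
DEBUG_SWITCHES = ("--remote-debugging-port", "--remote-debugging-pipe")
# Switches that hide the window or remove user consent for media/file access.
PROMPT_SILENCING_SWITCHES = (
    "--headless",
    "--use-fake-ui-for-media-stream",        # auto-accept mic/camera prompts
    "--auto-select-desktop-capture-source",  # auto-accept screen capture
    "--allow-file-access-from-files",        # local file access from file://
)
BROWSER_IMAGES = ("msedge.exe", "chrome.exe")
# Parents that should not normally start a browser: the Control Panel host
# (CPL delivery), rundll32, shells and script hosts.
SUSPICIOUS_PARENTS = ("control.exe", "rundll32.exe", "cmd.exe", "powershell.exe",
                      "wscript.exe", "cscript.exe", "mshta.exe")

# key=value or key="value with \" escapes"
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


@dataclass
class Finding:
    pid: int
    image: str
    parent: str
    score: int
    reasons: list


def parse_line(line):
    """Turn one key="value" log line into a dict, stripping the outer quotes."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        fields[key] = value[1:-1] if value.startswith('"') else value
    return fields


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def switches(cmdline):
    """Set of --switch names present on the command line (values after '=' dropped)."""
    return {tok.split("=", 1)[0].lower() for tok in cmdline.split() if tok.startswith("--")}


def loads_html_from_temp(cmdline):
    """True if the command line opens an .htm/.html file under a Temp directory."""
    return any(tok.lower().endswith((".html", ".htm")) and "\\temp\\" in tok.lower()
               for tok in cmdline.split())


def score_process(fields):
    """Score one process-creation event; None if not a browser or nothing suspicious."""
    image = basename(fields.get("Image", ""))
    if image not in BROWSER_IMAGES:
        return None
    cmdline = fields.get("CommandLine", "")
    parent = basename(fields.get("ParentImage", ""))
    sw = switches(cmdline)
    score, reasons = 0, []
    if any(s in sw for s in DEBUG_SWITCHES):
        score += 3
        reasons.append("remote debugging enabled")
    silenced = [s for s in PROMPT_SILENCING_SWITCHES if s in sw]
    if silenced:
        score += len(silenced)
        reasons.append("prompt-silencing switches: " + ", ".join(silenced))
    if parent in SUSPICIOUS_PARENTS:
        score += 2
        reasons.append(f"launched by {parent}")
    if loads_html_from_temp(cmdline):
        score += 2
        reasons.append("opens HTML file from Temp")
    if score == 0:
        return None
    return Finding(int(fields.get("ProcessId", 0)), image, parent, score, reasons)


def hunt(lines, threshold=3):
    """Return findings scoring at or above threshold, highest first."""
    findings = (score_process(parse_line(line)) for line in lines)
    return sorted((f for f in findings if f and f.score >= threshold),
                  key=lambda f: f.score, reverse=True)


# Constructed sample events (not real telemetry).
SAMPLE_LOGS = [
    # Ordinary user-launched Edge: explorer parent, no debugging switches.
    r'EventId=1 ProcessId=4120 Image="C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" '
    r'CommandLine="\"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe\" --profile-directory=Default" '
    r'ParentImage="C:\Windows\explorer.exe"',
    # DRILLAPP-like launch: Control Panel host parent, headless, CDP exposed, prompts silenced, HTML from Temp.
    r'EventId=1 ProcessId=5532 Image="C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" '
    r'CommandLine="\"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe\" --headless --remote-debugging-port=9222 '
    r'--use-fake-ui-for-media-stream --auto-select-desktop-capture-source --allow-file-access-from-files '
    r'C:\Users\user\AppData\Local\Temp\update.html" ParentImage="C:\Windows\System32\control.exe"',
    # Developer debugging session: CDP exposed but launched from explorer with nothing else.
    r'EventId=1 ProcessId=6010 Image="C:\Program Files\Google\Chrome\Application\chrome.exe" '
    r'CommandLine="\"C:\Program Files\Google\Chrome\Application\chrome.exe\" --remote-debugging-port=9222" '
    r'ParentImage="C:\Windows\explorer.exe"',
    # Not a browser at all.
    r'EventId=1 ProcessId=700 Image="C:\Windows\System32\notepad.exe" CommandLine="notepad.exe" ParentImage="C:\Windows\explorer.exe"',
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOGS):
        print(f"pid={f.pid} {f.image} <- {f.parent} score={f.score}: {'; '.join(f.reasons)}")
```

A developer's own debugging session scores 3 and is reported at the default threshold, which is deliberate: on a workstation where nobody should be driving Edge over CDP, remote debugging alone is worth a look, and on a developer fleet the threshold or an allowlisted parent process can tune it out. The stacked indicators (debugging plus silenced prompts plus a Control Panel or rundll32 parent plus an HTML file from Temp) are what distinguish the DRILLAPP pattern from legitimate automation.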

    The analysis indicates that DRILLAPP is a recent artifact still in an early stage of development. Using the browser as the backdoor's runtime suggests the attackers are exploring new avenues for evasion: the process doing the work is a signed Microsoft binary, the network traffic is a WebSocket connection from a browser, and the debugging capability that makes it all possible is a supported feature rather than something a patch will remove.

    The implications are significant for Ukraine's national security and defense infrastructure, but nothing in the technique is specific to Ukraine. Security teams elsewhere should treat a browser started with debugging enabled from an unexpected parent process as worth investigating.

    Researchers also linked the same actor to a sample submitted from Russia on January 28 that shows a similar infection chain, which points to a campaign that has been running for some time and is likely to keep evolving; future variants can be expected to add capabilities and evasion techniques.

    The usual advice to keep software updated does little here, since no vulnerability is exploited. Organizations should instead restrict or block the execution of LNK and CPL files that arrive by email or land in user-writable locations, alert on Edge or Chrome processes launched with remote debugging enabled from a parent other than the user's shell, watch for outbound connections from browser processes to paste services such as pastefy.app on endpoints that have no business using them, and keep security awareness training focused on shortcut and Control Panel file lures rather than only on attachments.

    As the threat landscape evolves, organizations and governments that share indicators and detections with industry partners and intelligence agencies will blunt campaigns like this one faster than those that do not.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Russia-linked-APT-Unleashes-DRILLAPP-Backdoor-Campaign-Against-Ukrainian-Targets-Employing-Stealthy-Microsoft-Edge-Debugging-Tactics-ehn.shtml

  • https://securityaffairs.com/189519/malware/russia-linked-apt-uses-drillapp-backdoor-to-spy-on-ukrainian-targets.html

  • https://thehackernews.com/2026/03/drillapp-backdoor-targets-ukraine.html


  • Published: Mon Mar 16 16:42:21 2026 by llama3.2 3B Q4_K_M

    © Ethical Hacking News . All rights reserved.

    Privacy | Terms of Use | Contact Us