According to S2 Grupo's LAB52 threat intelligence team, Ukrainian entities have become the target of a new campaign likely linked to threat actors associated with Russia, with the campaign observed in February 2026 and overlapping with Laundry Bear (aka UAC-0190 or Void Blizzard) and a malware family known as PLUGGYAPE.
The attack uses a JavaScript-based backdoor codenamed DRILLAPP that runs inside the Edge browser in headless mode. It employs judicial and charity-themed lures to load a remote script hosted on Pastefy, and uses LNK files that launch an HTA from the temporary folder and establish persistence via the Windows Startup folder.
The backdoor can upload and download files and capture the microphone, camera, and screen; it performs canvas fingerprinting and uses a Pastefy dead-drop resolver to fetch the WebSocket URL for C2 communications. A second version identified in late February 2026 replaced the LNK approach with Windows Control Panel modules while upgrading the backdoor to support recursive file enumeration and arbitrary file download. An early variant observed on 28 January 2026 communicated with the domain gnome[.]com rather than downloading the primary payload.
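Defender-side illustration of the chain described above (an added example, not LAB52's or S2 Grupo's code): a small triage routine over constructed Sysmon-style process-creation records that flags the three pivots the report mentions, an HTA executed from a user's Temp folder, headless Edge spawned by mshta.exe, and a Control Panel module loaded from Temp. The field names, sample paths and file names are assumptions, not indicators from the campaign.

```python
"""Flag process-creation events matching the DRILLAPP-style chain.

Heuristics (added example, not LAB52's detection logic):
  1. mshta.exe executing an .hta from a user's Temp folder
  2. msedge.exe started with --headless by mshta.exe
  3. a Control Panel module (.cpl) loaded from a Temp folder
"""
import re

# Both patterns match a literal backslash-delimited path fragment, case-insensitively.
TEMP_RE = re.compile(r"\\appdata\\local\\temp\\", re.I)
CPL_LOADERS = {"control.exe", "rundll32.exe"}


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def classify(event: dict) -> list[str]:
    """Return the rule names an event triggers (empty list if nothing matched)."""
    img = _basename(event.get("image", ""))
    parent = _basename(event.get("parent_image", ""))
    cmd = event.get("cmdline", "")
    hits = []
    if img == "mshta.exe" and ".hta" in cmd.lower() and TEMP_RE.search(cmd):
        hits.append("hta_from_temp")
    # Headless Edge is common in automation; only the mshta.exe parent makes it suspicious.
    if img == "msedge.exe" and "--headless" in cmd.lower() and parent == "mshta.exe":
        hits.append("headless_edge_from_hta")
    if img in CPL_LOADERS and ".cpl" in cmd.lower() and TEMP_RE.search(cmd):
        hits.append("cpl_from_temp")
    return hits


def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map event index -> triggered rules, for flagged events only."""
    return {i: h for i, e in enumerate(events) if (h := classify(e))}


# Constructed sample events (not real campaign telemetry).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\mshta.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"mshta.exe C:\Users\u\AppData\Local\Temp\doc1.hta"},
    {"image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "parent_image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"msedge.exe --headless --disable-gpu https://example.invalid/loader"},
    {"image": r"C:\Windows\System32\rundll32.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL C:\Users\u\AppData\Local\Temp\panel.cpl"},
    {"image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",  # benign print-to-PDF automation
     "cmdline": r"msedge.exe --headless --print-to-pdf=out.pdf https://intranet.example/report"},
]

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS).items():
        print(idx, rules)
```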