RUSSIA-LINKED threat actors have deployed the DRILLAPP backdoor against Ukrainian entities in a campaign observed in February 2026 that abuses the remote-debugging interface of Microsoft Edge to evade detection. The operation, linked to Laundry Bear (aka UAC-0190, Void Blizzard), is described as an espionage effort against Ukrainian organisations that builds on PLUGGYAPE malware family activity noted in related reports.
The researchers cited a LAB52 report (LAB52 is the intelligence team at S2 Group), which attributes the activity to Laundry Bear with low confidence on the basis of overlapping tradecraft, such as charity-themed lures and the hosting of artifacts on public text-sharing services.
Two DRILLAPP variants are described: an earlier one in which LNK files load obfuscated scripts from pastefy[.]app, and a later CPL-file variant in which the backdoor gains capabilities such as recursive file listing, batch uploads and remote downloads. The backdoor drives the browser in headless mode to reach files, the microphone, the camera and the screen.
The technique relies on the Chrome DevTools Protocol, reached through the browser's remote-debugging port, to bypass download restrictions. That port is a legitimate developer feature that is off by default, so a browser process started with it enabled on a non-developer endpoint is a practical detection opportunity. A January 28 sample linked to gnome[.]com suggests the campaign was active earlier and is tied to the same actor.
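The following detection logic is an added example, not code from the article or from the LAB52 report. It scores Sysmon-style process-creation records for browser launches that expose the DevTools remote-debugging port, run headless, or are spawned by a script host. The Chromium switches it looks for (--remote-debugging-port, --remote-debugging-pipe, --headless, --remote-allow-origins, --user-data-dir) are real; the field names follow Sysmon Event ID 1 (Image, ParentImage, CommandLine), while the parent-process list, the scores, the threshold and the sample events are assumptions constructed for the example and are not taken from the report.

```python
"""Flag browser launches that expose Chrome DevTools Protocol remote debugging.

Added example, not from the article or the LAB52 report. Scores, parent list and
sample events are constructed assumptions for illustration.
"""
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import Optional

BROWSERS = {"msedge.exe", "chrome.exe"}

# Parents a LNK- or CPL-driven chain would plausibly spawn the browser from
# (rundll32.exe/control.exe load .cpl files). Assumption for the example; the
# report does not document parent processes.
SCRIPT_PARENTS = {"rundll32.exe", "control.exe", "cmd.exe", "powershell.exe",
                  "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

ALERT_THRESHOLD = 5  # remote debugging alone is enough to alert

# A token is a run of unquoted non-space chars and/or "quoted" segments, so
# --user-data-dir="C:\a b" stays one token.
_TOKEN = re.compile(r'(?:[^\s"]+|"[^"]*")+')


@dataclass
class Finding:
    record_id: int
    image: str
    score: int
    reasons: list = field(default_factory=list)


def parse_flags(cmdline: str) -> dict:
    """Return {switch: value_or_None} for every --switch[=value] on a Windows command line."""
    flags = {}
    for tok in _TOKEN.findall(cmdline):
        tok = tok.replace('"', "")
        if not tok.startswith("--"):
            continue
        name, _, value = tok.partition("=")
        flags[name.lower()] = value or None
    return flags


def score_event(record: dict) -> Optional[Finding]:
    """Score one process-creation record; return a Finding only above the threshold."""
    image = PureWindowsPath(record["Image"]).name.lower()
    if image not in BROWSERS:
        return None
    parent = PureWindowsPath(record["ParentImage"]).name.lower()
    flags = parse_flags(record["CommandLine"])
    finding = Finding(record["id"], image, 0)

    if "--remote-debugging-port" in flags or "--remote-debugging-pipe" in flags:
        finding.score += 5
        finding.reasons.append("DevTools remote debugging enabled")
    if "--headless" in flags:  # matches both --headless and --headless=new
        finding.score += 3
        finding.reasons.append("headless mode")
    if "--remote-allow-origins" in flags:
        finding.score += 2
        finding.reasons.append("CDP origin check relaxed")
    if "--user-data-dir" in flags:
        finding.score += 1
        finding.reasons.append("non-default profile directory")
    if parent in SCRIPT_PARENTS:
        finding.score += 3
        finding.reasons.append(f"spawned by {parent}")

    return finding if finding.score >= ALERT_THRESHOLD else None


def scan(records) -> list:
    """Run score_event over a batch of records and keep only the alerts."""
    return [f for f in map(score_event, records) if f is not None]


# Constructed sample events (not real telemetry).
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_EVENTS = [
    {"id": 1, "Image": EDGE, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"{EDGE}" https://example.com'},                       # ordinary launch
    {"id": 2, "Image": CHROME, "ParentImage": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "CommandLine": f'"{CHROME}" --remote-debugging-port=9222'},            # developer use
    {"id": 3, "Image": EDGE, "ParentImage": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": f'"{EDGE}" --headless=new --remote-debugging-port=9229 '
                    r"--remote-allow-origins=* --user-data-dir=C:\Users\victim\AppData\Local\Temp\edgeprof "
                    "--no-first-run"},                                      # CPL-style chain
    {"id": 4, "Image": EDGE, "ParentImage": EDGE,
     "CommandLine": f'"{EDGE}" --type=renderer --lang=en-US'},              # child process
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"event {f.record_id}: {f.image} score={f.score}: " + "; ".join(f.reasons))
```

Record 2 shows the expected false positive: developers legitimately start browsers with the debugging port, so in production the rule should carry an exclusion for developer hosts or parent images such as IDEs, while a browser spawned by rundll32.exe or a script host with both the debugging port and headless mode (record 3) should page someone.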