
DRILLAPP: new backdoor targeting Ukrainian entities with possible links to Laundry Bear

ID: 6a9edeec-5f24-5bcd-b160-261c2e7423c2

STIX ID: report--6a9edeec-5f24-5bcd-b160-261c2e7423c2

Feed Name: Lab52 Blog

Threat Score
78/100

Date Published: 2026-03-13

Date Updated: 2026-04-28

Author: 3722304989

...
...

LAB52 at S2 Group observed a February 2026 campaign delivering a JavaScript-based backdoor called DRILLAPP that executes inside the Microsoft Edge browser. The malware abuses headless and remote-debugging browser flags together with the Chrome DevTools Protocol (Edge is Chromium-based, so it exposes the same protocol) to give the operator file system access and to capture microphone, camera, and screen content; two variants are delivered through LNK shortcut files and CPL (Control Panel item) files respectively. The report includes IOCs (file hashes, IPs, and Pastefy/short-link URLs) and attributes the activity with low confidence to actors linked to Russia.
