Lure displayed with information about the Starlink installation | Image: LAB52
Cybersecurity researchers at LAB52, the threat intelligence arm of S2 Group, have uncovered a novel campaign targeting Ukrainian entities that turns a common workplace tool—the web browser—into a high-powered espionage device. The campaign, which intensified throughout February 2026, deploys a custom JavaScript-based backdoor dubbed “DRILLAPP”.
The attackers utilize social engineering lures themed around judicial matters and charitable causes to trick victims into initiating the infection. While attribution remains a complex puzzle, LAB52 has noted tactical overlaps with the Russian-linked group Laundry Bear, leading to a low-confidence attribution to this specific threat actor.
As the report explains:
“The campaign… employs various judicial and charity themed lures to deploy a JavaScript-based backdoor that runs through the Edge browser and has been named DRILLAPP by LAB52”.
What makes DRILLAPP particularly dangerous is its method of execution. Rather than running as a standalone malicious file that might be easily flagged by antivirus software, it leverages the legitimate capabilities of the Microsoft Edge browser.
By launching the browser with specific debugging parameters, the attackers can force it to perform actions it was never intended to do for an end-user, such as silently downloading remote scripts or accessing hardware.
The backdoor grants attackers expansive control, including:
- File Manipulation: The ability to upload and download files to and from the compromised system.
- Sensory Surveillance: Leveraging browser permissions to activate the microphone or capture images via the webcam.
- Screen Recording: Capturing the victim’s desktop activity in real-time.
“One of the most notable aspects is the use of the browser to deploy a backdoor, which suggests that the attackers are exploring new ways to evade detection”.
The researchers identified two distinct stages of the campaign. The first variant, appearing in early February, utilized malicious LNK files to create temporary HTML files that fetched scripts from public text-sharing services like pastefy.app.
A second variant, discovered earlier in late January, showed the attackers testing their infrastructure by establishing communication with legitimate sites like gnome.com to verify their connection methods before deploying the final backdoor.
“The browser is advantageous for this type of activity because it is a common and generally non-suspicious process… it offers extended capabilities accessible through debugging parameters that enable unsafe actions”.
As DRILLAPP represents a “recent artifact” still in active development, its discovery provides a critical window for defenders to harden their systems against browser-based exploitation.
Defense Recommendations:
- Audit Browser Launch Arguments: Monitor for instances of Edge or Chrome being launched with unusual debugging or remote-control flags.
- Restrict LNK Files: Be extremely cautious with .lnk (shortcut) files received via email or downloaded from unfamiliar sources.
- Monitor Public Paste Sites: Watch network traffic for unauthorized connections to services like pastefy.app or similar text-sharing platforms.
- Review Browser Permissions: Educate users on the importance of “Microphone” and “Camera” permission prompts and audit which applications have persistent access.
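The first recommendation above (auditing how Edge or Chrome is launched) is the one most directly tied to how DRILLAPP runs, since the report describes the backdoor being driven through the browser's debugging parameters. The following is an added detection example written for this article; it is not code from LAB52 or from the report. It scans process-creation records for Edge/Chrome launches that carry remote-control or permission-bypassing Chromium switches, point the browser at an HTML file in a temp directory, or come from a script-host parent. The pipe-delimited log format, the sample records, the switch watchlist (built from documented Chromium command-line switches, not from the report), the parent-process list, and the scoring weights are all assumptions of this example.

```python
"""Flag Edge/Chrome launches with debugging or remote-control switches.

Added example, not LAB52's code. Input records mimic Sysmon Event ID 1
fields (Image, ParentImage, CommandLine) in a constructed pipe-delimited
text format. The switch list, parent list and scores are assumptions.
"""
from __future__ import annotations

import shlex
from dataclasses import dataclass, field

BROWSER_IMAGES = ("msedge.exe", "chrome.exe")

# Parents that a user-initiated browser launch rarely has (assumption).
SCRIPT_HOST_PARENTS = ("cmd.exe", "powershell.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe")

# Documented Chromium switches that a normal interactive launch does not
# carry. Weights are an assumption of this example.
SUSPICIOUS_SWITCHES = {
    "--remote-debugging-port": 5,   # DevTools protocol exposed over TCP
    "--remote-debugging-pipe": 5,   # DevTools protocol over stdio pipes
    "--headless": 3,                # no visible window for the user
    "--use-fake-ui-for-media-stream": 4,       # auto-accepts mic/camera prompt
    "--auto-select-desktop-capture-source": 4,  # auto-picks a screen to capture
    "--disable-web-security": 3,
    "--allow-file-access-from-files": 3,
    "--enable-automation": 2,
}
ALERT_THRESHOLD = 5


@dataclass
class Finding:
    image: str
    parent: str
    switches: list[str] = field(default_factory=list)
    temp_html: list[str] = field(default_factory=list)
    score: int = 0


def parse_record(line: str) -> dict[str, str]:
    """Parse 'Image=...|ParentImage=...|CommandLine=...' (constructed format)."""
    fields: dict[str, str] = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path, quotes stripped."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()


def analyze(record: dict[str, str]) -> Finding | None:
    """Score one process-creation record; return a Finding if it alerts."""
    image = basename(record.get("Image", ""))
    if image not in BROWSER_IMAGES:
        return None
    parent = basename(record.get("ParentImage", ""))
    finding = Finding(image=image, parent=parent)
    cmdline = record.get("CommandLine", "")
    try:
        # posix=False keeps Windows backslashes and quoted paths intact.
        args = shlex.split(cmdline, posix=False)
    except ValueError:
        args = cmdline.split()
    for arg in args[1:]:
        name = arg.split("=", 1)[0].lower()
        if name in SUSPICIOUS_SWITCHES:
            finding.switches.append(arg)
            finding.score += SUSPICIOUS_SWITCHES[name]
        low = arg.strip('"').lower()
        # LNK-created temporary HTML files opened by the browser.
        if low.endswith((".html", ".htm", ".hta")) and "\\temp\\" in low:
            finding.temp_html.append(arg)
            finding.score += 3
    if parent in SCRIPT_HOST_PARENTS:
        finding.score += 2
    return finding if finding.score >= ALERT_THRESHOLD else None


def scan(lines: list[str]) -> list[Finding]:
    """Run analyze() over raw log lines and keep only alerting findings."""
    results = []
    for line in lines:
        finding = analyze(parse_record(line))
        if finding is not None:
            results.append(finding)
    return results


EDGE = r'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
# Constructed sample records, not real telemetry.
SAMPLE_LOG = [
    # Benign: user opens Edge from the taskbar.
    r'Image=' + EDGE + r'|ParentImage=C:\Windows\explorer.exe|CommandLine="' + EDGE + r'" --profile-directory=Default',
    # Benign: Edge spawning its own renderer child process.
    r'Image=' + EDGE + r'|ParentImage=' + EDGE + r'|CommandLine="' + EDGE + r'" --type=renderer --lang=en-US',
    # Suspicious: cmd.exe starts Edge headless with remote debugging on a temp HTML file.
    r'Image=' + EDGE + r'|ParentImage=C:\Windows\System32\cmd.exe|CommandLine="' + EDGE
    + r'" --headless --remote-debugging-port=9222 --use-fake-ui-for-media-stream "C:\Users\user\AppData\Local\Temp\tmp1234.html"',
    # Not a browser at all.
    r'Image=C:\Windows\System32\notepad.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=notepad.exe',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"ALERT score={f.score} {f.parent} -> {f.image} "
              f"switches={f.switches} temp_html={f.temp_html}")
```

The two benign records score zero because profile, renderer-type and language switches are not on the watchlist and explorer.exe or the browser itself is the parent; only the cmd.exe launch crosses the threshold. In a real deployment the same logic would be fed from Sysmon or EDR process-creation events, and the watchlist is the piece to tune: `--remote-debugging-port` alone is enough to alert, while a lone `--headless` is scored below the threshold because some legitimate automation uses it.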