Ukrainian organizations have been targeted in a new cyber-espionage campaign likely carried out by threat actors linked to Russia, according to a report by the threat intelligence team LAB52 at S2 Grupo.
Researchers say the activity, observed in February 2026, shares similarities with a previous operation by the threat group Laundry Bear, also tracked as UAC-0190 or Void Blizzard, which earlier targeted Ukrainian defense forces with the PLUGGYAPE malware family.
The latest campaign uses judicial and charity-themed lures to distribute a JavaScript-based backdoor called DRILLAPP that runs inside the Microsoft Edge browser. Once deployed, the malware can upload and download files, record from the victim's microphone, and capture images from the webcam. It does this by abusing legitimate built-in browser capabilities rather than exploiting a browser vulnerability.
According to LAB52, the first version of the campaign appeared in early February and used Windows shortcut (LNK) files to create an HTML Application (HTA) file in the system’s temporary folder. The HTA then loads a remote script hosted on the legitimate paste service Pastefy.
To maintain persistence, the attackers copy the malicious LNK files into the Windows Startup folder so they run automatically after every logon. The victim is then shown decoy URLs themed around installing the Starlink satellite internet service or donating to the Ukrainian charity Come Back Alive Foundation.
The HTML payload is ultimately rendered by Microsoft Edge in headless mode, where it loads an obfuscated script from Pastefy. The attackers launch the browser with command-line parameters that disable several security protections and grant the page access to the local file system, camera, microphone, and screen capture without requiring any user interaction.
The backdoor also generates a unique device fingerprint using canvas fingerprinting, and it uses Pastefy as a "dead drop": instead of hard-coding the command-and-control server, it retrieves the WebSocket address for C2 communications from a paste, which lets the operators change infrastructure without redeploying the implant.
The malware sends the device fingerprint along with the victim’s country, determined from the system’s time zone. It checks for time zones associated with countries including the United Kingdom, Russia, Germany, France, China, Japan, the United States, Brazil, India, Ukraine, Canada, Australia, Italy, Spain, and Poland.
A second version of the campaign, discovered in late February, replaced the LNK files with Windows Control Panel module (CPL) files while keeping a similar infection chain. The updated backdoor adds new capabilities such as recursive file enumeration, batch file uploads, and arbitrary file downloads.
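The two infection chains above leave a distinctive trail in process-creation telemetry: a script host (mshta.exe) launching an HTA from the temp folder, a browser spawned by that script host with headless plus permission-weakening switches, a copy into the Startup folder, and, in the second variant, a CPL file loaded from a user-writable path. The following Python is an added example written for this article, not code from LAB52 or S2 Grupo, that runs such checks over a handful of constructed Sysmon-style process events. The report does not list the exact Edge parameters used, so the Chromium switches below (--headless, --use-fake-ui-for-media-stream, --auto-select-desktop-capture-source, --allow-file-access-from-files, --disable-web-security) are an assumption about which switches would produce the behaviour described; each of them does exist in Chromium-based browsers. File names, paths and the pastefy.app domain are likewise constructed for illustration.

```python
import re

CHROMIUM_BROWSERS = ("msedge.exe", "chrome.exe")
SCRIPT_HOSTS = ("mshta.exe", "wscript.exe", "cscript.exe")
COPY_TOOLS = ("cmd.exe", "powershell.exe", "xcopy.exe", "robocopy.exe")

# Chromium switches that remove a user-interaction or same-origin barrier.
# ASSUMPTION: the report only says "parameters that disable protections";
# these are the real switches that would achieve what it describes.
RISKY_SWITCHES = (
    "--headless",                            # no visible window
    "--use-fake-ui-for-media-stream",        # auto-grant camera/mic prompts
    "--auto-select-desktop-capture-source",  # auto-pick a screen to capture
    "--allow-file-access-from-files",        # file:// pages may read local files
    "--disable-web-security",                # drop the same-origin policy
)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def switches_in(cmdline):
    """Risky switches present in a (lower-cased) command line."""
    return [s for s in RISKY_SWITCHES if s in cmdline]


def analyze(event):
    """Return the names of every rule the event triggers (empty if benign)."""
    hits = []
    image = basename(event["Image"])
    parent = basename(event["ParentImage"])
    cl = event["CommandLine"].lower()

    if image in CHROMIUM_BROWSERS:
        sw = switches_in(cl)
        # Headless alone is common in test automation; headless combined with a
        # barrier-removing switch is what turns a browser into a surveillance host.
        if "--headless" in sw and len(sw) > 1:
            hits.append("browser_headless_with_permission_bypass")
        if parent in SCRIPT_HOSTS:
            hits.append("browser_spawned_by_script_host")

    # Stage one of variant 1: the LNK drops an HTA into %TEMP% and runs it.
    if image == "mshta.exe" and re.search(r"\\(temp|tmp)\\[^\s\"]*\.hta\b", cl):
        hits.append("mshta_executing_hta_from_temp")

    # Persistence: something other than the shell writing into the Startup folder.
    if image in COPY_TOOLS and "\\programs\\startup\\" in cl:
        hits.append("write_to_startup_folder")

    # Variant 2: a Control Panel module loaded from a user-writable location.
    if image == "rundll32.exe" and "control_rundll" in cl and ".cpl" in cl \
            and "\\users\\" in cl:
        hits.append("cpl_loaded_from_user_path")

    return hits


def scan(events):
    """Map event index -> triggered rules for every suspicious event."""
    return {i: analyze(e) for i, e in enumerate(events) if analyze(e)}


# Constructed sample events (not real telemetry). Two are benign on purpose.
EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": r'"msedge.exe" --profile-directory=Default https://example.com'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": r'msedge.exe --headless=new --screenshot https://example.com'},
    {"ParentImage": r"C:\Windows\System32\mshta.exe", "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": r'msedge.exe --headless=new --use-fake-ui-for-media-stream --allow-file-access-from-files '
                    r'--auto-select-desktop-capture-source=Entire "file:///C:/Users/victim/AppData/Local/Temp/lure.html"'},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'mshta.exe C:\Users\victim\AppData\Local\Temp\update.hta'},
    {"ParentImage": r"C:\Windows\System32\mshta.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c copy "C:\Users\victim\Downloads\Starlink.lnk" '
                    r'"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\"'},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe shell32.dll,Control_RunDLL C:\Users\victim\AppData\Local\Temp\court_notice.cpl'},
]

if __name__ == "__main__":
    for idx, rules in scan(EVENTS).items():
        print(idx, basename(EVENTS[idx]["Image"]), rules)
```

Events 0 and 1 produce no alert: an ordinary browser launch and a headless screenshot job are exactly the benign cases a rule keyed on "--headless" alone would drown in. The remaining four each map to one stage of the chain the report describes, so an analyst can tell from the rule name which part of the intrusion a host is at.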
Researchers believe the malware is still under development.