A campaign utilizing the DRILLAPP backdoor has been identified as targeting Ukrainian organizations, marking a continuation of cyber operations attributed to Russia-linked threat actors. Discovered in February 2026, the campaign involves deliberate abuse of Microsoft Edge debugging capabilities, enabling threat actors to evade detection with considerable effectiveness. This tactic has been directly associated with the Laundry Bear Advanced Persistent Threat (APT) group, also tracked as UAC-0190 or Void Blizzard — a group with a documented history of deploying the PLUGGYAPE malware family against Ukrainian targets.
The DRILLAPP Campaign Relies on Browser Debugging to Stay Hidden
The most striking element of this campaign is how threat actors exploit built-in debugging features within Microsoft Edge to conceal malicious activity. Rather than relying on traditional injection techniques that security tools are well-equipped to flag, DRILLAPP is designed to blend into legitimate browser processes by taking advantage of Edge’s remote debugging interface. This allows the backdoor to operate within trusted application activity, dramatically reducing its detection footprint against conventional endpoint security measures.
By operating under the cover of a recognized browser process, the malware achieves a longer operational lifespan within compromised environments. The technique represents a practical shift in how Russian-aligned groups approach stealth — moving away from overtly malicious payloads toward methods that exploit the expected behavior of everyday software tools already present on target systems.
Laundry Bear APT Connects This Campaign to a Broader Pattern of Operations
Strong evidence points to the Laundry Bear APT group as the orchestrators behind this campaign. Operating under multiple aliases, including UAC-0190 and Void Blizzard, Laundry Bear has carried out repeated operations against Ukrainian entities and is well-known within the threat intelligence community for its use of the PLUGGYAPE malware family. The presence of PLUGGYAPE-linked tradecraft in the DRILLAPP campaign reinforces attribution and points to a deliberate continuation of the group’s long-running focus on Ukrainian targets.
The group’s operational history reflects a sustained interest in cyber espionage against organizations tied to Ukrainian national interests, government functions, and critical infrastructure. Their ability to adapt tooling — as demonstrated by the move toward Edge debugging abuse — signals that Laundry Bear remains an active and capable threat actor that continues to develop its tradecraft in response to evolving defensive capabilities.
Ukrainian Cybersecurity Faces Mounting Pressure From Increasingly Refined Tactics
The deployment of the DRILLAPP backdoor underlines the growing pressure placed on Ukrainian cybersecurity infrastructure by Russian-aligned threat groups. As these actors continue refining their methods, the gap between attacker capability and standard defensive posture becomes a pressing concern for organizations operating within Ukraine and those with ties to the region.
The integration of legitimate application features — such as browser debugging interfaces — into malware operations represents a broader trend in which threat actors weaponize trusted tools to sidestep detection. For cybersecurity teams, this means that signature-based and process-based detection alone is no longer sufficient. Behavioral analysis, network traffic inspection, and anomaly detection tied to browser process activity are becoming increasingly necessary components of a well-rounded defense strategy.
Security professionals defending Ukrainian networks and critical infrastructure are urged to review exposure to browser-based debugging interfaces and evaluate whether remote debugging features are necessary within their environments. Where such features are not required, disabling them reduces the available attack surface that groups like Laundry Bear actively seek to exploit.
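A practical starting point for the "anomaly detection tied to browser process activity" the article calls for is to watch how msedge.exe is launched: Chromium-based browsers expose the DevTools remote debugging interface only when started with documented switches such as --remote-debugging-port, --remote-debugging-pipe or --remote-allow-origins, so a process-creation record carrying one of them is the earliest and cheapest signal. The following detector is an added example written for this page; it is not code from the article, from the researchers who reported DRILLAPP, or from Microsoft. It assumes a constructed record format (record id, image path, parent image path and command line, pipe-separated, as one would export from Sysmon Event ID 1 or Windows 4688), and the scoring weights and the "expected parent" list are illustrative assumptions to be tuned locally.

```python
import re
from dataclasses import dataclass

# Documented Chromium switches that open or loosen the DevTools remote debugging interface.
DEBUG_SWITCHES = {
    "--remote-debugging-port": "DevTools protocol exposed on a TCP port",
    "--remote-debugging-pipe": "DevTools protocol exposed over inherited pipes",
    "--remote-allow-origins": "origin check on the debugging endpoint relaxed",
}

# Not malicious on their own, but they make a debug-enabled browser easier to hide.
CONTEXT_SWITCHES = {
    "--headless": "no visible window",
    "--user-data-dir": "non-default profile directory",
    "--no-first-run": "first-run UI suppressed",
}

# Parents from which an interactive Edge launch normally originates (assumption; extend per estate).
EXPECTED_PARENTS = {"explorer.exe", "msedge.exe"}


@dataclass
class Finding:
    record_id: str
    score: int
    reasons: list


def tokenize(cmdline: str) -> list:
    """Split a Windows command line, keeping quoted paths as a single token."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def switches(tokens: list) -> dict:
    """Map each --switch to its value ('' when the switch takes none)."""
    out = {}
    for t in tokens[1:]:  # tokens[0] is the executable path
        if t.startswith("--"):
            name, _, value = t.partition("=")
            out[name] = value
    return out


def assess(record_id: str, image: str, parent_image: str, cmdline: str):
    """Return a Finding when an Edge browser process enables remote debugging, else None."""
    if image.rsplit("\\", 1)[-1].lower() != "msedge.exe":
        return None
    sw = switches(tokenize(cmdline))
    # Renderer/GPU/utility children carry --type=...; only the browser process owns the endpoint,
    # so skipping children keeps one launch from producing several alerts.
    if "--type" in sw:
        return None
    reasons = [f"{k}={sw[k]}: {desc}" if sw[k] else f"{k}: {desc}"
               for k, desc in DEBUG_SWITCHES.items() if k in sw]
    if not reasons:
        return None
    score = 70  # base score for any debugging switch (illustrative weight)
    for k, desc in CONTEXT_SWITCHES.items():
        if k in sw:
            score += 10
            reasons.append(f"{k}: {desc}")
    parent = parent_image.rsplit("\\", 1)[-1].lower()
    if parent not in EXPECTED_PARENTS:
        score += 15
        reasons.append(f"unexpected parent process {parent}")
    return Finding(record_id, min(score, 100), reasons)


def scan(records: list) -> list:
    """Run assess() over 'id|Image|ParentImage|CommandLine' records and collect findings."""
    findings = []
    for line in records:
        record_id, image, parent, cmdline = line.split("|", 3)
        finding = assess(record_id, image, parent, cmdline)
        if finding:
            findings.append(finding)
    return findings


EDGE = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"

# Constructed sample records; none of these are real telemetry or indicators from the campaign.
SAMPLE_RECORDS = [
    # e1: ordinary interactive launch from the desktop shell
    f'e1|{EDGE}|C:\\Windows\\explorer.exe|"{EDGE}" --profile-directory=Default',
    # e2: child process record, constructed to exercise the --type filter
    f'e2|{EDGE}|{EDGE}|"{EDGE}" --type=renderer --remote-debugging-port=9222',
    # e3: headless, throw-away profile, debugging port, parented by a binary in a temp folder
    f'e3|{EDGE}|C:\\Users\\u\\AppData\\Local\\Temp\\updater.exe|"{EDGE}" --headless '
    '--user-data-dir=C:\\Users\\u\\AppData\\Local\\Temp\\p --remote-debugging-port=9222',
    # e4: debugging over pipes from an otherwise normal-looking launch
    f'e4|{EDGE}|C:\\Windows\\explorer.exe|"{EDGE}" --remote-debugging-pipe',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print(f.record_id, f.score, "; ".join(f.reasons))
```

Run against the constructed records, only e3 and e4 are reported; e3 reaches the cap because every heuristic fires. Developers and browser test automation (Selenium, Playwright and similar) start Edge with these same switches legitimately, so an allowlist keyed on user, host or parent image is needed before this produces pageable alerts. The hardening counterpart to the article's last recommendation is Edge's RemoteDebuggingAllowed policy (delivered under HKLM\SOFTWARE\Policies\Microsoft\Edge like the other Edge policies): setting it to disabled makes the switches inert on managed endpoints, and any detection hit that survives that policy is worth a closer look.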
