Russian hackers have turned the Microsoft Edge browser into a tool for covert surveillance of Ukrainian institutions


Spanish analysts traced a stealthy Edge-based backdoor that captures camera, microphone and file data, revealing novel use of the DevTools protocol and Pastefy for remote control.

In February 2026, specialists from the Spanish company S2 Grupo LAB52 detected a new cyberattack against Ukrainian institutions. According to experts, Russian hackers are behind it, using the Edge browser as a covert tool for surveillance and data collection.

The campaign shares similarities with the previous Laundry Bear operation (also known as UAC-0190 or Void Blizzard), which targeted Ukraine’s Armed Forces through the PLUGGYAPE malware, The Hacker News reports.

How the new backdoor through Edge works

According to the study, the attack uses a variety of lures on legal and charitable topics to deploy a JavaScript-based backdoor that runs inside the Edge browser. The malware, named DRILLAPP, can download and upload files, access the microphone and camera, and take pictures via the webcam.

Two different versions of the campaign were observed. In early February, the criminals used a Windows shortcut (LNK file) that creates an HTML Application (HTA) in a temporary folder. This application then loaded a remote script from Pastefy, a text-sharing service.

To ensure persistence, the LNK files were copied to the Windows Startup folder so they would run automatically after each reboot. The infection chain then redirected to a URL with lures related to the installation of Starlink or the Come Back Alive Foundation.

The HTML file was launched through the Edge browser in headless mode and loaded a remote obfuscated script hosted on Pastefy. Edge was started with additional parameters that grant access to the local file system, the camera, the microphone, and screenshots without user interaction: --no-sandbox, --disable-web-security, --allow-file-access-from-files, --use-fake-ui-for-media-stream, --auto-select-screen-capture-source=true, and --disable-user-media-security.

As a result, the malicious file effectively acts as a simplified backdoor: it provides access to the file system and allows recording audio, video from the camera, and screenshots through the browser. On first run it also builds a device fingerprint via canvas fingerprinting, and it uses Pastefy as the channel for obtaining the WebSocket URL of the command-and-control server.

“For security reasons, JavaScript does not allow remote file downloads.”

– LAB52

Alongside the first variant, a second campaign version was observed at the end of February 2026: now the attackers operate without LNK files and use Windows Control Panel modules, but the overall infection sequence remains largely unchanged. The backdoor itself has also been updated: now it supports recursive file enumeration, bulk data uploads to the server, and arbitrary file downloads to the device.

“Since JavaScript does not allow remote file downloads, the attackers use the Chrome DevTools Protocol (CDP) – an internal protocol of Chromium-based browsers that is activated only when the parameter --remote-debugging-port is present.”

– LAB52

Experts consider the backdoor to still be in early development. The early variant, which first surfaced publicly on January 28, 2026, exchanged data with the domain gnome[.]com instead of loading the main payload from Pastefy.

“One of the most notable aspects is the use of the browser as a backdoor deployment channel, signaling the attackers’ intent to find new ways to evade detection.”

– Spanish cybersecurity experts LAB52

Conclusion and defense implications

Spanish analysts emphasize that using a legitimate browser as the attack tool gives attackers trusted access to confidential resources and enables a wide range of dangerous actions without immediate system warnings. The presence of two campaign variants indicates the hackers’ adaptability and ongoing testing of new detection-evasion methods. Organizations are advised to enhance monitoring of Edge activity, carefully scrutinize suspicious HTA and LNK files, and restrict the use of non-standard browser launch parameters and remote debugging capabilities.
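One way to act on that advice, as an added example that is not LAB52's code or anything from the report: triage Windows process-creation command lines for Edge launches carrying the switches quoted above, so that headless, permission-bypassing or remote-debugging launches surface for review. The sample command lines, the Edge install path and the severity thresholds are constructed assumptions.

```python
import re
from typing import Dict, List, Optional

# Launch switches named in the LAB52 write-up, plus the one that exposes the
# Chrome DevTools Protocol. Values after '=' are ignored when matching.
RISKY_FLAGS = {
    "--no-sandbox", "--disable-web-security", "--allow-file-access-from-files",
    "--use-fake-ui-for-media-stream", "--auto-select-screen-capture-source",
    "--disable-user-media-security", "--remote-debugging-port",
}
EDGE = r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"'

# Constructed sample process-creation command lines (not real telemetry).
SAMPLE_EVENTS = [
    EDGE + " --profile-directory=Default https://example.org",  # ordinary launch
    EDGE + " --headless --no-sandbox --disable-web-security"
           " --allow-file-access-from-files --use-fake-ui-for-media-stream"
           " --auto-select-screen-capture-source=true"
           " --disable-user-media-security file:///C:/Users/Public/lure.html",
    EDGE + " --headless --remote-debugging-port=9222 file:///C:/Users/Public/lure.html",
    r"C:\Windows\System32\notepad.exe C:\Users\u\notes.txt",  # not a browser
]

def analyze(cmdline: str) -> Optional[Dict]:
    """Return a verdict for one command line, or None if it is not a Chromium browser."""
    exe = re.search(r"(msedge|chrome)\.exe", cmdline, re.I)
    if not exe:
        return None
    lowered = cmdline.lower()
    # Switch names only: '--foo=bar' matches as '--foo'.
    switches = set(re.findall(r"(?:^|\s)(--[a-z0-9-]+)", lowered))
    hits = sorted(switches & RISKY_FLAGS)
    local_file = "file:///" in lowered or ".hta" in lowered
    if "--remote-debugging-port" in hits or len(hits) >= 2:
        severity = "high"    # DevTools exposed, or several permission bypasses stacked
    elif hits or (local_file and "--headless" in switches):
        severity = "review"  # a single odd switch, or headless rendering of a local page
    else:
        severity = "none"
    return {"exe": exe.group(0).lower(), "flags": hits,
            "local_file": local_file, "severity": severity}

def scan(events: List[str]) -> List[Dict]:
    """Analyze every command line and keep only the ones that warrant attention."""
    verdicts = (analyze(e) for e in events)
    return [v for v in verdicts if v and v["severity"] != "none"]

if __name__ == "__main__":
    for v in scan(SAMPLE_EVENTS):
        print(v["severity"].upper(), v["exe"], ", ".join(v["flags"]) or "(headless local file)")
```

Feed it the CommandLine field of Sysmon event 1 or Windows event 4688 records; the two constructed malicious launches are reported as high, the ordinary launch is dropped.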


