Two variants of the campaign have been identified, differentiated mainly by their timeline.<\/p>\n\n\n\n
First variant<\/h1>\n\n\n\n
The first identified variant dates back to early February. It uses LNK files that create an HTML file in the temporary folder, which then loads a remote script hosted on pastefy.app. For persistence, the executable copies all files with the .lnk extension to the \u201c%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\u201d folder.<\/p>\n\n\n
![\"\"](\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2026\/03\/Captura-desde-2026-03-12-16-32-27-1024x80.png\")
Next, a URL containing the bait will be displayed. In this first variant, the bait can cover different topics, such as an image related to the installation of Starlink. Bait simulating requests from the Come Back Alive foundation, a Ukrainian charity founded in 2014 and dedicated to supporting the Ukrainian Armed Forces, has also been observed.<\/p>\n\n\n
![\"\"](\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2026\/03\/Captura-desde-2026-03-10-17-13-13-1024x512.png\")
Finally, the execution of an HTML file is observed through the Microsoft Edge browser, which loads a remote script hosted on pastefy.app. This script is obfuscated using the open-source tool javascript-obfuscator.<\/p>\n\n\n
![\"\"](\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2026\/03\/image-1024x424.png\")
The browser is executed in headless mode, enabling a series of parameters such as –no-sandbox, –disable-web-security, –allow-file-access-from-files, –use-fake-ui-for-media-stream, –auto-select-screen-capture-source=true, and –disable-user-media-security. These settings allow local file access and automatically grant permissions for the camera, microphone, and screen capture without user interaction.<\/p>\n\n\n\n
Using deobfuscation techniques, it has been possible to partially recover the code of the artifact, which functions as a lightweight backdoor allowing the attacker to access the file system and record audio from the microphone, video from the camera, and the device\u2019s screen, all through the browser.<\/p>\n\n\n
![\"\"](\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2026\/03\/Captura-desde-2026-03-11-22-53-03-1024x436.png\")
When executed for the first time, the malware generates a device fingerprint using Canvas Fingerprinting combined with other data such as screen size and system language. These values are hashed to create the fingerprint. This fingerprint is then stored in the \u201cstream_client_id\u201d field within the browser\u2019s persistent storage.<\/p>\n\n\n
![\"\"](\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2026\/03\/Captura-desde-2026-03-11-22-48-16-1024x367.png\")
This device fingerprint is sent together with the victim\u2019s country, which is determined based on the device\u2019s time zone. Only the time zones corresponding to the United Kingdom, Russia, Germany, France, China, Japan, the United States, Brazil, India, Ukraine, Canada, Australia, Italy, Spain, and Poland are implemented. In any other case, the system defaults to returning the United States.<\/p>\n\n\n
![\"\"](\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2026\/03\/image-1.png\")
The artifact communicates with the command\u2011and\u2011control server through a WebSocket obtained from a URL hosted on pastefy.app, using localhost:8000 as the default value if the URL is unavailable. This default value is expected to be replaced with a real IP address in later versions and is believed to be a debugging trace.<\/p>\n\n\n
![\"\"](\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2026\/03\/image-2.png\")
Second variant<\/h1>\n\n\n\n
The second variant, detected in late February 2026, abandons the use of LNK files and adopts CPL files\u2014Windows Control Panel modules that internally function as executable DLL libraries. Although a change in the deployment method has been observed, this new variant exhibits behavior similar to the first one. The lures used in this case include an image of a weapons seizure report and a report from the Southern Office of the State Audit Service of Ukraine in the Mykolaiv region, which is displayed from the official website of the National Guard of Ukraine.<\/p>\n\n\n
![\"\"](\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2026\/03\/Captura-desde-2026-03-10-11-38-58.png\")
The backdoor downloaded by the second variant of the campaign implements three new capabilities that allow recursive file listing, batch file uploading, and file downloading from the internet.<\/p>\n\n\n
![\"\"](\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2026\/03\/Captura-desde-2026-03-11-23-39-11.png\")
For security reasons, JavaScript does not allow the remote downloading of files. This is why the attackers use the Chrome DevTools Protocol (CDP), an internal protocol of Chromium\u2011based browsers that can only be used when the –remote-debugging-port parameter is enabled.<\/p>\n\n\n
![\"\"](\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2026\/03\/image-3.png\")
This is initially used to modify the path where the file will be saved.<\/p>\n\n\n
![\"\"](\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2026\/03\/Captura-desde-2026-03-11-23-48-18.png\")
A small script is then injected into the browser, which simulates a user click and downloads the file from the remote server.<\/p>\n\n\n
![\"\"](\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2026\/03\/Captura-desde-2026-03-12-00-01-02-1024x270.png\")
Early activity<\/h1>\n\n\n\n
Additionally, a sample dated January 28 and uploaded from Russia has been identified, in which a similar infection chain and set of commands are used. However, in this case, instead of downloading the backdoor, the artifact establishes communication with the website gnome.com, which does not contain any malicious code.<\/p>\n\n\n
![\"\"](\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2026\/03\/Captura-desde-2026-03-12-00-46-08-1024x202.png\")
This sample may represent early activity of the campaign and is attributed to the same actor with a high degree of confidence, given its similarity to the samples from the first variant.<\/p>\n\n\n\n
Conclusion<\/h1>\n\n\n\n
The analysis conducted indicates that DRILLAPP is a recent artifact that is still in an early stage of development. One of the most notable aspects is the use of the browser to deploy a backdoor, which suggests that the attackers are exploring new ways to evade detection. The browser is advantageous for this type of activity because it is a common and generally non\u2011suspicious process, it offers extended capabilities accessible through debugging parameters that enable unsafe actions such as downloading remote files, and it provides legitimate access to sensitive resources such as the microphone, camera, or screen recording without triggering immediate alerts.<\/p>\n\n\n\n