
Russia-linked DRILLAPP campaign targeting Ukrainian entities

Campaign
H score 38
1 unique source, 1 article

Summary


A Russia-linked campaign is targeting Ukrainian entities with the DRILLAPP browser backdoor, expanding a covert operation that uses judicial and charity-themed lures. The activity was observed in February 2026 and matters because it combines stealthy delivery with browser-based access to sensitive device features. The campaign appears to be evolving across multiple variants, suggesting an active operational thread rather than a one-off intrusion.

Related Happenings

Webworm multi-country targeting campaign against government and enterprise victims

Campaign
First: 20.05.2026 15:51 Last: 20.05.2026 15:51 Sources 1

About this happening: **Webworm** is running a **multi-country targeting campaign** against **government agencies and enterprises**, expanding the risk of persistent access across several regions. The...

MuddyWater Microsoft Teams social-engineering campaign with Chaos ransomware decoy

Campaign
First: 06.05.2026 16:02 Last: 06.05.2026 16:02 Sources 1

About this happening: The **MuddyWater** campaign used **Microsoft Teams** social engineering and a **Chaos ransomware** decoy to gain access, steal credentials, and establish persistence. The operatio...

APT28 Windows Shell LNK campaign targeting Ukraine and E.U. nations

Campaign
First: 28.04.2026 08:50 Last: 28.04.2026 08:50 Sources 1

About this happening: A **December 2025** **APT28** campaign targeted **Ukraine** and **E.U. nations** with a **malicious Windows Shortcut (LNK)** chain that bypassed **Microsoft Defender SmartScreen**...

Windows zero-day exploitation wave

Exploitation Wave
First: 17.04.2026 09:14 Last: 17.04.2026 09:14 Sources 1

About this happening: **BlueHammer**, **RedSun**, and **UnDefend** are being exploited in the wild against **Windows** devices, creating active risk of **SYSTEM** or elevated administrator compromise....

Latest development: 23.04.2026 14:05

CISA added BlueHammer, tracked as CVE-2026-33825, to its Known Exploited Vulnerabilities (KEV) Catalog and ordered Federal Civilian Executive Branch (FCEB) agencies to patch Microsoft Defender on Windows systems within two weeks, by May 7. The federal directive targets ongoing zero-day abuse of the flaw on U.S. government systems.

Storm-1175 high-tempo Medusa ransomware campaign

Campaign
First: 07.04.2026 13:02 Last: 07.04.2026 13:02 Sources 1

About this happening: **Storm-1175** is running a **high-tempo Medusa ransomware campaign** that has repeatedly exploited **n-day and zero-day flaws** to gain initial access before patching closes the...

Timeline

  1. 16.03.2026 11:07 · 2 articles

    Russia-linked DRILLAPP campaign targets Ukrainian entities

    Initial Disclosure

    A campaign targeting Ukrainian entities was assessed as likely orchestrated by threat actors linked to Russia, overlapping with Laundry Bear/UAC-0190/Void Blizzard activity against Ukrainian defense forces. The operation used judicial and charity-themed lures to deploy DRILLAPP, a JavaScript-based backdoor that runs through Microsoft Edge in headless mode and uses the Chrome DevTools Protocol via the --remote-debugging-port parameter. Delivery evolved from LNK/HTA files in early February to Windows Control Panel modules in late February.
