Campaigns
DRILLAPP Backdoor Targets Ukraine, Abuses Microsoft Edge Debugging for Stealth Espionage

DRILLAPP Backdoor Targets Ukraine, Abuses Microsoft Edge Debugging for Stealth Espionage

Cyber EspionageBackdoorMicrosoft EdgeUkraine
The DRILLAPP backdoor campaign targets Ukrainian entities, leveraging Microsoft Edge debugging features for stealth espionage. It is linked to Russian threat actors and shares similarities with previous campaigns by the Laundry Bear group.

Indicators of Compromise

No domains found for this campaign

APT Groups1

Void BlizzardRU
LAUNDRY BEARUAC-0190

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

DETECTIONS

DET0080 Monitor JavaScript Execution [T1059.007] (AN0219)

Detection Strategy

ID

Name

Analytic ID

Analytic Description

DET0080

Exploit Public-Facing Application – multi-signal correlation (request → error → post-exploit process/egress)

AN0219

Adversary sends crafted HTTP/S (or other service) input to an Internet-facing app (IIS/ASP.NET, API, device portal). Chain: (1) abnormal request patterns to public endpoint → (2) elevated 4xx/5xx or unusual methods/paths → (3) server process (w3wp.exe/other service) spawns shell/LOLbins or loads non-standard modules → (4) optional outbound callback from the host/container.

AN0220

Adversary exploits Apache/Nginx/app servers. Chain: (1) suspicious requests in access logs → (2) spike of 5xx or WAF blocks → (3) web server or interpreter (apache2/nginx/php-fpm/node/python) spawns /bin/sh, curl, wget, socat, or writes webshell → (4) outbound callback.

AN0221

Adversary targets macOS-hosted public services (e.g., nginx, node). Chain: suspicious inbound request → service crash/5xx → service spawns shell or writes file → new outbound connection.

AN0222

Adversary exploits containerized app via ingress or service. Chain: (1) suspicious request in ingress/app logs → (2) container process spawns a shell/exec/sidecar (kubectl exec/docker exec) → (3) egress to Internet or metadata service (169.254.169.254).

AN0223

Adversary targets cloud-hosted public endpoints. Chain: (1) ALB/ELB/Cloud LB logs show exploit-like inputs or error spikes → (2) workload spawns shell or reaches metadata API → (3) egress to new external hosts.

AN0224

Adversary exploits exposed OpenSLP on ESXi or vCenter public endpoints. Chain: inbound request pattern to mgmt service → hostd/vpxd error/crash/restart → unexpected process behavior or datastore access → outbound callback.

AN0225

Adversary exploits public admin services on routers/firewalls/switches. Chain: anomalous HTTP/SNMP/SmartInstall inputs → device syslog errors/restarts → config changes/CLI spawn → egress to attacker C2.



DET0090 Detect Web Protocol Anomalies [T1071.001] (AN0220)

Detection Strategy

ID

Name

Analytic ID

Analytic Description

DET0620

Detection of Web Protocols

AN1681

Abuse of standard application protocols can be difficult to detect as many legitimate mobile applications leverage such protocols for language-specific APIs. Enterprises may be better served focusing on detection at other stages of adversarial behavior.

AN1682

Abuse of standard application protocols can be difficult to detect as many legitimate mobile applications leverage such protocols for language-specific APIs. Enterprises may be better served focusing on detection at other stages of adversarial behavior.


Observed Countries1

UA (791)