
DRILLAPP Backdoor: Russian Hackers Hijack Edge Debugging to Spy on Ukraine

Security Arsenal Team
March 16, 2026
4 min read

As the conflict in Eastern Europe continues to evolve into a digital battlefield, cyber warfare remains a persistent and lethal frontier. Security Arsenal analysts are tracking a sophisticated new campaign targeting Ukrainian entities, dubbed DRILLAPP. According to intelligence from S2 Grupo's LAB52, this operation—likely orchestrated by Russian-linked threat actors—represents a significant escalation in stealth techniques, specifically by abusing legitimate browser development tools for malicious purposes.

While the geopolitical intent may be focused on Ukraine, the technical implications of DRILLAPP pose a risk to any organization relying on Chromium-based infrastructure. Here is our deep dive into the mechanics of this backdoor and how you can hunt for it in your environment.

The DRILLAPP Attack Vector

Attributed to the group known as Laundry Bear (also tracked as UAC-0190 or Void Blizzard), DRILLAPP is not your standard malware. Instead of relying solely on custom C2 servers that stand out like a sore thumb on a network, this malware leverages a "Living off the Land" (LotL) technique that targets the Microsoft Edge browser.

Abusing Remote Debugging Ports

The core innovation of DRILLAPP lies in its abuse of the Chrome DevTools Protocol (CDP), which Microsoft Edge inherits from its Chromium base. Developers commonly use remote debugging ports (usually port 9222) to troubleshoot browser instances running on other machines or in containers.

The attackers behind this campaign weaponize this feature. By launching Edge with the --remote-debugging-port=<port> command-line argument, they turn the user's browser into an open backdoor. This allows the attacker to:

  1. Execute Arbitrary Code: Run JavaScript or shell commands within the context of the browser session.
  2. Exfiltrate Data: Siphon cookies, session tokens, and browser history, effectively bypassing multi-factor authentication (MFA) for web applications.
  3. Blend In: Because the traffic rides on the browser's own protocols and often looks like ordinary web debugging traffic, it can evade traditional network perimeter defenses that are tuned to block suspicious ports.

The Laundry Bear Connection

This is not the first rodeo for Laundry Bear. The group has a history of targeting Ukrainian defense forces. The DRILLAPP campaign shares tactical overlaps with previous operations, suggesting a refinement of their toolkit. By switching to browser-based debugging for C2, they reduce the footprint of their malware on the disk, making forensic analysis significantly more difficult.

Threat Hunting: Detecting DRILLAPP

Detecting this type of attack requires looking for anomalies in how legitimate applications are launched. Standard antivirus may flag the payload, but the persistence mechanism—launching Edge with debugging flags—requires behavioral analysis.

We have developed the following queries to help your SOC team identify potential DRILLAPP activity or similar browser-based abuses.

PowerShell Detection Script

Use this script on endpoints to scan for running instances of Microsoft Edge or Chrome that have remote debugging enabled.

Script / Code
# Enumerate running Edge/Chrome processes, keep those launched with the
# remote-debugging flag, and show the owning user and the parent PID for triage.
Get-CimInstance Win32_Process -Filter "Name = 'msedge.exe' OR Name = 'chrome.exe'" | Where-Object {
    $_.CommandLine -match '--remote-debugging-port'
} | Select-Object ProcessId, ParentProcessId, Name, CommandLine,
    # CIM instances expose no GetOwner() method directly; call it via Invoke-CimMethod.
    @{Name = "User"; Expression = { (Invoke-CimMethod -InputObject $_ -MethodName GetOwner).User }}

Microsoft Sentinel / Defender KQL Query

This query checks DeviceProcessEvents for browsers launched with debugging flags. It is crucial to triage these results, as legitimate developers may use these flags. Look for anomalies in the parent process (e.g., launched by Explorer.exe vs a code editor) or the user context.

Script / Code
// Browsers launched with the remote-debugging flag in the last 7 days,
// with the port and the launching (parent) process for triage.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("msedge.exe", "chrome.exe")
| where ProcessCommandLine contains "--remote-debugging-port"
// Verbatim string (@"...") so the \d in the regex is not treated as an escape sequence.
| extend Port = extract(@"--remote-debugging-port=(\d+)", 1, ProcessCommandLine)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, Port, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc
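The triage logic described above (flag the remote-debugging argument, extract the port, and weigh the parent process) as an added, self-contained Python example; it is not part of the original post or of any vendor tooling. The event records and the allowlist of developer parent processes are constructed assumptions, not real telemetry.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"device": "WS-01", "user": "jdoe", "file": "msedge.exe", "parent": "explorer.exe",
     "cmd": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9222'},
    {"device": "DEV-07", "user": "alice", "file": "chrome.exe", "parent": "Code.exe",
     "cmd": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222'},
    {"device": "WS-02", "user": "bob", "file": "msedge.exe", "parent": "explorer.exe",
     "cmd": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default'},
    {"device": "WS-03", "user": "carol", "file": "notepad.exe", "parent": "explorer.exe",
     "cmd": r'notepad.exe --remote-debugging-port=9222'},
]

BROWSERS = {"msedge.exe", "chrome.exe"}
# Assumed allowlist: parents that legitimately launch a debuggable browser (e.g. code editors).
DEV_PARENTS = {"code.exe", "devenv.exe"}
DEBUG_FLAG = re.compile(r"--remote-debugging-port=(\d+)")


@dataclass
class Finding:
    device: str
    user: str
    browser: str
    port: int
    parent: str
    severity: str


def triage(events):
    """Return one Finding per browser launch that enables remote debugging.

    Severity is 'low' when the parent is a known developer tool and 'high'
    otherwise (e.g. a browser spawned by explorer.exe with the flag set).
    """
    findings = []
    for ev in events:
        if ev["file"].lower() not in BROWSERS:
            continue  # non-browser processes are out of scope for this rule
        match = DEBUG_FLAG.search(ev["cmd"])
        if not match:
            continue
        parent = ev["parent"].lower()
        severity = "low" if parent in DEV_PARENTS else "high"
        findings.append(Finding(ev["device"], ev["user"], ev["file"],
                                int(match.group(1)), parent, severity))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.severity.upper()}] {f.device} {f.user} {f.browser} port={f.port} parent={f.parent}")
```

Point the allowlist at whatever actually launches debuggable browsers in your estate; anything outside it is the anomaly the KQL query above asks you to look for.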

Mitigation Strategies

To protect your organization from DRILLAPP and similar browser-hijacking techniques, Security Arsenal recommends the following immediate actions:

  1. Restrict Remote Debugging via Group Policy: Enforce policies that prevent remote debugging in enterprise environments. You can disable this feature via the Windows Registry or Group Policy.

    • Path: Computer Configuration -> Administrative Templates -> Microsoft Edge -> Content Settings
    • Setting: "Configure the Remote Debugging Port" -> Set to Disabled or restrict to '0'.
  2. Network Segmentation and Egress Filtering: While debugging traffic uses HTTP/WebSockets, strict egress filtering on non-standard ports (like 9222) is advisable. Ensure that only authorized developer workstations can communicate with known internal debugging targets.

  3. User Awareness: Since the initial infection vector often involves phishing, train users to recognize suspicious attachments, particularly those purporting to be documents related to current events or urgent operational matters.

Conclusion

The DRILLAPP backdoor illustrates the relentless creativity of nation-state threat actors like Laundry Bear. By subverting trusted tools like developer debuggers, they challenge traditional security paradigms. Vigilance, combined with behavioral hunting and strict configuration management, remains your best defense against these stealthy espionage tactics.
