
DRILLAPP & Edge Debugging: Laundry Bear's Latest Stealth Tactic

BlueTeam_Alex 3/16/2026

Has anyone else dug into the LAB52 report regarding the DRILLAPP backdoor? It looks like UAC-0190 (Laundry Bear / Void Blizzard) is shifting tactics again, specifically targeting Ukrainian entities throughout February 2026. The standout feature here isn't just the payload, but the C2 mechanism abusing Microsoft Edge's remote debugging protocol.

By spawning instances of msedge.exe with debugging flags enabled, the actors can mask malicious traffic as standard browser activity. This makes network detection significantly harder since the traffic looks like legitimate web browsing over WebSockets. Given the tactical overlap with previous campaigns against defense forces, this seems to be a refinement of their espionage toolkit designed to evade heuristic detection.

Detection Ideas: You'll want to hunt for Edge processes spawned with non-standard arguments. Here is a quick PowerShell snippet to check your endpoints for suspicious command lines:

# List running Edge processes whose command line carries a remote-debugging switch.
# Get-CimInstance is the supported replacement for the deprecated Get-WmiObject; ParentProcessId is included so the parent can be checked.
Get-CimInstance -ClassName Win32_Process |
    Where-Object { $_.Name -eq 'msedge.exe' -and $_.CommandLine -match '--remote-debugging' } |
    Select-Object ProcessId, ParentProcessId, @{Name='CmdLine';Expression={$_.CommandLine}}


For those using Sentinel/MDE, this KQL query might help flag the behavior by looking for the specific debug port argument:
DeviceProcessEvents
| where FileName == "msedge.exe"
| where ProcessCommandLine has_any ("--remote-debugging-port", "--remote-allow-origins")
| project Timestamp, DeviceName, InitiatingProcessFileName, ProcessCommandLine


I'm curious if anyone has seen attempts to leverage this debug protocol outside of this specific campaign. It feels like a technique that could easily pivot to corporate environments for data exfiltration if left unchecked. How are you handling browser debug policies in your orgs?
CloudOps_Tyler 3/16/2026

Solid breakdown. We actually caught a similar variant during a red team exercise last year using Chrome's debug protocol, but moving it to Edge is clever because it's often trusted implicitly by internal proxies.

One thing to add: Check the parent process. Legitimate user browsing usually comes from explorer.exe or a taskbar shortcut. If you see msedge.exe with debug flags spawned by powershell.exe or a signed binary like mshta.exe, that's your red flag.

Also, consider blocking port 9222 on egress unless strictly necessary for dev work.
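Putting the command-line hunt from the first post together with the parent-process check above, here is an added example script (not code from any poster in this thread, and not from the LAB52 report). It assumes it is run locally with rights to enumerate Win32_Process; the list of suspicious parent names is an assumption you should adapt to your environment.

```powershell
# Added example: find msedge.exe started with remote-debugging switches and enrich each hit
# with its parent process and debug port so egress rules (e.g. port 9222) can be cross-checked.
$DebugFlags        = @('--remote-debugging-port', '--remote-allow-origins', '--remote-debugging-pipe')
# Assumed list of script hosts / LOLBins that should not normally launch a browser
$SuspiciousParents = @('powershell.exe', 'pwsh.exe', 'cmd.exe', 'mshta.exe', 'wscript.exe', 'cscript.exe', 'rundll32.exe')

function Find-EdgeRemoteDebug {
    # Snapshot the process table once so parent lookups do not race against process churn
    $all   = Get-CimInstance -ClassName Win32_Process
    $byPid = @{}
    foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }

    foreach ($proc in $all) {
        if ($proc.Name -ne 'msedge.exe' -or -not $proc.CommandLine) { continue }

        # Which of the known debugging switches appear on this command line?
        $hits = $DebugFlags | Where-Object { $proc.CommandLine -match [regex]::Escape($_) }
        if (-not $hits) { continue }

        # Extract the listening port if one was given explicitly
        $port = $null
        if ($proc.CommandLine -match '--remote-debugging-port=(\d+)') { $port = [int]$Matches[1] }

        # Resolve the parent; a parent that has already exited is itself worth a second look
        $parent     = $byPid[[int]$proc.ParentProcessId]
        $parentName = if ($parent) { $parent.Name } else { '<exited>' }

        [pscustomobject]@{
            ProcessId        = $proc.ProcessId
            ParentProcessId  = $proc.ParentProcessId
            ParentName       = $parentName
            DebugPort        = $port
            Flags            = ($hits -join ' ')
            SuspiciousParent = ($parentName -in $SuspiciousParents -or $parentName -eq '<exited>')
            CommandLine      = $proc.CommandLine
        }
    }
}

# Suspicious parents first; an empty table means no Edge process is currently exposing the debug protocol
Find-EdgeRemoteDebug | Sort-Object SuspiciousParent -Descending | Format-Table -AutoSize
```

Developers who legitimately use remote debugging will show up here with explorer.exe or their IDE as the parent, so triage on the SuspiciousParent column rather than on the flag alone.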

RansomWatch_Steve 3/16/2026

Great catch on the KQL query. We've added a hunting rule for this immediately.

Just a note from the sysadmin side: You can actually disable remote debugging via Group Policy if you aren't using it for dev purposes. The setting is under Computer Configuration > Administrative Templates > Microsoft Edge > Allow remote debugging. Setting it to 'Disabled' kills this vector at the root for managed endpoints.
