{"id":233439,"date":"2026-03-17T02:22:03","date_gmt":"2026-03-17T07:22:03","guid":{"rendered":"https:\/\/lifeboat.com\/blog\/2026\/03\/drillapp-backdoor-targets-ukraine-abuses-microsoft-edge-debugging-for-stealth-espionage"},"modified":"2026-03-17T02:22:03","modified_gmt":"2026-03-17T07:22:03","slug":"drillapp-backdoor-targets-ukraine-abuses-microsoft-edge-debugging-for-stealth-espionage","status":"publish","type":"post","link":"https:\/\/lifeboat.com\/blog\/2026\/03\/drillapp-backdoor-targets-ukraine-abuses-microsoft-edge-debugging-for-stealth-espionage","title":{"rendered":"DRILLAPP Backdoor Targets Ukraine, Abuses Microsoft Edge Debugging for Stealth Espionage"},"content":{"rendered":"<p><a class=\"aligncenter blog-photo\" href=\"https:\/\/lifeboat.com\/blog.images\/drillapp-backdoor-targets-ukraine-abuses-microsoft-edge-debugging-for-stealth-espionage.jpg\"><\/a><\/p>\n<p>To establish persistence, the LNK files are copied to the Windows Startup folder so that they are automatically launched following a system reboot. 
The attack chain then displays a URL containing lures related to installing Starlink or a Ukrainian charity named Come Back Alive Foundation.<\/p>\n<p>The HTML file is eventually executed via the Microsoft Edge browser in <a href=\"https:\/\/en.wikipedia.org\/wiki\/Headless_browser\">headless mode<\/a>, which then loads the remote obfuscated script hosted on Pastefy.<\/p>\n<p>The browser is executed with additional parameters like --no-sandbox, --disable-web-security, --allow-file-access-from-files, --use-fake-ui-for-media-stream, --auto-select-screen-capture-source=true, and --disable-user-media-security, granting it access to the local file system, as well as camera, microphone, and screen capture without requiring any user interaction.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>To establish persistence, the LNK files are copied to the Windows Startup folder so that they are automatically launched following a system reboot. The attack chain then displays a URL containing lures related to installing Starlink or a Ukrainian charity named Come Back Alive Foundation. 
The HTML file is eventually executed via the Microsoft Edge [\u2026]<\/p>\n","protected":false},"author":427,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[418,1492],"tags":[],"class_list":["post-233439","post","type-post","status-publish","format-standard","hentry","category-internet","category-security"],"_links":{"self":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/233439","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/users\/427"}],"replies":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/comments?post=233439"}],"version-history":[{"count":0,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/233439\/revisions"}],"wp:attachment":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/media?parent=233439"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/categories?post=233439"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/tags?post=233439"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}