Full Report
Ukrainian entities have emerged as the target of a new campaign likely orchestrated by threat actors linked to Russia, according to a report from S2 Grupo's LAB52 threat intelligence team. The campaign, observed in February 2026, has been assessed to share overlaps with a prior campaign mounted by Laundry Bear (aka UAC-0190 or Void Blizzard) aimed at Ukrainian defense forces with a malware
Analysis Summary
# Threat Actor: Laundry Bear (UAC-0190 / Void Blizzard)
## Attribution & Identity
* **Actor Name:** Laundry Bear
* **Aliases:** UAC-0190, Void Blizzard
* **Associated State:** Russia (Assessed with high confidence to be linked to Russian interests)
* **Assessment:** Identified by S2 Grupo's LAB52 threat intelligence team following activity observed in February 2026.
## Activity Summary
The actor has recently launched a campaign targeting Ukrainian entities using a novel JavaScript-based backdoor. This activity follows a pattern of operations directed at Ukrainian defense forces, specifically overlapping with previous campaigns involving the PLUGGYAPE malware. The early 2026 campaign utilizes judicial and charity-themed lures to deliver a browser-based espionage tool.
## Tactics, Techniques & Procedures
* **Phishing & Lures:** Use of judicial and charity-themed lures (e.g., Starlink installation, Come Back Alive Foundation) to induce user interaction.
* **Persistence:** Copying Windows shortcut (LNK) files to the `%AppData%\Microsoft\Windows\Start Menu\Programs\Startup` folder to survive reboots.
* **Evasion (Living-off-the-Browser):** Executes Microsoft Edge in **headless mode** to remain invisible to the user.
* **Security Control Bypass:** Launches the browser with high-risk parameters:
  * `--no-sandbox`
  * `--disable-web-security`
  * `--allow-file-access-from-files`
  * `--use-fake-ui-for-media-stream`
  * `--disable-user-media-security`
  * `--remote-debugging-port` (used in later versions to bypass JS download restrictions).
* **Dead Drop Resolver:** Utilizes Pastefy (a legitimate paste service) to host malicious scripts and retrieve WebSocket C2 URLs.
* **Fingerprinting:** Uses **Canvas Fingerprinting** to uniquely identify victim machines during initial execution.
* **Protocol Abuse:** Leverages the **Chrome DevTools Protocol (CDP)** to facilitate remote file downloads and system interaction.
## Targeting
* **Sectors:** Defense forces, government (judicial themed), and non-profit/charity organizations.
* **Geography:** Primarily Ukraine.
* **Victims:** Ukrainian entities; specific mention of those interested in "Starlink" or the "Come Back Alive Foundation."
## Tools & Infrastructure
* **Malware:**
  * **DRILLAPP:** A JavaScript-based backdoor that leverages browser debugging features for file manipulation, screen capture, and audio/video surveillance.
  * **PLUGGYAPE:** Previously associated malware used against defense forces.
* **Delivery Files:** Windows Shortcut files (LNK), HTML Applications (HTA), and Windows Control Panel (CPL) modules.
* **Infrastructure:**
  * gnome[.]com (Early variant testing domain)
  * pastefy[.]app (Used for hosting payload and C2 resolution)
  * WebSocket-based C2 communications.
## Implications
Laundry Bear is evolving its toolkit to bypass traditional endpoint detection by moving espionage capabilities into the browser environment. By abusing legitimate browser debugging parameters, the actor can perform highly intrusive actions (recording audio/video and accessing files) that may not trigger standard malware alerts. This shift suggests a trend toward "browser-as-a-backdoor" techniques to maintain stealth in highly contested environments like Ukraine.
## Mitigations
* **Process Monitoring:** Monitor for Microsoft Edge, Chrome, or other Chromium-based browsers running in `headless` mode, especially those with `--remote-debugging-port` or `--disable-web-security` flags.
* **Startup Inspection:** Audit the Windows Startup folder for suspicious LNK or CPL files.
* **Network Filtering:** Restrict access to legitimate paste sites like Pastefy within corporate or government environments unless there is a specific business need.
* **Browser Security:** Implement Group Policy Objects (GPO) to restrict the use of command-line arguments for browsers on end-user machines.
* **Endpoint Detection:** Deploy EDR solutions capable of detecting Chrome DevTools Protocol (CDP) abuse and unauthorized access to webcam/microphone hardware by browser processes.
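As an added illustration of the process-monitoring mitigation above (example code written for this summary, not from the LAB52 report or the actor's tooling), the following Python scores process-creation command lines for Chromium-based browsers launched headless with the high-risk flags listed under Security Control Bypass. The browser names, severity levels and Sysmon-style sample records are assumptions constructed here.

```python
import re

# Chromium-based browser image names this check knows about (assumed list).
CHROMIUM_BROWSERS = {"msedge.exe", "chrome.exe", "chromium.exe", "brave.exe"}
# Flags named in the report; any "=value" suffix is stripped before matching.
HIGH_RISK_FLAGS = {
    "--no-sandbox", "--disable-web-security", "--allow-file-access-from-files",
    "--use-fake-ui-for-media-stream", "--disable-user-media-security",
    "--remote-debugging-port",
}

def _tokenize(cmdline: str) -> list[str]:
    # Keep quoted paths such as "C:\Program Files\...\msedge.exe" as one token.
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def assess_command_line(cmdline: str) -> dict:
    tokens = _tokenize(cmdline)
    exe = tokens[0].replace("/", "\\").rsplit("\\", 1)[-1].lower() if tokens else ""
    if exe not in CHROMIUM_BROWSERS:
        return {"image": exe, "severity": "none", "headless": False, "risky_flags": []}
    flags = {t.split("=", 1)[0].lower() for t in tokens[1:] if t.startswith("--")}
    headless = "--headless" in flags          # covers --headless and --headless=new
    risky = sorted(flags & HIGH_RISK_FLAGS)
    if headless and risky:
        severity = "high"     # invisible browser plus sandbox/security disabled
    elif headless or risky:
        severity = "medium"   # a single signal; triage, expect dev/test noise
    else:
        severity = "none"
    return {"image": exe, "severity": severity, "headless": headless, "risky_flags": risky}

def scan_events(events: list[dict]) -> list[dict]:
    """Return one alert per Sysmon-style record whose severity is not 'none'."""
    alerts = []
    for ev in events:
        verdict = assess_command_line(ev["CommandLine"])
        if verdict["severity"] != "none":
            alerts.append({"ProcessId": ev["ProcessId"], **verdict})
    return alerts

# Constructed sample records (not from the report): a normal Edge launch,
# a launch matching the described flag combination, and an unrelated process.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "CommandLine": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default'},
    {"ProcessId": 5288, "CommandLine": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless=new --no-sandbox --disable-web-security --allow-file-access-from-files --use-fake-ui-for-media-stream --remote-debugging-port=9222'},
    {"ProcessId": 6004, "CommandLine": r'C:\Windows\System32\notepad.exe C:\Users\Public\notes.txt'},
]

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(alert)
```

In production, feed it Sysmon Event ID 1 or Windows 4688 command lines and pair the high-severity hits with the Startup folder audit, since the report describes the LNK persistence and the headless launch as one chain.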