La Era

Russia-linked Group Targets Ukraine with Starlink and Charity Lures

A newly observed campaign by a Russia-linked hacking group uses charity appeals and Starlink terminal documents as lures to deploy spyware. Researchers attribute the activity to the threat actor tracked as Laundry Bear. The malware records audio, captures webcam images and screenshots, and transfers files to and from the infected machine.



Security researchers have identified a new cyber-espionage campaign, attributed to a Russia-linked actor, that targets Ukrainian organizations. The operation, first observed in February, uses malicious documents disguised as Starlink satellite terminal requests and charitable appeals. Threat intelligence firm Lab52 reported that the attackers use these lures to deliver spyware onto systems inside the country.

The deployed backdoor, known as DrillApp, lets remote operators upload files to and download arbitrary files from infected computers. It can also record audio through the device microphone, capture images from the webcam, and take screenshots of the victim's display, giving the operators a direct view of the target environment.

Researchers attribute the campaign to the Russia-linked group known as Laundry Bear, which is also tracked under the alias Void Blizzard. The actor has been active since at least 2024 and has previously targeted NATO member states alongside Ukrainian institutions. Ukraine's computer emergency response team, CERT-UA, earlier this year reported a separate operation by the group against the country's armed forces.

Ukraine introduced a verification system for Starlink terminals earlier in February, after authorities confirmed that Russian forces had begun fitting the terminals to attack drones. The malicious files in this campaign impersonate requests related to that verification process. The timing suggests the attackers are deliberately trading on current concerns about satellite communications in the conflict zone.

Once opened, the malicious file is executed via the Microsoft Edge browser, which the attackers use to reach the victim's file system. Running payload logic inside a legitimate, signed browser process is attractive to attackers because the browser already holds permissions for sensitive device features such as the microphone, camera and file access, and because ordinary browser activity is rarely flagged by standard security tools. For defenders, the anomaly to look for is therefore not the browser itself but its lineage: a browser launched by a document handler or script host, or a browser spawning a command interpreter, is behaviour a normal user session does not produce.

The campaign reuses techniques seen in the group's previous operations, including charity-themed lures and hosting malicious components on public text-sharing services. Documents impersonating requests from Come Back Alive, a Ukrainian charity that supports the armed forces, serve as the primary bait. Researchers found two distinct versions of the malware in the campaign, which differed primarily in the lures used to trick victims.
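The two delivery traits described above, a browser used as the execution host and payload components fetched from public text-sharing services, translate into hunting logic that can run over endpoint telemetry. The following Python is an added example written for this page; it is not code from Lab52 or from the original article. The event shapes, the process-name lists and the text-sharing host list are assumptions (the article names no specific service), and the events it runs on are constructed to illustrate the rules.

```python
"""Hunting heuristics for browser-hosted execution and paste-site fetches.

Added example, not from Lab52 or the original article. Event format,
process-name sets and PASTE_HOSTS are assumptions; tune them to your EDR.
"""
from dataclasses import dataclass

# Processes that are legitimate browsers (assumption: extend as needed).
BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe"}
# Document handlers and script hosts that should not normally launch a
# browser directly (assumption: tune to your environment).
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "wscript.exe",
                      "cscript.exe", "mshta.exe", "powershell.exe"}
# Interpreters a browser should never spawn during normal use.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
          "cscript.exe", "rundll32.exe"}
# Placeholder text-sharing hosts (assumption; the article names none).
PASTE_HOSTS = {"paste.example", "textbin.example"}


@dataclass
class ProcEvent:
    """Process-creation record, roughly what Sysmon EventID 1 carries."""
    pid: int
    image: str
    parent_pid: int
    parent_image: str


@dataclass
class NetEvent:
    """Outbound-connection record (process plus destination hostname)."""
    pid: int
    image: str
    dest_host: str


def _base(image: str) -> str:
    """Lower-cased file name of a full image path, tolerant of \\ and /."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def hunt(proc_events, net_events):
    """Return (rule_name, pid) findings in event order.

    Rule 1: a browser whose parent is a document handler or script host.
    Rule 2: a shell/interpreter whose parent is a browser.
    Rule 3: any non-browser process contacting a text-sharing host.
    Rule 4: a browser that rule 1 already flagged contacting such a host.
    """
    findings = []
    flagged_browsers = set()
    for e in proc_events:
        img, parent = _base(e.image), _base(e.parent_image)
        if img in BROWSERS and parent in SUSPICIOUS_PARENTS:
            findings.append(("browser_spawned_by_doc_or_script_host", e.pid))
            flagged_browsers.add(e.pid)
        if img in SHELLS and parent in BROWSERS:
            findings.append(("shell_spawned_by_browser", e.pid))
    for n in net_events:
        if n.dest_host.lower() not in PASTE_HOSTS:
            continue
        if _base(n.image) not in BROWSERS:
            findings.append(("paste_host_contact_from_non_browser", n.pid))
        elif n.pid in flagged_browsers:
            findings.append(("paste_host_contact_from_flagged_browser", n.pid))
    return findings


def sample_findings():
    """Run the rules over constructed telemetry (not real captured data)."""
    procs = [
        ProcEvent(100, r"C:\Windows\explorer.exe", 4, r"C:\Windows\System32\wininit.exe"),
        ProcEvent(300, r"C:\Windows\System32\mshta.exe", 100, r"C:\Windows\explorer.exe"),
        # Browser launched by a script host: rule 1 fires.
        ProcEvent(200, r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
                  300, r"C:\Windows\System32\mshta.exe"),
        # Browser launched by the shell from a user click: benign.
        ProcEvent(201, r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
                  100, r"C:\Windows\explorer.exe"),
        # cmd.exe spawned by the browser: rule 2 fires.
        ProcEvent(400, r"C:\Windows\System32\cmd.exe", 200,
                  r"C:\Program Files\Microsoft\Edge\Application\msedge.exe"),
    ]
    nets = [
        NetEvent(400, r"C:\Windows\System32\cmd.exe", "paste.example"),   # rule 3
        NetEvent(201, r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
                 "paste.example"),                                        # benign
        NetEvent(200, r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
                 "paste.example"),                                        # rule 4
    ]
    return hunt(procs, nets)


if __name__ == "__main__":
    for rule, pid in sample_findings():
        print(f"{rule}: pid {pid}")
```

The point of rule 4 is the caveat from the paragraph on browser-based delivery: a browser reaching a paste site is ordinary user traffic and would drown an analyst in noise on its own, so the network signal is only raised once process lineage has already marked that browser instance as suspicious.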

Lab52 analysts stated that the spyware appears to be at an early stage of development, suggesting the attackers are still experimenting with ways to evade defenses. Microsoft has previously reported that the group has compromised organizations across several sectors in Ukraine, including education and transportation, which points to a pattern of targeting that extends beyond the military into civilian infrastructure during the ongoing hostilities.

Security researchers have also noted overlaps between Laundry Bear's tactics and those of APT28, the threat actor associated with Russian military intelligence. Analysts generally treat them as distinct groups despite the similarities in technique and target selection, a distinction that matters for attribution as international bodies track Russian hybrid activity in the region.

The campaign illustrates how social engineering built on current events and humanitarian causes is combined with malware delivery through trusted software to gain access and steal data. Organizations handling communications about international aid, Starlink terminals or similar topics should treat unsolicited requests on those subjects with particular suspicion, and defenders should expect delivery through legitimate browser and system processes rather than obviously malicious binaries.

Tracking groups such as Laundry Bear remains important for understanding the strategic objectives of state-sponsored actors in the conflict, and intelligence agencies and CERTs will continue to monitor the group as its capabilities and target scope develop. Security awareness training for personnel who handle sensitive correspondence about aid or technology remains a practical first line of defense.
