Russia-linked espionage campaign targeting Ukraine using Starlink and charity lures
Summary
A Russia-linked group tracked as Laundry Bear (also Void Blizzard) ran a cyber-espionage campaign in February targeting Ukrainian organisations. The attackers used malicious documents impersonating a well-known Ukrainian charity, Come Back Alive, and Starlink terminal verification materials to deliver a new backdoor named DrillApp. The malware executes inside the Microsoft Edge browser and can upload and download files, record audio, capture webcam images and record the screen.
Key Points
- The campaign used charity-themed lures (Come Back Alive) and Starlink verification imagery to trick victims into opening malicious files.
- DrillApp is a browser-executed backdoor that can access files, microphone, webcam and screen recordings.
- Attack components were hosted on public text-sharing services, a tactic seen in earlier Laundry Bear operations.
- Researchers believe browsers are abused because they already have legitimate access to cameras, microphones and screen-capture APIs and are less likely to be flagged by security tools.
- Lab52 assesses DrillApp as early-stage — two malware variants were observed, differing mainly in the social-engineering lures used.
- Laundry Bear has targeted Ukrainian sectors since at least 2024; similarities exist with APT28 tactics, though analysts treat them as distinct actors.
Content Summary
Researchers at Lab52 observed the operation and described DrillApp as a capability-focused backdoor built for espionage. The backdoor executes through Microsoft Edge, using the permissions the browser already holds to harvest files and media directly from infected machines. CERT-UA had earlier reported a related campaign targeting Ukraine's armed forces, showing that the group reuses techniques that have worked before, such as charity lures and public hosting for payloads.
Lab52 notes the malware appears under active development, suggesting experimentation with browser-based delivery and social-engineering themes tied to high-interest topics like Starlink. Microsoft has previously documented Laundry Bear compromises across multiple Ukrainian sectors including education, transportation and defence.
Context and Relevance
This story sits at the intersection of the Russia–Ukraine conflict and evolving cyber-espionage tradecraft. Using trusted themes — humanitarian aid and Starlink verification — lowers victim suspicion and leverages real-world events (Ukraine’s Starlink terminal checks after reported drone usage). The technique of running spyware via browsers reflects a wider trend where attackers exploit legitimate application privileges to sidestep conventional defences.
Organisations in Ukraine, and partners working with Ukrainian charities, defence suppliers and critical infrastructure, should assume such lures will continue and tighten their document-handling, sender-verification and browser-hardening practices accordingly.
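One concrete form of the browser hardening recommended above is to deny the exact capabilities DrillApp abuses at the policy layer, so a page or app running in Edge cannot reach the microphone, camera, screen-capture or File System Access APIs unless its origin is on an allowlist. The script below is an added example and not code from the article, Lab52 or the threat actor; it assumes Windows endpoints with Edge managed through HKLM registry policies, and the allowlisted origin `https://meet.example.com` is a placeholder. The policy names are standard Edge policies, but confirm they are honoured by your Edge version on `edge://policy` after applying.

```powershell
# Added example (not from the article): lock down the browser capabilities
# DrillApp abuses (microphone, camera, screen capture, File System Access)
# using Microsoft Edge machine policies. Assumes Windows endpoints with Edge
# policies read from HKLM; the allowlisted origin is hypothetical.
#Requires -RunAsAdministrator

$EdgePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'

# Origins that legitimately need media access. Placeholder; replace with your own.
$AllowedMediaOrigins = @('https://meet.example.com')

function Set-EdgeListPolicy {
    param([string]$Name, [string[]]$Values)
    # Edge list policies live in a subkey whose string values are named 1, 2, 3 ...
    $key = Join-Path $EdgePolicy $Name
    if (Test-Path $key) { Remove-Item -Path $key -Recurse -Force }
    New-Item -Path $key -Force | Out-Null
    $i = 1
    foreach ($v in $Values) {
        New-ItemProperty -Path $key -Name ([string]$i) -PropertyType String -Value $v -Force | Out-Null
        $i++
    }
}

function Set-EdgeCapturePolicy {
    New-Item -Path $EdgePolicy -Force | Out-Null
    # Deny by default; only allowlisted origins may still prompt the user.
    $dwords = @{
        'AudioCaptureAllowed'                = 0
        'VideoCaptureAllowed'                = 0
        'ScreenCaptureAllowed'               = 0
        'DefaultFileSystemReadGuardSetting'  = 2   # 2 = no site may request read access
        'DefaultFileSystemWriteGuardSetting' = 2   # 2 = no site may request write access
    }
    foreach ($name in $dwords.Keys) {
        New-ItemProperty -Path $EdgePolicy -Name $name -PropertyType DWord -Value $dwords[$name] -Force | Out-Null
    }
    Set-EdgeListPolicy -Name 'AudioCaptureAllowedUrls'       -Values $AllowedMediaOrigins
    Set-EdgeListPolicy -Name 'VideoCaptureAllowedUrls'       -Values $AllowedMediaOrigins
    Set-EdgeListPolicy -Name 'ScreenCaptureAllowedByOrigins' -Values $AllowedMediaOrigins
}

function Test-EdgeCapturePolicy {
    # Returns the capture policies that are still permissive, so a baseline
    # check can flag drift or an endpoint where the policy never applied.
    $expected = @{ AudioCaptureAllowed = 0; VideoCaptureAllowed = 0; ScreenCaptureAllowed = 0 }
    $drift = @()
    foreach ($name in $expected.Keys) {
        $actual = (Get-ItemProperty -Path $EdgePolicy -Name $name -ErrorAction SilentlyContinue).$name
        if ($actual -ne $expected[$name]) { $drift += "$name=$actual" }
    }
    return $drift
}

Set-EdgeCapturePolicy
$drift = Test-EdgeCapturePolicy
if ($drift.Count -eq 0) { 'Edge capture policies enforced' } else { "Permissive policies: $($drift -join ', ')" }
```

This denies the capability rather than detecting the implant: it raises the bar only where the backdoor actually reaches the microphone, camera and screen through the browser's web-platform APIs, which is how the article describes DrillApp, and it does nothing about the document lure itself. Run `Test-EdgeCapturePolicy` from your endpoint baseline checks so a host where the policy was never applied or was later reverted shows up.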
Author style
Punchy: this is classic nation-state espionage dressed in empathetic clothes. The spyware is straightforward but effective — the real risk is the social-engineering angle and browser abuse, not exotic code. Read the details if you defend systems or advise affected organisations.
Why should I read this
Look — if you work with Ukrainian charities, defence or critical services, this is exactly the kind of sneaky ploy that’ll get someone to open a file. It shows attackers are mixing current events (Starlink checks) with emotional hooks (aid groups) and abusing browsers to reach cameras and mics. Short version: useful heads-up for defenders and IT teams.
Source
Source: https://therecord.media/russia-ukraine-cyber-espionage-group
