Russian intelligence services are disguising spyware as satellite-terminal testing software, according to researchers at Lab52, who uncovered a new cyber-espionage campaign targeting Ukrainian organizations, The Record reports.
The Russia-linked hacker group uses malicious lure documents that mimic official papers about Starlink satellite internet operations and requests from the charitable foundation “Come Back Alive,” which supports the Ukrainian Armed Forces.
In the February operation, attackers distributed a backdoor named DrillApp. This malware allows hackers to upload and download files from infected devices, secretly record audio via the microphone, and capture images from the victim’s webcam.
Cybersecurity experts attribute the campaign to the hacker group Laundry Bear, also known as Void Blizzard, active since at least 2024. The group has previously targeted Ukrainian government institutions and NATO member countries. Earlier, the Ukrainian computer emergency response team CERT-UA reported another operation by the same group targeting Ukrainian military personnel. Both campaigns used similar tactics, including charity-themed lures and hosting malware components on publicly accessible text services. What sets the new campaign apart is its use of Starlink terminal verification as a pretext, a timely theme because Ukraine began verifying Starlink equipment in early February after confirming that Russian forces had used it on attack drones.
Technical analysis shows that opening the malicious file triggers the malware via Microsoft Edge, giving attackers access to the device’s file system and enabling screen recording. The attackers deliberately use the browser as the delivery channel: browsers have legitimate access to cameras and microphones, so malware running through one can evade detection tools that rarely flag normal browser activity as suspicious. Lab52 notes that DrillApp appears to be in early development, with the attackers still experimenting with ways to bypass security systems. Researchers identified two variants of the malware, differing mainly in the type of lure used to trick users.
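The detection gap described above, a browser doing the malware's work so that camera, microphone and file access look like ordinary browser activity, can still be caught at the process level: a browser launched by a document viewer, or launched to display a local file, is unusual for legitimate use. The following is an added example written for this article, not code from Lab52 or from the report; the process names, the Sysmon-style event shape, the sample events and the heuristics (document-handler parent, `file://` argument, Chromium's `--app=` window mode) are assumptions chosen to illustrate the idea, not details the report provides.

```python
"""Flag browser launches that fit a document-to-browser delivery chain.

Added illustration, not from the Lab52 report. Events are modelled on
Sysmon process-creation fields (Image, ParentImage, CommandLine); the
sample events below are constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass

# Browsers that expose camera/microphone/file APIs to web content.
BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe"}

# Assumption: processes that typically render lure documents. A browser
# spawned directly by one of these is rare in normal use.
DOCUMENT_HANDLERS = {"winword.exe", "excel.exe", "acrord32.exe", "wscript.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    image: str         # full path of the new process
    parent_image: str  # full path of the parent process
    command_line: str  # command line of the new process


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_suspicious_launch(ev: ProcessEvent) -> tuple[bool, list[str]]:
    """Return (flag, reasons) for one process-creation event.

    Only browser launches are examined; each heuristic that fires adds a
    human-readable reason so an analyst can see why the event was flagged.
    """
    reasons: list[str] = []
    child = basename(ev.image)
    if child not in BROWSERS:
        return False, reasons

    parent = basename(ev.parent_image)
    cmd = ev.command_line.lower()

    if parent in DOCUMENT_HANDLERS:
        reasons.append(f"browser spawned by document handler {parent}")
    if "file://" in cmd:
        reasons.append("browser opened a local file rather than a web URL")
    if "--app=" in cmd:
        # Chromium app mode shows the page in a window without an address
        # bar, which hides where the content actually comes from.
        reasons.append("browser started in app mode (no address bar)")

    return bool(reasons), reasons


def flag_launches(events: list[ProcessEvent]) -> list[tuple[ProcessEvent, list[str]]]:
    """Run the heuristic over a batch of events and keep the flagged ones."""
    flagged = []
    for ev in events:
        hit, reasons = is_suspicious_launch(ev)
        if hit:
            flagged.append((ev, reasons))
    return flagged


# Constructed sample telemetry (paths and URLs are placeholders).
SAMPLE_EVENTS = [
    ProcessEvent(
        image=r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
        parent_image=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        command_line=r'"msedge.exe" --app=https://lure.example.invalid/verify',
    ),
    ProcessEvent(  # ordinary user browsing: Explorer starts Edge with a web URL
        image=r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
        parent_image=r"C:\Windows\explorer.exe",
        command_line=r'"msedge.exe" https://www.example.invalid/',
    ),
    ProcessEvent(
        image=r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        parent_image=r"C:\Program Files\Adobe\Acrobat Reader\AcroRd32.exe",
        command_line=r'"chrome.exe" file:///C:/Users/user/Downloads/starlink_check.html',
    ),
    ProcessEvent(  # not a browser at all: ignored by the heuristic
        image=r"C:\Windows\System32\notepad.exe",
        parent_image=r"C:\Windows\explorer.exe",
        command_line=r'"notepad.exe" notes.txt',
    ),
]


if __name__ == "__main__":
    for ev, why in flag_launches(SAMPLE_EVENTS):
        print(basename(ev.parent_image), "->", basename(ev.image), "|", "; ".join(why))
```

The parent-child check is the one that matters most here: it does not depend on knowing the lure file name or URL, which is why it survives the kind of variant churn the report describes. Tuning the `DOCUMENT_HANDLERS` set and adding an allow-list for known help-page launches (some office suites legitimately open a browser for documentation) is the usual next step before deploying such a rule.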
Laundry Bear specializes in espionage using relatively simple but hard-to-detect methods. Microsoft previously reported successful attacks by this group on Ukrainian defense, transport, and education sectors. Analysts also note tactical similarities between Laundry Bear and the Russian military intelligence group APT28 (Fancy Bear). Despite these overlaps, experts consider them separate entities, highlighting the continuous adaptation and evolution of Russian cyber-espionage tools.