Originally reported by The Hacker News, SANS ISC
TL;DR
S2 Grupo researchers discovered a new DRILLAPP backdoor campaign targeting Ukrainian entities, attributed to Russian-linked Laundry Bear threat actors. Google is testing Android 17 security features to block malware abuse of accessibility services.
The DRILLAPP backdoor campaign is an active espionage operation against Ukrainian entities, likely run by Russian state-linked actors, and carries geopolitical implications.
S2 Grupo's LAB52 threat intelligence team has identified a new espionage campaign targeting Ukrainian organizations, likely orchestrated by Russian-linked threat actors. The campaign, observed in February 2026, deploys a previously unknown backdoor dubbed DRILLAPP that abuses Microsoft Edge's legitimate debugging capabilities to operate stealthily.
The researchers assess the campaign shares tactical overlaps with previous operations conducted by Laundry Bear (also tracked as UAC-0190 or Void Blizzard), a threat group known for targeting Ukrainian defense forces. The DRILLAPP backdoor's novel approach of abusing legitimate browser debugging features represents an evolution in stealth techniques employed against Ukrainian infrastructure.
This campaign continues the pattern of sustained cyber operations against Ukrainian entities, with threat actors adapting their tools and techniques to maintain persistence in contested digital terrain.
Google has incorporated new security controls in Android 17 Beta 2 designed to prevent malware abuse of the accessibility services API. The feature, part of Android Advanced Protection Mode (AAPM), blocks non-accessibility applications from accessing these powerful system-level privileges.
Android Authority first reported the change, which builds on AAPM functionality introduced in Android 16. When enabled, the protection mode enforces stricter validation of applications requesting accessibility service permissions, a common vector for malware seeking to capture user inputs or perform unauthorized actions.
The accessibility services API has been a persistent target for Android malware families, allowing malicious applications to overlay legitimate interfaces, capture sensitive data, and perform actions on behalf of users. This new restriction represents a significant hardening of Android's permission model for high-risk users.
The SANS Internet Storm Center published its regular Stormcast threat intelligence briefing for March 16th, 2026. The weekly digest provides security practitioners with current threat landscape analysis and emerging attack trends identified through the ISC's global sensor network.
These regular intelligence summaries serve as tactical briefings for network defenders, highlighting attack patterns and indicators observed across the ISC's distributed monitoring infrastructure.