Russia-linked espionage campaign targeting Ukraine using Starlink and charity lures
A relatively new Russia-linked hacker group has launched a cyber-espionage campaign targeting Ukrainian organizations using spyware disguised within documents about Starlink satellite internet terminals and a well-known Ukrainian charity, researchers have found.
The campaign, observed in February, deployed a backdoor dubbed DrillApp that allows attackers to upload and download files from infected computers, record audio through a microphone and capture images from a webcam, according to a report by cybersecurity firm Lab52.
Researchers attributed the campaign to the Russian-linked hacker group Laundry Bear, also tracked as Void Blizzard, which has been active since at least 2024 and has previously targeted NATO member states and Ukrainian institutions.
Ukraine’s computer emergency response team, CERT-UA, previously reported a separate operation by the group targeting the country’s armed forces earlier this year. Researchers said the campaigns relied on similar techniques, including charity-themed lures and hosting malicious components on public text-sharing services.
In the latest operation, attackers used documents impersonating requests from Come Back Alive, a Ukrainian charity that supports the armed forces, as well as images related to the verification of Starlink satellite internet terminals. Ukraine introduced a verification system for Starlink terminals earlier in February after authorities confirmed that Russian forces had begun installing the technology on attack drones.
Once opened, the malicious file executes through the Microsoft Edge browser, allowing attackers to access the victim’s file system and capture audio from the microphone, video from the camera and recordings of the device’s screen.
Researchers say attackers may be using web browsers to deliver malware because browsers often have legitimate access to sensitive device features such as cameras, microphones, and screen recording, which can make malicious activity harder to detect. Browsers are also rarely flagged as suspicious by security tools.
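The defensive angle on the point above is that a browser acting as a malware host still has to be started by something, and the parent process and command line of that start are visible to endpoint telemetry. The following is an added hunting example, not code or indicators from Lab52 or from the report on this campaign: it scores constructed process-creation events and flags a browser launched by a document or script handler, in app mode (`--app=`), headless, or pointed at a local HTML/HTA/JS file. The parent-process sets and the command-line patterns are assumptions a defender would tune to their own estate, not facts about DrillApp.

```python
"""Hunting heuristic for browser processes used as a malware host.

Added example: scores process-creation events (Sysmon Event ID 1 style) and
reports browsers started in ways that are unusual for an interactive user.
All events below are constructed; the process lists are assumptions to tune.
"""
from dataclasses import dataclass
import re


@dataclass
class ProcEvent:
    pid: int
    image: str          # full path of the newly created process
    parent_image: str   # full path of the parent process
    command_line: str


BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe"}

# Parents from which an interactive browser start is expected (assumption).
EXPECTED_PARENTS = {"explorer.exe", "msedge.exe", "chrome.exe", "firefox.exe",
                    "svchost.exe", "sihost.exe"}

# Parents that are document viewers or script hosts; a browser child of one
# of these deserves a look (assumption).
DOCUMENT_HANDLERS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe",
                     "wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe",
                     "cmd.exe", "rundll32.exe"}

# Command-line patterns worth flagging (assumptions).
LOCAL_FILE_RE = re.compile(r'(?i)(?:file://|[a-z]:\\)[^\s"]+\.(?:html?|hta|js)')
APP_MODE_RE = re.compile(r'(?i)--app=')
HEADLESS_RE = re.compile(r'(?i)--headless')


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: ProcEvent) -> list[str]:
    """Return the reasons an event looks suspicious (empty list = nothing to see)."""
    reasons: list[str] = []
    if basename(ev.image) not in BROWSERS:
        return reasons
    parent = basename(ev.parent_image)
    if parent in DOCUMENT_HANDLERS:
        reasons.append(f"browser spawned by document/script handler {parent}")
    elif parent not in EXPECTED_PARENTS:
        reasons.append(f"browser spawned by unexpected parent {parent}")
    if APP_MODE_RE.search(ev.command_line):
        reasons.append("app-mode window (--app=) hides the browser UI")
    if HEADLESS_RE.search(ev.command_line):
        reasons.append("headless browser in an interactive session")
    if LOCAL_FILE_RE.search(ev.command_line):
        reasons.append("browser opened a local HTML/HTA/JS file")
    return reasons


def hunt(events: list[ProcEvent]) -> list[tuple[int, list[str]]]:
    """(pid, reasons) for every event that scores at least one reason."""
    findings = []
    for ev in events:
        reasons = score_event(ev)
        if reasons:
            findings.append((ev.pid, reasons))
    return findings


# Constructed sample telemetry: one normal launch, one browser renderer child,
# and one browser started by a word processor in app mode on a local file.
SAMPLE_EVENTS = [
    ProcEvent(1, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
              r"C:\Windows\explorer.exe",
              '"msedge.exe" https://example.invalid/'),
    ProcEvent(2, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
              r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r'"msedge.exe" --app=file:///C:\Users\user\AppData\Local\Temp\lure.html'),
    ProcEvent(3, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
              r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
              '"msedge.exe" --type=renderer'),
]

if __name__ == "__main__":
    for pid, reasons in hunt(SAMPLE_EVENTS):
        print(pid, "; ".join(reasons))
```

Against the constructed events only pid 2 is reported, with three reasons (document-handler parent, app mode, local file). In practice the same scoring would run over real process-creation telemetry, and the interesting follow-up is whether that browser process then touched the camera, microphone or screen-capture APIs, which is the capability the article says the malware leans on.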
Lab52 said the spyware appears to still be in an early stage of development, suggesting the attackers may be experimenting with new methods to evade defenses. Researchers identified two versions of the malware used in the campaign, which differed primarily in the lures used to trick victims.
Laundry Bear was previously described as using “relatively simple techniques that can be difficult to detect.” The group is primarily focused on cyber-espionage. Microsoft has previously reported that the group has successfully compromised organizations across several sectors in Ukraine, including education, transportation, and defense.
Security researchers have also noted overlaps between Laundry Bear’s tactics and those used by the Russian military intelligence threat actor APT28, also known as Fancy Bear, though analysts generally consider them to be distinct actors.
Daryna Antoniuk
is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.