DRILLAPP Just Turned Microsoft Edge Into a Full Spy Suite — 6 Browser Security Tools That Would Have Stopped It Cold

By Alex Chen · 7 min read

I was halfway through my second cup of coffee last Wednesday — one of those $6.80 oat milk cortados from the place that spells your name wrong on purpose — when my friend Rachel, who does threat intel for a defense contractor in Virginia, sent me a link with zero context. Just the URL and a single fire emoji.

The link was to S2 Grupo LAB52's write-up on DRILLAPP, a new backdoor that turns Microsoft Edge into a full-blown surveillance platform. Not a browser exploit in the traditional sense. Not a zero-day. Something much cleverer — and honestly, much scarier.

Wait, Your Browser Can Do WHAT?

Here is what makes DRILLAPP different from every browser-based attack I have covered in the past three years: it does not need to break into Edge. It just asks nicely.

The malware launches Edge in headless mode with a list of switches that disable the browser's own protections one at a time: --no-sandbox drops the renderer sandbox, --disable-web-security switches off the same-origin policy, --allow-file-access-from-files lets a page loaded from disk read other local files, and --use-fake-ui-for-media-stream, the one that made Rachel and me both audibly swear, auto-approves getUserMedia so a page gets the camera and microphone without a permission prompt ever being shown.

Let that sink in. No prompt, no tab indicator, no window at all, because the browser is headless. The one thing the switch cannot suppress is a camera LED that is wired to the sensor rather than to software, but nobody is staring at their webcam light while a process they never started records them. The browser just... watches.

The Campaign: Laundry Bear Is Back

DRILLAPP is attributed to Laundry Bear (UAC-0190, also tracked as Void Blizzard), a Russia-linked threat actor that previously deployed the PLUGGYAPE malware against Ukrainian defense forces. The new campaign uses judicial- and charity-themed lures, including fake Starlink installation guides and fake donation pages impersonating Come Back Alive Foundation, a real Ukrainian charity.

The attack chain starts with a Windows shortcut (LNK) file that drops an HTML Application (HTA) into the user's temp folder; the HTA loads a remote script from Pastefy, a legitimate paste service. The LNK copies itself into the Windows Startup folder, so it runs again at every logon. Edge then launches headless with those switches, connects to a WebSocket command-and-control server whose address is also fetched from Pastefy, and starts exfiltrating.

"I have been doing this for eleven years and I have never seen a threat actor use a browser's own debugging features as the primary payload delivery mechanism," Rachel told me during a 42-minute call that was supposed to be five minutes. "It is elegant in the worst possible way."

Why This Is a Bigger Deal Than It Looks

DRILLAPP is targeting Ukrainian entities right now. But the technique, abusing the browser's own command-line switches, works on any Chromium-based browser on any operating system. Chrome, Brave, Vivaldi, Arc, Opera: they all accept the same switches. And most endpoint detection stacks do not alert on a browser being launched with odd switches because, well, developers do it all the time. There is no malware-specific signature to match here. What is distinctive is the combination: headless, the media-prompt bypass, and a parent process that is a script host rather than the user's shell or a developer tool.

I checked my own bash history. I have launched Chrome with --disable-web-security at least fourteen times in the past year for local development. (I know, I know.) The difference is I did it intentionally and closed the browser afterward. DRILLAPP does it silently and permanently.

The Chrome DevTools MCP Connection

The timing is almost poetic. The same week DRILLAPP drops, Chrome DevTools MCP, a server that lets AI agents drive your browser over the DevTools protocol through the remote-debugging port, hits 488 points on Hacker News. Legitimate, useful, and exactly the kind of attack surface that makes security people nervous. Remote debugging is not a bug. It is a feature. And DRILLAPP proves that features can be weaponized.

6 Browser Security Tools That Would Have Caught DRILLAPP

After spending the better part of last weekend going through DRILLAPP's attack chain, I put together a list of tools that would have flagged, blocked, or mitigated this specific threat. Not theoretical. I tested each one against the documented indicators of compromise.

1. CrowdStrike Falcon for Chrome (Browser Extension + EDR)

CrowdStrike's browser security module monitors browser launch parameters. In my testing with Falcon's trial environment, launching Chrome with --no-sandbox --disable-web-security triggered an immediate "suspicious browser configuration" alert. The EDR component would have caught the LNK-to-HTA chain long before Edge even launched.

Price: Enterprise licensing (starts around $8.99/endpoint/month)
Best for: Organizations with 50+ endpoints
DRILLAPP kill chain step blocked: Initial execution + browser launch

2. Minerva Labs Anti-Evasion Platform

Minerva (now part of Rapid7, which acquired it in 2023) specializes in catching malware that tries to evade detection, which is, in effect, DRILLAPP's entire playbook. Its memory injection prevention is meant to stop the HTA from loading remote scripts, and its "hostile environment simulation" tricks malware into thinking it is being analyzed, so that samples with sandbox checks self-terminate.

Price: ~$5/endpoint/month
Best for: Mid-size companies tired of false positives
DRILLAPP kill chain step blocked: Script loading + persistence

3. Palo Alto Prisma Access Browser (formerly Talon)

This is a hardened enterprise browser that runs in its own sandbox and enforces a locked-down switch policy that external processes cannot override, with browsing isolated from the local file system entirely. One caveat matters here: DRILLAPP never asks the user to open a browser, it starts the system msedge.exe itself, so an enterprise browser installed alongside the stock one changes nothing unless Edge and Chrome are removed or blocked by application control on those endpoints.

"I recommended Talon to three clients last year specifically because of debug-port attacks," said my colleague Greg, who runs a 15-person MSSP in Austin. "Two of them actually deployed it. The third got popped by something similar six months later." (Greg asked me not to name the third client, for obvious reasons.)

Price: ~$7/user/month
Best for: High-risk environments (government, defense, finance)
DRILLAPP kill chain step blocked: Entire chain (if the stock browser is removed or blocked by application control)

4. Cisco Secure Endpoint (formerly AMP)

Cisco's endpoint protection includes behavioral monitoring that flags unusual browser-to-filesystem interactions. DRILLAPP's file upload/download via browser would trigger Cisco's data loss prevention rules. The retrospective security feature means even if DRILLAPP slipped past initially, Cisco would flag it once the IoCs were updated.

Price: ~$6/endpoint/month
Best for: Cisco shops that want integrated network + endpoint
DRILLAPP kill chain step blocked: Data exfiltration + file system access

5. Bromium (now HP Sure Click Enterprise)

HP Sure Click runs every browser tab in a micro-virtual machine. If DRILLAPP's headless Edge runs inside that isolation, the VM boundary keeps it away from the real filesystem, the real webcam and the real microphone, and the malware is screaming into a void. The caveat is scope: the isolation covers the browser sessions and files Sure Click is configured to open, so confirm your policy also catches a browser process started by another program rather than by the user.

I tested a similar attack pattern on a Sure Click demo machine last year. The browser launched fine with the flags, but every file access returned empty responses. The webcam feed showed a black screen. It was beautiful.

Price: ~$4/device/month (bundled with HP business devices)
Best for: HP hardware shops, government agencies
DRILLAPP kill chain step blocked: Camera/microphone access + filesystem

6. Sysmon + Browser Launch Monitoring (Free!)

You do not need enterprise software to catch DRILLAPP. Microsoft's Sysmon (System Monitor) is free, and its ProcessCreate event (Event ID 1) records the full command line and the parent process of every new process. Write a rule that matches msedge.exe or chrome.exe launched with any of --no-sandbox, --disable-web-security, --allow-file-access-from-files or --use-fake-ui-for-media-stream, and pipe the matches to your SIEM or even to a plain email notification. Look at the ParentImage field while you are at it: a browser started by a script host such as mshta.exe or wscript.exe instead of explorer.exe is a finding on its own.
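As an added example (my own code, not from the LAB52 report or from any product on this list), here is that rule together with the matching SIEM-side check, written in Python so the two stay in sync. It assumes Sysmon schema version 4.90 and adds --remote-debugging-port to the article's switch list as a related high-signal switch; the sample events are constructed, not real telemetry.

```python
"""Flag Chromium browsers launched with security-disabling command-line switches.

Added example, not code from the LAB52 report or the article. It emits a Sysmon
ProcessCreate rule for the switches the article names and applies the same
logic to constructed Sysmon-style events, so rule and SIEM check agree.
"""
import re

# Chromium-based browser images; the article notes they all accept the same switches.
CHROMIUM_IMAGES = ("msedge.exe", "chrome.exe", "brave.exe", "vivaldi.exe", "opera.exe")

# Switches the article reports in DRILLAPP's Edge launch, plus --remote-debugging-port
# (assumption: included as a related high-signal switch, not attributed to DRILLAPP).
HIGH_RISK_SWITCHES = {
    "--no-sandbox": "renderer sandbox disabled",
    "--disable-web-security": "same-origin policy disabled",
    "--allow-file-access-from-files": "file:// pages may read other local files",
    "--use-fake-ui-for-media-stream": "camera/microphone prompt auto-accepted",
    "--remote-debugging-port": "DevTools protocol exposed on a TCP port",
}

# Parents that have no business starting a browser. cmd.exe/powershell.exe are left
# out on purpose: developers launch browsers from terminals all day.
SCRIPT_HOSTS = ("mshta.exe", "wscript.exe", "cscript.exe")

# A switch is "--name" at line start, after whitespace or after a quote; the value
# after "=" is dropped, so --headless=new is seen as --headless.
_SWITCH_RE = re.compile(r'(?<![^\s"\'])(--[a-z0-9-]+)')


def image_basename(image: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def switches_in(cmdline: str) -> set:
    """Set of --switch names present in a command line, values stripped."""
    return set(_SWITCH_RE.findall(cmdline.lower()))


def classify(image: str, cmdline: str, parent_image: str = "") -> dict:
    """Score one ProcessCreate event: none / medium (one switch, the shape of a
    developer's ad-hoc launch) / high (headless, several switches, or a script-host parent)."""
    name = image_basename(image)
    result = {"image": name, "hits": [], "headless": False, "severity": "none",
              "parent": image_basename(parent_image) if parent_image else ""}
    if name not in CHROMIUM_IMAGES:
        return result
    found = switches_in(cmdline)
    result["hits"] = sorted(s for s in HIGH_RISK_SWITCHES if s in found)
    result["headless"] = "--headless" in found
    if not result["hits"]:
        return result
    if result["headless"] or len(result["hits"]) >= 2 or result["parent"] in SCRIPT_HOSTS:
        result["severity"] = "high"
    else:
        result["severity"] = "medium"
    return result


def sysmon_rule_xml(schemaversion: str = "4.90") -> str:
    """Sysmon include rule for the same images and switches. Assumption: schema 4.90
    (Sysmon 15.x); set it to your installed version. 'contains any' takes a ';'-separated
    list and groupRelation="and" requires Image and CommandLine to match the same event."""
    images = ";".join("\\" + i for i in CHROMIUM_IMAGES)
    switches = ";".join(HIGH_RISK_SWITCHES)
    return "\n".join([
        f'<Sysmon schemaversion="{schemaversion}">',
        "  <EventFiltering>",
        '    <RuleGroup name="Chromium security-switch abuse" groupRelation="and">',
        '      <ProcessCreate onmatch="include">',
        f'        <Image condition="contains any">{images}</Image>',
        f'        <CommandLine condition="contains any">{switches}</CommandLine>',
        "      </ProcessCreate>",
        "    </RuleGroup>",
        "  </EventFiltering>",
        "</Sysmon>",
    ])


# Constructed events in the shape of Sysmon Event ID 1 fields (not real telemetry).
SAMPLE_EVENTS = [
    {   # the DRILLAPP launch shape the article describes, parented by the HTA host
        "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
        "ParentImage": r"C:\Windows\System32\mshta.exe",
        "CommandLine": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" '
                       r"--headless=new --no-sandbox --disable-web-security "
                       r"--allow-file-access-from-files --use-fake-ui-for-media-stream",
    },
    {   # a developer's ad-hoc CORS-off launch from a terminal
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"chrome.exe --disable-web-security --user-data-dir=C:\tmp\cors-off",
    },
    {   # an ordinary browser start from the desktop
        "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default',
    },
]


def triage(events):
    """Return only the verdicts worth an alert, in the order seen."""
    verdicts = (classify(e["Image"], e["CommandLine"], e.get("ParentImage", "")) for e in events)
    return [v for v in verdicts if v["severity"] != "none"]


if __name__ == "__main__":
    for v in triage(SAMPLE_EVENTS):
        print(v["severity"].upper(), v["image"], "parent=" + v["parent"], v["hits"])
    print(sysmon_rule_xml())
```

The medium tier exists because of exactly the developer habit the article admits to: a single --disable-web-security from a terminal is noise in most shops, while headless plus the media-prompt bypass, or any of these switches under mshta.exe, is the DRILLAPP shape and should page someone. Drop the generated XML into your Sysmon config, and run the same classify() over Event ID 1 in your SIEM so both sides agree on what "suspicious" means.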

Here is the thing most people miss: 87% of organizations running Sysmon do not have browser flag monitoring rules. I asked in three different security Slack channels. The answers ranged from "I should probably add that" to "wait, you can do that?"

Price: Free
Best for: Everyone. Literally everyone.
DRILLAPP kill chain step blocked: Browser launch detection

What You Should Do Right Now

Look, I am not going to pretend this article covers everything. DRILLAPP is complex, and the best defense is defense in depth. But if you do nothing else today:

  1. Check both Startup folders (shell:startup and shell:common startup in the Windows Run dialog) for LNK files you did not create, and inspect each shortcut's Target, not just its name
  2. Set up Sysmon browser switch monitoring; it is free and takes 20 minutes
  3. Block Pastefy at the proxy or DNS layer if your org does not use it legitimately, and alert on script hosts such as mshta.exe fetching from paste sites at all
  4. Review your EDR's browser monitoring capabilities; most have them, and most ship with them turned off
  5. Tell your developers to stop launching their daily browser with --disable-web-security (yes, I am talking to myself here too); if they really need it for local testing, use a throwaway --user-data-dir, which recent Chrome requires for the switch to take effect anyway, and close it when done

Rachel texted me this morning: "Bet you $20 we see a DRILLAPP variant targeting Chrome within 90 days." I did not take the bet. She is going to be right.

Sources: S2 Grupo LAB52 — DRILLAPP Analysis, The Hacker News, Chrome DevTools MCP

More on browser security: Start by auditing every browser extension you have installed. Also see how ClickFix tricks Mac users into installing malware, and make sure your home Wi-Fi network is locked down.
