{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreiacmfsbioz5yrvkt3aaurdpduzhvjnuluu7arbx777raqxewv4hpu",
    "uri": "at://did:plc:npppinc2x6on5fmrcemn2p5o/app.bsky.feed.post/3mhfzks2jlyd2"
  },
  "coverImage": {
    "$type": "blob",
    "ref": {
      "$link": "bafkreifnr7tnojeoutgxwj4ckhc36lomhoaiadv6vxxaoq3e6pqeg54kkq"
    },
    "mimeType": "image/jpeg",
    "size": 112913
  },
  "path": "/post/811503944722530305",
  "publishedAt": "2026-03-19T08:54:29.000Z",
  "site": "https://tumblr.sztupy.hu",
  "tags": [
    "DRILLAPP Backdoor Targets Ukraine, Abuses Microsoft Edge Debugging for Stealth Espionage",
    "headless mode"
  ],
  "textContent": "DRILLAPP Backdoor Targets Ukraine, Abuses Microsoft Edge Debugging for Stealth Espionage\n\nTwo different versions of the campaign have been identified, with the first iteration detected in early February. The attack makes use of a Windows shortcut (LNK) file to create an HTML Application (HTA) in the temporary folder, which then loads a remote remote script hosted on Pastefy, a legitimate paste service.\n\nTo establish persistence, the LNK files are copied to the Windows Startup folder so that they are automatically launched following a system reboot. The attack chain then displays a URL containing lures related to installing Starlink or a Ukrainian charity named Come Back Alive Foundation.\n\nThe HTML file is eventually executed via the Microsoft Edge browser in headless mode, which then loads the remote obfuscated script hosted on Pastefy.\n\nThe browser is executed with additional parameters like –no-sandbox, –disable-web-security, –allow-file-access-from-files, –use-fake-ui-for-media-stream, –auto-select-screen-capture-source=true, and –disable-user-media-security, granting it access to the local file system, as well as camera, microphone, and screen capture without requiring any user interaction.",
  "title": "Two different versions of the campaign have been identified, with the first iteration detected in…"
}