
Russia-Aligned Hackers Abuse Viber to Target Ukrainian Military and Government

Posted on January 5, 2026 By CWS

Jan 05, 2026 | Ravie Lakshmanan | Cyber Espionage / Windows Security
The Russia-aligned threat actor known as UAC-0184 has been observed targeting Ukrainian military and government entities by leveraging the Viber messaging platform to deliver malicious ZIP archives.
“This group has continued to conduct high-intensity intelligence gathering activities against Ukrainian military and government departments in 2025,” the 360 Threat Intelligence Center said in a technical report.
Also tracked as Hive0156, the hacking group is primarily known for leveraging war-themed lures in phishing emails to deliver Hijack Loader in attacks targeting Ukrainian entities. The malware loader subsequently acts as a pathway for Remcos RAT infections.
The threat actor was first documented by CERT-UA in early January 2024. Subsequent attack campaigns have been found to leverage messaging apps like Signal and Telegram as a delivery vehicle for malware. The latest findings from the Chinese security vendors point to a further evolution of this tactic.

The attack chain involves the use of Viber as an initial intrusion vector to distribute malicious ZIP archives containing multiple Windows shortcut (LNK) files disguised as official Microsoft Word and Excel documents to trick recipients into opening them.
The LNK files are designed to serve a decoy document to the victim to lower their suspicion, while silently executing Hijack Loader in the background by fetching a second ZIP archive (“smoothieks.zip”) from a remote server via a PowerShell script.
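
For defenders triaging archives received over messaging apps, the following added example (not from the 360 report or the original article) lists Windows shortcut files inside a ZIP by checking the Shell Link header rather than trusting the file name. The member names, the `DOC_HINTS` list and the sample archive are constructed for illustration.

```python
import io
import struct
import zipfile

# Shell Link header per MS-SHLLINK: HeaderSize 0x0000004C followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046 as stored on disk.
LNK_MAGIC = struct.pack("<I", 0x4C) + bytes.fromhex(
    "0114020000000000c000000000000046")
# Assumption: document-looking suffixes a lure name might borrow. Explorer
# never displays ".lnk", so "x.xlsx.lnk" is shown to the user as "x.xlsx".
DOC_HINTS = (".doc", ".docx", ".xls", ".xlsx", ".pdf")


def find_shortcuts(zip_bytes):
    """Return [(member_name, reason)] for every Shell Link in the archive."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            name = info.filename.lower()
            by_magic = head == LNK_MAGIC
            by_ext = name.endswith(".lnk")
            if not (by_magic or by_ext):
                continue
            stem = name[:-4] if by_ext else name
            if by_magic and not by_ext:
                reason = "lnk-header-under-other-extension"
            elif stem.endswith(DOC_HINTS):
                reason = "lnk-with-document-name"
            else:
                reason = "lnk-in-archive"
            hits.append((info.filename, reason))
    return hits


def build_sample():
    """Constructed archive: bare 76-byte headers with no link target."""
    fake_lnk = LNK_MAGIC + bytes(0x4C - len(LNK_MAGIC))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Order_list.xlsx.lnk", fake_lnk)
        zf.writestr("Report.docx", fake_lnk)  # header behind another extension
        zf.writestr("notes.txt", b"plain text")
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in find_shortcuts(build_sample()):
        print(f"{why:34} {member}")
```
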

The attack reconstructs and deploys Hijack Loader in memory through a multi-stage process that employs techniques like DLL side-loading and module stomping to evade detection by security tools. The loader then scans the environment for installed security software, such as those related to Kaspersky, Avast, BitDefender, AVG, Emsisoft, Webroot, and Microsoft, by calculating the CRC32 hash of the corresponding program.
Besides establishing persistence via scheduled tasks, the loader takes steps to subvert static signature detection before covertly executing Remcos RAT by injecting it into “chime.exe.” The remote administration tool grants the attackers the ability to manage the endpoint, execute payloads, monitor activities, and steal data.
“Although marketed as legitimate system management software, its powerful intrusive capabilities make it frequently used by various malicious attackers for cyber espionage and data theft activities,” the 360 Threat Intelligence Center said. “Through the graphical user interface (GUI) control panel provided by Remcos, attackers can perform batch automated management or precise manual interactive operations on the victim’s host.”
