A cyber threat group aligned with Russia, identified as UAC-0184, has been observed targeting Ukrainian military and government organizations. The group utilizes the Viber messaging platform to deliver malicious ZIP archives in these attacks.
According to a technical report from the 360 Threat Intelligence Center, this group consistently engaged in extensive intelligence gathering operations against Ukrainian military and government sectors throughout 2025.
The hacking group, also known as Hive0156, has a history of using war-themed deceptive tactics in phishing emails. These campaigns aim to deliver Hijack Loader to Ukrainian targets, which then facilitates Remcos RAT infections.
CERT-UA first documented this threat actor in January 2024. Later attack campaigns showed the group utilizing messaging applications such as Signal and Telegram to deliver malware. Recent discoveries by the Chinese security vendor indicate a continued evolution in these delivery methods.
The current attack methodology begins with Viber, used as the initial entry point to distribute malicious ZIP archives. These archives contain several Windows shortcut (LNK) files, which are disguised as legitimate Microsoft Word and Excel documents to deceive recipients into opening them.
These LNK files are engineered to display a decoy document to the victim, reducing suspicion, while simultaneously executing Hijack Loader in the background. This is achieved by retrieving a second ZIP archive, named “smoothieks.zip,” from a remote server via a PowerShell script.
Hijack Loader is reconstructed and deployed in memory through a multi-stage process. This process incorporates techniques like DLL side-loading and module stomping to bypass detection by security software. The loader also scans the system for installed security products, including those from Kaspersky, Avast, BitDefender, AVG, Emsisoft, Webroot, and Microsoft, by computing the CRC32 hash of their respective programs.
In addition to establishing persistence through scheduled tasks, the loader attempts to circumvent static signature detection. It then covertly executes Remcos RAT by injecting it into “chime.exe.” This remote administration tool provides attackers with capabilities to manage the compromised endpoint, deploy further payloads, monitor user activities, and exfiltrate data.
The 360 Threat Intelligence Center noted that while Remcos RAT is marketed as legitimate system management software, its potent intrusive features lead to its frequent use by malicious actors for cyber espionage and data theft. The tool’s graphical user interface (GUI) control panel allows attackers to conduct both automated batch management and precise manual operations on a victim’s host.
