Russia-Aligned Hackers Exploit Viber to Compromise Ukrainian Military and Government

  • Jan 5

Key Findings


  • The Russia-aligned threat actor known as UAC-0184 (also tracked as Hive0156) has been targeting Ukrainian military and government entities by leveraging the Viber messaging platform to deliver malicious ZIP archives.

  • The attack campaign involves using Viber to distribute malicious ZIP files disguised as official Ukrainian parliamentary documents and military casualty data.

  • The ZIP archives contain Windows shortcut (LNK) files posing as Microsoft Word and Excel documents, which launch a multi-stage infection process to deploy the HijackLoader malware and the Remcos RAT.

  • The threat actor's tactics, techniques, and tools are consistent with UAC-0184's established modus operandi, including the use of war-themed lures, messaging app exploitation, and the HijackLoader-Remcos RAT payload.

  • The campaign targets sensitive issues such as the alteration of Ukrainian military personnel files and the refusal to pay compensation for those killed in action, aligning with UAC-0184's focus on Ukrainian government and military intelligence.


Background


  • UAC-0184, also tracked as Hive0156, is a Russia-aligned threat actor that has been documented by CERT-UA since early 2024.

  • The group is primarily known for leveraging war-themed lures in phishing emails to deliver the HijackLoader malware, which serves as a pathway for Remcos RAT infections targeting Ukrainian entities.

  • The threat actor has a history of exploiting popular messaging apps like Signal, Telegram, and now Viber as a delivery vehicle for malware.


Attack Methodology


  • The attack campaign involves the use of Viber as an initial intrusion vector to distribute malicious ZIP archives (A2393.zip) containing multiple Windows shortcut (LNK) files disguised as official Microsoft Word and Excel documents.

  • The LNK files serve as decoy documents for the victim while silently executing HijackLoader in the background: a PowerShell script fetches a second ZIP archive ("smoothieks.zip") from a remote server.

  • HijackLoader employs techniques such as DLL side-loading and module stomping to evade detection and reconstruct the final payload, the Remcos RAT.

  • The Remcos RAT grants the attackers the ability to manage the endpoint, execute payloads, monitor activities, and steal data from the victim's system.
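The archive-to-LNK pattern described above is something a mail or messaging gateway can check for before the file reaches a user. The following is an added defensive example, not code from the original post or from any of the cited reports: it opens a ZIP archive, flags entries that are Windows shell links (by ".lnk" extension or by the LNK header magic), and notes whether the name mimics an Office document or whether the link body references PowerShell. The sample archive, entry names and command-line text are constructed here for illustration and are not the real A2393.zip.

```python
import io
import zipfile
from dataclasses import dataclass, field

# Shell Link files start with HeaderSize 0x4C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046, stored as a little-endian GUID.
LNK_MAGIC = bytes.fromhex("4C000000" "01140200" "0000" "0000" "C000000000000046")
OFFICE_EXTS = (".doc", ".docx", ".xls", ".xlsx")


@dataclass
class Finding:
    name: str
    reasons: list = field(default_factory=list)


def _looks_like_office(name: str) -> bool:
    # "report.docx.lnk": with the .lnk suffix hidden, the user sees "report.docx"
    stem = name.lower().rsplit(".", 1)[0]
    return stem.endswith(OFFICE_EXTS)


def _mentions_powershell(data: bytes) -> bool:
    # LNK arguments are usually UTF-16LE, so check both encodings of the keyword
    low = data.lower()
    return b"powershell" in low or "powershell".encode("utf-16-le") in low


def scan_archive(zip_bytes: bytes) -> list:
    """Return a Finding for every shell link found in the archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info)  # small archives only; cap the read size in production
            if not (info.filename.lower().endswith(".lnk") or data.startswith(LNK_MAGIC)):
                continue
            f = Finding(info.filename, ["shell link (LNK) inside archive"])
            if _looks_like_office(info.filename):
                f.reasons.append("masquerades as Office document")
            if _mentions_powershell(data):
                f.reasons.append("embeds powershell command line")
            findings.append(f)
    return findings


def build_sample() -> bytes:
    """Constructed test archive (hypothetical names, placeholder command line)."""
    lnk_with_ps = LNK_MAGIC + b"\x00" * 40 + "powershell.exe CONSTRUCTED_ARGS".encode("utf-16-le")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Document.docx.lnk", lnk_with_ps)
        zf.writestr("casualties.xlsx.lnk", LNK_MAGIC + b"\x00" * 40)
        zf.writestr("readme.txt", b"benign text")
    return buf.getvalue()
```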


Indicators of Compromise (IoCs)


  • Malicious ZIP archives: A2393.zip, smoothieks.zip

  • Legitimate program used for side-loading: CFlux.exe

  • Injected malware: HijackLoader, Remcos RAT


Conclusion


The Russia-aligned threat actor UAC-0184 continued its high-intensity intelligence gathering against Ukrainian military and government entities in 2025, leveraging the Viber messaging platform to deliver malicious payloads. The group's use of war-themed lures, messaging app exploitation, and the HijackLoader-Remcos RAT toolchain is consistent with its established tactics, making it a persistent threat to Ukrainian organizations.


Sources


  • https://thehackernews.com/2026/01/russia-aligned-hackers-abuse-viber-to.html

  • https://securityaffairs.com/186571/apt/russia-linked-apt-uac-0184-uses-viber-to-spy-on-ukrainian-military-in-2025.html

  • https://bvtech.org/russia-aligned-hackers-abuse-viber-to-target-ukrainian-military-and-government/

  • https://www.cypro.se/2026/01/05/russia-aligned-hackers-abuse-viber-to-target-ukrainian-military-and-government/

  • https://www.hendryadrian.com/russia-aligned-hackers-abuse-viber-to-target-ukrainian-military-and-government/

  • https://www.socdefenders.ai/item/2edb29fc-407a-4c5b-ba7e-c4b38e8733d4

© 2025 by Explain IT Again.