Russia-linked hackers target Ukraine via Viber malware campaign

A Russia-aligned threat actor tracked as UAC-0184 has been observed targeting Ukrainian military and government entities using the Viber messaging platform to distribute malware-laced ZIP archives. According to a new technical report from the 360 Threat Intelligence Center, the group has maintained “high-intensity intelligence gathering activities” against Ukrainian institutions throughout 2025.

Also known as Hive0156, the group has historically relied on war-themed phishing emails to deliver Hijack Loader, which ultimately deploys the Remcos remote access trojan (RAT). First documented by CERT-UA in January 2024, the actor has since expanded its delivery methods to include messaging apps such as Signal and Telegram. The latest campaign marks a further evolution, using Viber as the initial infection vector.

The attack chain begins with malicious ZIP files containing Windows shortcut (LNK) files disguised as Microsoft Word and Excel documents. When opened, the files display decoy documents while executing Hijack Loader in the background via a PowerShell script that retrieves additional payloads from a remote server.

The malware employs advanced evasion techniques, including DLL side-loading and module stomping, scans for installed security software, and establishes persistence through scheduled tasks. It ultimately injects Remcos RAT into a legitimate process.
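For triage of the delivery stage described above (ZIP archives carrying LNK files dressed up as Word and Excel documents), the following is an added example, not code from the 360 Threat Intelligence Center report or from CERT-UA. It flags shortcut entries inside an archive by file name and by the Shell Link header bytes; the `DOC_HINTS` name list, the reason strings and the in-memory sample archive are assumptions constructed for illustration.

```python
import io
import zipfile

# Shell Link header: HeaderSize (0x4C) followed by the LinkCLSID.
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")
# Assumption: name fragments that make a shortcut look like an Office document.
DOC_HINTS = (".doc", ".docx", ".xls", ".xlsx")


def triage_zip(data: bytes) -> list[tuple[str, str]]:
    """Return (entry name, reason) for every shortcut-like entry in the archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            lower = info.filename.lower()
            try:
                with zf.open(info) as fh:
                    is_lnk = fh.read(len(LNK_MAGIC)) == LNK_MAGIC
            except RuntimeError:  # password-protected entry, content not readable
                findings.append((info.filename, "encrypted entry, inspect manually"))
                continue
            named_lnk = lower.endswith(".lnk")
            if not (is_lnk or named_lnk):
                continue
            # Strip a trailing ".lnk" so "report.docx.lnk" is judged as "report.docx".
            stem = lower[:-4] if named_lnk else lower
            if stem.endswith(DOC_HINTS):
                reason = "shortcut with a document-style name"
            elif is_lnk and not named_lnk:
                reason = "shortcut content under another extension"
            else:
                reason = "shortcut inside archive"
            findings.append((info.filename, reason))
    return findings


def build_sample() -> bytes:
    """Constructed sample archive: two fake LNK entries (header only) and a text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.docx.lnk", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("notes.txt", "plain text")
        zf.writestr("table.xlsx", LNK_MAGIC + b"\x00" * 56)
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in triage_zip(build_sample()):
        print(f"{name}: {reason}")
```

The header check catches shortcuts whose extension has been changed, which a name-only filter at a mail or messaging gateway would miss.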

