New Front in Cyberwar: Russia-Aligned Hackers Exploit Viber to Target Ukraine
In an escalating digital conflict, a sophisticated Russia-aligned threat actor, identified as UAC-0184 (also known as Hive0156), has significantly evolved its tactics, now leveraging the popular Viber messaging platform to launch targeted cyberattacks against Ukrainian military and government entities. This marks a critical shift in the group’s high-intensity intelligence gathering operations, which have persisted throughout 2025.
Evolution of a Persistent Threat
UAC-0184 is no stranger to the cyber battlefield. Initially documented by CERT-UA in early 2024, the group gained notoriety for its use of war-themed phishing emails to distribute Hijack Loader, a potent malware loader that paves the way for Remcos RAT infections. Their methodology has shown a clear trajectory of adaptation, previously utilizing other messaging applications like Signal and Telegram for malware delivery. The latest intelligence from the 360 Threat Intelligence Center reveals a further refinement of this strategy, underscoring the group’s relentless pursuit of Ukrainian intelligence.
The Viber Attack Chain: A Deceptive Delivery
The current attack vector is particularly insidious. Threat actors initiate the intrusion by distributing malicious ZIP archives via Viber. These archives contain multiple Windows shortcut (LNK) files, cunningly disguised as legitimate Microsoft Word and Excel documents. The objective is to trick unsuspecting recipients into opening them. Upon activation, these LNK files serve a dual purpose:
- They display a decoy document, lowering the victim’s suspicion.
- Simultaneously, they silently execute a PowerShell script in the background.
This script then fetches a second, hidden ZIP archive, “smoothieks.zip,” from a remote server. This archive is crucial for the next stage of the attack.
Hijack Loader: The Stealthy Infiltrator
The retrieved “smoothieks.zip” facilitates the reconstruction and deployment of Hijack Loader directly into memory. This multi-stage process employs advanced evasion techniques, including DLL side-loading and module stomping, specifically designed to bypass detection by conventional security tools. Once active, Hijack Loader meticulously scans the compromised environment for installed security software from vendors like Kaspersky, Avast, BitDefender, AVG, Emsisoft, Webroot, and Microsoft, using CRC32 hash calculations to identify them.
Beyond its evasive maneuvers, Hijack Loader establishes persistence on the system through scheduled tasks and takes steps to subvert static signature detection. Its ultimate goal is to covertly execute Remcos RAT by injecting it into a legitimate process, “chime.exe.”
Remcos RAT: The Ultimate Control
Remcos RAT (Remote Control and Surveillance) is a powerful remote administration tool that, while marketed for legitimate system management, is frequently abused by malicious actors for cyber espionage and data theft. Once deployed, Remcos RAT grants the attackers extensive control over the compromised endpoint, enabling them to:
- Manage the victim’s system remotely.
- Execute additional payloads.
- Monitor user activities.
- Exfiltrate sensitive data.
As the 360 Threat Intelligence Center notes, “Through the graphical user interface (GUI) control panel provided by Remcos, attackers can perform batch automated management or precise manual interactive operations on the victim’s host.” This level of control underscores the severe threat posed by such an infection.
The Ongoing Cyber Front
The continuous evolution of UAC-0184’s tactics, particularly their adoption of widely used messaging platforms like Viber, highlights the persistent and adapting nature of cyber warfare targeting Ukraine. Organizations and individuals alike must remain vigilant and implement robust cybersecurity measures to counter these increasingly sophisticated threats.
For more details, visit our website.
Source: Link
