Full Report
Russia-linked threat actor UAC-0184 (aka Hive0156) is targeting Ukrainian military and government entities, using Viber messages to deliver malicious ZIP files as part of ongoing intelligence-gathering operations in 2025. “Recent monitoring data from the 360 Advanced Threat Research Institute shows that the UAC-0184 group launched a phishing attack campaign against the Verkhovna Rada (Ukrainian parliament), targeting sensitive issues…
Analysis Summary
# Threat Actor: UAC-0184
## Attribution & Identity
**Attribution:** Russia-linked
**Known Aliases:** Hive0156
**Known Associations:** None specified beyond being a Russia-linked actor.
## Activity Summary
UAC-0184 is actively conducting intelligence-gathering operations targeting Ukrainian entities throughout 2025. Recent activity includes a phishing campaign observed by the 360 Advanced Threat Research Institute specifically targeting the Verkhovna Rada (Ukrainian parliament). The lures focused on sensitive topics related to "alteration of Ukrainian military personnel files and the refusal to pay compensation for those killed in action." The group is expected to maintain intensive intelligence-theft operations through 2025.
## Tactics, Techniques & Procedures
- **Delivery Mechanism:** Use of Viber messages to deliver payloads.
- **Payload Type:** Malicious ZIP files.
- **Infection Vector:** Phishing attack campaign.
- **Lure Strategy:** Social engineering based on highly sensitive and emotionally charged domestic issues (military personnel changes, compensation for fallen soldiers).
- **Objective:** Intelligence-gathering operations.
## Targeting
- **Sectors:** Military, Government
- **Geography:** Ukraine
- **Victims:** Ukrainian military entities; Verkhovna Rada (Ukrainian parliament).
## Tools & Infrastructure
- **Malware Families Used:** Not named in the source; the malicious ZIP archives delivered via Viber serve as the container for an unspecified payload.
- **Infrastructure (C2, domains, IPs):** Not specified in the provided context. (Defanged URLs/IPs: N/A)
## Implications
UAC-0184's delivery of payloads over Viber, a common and seemingly benign messaging application, lets its lures bypass traditional email-based filtering. The group's focus on politically and emotionally sensitive internal Ukrainian matters suggests a strategic intelligence objective: exploiting societal rifts or gathering administrative data related to military readiness and morale. The continuous, intensive operations throughout 2025 indicate a sustained, high-priority espionage effort.
## Mitigations
- Strengthen security awareness training specifically around messaging applications like Viber.
- Implement controls to monitor and restrict the downloading and execution of files received via non-standard channels (e.g., non-corporate messaging apps).
- Enhance encryption and access controls for sensitive military and parliamentary systems.
- Monitor for lures related to personnel files and compensation disputes as indicators of compromise attempts.