A significant increase in cyber threats targeting Ukrainian military and government organizations has been noted in 2025, primarily attributed to the Russia-aligned group known as UAC-0184, also referred to as Hive0156. This group has been utilizing the Viber messaging platform to distribute malicious ZIP files containing deceptive Windows shortcut files that mimic official Microsoft documents.
The 360 Threat Intelligence Center highlighted that these attacks are characterized by high-intensity intelligence gathering efforts. Initially documented by CERT-UA in January 2024, the group has evolved its tactics, also employing messaging services like Signal and Telegram to facilitate malware distribution.
The malicious process involves using PowerShell scripts to silently execute the Hijack Loader, which subsequently paves the way for Remcos RAT infections. This remote administration tool enables attackers to monitor activities, manage endpoints, and extract sensitive data, significantly enhancing their cyber espionage capabilities.
The loader is designed to avoid detection by security software, including popular brands such as Kaspersky and Avast, by employing sophisticated techniques like DLL side-loading and module stomping. In addition, it establishes persistence through scheduled tasks, further complicating mitigation efforts against such intrusions.