UAC-0184

UAC-0184 is a Russia-aligned threat actor, also tracked as Hive0156, UNC5435, and MB-0007. Reporting in the provided content links the group to cyber-espionage activity primarily targeting Ukraine, especially representatives of the Ukrainian Defense Forces, as well as Ukrainian military, government, and legislative entities including the Verkhovna Rada. CERT-UA reported increased UAC-0184 activity during 2024 aimed at gaining access to victims’ computers in order to steal documents and messenger data. The group relies heavily on social engineering and messenger-based delivery. The content states that UAC-0184 has used popular messengers, dating websites, and specifically Viber to deliver malicious ZIP archives and weaponized LNK files. Lures referenced in the content include criminal proceeding notices, combat videos, acquaintance or romance-themed outreach, military-themed documents, and official-looking parliamentary or defense-related files. Tradecraft described in the content includes LNK-based initial access, PowerShell downloader chains, use of bitsadmin and mshta.exe to retrieve and execute HTA payloads, reflective loading, DLL side-loading, DLL search order hijacking, scheduled-task persistence, and in-memory payload reconstruction. Multiple reports describe a staged chain in which LNK files invoke bitsadmin and mshta to fetch HTA files, which then download dctrprraclus.zip and unpack components under %APPDATA%\ApplicationData32. The chain uses legitimate software as sideloading covers, including Plane9 components, Microsoft-signed VSLauncher.exe, PassMark BurnInTest / PassMark Endpoint components, and a legitimate signed Bitdefender Endpoint Security deployer (bddeploy.exe). One analyzed chain used XOR decoding and LZNT1 decompression to recover the final payload bundle, and reporting notes multicast UDP and TCP communications on port 31339 associated with repurposed PassMark functionality. Malware and tooling directly associated with UAC-0184 in the provided content include HijackLoader / IDAT loaders such as SHADOWLADDER and GHOSTPULSE, Remcos RAT, XWorm, ViottoKeylogger, SIGTOP, and TUSC. CERT-UA reporting states that SIGTOP and TUSC were used to steal and exfiltrate data from compromised systems, including Signal messages and contact data. Other reporting in the content describes campaigns delivering Hijack Loader followed by Remcos RAT, including injection into legitimate processes such as Chime.exe, as well as environmental checks for installed security software. The content also describes a 2025 campaign in which UAC-0184 used Viber to target Ukrainian military and government entities with malicious ZIP archives containing LNK files disguised as official documents. Additional reporting links the actor to phishing against Ukraine’s parliament and to campaigns targeting Ukrainian Ministry of Defense personnel. Across the provided sources, the actor’s objective is consistently described as intelligence collection and theft of sensitive documents and messenger data from Ukrainian targets.