Russia-Aligned UAC-0184 Targets Ukrainian Military via Viber Phishing Campaign
The Russia-linked advanced persistent threat group UAC-0184, also known as Hive0156, has intensified its espionage operations against Ukrainian military and government entities by leveraging the Viber messaging platform as an initial attack vector. The group distributed malicious ZIP archives disguised as official documents, which contained Windows shortcut (LNK) files masquerading as Microsoft Word, Excel, and other document types. When opened, these LNK files executed a multi-stage infection chain, including the deployment of the Hijack Loader malware, which facilitated further compromise through techniques such as DLL side-loading, module stomping, and in-memory execution to evade detection. The phishing lures exploited sensitive themes, such as military personnel record changes and compensation issues, to increase the likelihood of successful compromise.
The attack chain involved the use of PowerShell scripts to download additional payloads, with the malware designed to scan for and evade common security software. Persistence was established via scheduled tasks, and the campaign was observed to target high-value Ukrainian government bodies, including the Verkhovna Rada. Security researchers recommend strengthening security awareness, encryption, and access controls to mitigate the risk from such sophisticated phishing and malware delivery tactics. The campaign is expected to continue, with UAC-0184 evolving its methods and maintaining a focus on intelligence gathering against Ukrainian targets.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Researchers publicly document UAC-0184's Viber-based espionage campaign
On 2026-01-05, multiple security outlets reported that UAC-0184 had been abusing Viber in 2025 to spy on Ukrainian military and government targets. The reporting tied the activity to the group's known toolchain and highlighted its shift from other messaging platforms such as Signal and Telegram.
Attack chain deploys Hijack Loader and Remcos RAT on victim systems
In the 2025 campaign, opening the ZIP files triggered a multi-stage infection chain using LNK files, PowerShell, and side-loading techniques to install Hijack Loader and then Remcos RAT. The malware provided remote access, persistence, security-tool reconnaissance, and data theft capabilities while using evasion methods such as in-memory execution and module stomping.
UAC-0184 conducts Viber spearphishing against Ukrainian entities in 2025
During 2025, the Russia-aligned threat actor UAC-0184, also known as Hive0156, targeted Ukrainian military and government organizations, including the Verkhovna Rada, by sending malicious ZIP archives through Viber. The messages used official-document and military-themed lures to trick recipients into opening weaponized files.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
UAC-0184 Exploits Viber for Spearphishing Ukrainian Military and Government with Remcos RAT and Hijack Loader
rescana.com
Open sourceRussia-Aligned Hackers Abuse Viber to Target Ukrainian Military and Government
thehackernews.com
Open sourceRussia-linked APT UAC-0184 uses Viber to spy on Ukrainian military in 2025
securityaffairs.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
UAC-0247 Hits Ukrainian Government and Hospitals With AgingFly Espionage Malware
CERT-UA reported that threat cluster **UAC-0247** targeted Ukrainian local governments, municipal clinics, emergency hospitals, and in some cases Defense Forces personnel with a phishing campaign delivering the newly identified **`AGINGFLY`** malware. The attacks used humanitarian-aid themed emails, compromised or fake websites, malicious archives, and **`LNK`** files that triggered **`mshta.exe`** to launch **`HTA`** payloads, scheduled tasks, and shellcode injection into legitimate processes before deploying **`RAVENSHELL`**, **`SILENTLOOP`**, and the C# backdoor **`AGINGFLY`**. Separate lures sent through Signal masqueraded as FPV drone operator software updates and used DLL side-loading to install the same malware. The intrusions were aimed at espionage and data theft, with **`AGINGFLY`** enabling remote command execution, file exfiltration, screenshots, keylogging, and arbitrary code execution, while dynamically compiling command handlers received from command-and-control servers. CERT-UA said the operators also stole credentials from Chromium-based browsers with **`CHROMELEVATOR`**, extracted WhatsApp data with **`ZAPIXDESK`**, and used tools including **`RUSTSCAN`**, **`LIGOLO-NG`**, and **`CHISEL`** for reconnaissance, tunneling, and lateral movement; at least one incident also involved **`XMRIG`** delivered through a modified WireGuard binary, indicating cryptomining alongside espionage. The agency urged defenders to restrict execution of **`LNK`**, **`HTA`**, and **`JS`** files and limit abuse of **`mshta.exe`**, **`powershell.exe`**, and **`wscript.exe`**.
Jun 8, 2026
APT28 Exploitation of Microsoft Office Zero-Day CVE-2026-21509 Against Ukraine and EU Targets
Ukraine’s CERT-UA reported active exploitation of a Microsoft Office zero-day, **CVE-2026-21509** (a security feature bypass), attributed to Russia-linked **UAC-0001 / APT28 (Fancy Bear)** and used to target Ukrainian government bodies and organizations across the EU. Microsoft disclosed the flaw with a warning that it was already being exploited in the wild, and CERT-UA observed rapid weaponization: a lure document titled `Consultation_Topics_Ukraine(Final).doc` appeared shortly after disclosure and was themed around EU discussions on Ukraine, suggesting the exploit chain was prepared in advance. CERT-UA also described a parallel phishing campaign impersonating the Ukrhydrometeorological Center, sent to 60+ recipients largely in Ukrainian central executive bodies. The attack chain described includes opening a malicious DOC that triggers a **WebDAV** connection to attacker infrastructure, downloads a shortcut (`.lnk`) used to stage additional payloads, and deploys components including a DLL masquerading as a legitimate Windows component (e.g., `EhStoreShell.dll`) with shellcode hidden in a decoy file (e.g., `SplashScreen.png`), alongside persistence techniques such as **COM hijacking** (registry modification) and scheduled task creation.
Apr 29, 2026
Russian Phishing Campaign Targets Ukraine With BadPaw Loader and MeowMeow Backdoor
A **Russia-linked phishing campaign** has targeted Ukrainian entities using emails that lure recipients into downloading a ZIP archive, leading to installation of two newly identified malware families: the **BadPaw** loader and the **MeowMeow** backdoor. Reporting based on ClearSky’s analysis describes messages sent from addresses hosted on Ukrainian service **ukr[.]net**, with a redirect to a ZIP containing a Ukraine-themed border checkpoint/permit lure; opening the archive triggers execution that downloads **BadPaw**, which then establishes C2 and deploys **MeowMeow**. The malware chain is designed to complicate analysis and evade detection. ClearSky reported **BadPaw** as a **.NET-based loader** and noted use of the **.NET Reactor** packer/obfuscator, while **MeowMeow** provides backdoor functionality including file enumeration and data read/write/delete operations. Additional defensive measures include conditional execution (components remaining inert unless launched with specific parameters) and environment checks by MeowMeow to detect sandboxes or analysis tooling (e.g., *Wireshark*, *ProcMon*, *Fiddler*). Based on infrastructure and tradecraft indicators (including ukr[.]net-hosted sender addresses), researchers attributed the activity with **low confidence** to **APT28** (aka **Fancy Bear/Forest Blizzard/Blue Delta**).
Mar 21, 2026