Russia-Aligned Hackers Abuse Viber for Ukrainian Espionage
These articles are AI-generated summaries. Please check the original sources for full details.
Russia-Aligned Hackers Abuse Viber to Target Ukrainian Military and Government
The Russia-aligned threat actor UAC-0184 (also tracked as Hive0156) is abusing the Viber messaging platform to deliver malware to Ukrainian military and government personnel. The campaign, observed in early 2026, sends malicious ZIP archives containing Windows shortcut (.lnk) files; opening the shortcut starts a chain that deploys Hijack Loader and, as the final payload, Remcos RAT.
Why This Matters
The chain described here does not exploit a software vulnerability: the victim opens a ZIP received in a chat and launches a shortcut, after which Hijack Loader runs its stages in memory. Patching therefore does not close it, and endpoint detection and response (EDR) products that lean on file signatures often miss the multi-stage, in-memory execution, so a single successful lure can hand an attacker persistent remote access to a military or government endpoint. The result is espionage and data loss whose remediation cost can run to millions.
Key Insights
- UAC-0184 first documented by CERT-UA: January 2024
- DLL Side-Loading: Hijack Loader is started by placing a malicious DLL next to a legitimate, usually signed, executable that loads a DLL of that name from its own directory. The malicious code then runs inside a trusted process, which defeats allow-listing and signature checks applied to the host binary.
- Remcos RAT: Marketed as a legitimate remote administration tool, but routinely abused by attackers for its remote access and control capabilities.
Working Example
# Conceptual example of how PowerShell might be used to download a file.
# This is NOT the actual malicious code, but illustrates the technique.
import subprocess


def download_file(url, filename):
    """Downloads a file from a URL by invoking PowerShell's WebClient.

    Arguments are passed as a list (no shell=True) so that a URL or
    filename containing shell metacharacters cannot inject extra commands;
    single quotes are doubled so they cannot break out of the PowerShell
    string literal either.
    """
    url_ps = url.replace("'", "''")
    filename_ps = filename.replace("'", "''")
    ps_script = (
        "(New-Object System.Net.WebClient)"
        f".DownloadFile('{url_ps}', '{filename_ps}')"
    )
    try:
        subprocess.run(["powershell", "-Command", ps_script], check=True)
        print(f"File downloaded successfully to {filename}")
    except subprocess.CalledProcessError as e:
        print(f"Error downloading file: {e}")


# Example usage (DO NOT USE WITH MALICIOUS URLS)
# download_file("http://example.com/file.zip", "file.zip")
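The download snippet above shows the payload-retrieval step; the delivery step in this campaign is a ZIP carrying a Windows shortcut. The following is an added triage example, not code from the campaign, from CERT-UA or from any vendor report: it walks a ZIP, parses each .lnk according to the MS-SHLLINK layout (76-byte header, optional LinkTargetIDList and LinkInfo, then the StringData items) and reports what the shortcut would launch. The archive, the shortcut contents, the interpreter list and the heuristics (double extension, interpreter target, non-empty arguments) are all constructed for the demo and are assumptions, not indicators from the campaign.

```python
import io
import struct
import zipfile

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK 2.1.1), stored at header offset 0x14.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData items appear in this fixed order when their flag bit is set.
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))

# Heuristic: a "document" shortcut has no business launching an interpreter (constructed list).
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe"}


def _read_string(buf, off, unicode):
    """One StringData item: uint16 CountCharacters, then the characters."""
    (count,) = struct.unpack_from("<H", buf, off)
    off += 2
    end = off + (count * 2 if unicode else count)
    text = buf[off:end].decode("utf-16-le" if unicode else "cp1252")
    return text, end


def parse_lnk(data):
    """Extract the StringData fields of a Shell Link (.lnk) binary."""
    if len(data) < LNK_HEADER_SIZE or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    (flags,) = struct.unpack_from("<I", data, 0x14)
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # skip IDList: uint16 size + items
        (size,) = struct.unpack_from("<H", data, off)
        off += 2 + size
    if flags & HAS_LINK_INFO:                # skip LinkInfo: uint32 total size
        (size,) = struct.unpack_from("<I", data, off)
        off += size
    fields = {}
    for bit, name in STRING_FIELDS:
        if flags & bit:
            fields[name], off = _read_string(data, off, bool(flags & IS_UNICODE))
    return fields


def build_lnk(relative_path, arguments):
    """Constructed minimal .lnk (no IDList, no LinkInfo) used as demo input."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))   # remaining header fields zeroed

    def item(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + item(relative_path) + item(arguments)


def triage_zip(zip_bytes):
    """Return one finding per .lnk entry: what it launches and why it looks suspicious."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".lnk"):
                continue
            fields = parse_lnk(zf.read(info))
            target = fields.get("relative_path", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
            reasons = []
            if info.filename.lower().count(".") > 1:
                reasons.append("double extension")
            if target in INTERPRETERS:
                reasons.append(f"launches {target}")
            if fields.get("arguments"):
                reasons.append("carries arguments")
            findings.append({"entry": info.filename, "reasons": reasons, **fields})
    return findings


def build_sample_zip():
    """Constructed lure archive: a decoy text file plus a shortcut disguised as a PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "decoy")
        zf.writestr("Report.pdf.lnk",
                    build_lnk("..\\..\\..\\Windows\\System32\\cmd.exe", "/c viewer.exe"))
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_zip(build_sample_zip()):
        print(f["entry"], "->", f["relative_path"], f["arguments"], f["reasons"])
```

Real shortcuts usually carry a LinkTargetIDList and LinkInfo, which the parser skips by their declared sizes; the absolute target then lives in LinkInfo, so for production triage extend `parse_lnk` to read the LocalBasePath from that structure as well.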
Practical Applications
- Government Agencies: Restrict consumer messaging apps on managed devices, block or quarantine archive attachments received through them, and treat shortcut (.lnk) files inside archives as executables in mail and chat filtering. Multi-factor authentication still limits what stolen credentials are worth, but it does not stop a RAT that already runs on the endpoint.
- Pitfall: Relying solely on signature-based detection. The loader stages run in memory and the side-loaded DLL changes from sample to sample, so hashes lag behind; detect the behaviour instead, for example a shortcut launched from an archive path, a signed executable in a user-writable directory loading an unsigned DLL from its own folder, and the outbound connections of the resulting in-memory payload.
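The behavioural rule suggested above, as an added example that is not part of the original page or of any vendor product: it scores image-load telemetry for the DLL side-loading pattern (a signed executable in a user-writable directory loading a co-located DLL that is unsigned or that carries the name of a System32 DLL) without consulting any file hash. The events are constructed to mirror the shape of Sysmon Event ID 7 (ImageLoad); the `ProcessSigned` field is not a Sysmon field and is assumed to have been joined from the process-creation record, and the user-writable path fragments and System32 DLL name list are starter sets, not a complete baseline.

```python
import ntpath

# Path fragments a standard user can write to (matched case-insensitively). Constructed starter set.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\programdata\\", "\\users\\public\\")

# DLL names a process normally resolves from System32. A same-named copy next to a
# signed executable in a user-writable folder is the side-loading pattern.
# Constructed starter set; extend it from your own image-load baseline.
SYSTEM_DLL_NAMES = {"version.dll", "dwmapi.dll", "cryptbase.dll", "profapi.dll", "winhttp.dll", "wtsapi32.dll"}


def is_user_writable(path):
    return any(frag in path.lower() for frag in USER_WRITABLE)


def detect_sideload(event):
    """Return the reasons an image-load event looks like DLL side-loading.

    An empty list means benign. Nothing here depends on the DLL's hash, so a
    recompiled loader DLL is caught the same way as a known one.
    """
    image_dir = ntpath.dirname(event["Image"]).lower()
    dll_dir = ntpath.dirname(event["ImageLoaded"]).lower()
    dll_name = ntpath.basename(event["ImageLoaded"]).lower()
    if dll_dir != image_dir or not is_user_writable(image_dir):
        return []          # only co-located DLLs in user-writable directories are scored
    reasons = []
    if event["ProcessSigned"] and not event["Signed"]:
        reasons.append("signed host process loaded unsigned co-located DLL")
    if dll_name in SYSTEM_DLL_NAMES:
        reasons.append(f"{dll_name} resolved from the process directory instead of System32")
    return reasons


def scan(events):
    """Return (index, reasons) for every event that trips the rule."""
    hits = []
    for i, ev in enumerate(events):
        reasons = detect_sideload(ev)
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed events in the shape of Sysmon Event ID 7 (ImageLoad). ProcessSigned is
# not a Sysmon field; assume it was joined from the Event ID 1 record of the process.
EVENTS = [
    {   # vendor app under Program Files loading its own signed helper: benign
        "Image": r"C:\Program Files\Vendor\app.exe",
        "ImageLoaded": r"C:\Program Files\Vendor\helper.dll",
        "ProcessSigned": True, "Signed": True,
    },
    {   # signed viewer extracted into Temp, pulling an unsigned version.dll beside it
        "Image": r"C:\Users\user\AppData\Local\Temp\Report\viewer.exe",
        "ImageLoaded": r"C:\Users\user\AppData\Local\Temp\Report\version.dll",
        "ProcessSigned": True, "Signed": False,
    },
    {   # per-user install loading its own signed DLL with a non-system name: benign
        "Image": r"C:\Users\user\AppData\Local\Browser\browser.exe",
        "ImageLoaded": r"C:\Users\user\AppData\Local\Browser\browser_elf.dll",
        "ProcessSigned": True, "Signed": True,
    },
    {   # same viewer loading the genuine version.dll from System32: benign
        "Image": r"C:\Users\user\AppData\Local\Temp\Report\viewer.exe",
        "ImageLoaded": r"C:\Windows\System32\version.dll",
        "ProcessSigned": True, "Signed": True,
    },
]

if __name__ == "__main__":
    for idx, reasons in scan(EVENTS):
        print(idx, EVENTS[idx]["ImageLoaded"], reasons)
```

Only the second event fires, on both counts. The third event is the important false-positive control: per-user installs legitimately load co-located DLLs from AppData, so the rule requires either an unsigned DLL or a System32 name collision before it alerts.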