What happened
Russia-aligned hackers are abusing the messaging platform Viber to target Ukrainian military and government entities. The campaign, attributed to threat actor UAC-0184 (also tracked as Hive0156), delivers malicious ZIP archives containing Windows LNK shortcut files disguised as Microsoft Word or Excel documents. When opened, the shortcut files execute Hijack Loader, which uses PowerShell to retrieve additional payloads and ultimately deploys Remcos RAT via DLL side-loading and process injection. The malware enables remote system control, surveillance, and data exfiltration, continuing the cyber espionage operations observed throughout 2025.
Who is affected
Ukrainian military units, government agencies, and individuals using Viber for communications are directly targeted.
Why CISOs should care
Consumer messaging platforms are increasingly abused as malware delivery channels, bypassing traditional email security controls.
3 practical actions
1. Harden endpoint detection: Deploy EDR capable of detecting loader-based and in-memory malware techniques.
2. Restrict messaging attachments: Limit or block file execution originating from consumer messaging apps.
3. Train high-risk users: Reinforce awareness training for personnel handling sensitive or government communications.
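The delivery technique described above (a ZIP archive carrying an LNK shortcut dressed up as a Word or Excel document) can be caught at an attachment gateway or file-share scanner before a user ever double-clicks it. The following Python script is an added example written for this summary, not code from the advisory or from any vendor; it flags archive entries that are LNK files by content (the fixed HeaderSize and LinkCLSID values from the MS-SHLLINK specification) or by a document-looking double extension, and it scans a constructed in-memory sample archive whose file names are invented placeholders, not the campaign's actual lures.

```python
import io
import zipfile
from typing import Dict, Optional

# MS-SHLLINK fixed header prefix: HeaderSize 0x0000004C (little-endian) followed
# by LinkCLSID {00021401-0000-0000-C000-000000000046} in on-disk GUID byte order.
LNK_HEADER_SIZE = b"\x4c\x00\x00\x00"
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
LNK_MAGIC = LNK_HEADER_SIZE + LNK_CLSID  # 20 bytes

# Extensions a lure would borrow so that "Report.docx.lnk" shows as "Report.docx"
# on a Windows desktop that hides the .lnk suffix (default behaviour).
DOCUMENT_EXTENSIONS = (".doc", ".docx", ".xls", ".xlsx", ".rtf", ".pdf")


def is_lnk(head: bytes) -> bool:
    """Content check: true when the first 20 bytes match the LNK header prefix."""
    return head[:20] == LNK_MAGIC


def classify(name: str, head: bytes) -> Optional[str]:
    """Return a verdict string for a suspicious archive entry, or None if it is not a shortcut."""
    lower = name.lower()
    has_magic = is_lnk(head)
    ends_lnk = lower.endswith(".lnk")
    stem = lower[:-4] if ends_lnk else lower
    if has_magic and not ends_lnk:
        # LNK bytes behind a non-.lnk name: the extension itself is a lie.
        return "lnk-content-with-false-extension"
    if ends_lnk and stem.endswith(DOCUMENT_EXTENSIONS):
        # Classic double extension: Report.docx.lnk renders as Report.docx.
        return "lnk-with-document-double-extension"
    if ends_lnk or has_magic:
        # Any shortcut arriving inside a messaging attachment is worth a look.
        return "lnk-shortcut"
    return None


def scan_zip(archive_bytes: bytes) -> Dict[str, str]:
    """Map each suspicious entry name in the archive to its verdict."""
    findings: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(20)  # only the header prefix is needed
            verdict = classify(info.filename, head)
            if verdict:
                findings[info.filename] = verdict
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample archive (placeholder names, not real campaign artifacts)."""
    # A truncated, inert byte string that only carries the LNK header prefix.
    fake_lnk = LNK_MAGIC + b"\x00" * 56
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Report_2025.docx.lnk", fake_lnk)   # double-extension lure
        zf.writestr("Invoice.xlsx", fake_lnk)           # LNK bytes with a false extension
        zf.writestr("readme.txt", b"plain text")        # benign
        zf.writestr("notes.docx", b"PK\x03\x04stub")    # benign stub, not a shortcut
    return buf.getvalue()


if __name__ == "__main__":
    for entry, verdict in scan_zip(build_sample_archive()).items():
        print(f"{verdict:40s} {entry}")
```

Run it on an attachment before it reaches the endpoint; the content check is what matters, because an adversary who renames the shortcut to plain `Report.docx` defeats the extension test but not the 20-byte header match. The script deliberately does not recurse into nested archives or enforce size limits, so wrap it with those controls in a gateway deployment.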
