Russian hackers are abusing Viber to spy on Ukraine


A Russia-related hacking group has discovered a new method for infiltrating Ukrainian government and military systems by exploiting a popular messaging app.

Security researchers say the threat actor, known as UAC-0184 and also tracked as Hive0156, has been actively abusing Viber to distribute malicious files as part of an ongoing cyber espionage campaign targeting Ukraine.

Created by Japanese tech conglomerate Rakuten, Viber is a major player in dedicated markets in the Commonwealth of Independent States (CIS), Central and Eastern Europe (CEE), the Middle East, and the Philippines. The app is estimated to have over 820 million active users.


Meanwhile, according to a technical report published by the 360 Threat Intelligence Center, UAC-0184 has maintained “high-intensity intelligence gathering activities” throughout 2025, continuing a pattern first documented shortly after Russia’s invasion of Ukraine.

CERT-UA first flagged UAC-0184 in January 2024, linking the group to phishing campaigns that used war-related themes to lure victims into opening infected attachments.

Earlier attacks relied heavily on email and messaging platforms, such as Signal and Telegram. The latest findings suggest the group has refined its approach, shifting toward Viber as an entry point.

Malware hidden behind everyday messages

In the newly observed attacks, victims receive messages on Viber containing ZIP archives that appear to hold routine work documents.

Inside those archives are multiple Windows shortcut (LNK) files, disguised as Microsoft Word or Excel files. When opened, they display a harmless decoy document to avoid raising suspicion.

Behind the scenes, however, the shortcut launches a PowerShell script that downloads a second archive named smoothieks.zip from a remote server.


The malicious archive contains the components needed to assemble and execute Hijack Loader, a malware loader commonly used in espionage operations.

Rather than dropping obvious files onto disk, the loader is reconstructed and executed entirely in memory, using techniques such as DLL side-loading and module stomping to evade detection until the final payload is deployed.
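For defenders, the delivery stage described above (a ZIP archive holding shortcuts dressed up as Office documents) can be triaged before anyone opens it. The following Python sketch is an added example, not code from the 360 report or from Cybernews; it flags archive members that carry the Windows Shell Link header or a `.lnk` name. The two disguise patterns it checks (a document extension in front of `.lnk`, and shortcut content stored under a document name) are assumptions about how such files are typically disguised, and the sample archive and its file names are constructed.

```python
import io
import struct
import zipfile

# Shell Link header: HeaderSize 0x4C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 in its on-disk byte order.
LNK_MAGIC = struct.pack("<I", 0x4C) + bytes.fromhex("0114020000000000c000000000000046")
DOC_HINTS = (".doc", ".docx", ".xls", ".xlsx", ".pdf", ".rtf")  # assumed lure extensions


def triage_zip(blob: bytes) -> list[dict]:
    """Return one finding per archive member that is a shortcut by content or by name."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            lower = info.filename.lower()
            head = b""
            if not info.flag_bits & 0x1:  # encrypted members cannot be read without a password
                with zf.open(info) as fh:
                    head = fh.read(len(LNK_MAGIC))
            by_content = head == LNK_MAGIC
            by_name = lower.endswith(".lnk")
            if not (by_content or by_name):
                continue
            stem = lower[:-4] if by_name else lower
            findings.append({
                "member": info.filename,
                "lnk_header": by_content,
                # "report.docx.lnk": Explorer hides ".lnk", so the user sees "report.docx"
                "double_extension": by_name and stem.endswith(DOC_HINTS),
                # shortcut bytes stored under a non-.lnk name
                "renamed_shortcut": by_content and not by_name,
            })
    return findings


def build_sample() -> bytes:
    """Constructed test archive: one benign text file and two disguised shortcuts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "plain text")
        zf.writestr("Order_2025.docx.lnk", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("Staff_list.xlsx", LNK_MAGIC + b"\x00" * 56)
    return buf.getvalue()
```

Any finding on an archive received over a messaging app is worth quarantining for analysis, since legitimate work documents are rarely shipped as shortcuts.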

Built to evade security tools

Hijack Loader checks for installed security products, including software from Microsoft, Kaspersky, Avast, Bitdefender, AVG, Emsisoft, and Webroot.

It calculates CRC32 hashes associated with those programs. This allows the malware to adapt its behavior and reduce the risk of being flagged.

Persistence is established through scheduled tasks, and additional measures are taken to bypass static signature-based detection. Once the environment is deemed safe, the loader injects Remcos RAT into a legitimate Windows process, chime.exe.

Signal app also weaponized by hackers

The newly flagged campaign highlights how everyday communication tools are increasingly being weaponized in cyber conflict.

This year, Russia-affiliated hackers have already exploited another popular messaging app, Signal, to send phishing messages to Ukraine's Defense Forces and employees of the Ukrainian defense industry.


The messages contained a PDF and an executable file, DarkTortilla, which decrypts and executes Dark Crystal RAT. That malware allows attackers to monitor user activity, activate hardware microphones or cameras, access files, and steal sensitive data.

Russian hackers were also noticed exploiting Signal’s “linked devices” feature to conduct remote phishing and malware delivery operations.

The campaign's main objective is to eavesdrop on Ukrainian soldiers and other individuals who are of interest to Russian intelligence services.

