UAC-0184 targets Ukrainian military and government entities via Viber-delivered malware
Campaign
Summary
Hide ▲
Show ▼
UAC-0184 has shifted to Viber-delivered malware to target Ukrainian military and government entities, extending an active 2025 espionage operation. The initial lure uses malicious ZIP archives with decoy LNK files disguised as Microsoft Word and Excel documents. The chain then pulls down smoothieks.zip, stages Hijack Loader in memory, and uses DLL side-loading and module stomping to reduce detection. It ends with Remcos RAT injected into chime.exe, giving the attackers remote control, monitoring, and data theft.
Related Happenings
TONResolver RAT delivered via ZIP, LNK, and PowerShell
Malware Activity
H score22
First: 30.06.2026 13:30
Last: 30.06.2026 13:30
Sources 1
About this happening:
The **TONResolver** malware implant was delivered through a **ZIP/LNK/PowerShell** chain that can establish a **remote access trojan** foothold and enable **command execution**. T...
TONResolver RAT delivered via ZIP, LNK, and PowerShell
Malware ActivityAbout this happening: The **TONResolver** malware implant was delivered through a **ZIP/LNK/PowerShell** chain that can establish a **remote access trojan** foothold and enable **command execution**. T...
OXLOADER loader stages CastleStealer via UAC prompting and DLL side-loading
Malware Activity
H score20
First: 22.06.2026 16:20
Last: 22.06.2026 16:20
Sources 1
About this happening:
The **OXLOADER** malware activity now shows a **loader** delivering **CastleStealer** through **PowerShell**, **UAC** prompting, and **DLL side-loading**, giving the stealer a ste...
OXLOADER loader stages CastleStealer via UAC prompting and DLL side-loading
Malware ActivityAbout this happening: The **OXLOADER** malware activity now shows a **loader** delivering **CastleStealer** through **PowerShell**, **UAC** prompting, and **DLL side-loading**, giving the stealer a ste...
REF8372 malicious Google Ads CastleStealer delivery campaign
Campaign
H score27
First: 22.06.2026 16:20
Last: 22.06.2026 16:20
Sources 1
About this happening:
The **REF8372** campaign now uses **malicious Google Ads** and a fake **Node.js** download site to deliver **OXLOADER** and **CastleStealer**, putting search users at risk of malw...
REF8372 malicious Google Ads CastleStealer delivery campaign
CampaignAbout this happening: The **REF8372** campaign now uses **malicious Google Ads** and a fake **Node.js** download site to deliver **OXLOADER** and **CastleStealer**, putting search users at risk of malw...
Vidar infostealer delivered through TikTok and Instagram Reels
Malware Activity
H score27
First: 10.06.2026 19:00
Last: 10.06.2026 19:00
Sources 1
About this happening:
Threat actors are using **TikTok** and **Instagram Reels** to deliver **Vidar infostealer** through fake free-software tutorials, putting viewers at risk of **credential**, **fina...
Vidar infostealer delivered through TikTok and Instagram Reels
Malware ActivityAbout this happening: Threat actors are using **TikTok** and **Instagram Reels** to deliver **Vidar infostealer** through fake free-software tutorials, putting viewers at risk of **credential**, **fina...
Open-OSS/privacy-filter Hugging Face infostealer activity
Malware Activity
H score69
First: 11.05.2026 10:05
Last: 11.05.2026 10:05
Sources 1
About this happening:
A malicious **Hugging Face repository** called **Open-OSS/privacy-filter** impersonated **OpenAI's Privacy Filter** and delivered a **Rust-based information stealer** to **Windows...
Open-OSS/privacy-filter Hugging Face infostealer activity
Malware ActivityAbout this happening: A malicious **Hugging Face repository** called **Open-OSS/privacy-filter** impersonated **OpenAI's Privacy Filter** and delivered a **Rust-based information stealer** to **Windows...
Timeline
-
05.01.2026 19:56 2 articles · 6mo ago
UAC-0184 Viber malware targeting Ukrainian entities
Initial Disclosure360 Threat Intelligence Center described UAC-0184, also tracked as Hive0156, as a Russia-aligned threat actor that targeted Ukrainian military and government entities in 2025 by abusing Viber to deliver malicious ZIP archives with decoy LNK files, fetching smoothieks.zip through PowerShell, deploying Hijack Loader with DLL side-loading and module stomping, and injecting Remcos RAT into chime.exe to gain endpoint control and steal data.
Show sources
- Russia-Aligned Hackers Abuse Viber to Target Ukrainian Military and Government — thehackernews.com — 05.01.2026 19:56
- Russia-Aligned Hackers Abuse Viber to Target Ukrainian Military and Government — thehackernews.com — 05.01.2026 19:56