UAC-0184 targets Ukrainian military and government entities via Viber-delivered malware

Campaign
H score 40
1 unique source, 1 article

Summary

UAC-0184 has shifted to Viber-delivered malware to target Ukrainian military and government entities, extending an active 2025 espionage operation. The initial lure uses malicious ZIP archives with decoy LNK files disguised as Microsoft Word and Excel documents. The chain then pulls down smoothieks.zip, stages Hijack Loader in memory, and uses DLL side-loading and module stomping to reduce detection. It ends with Remcos RAT injected into chime.exe, giving the attackers remote control, monitoring, and data theft.

Related Happenings

Open-OSS/privacy-filter Hugging Face infostealer activity

Malware Activity
First: 11.05.2026 10:05 Last: 11.05.2026 10:05 Sources 1

About this happening: A malicious **Hugging Face repository** called **Open-OSS/privacy-filter** impersonated **OpenAI's Privacy Filter** and delivered a **Rust-based information stealer** to **Windows...

Vidar Stealer 2.0 fake game-cheat distribution

Malware Activity
First: 18.03.2026 13:15 Last: 18.03.2026 13:15 Sources 1

About this happening: The **Vidar Stealer 2.0** malware is being spread through **fake game-cheat repositories** and **Reddit lures**, putting players seeking cheats for major online games at risk of ...

SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM multi-stage malware deployment

Malware Activity
First: 05.03.2026 14:01 Last: 05.03.2026 14:01 Sources 1

About this happening: A **Windows malware** set composed of **SPLITDROP**, **TWINTASK**, **TWINTALK**, and **GHOSTFORM** was deployed across **two infection chains**, expanding the operation’s command,...

OAuth-phished ZIP/LNK/PowerShell malware delivery chain

Malware Activity
First: 03.03.2026 11:20 Last: 03.03.2026 11:20 Sources 1

About this happening: **ZIP-delivered malware** now uses a **PowerShell** and **DLL side-loading** chain to infect Windows devices and reach an external **C2 server**, increasing the risk of follow-on...

MIMICRAT (aka AstarionRAT) ClickFix-delivered RAT activity

Malware Activity
First: 20.02.2026 13:55 Last: 20.02.2026 13:55 Sources 1

About this happening: The **MIMICRAT (aka AstarionRAT)** malware has been disclosed as a **ClickFix-delivered RAT** that enables **Windows token impersonation** and **SOCKS5 tunneling**, increasing the...

Timeline

  1. 05.01.2026 19:56 2 articles · 4mo ago

    UAC-0184 Viber malware targeting Ukrainian entities

    Initial Disclosure

    360 Threat Intelligence Center described UAC-0184, also tracked as Hive0156, as a Russia-aligned threat actor that targeted Ukrainian military and government entities in 2025 by abusing Viber to deliver malicious ZIP archives with decoy LNK files, fetching smoothieks.zip through PowerShell, deploying Hijack Loader with DLL side-loading and module stomping, and injecting Remcos RAT into chime.exe to gain endpoint control and steal data.
