
The attack demonstrates how popular messaging apps can become vectors for state‑aligned cyber‑espionage, threatening Ukraine’s defense data and governmental integrity. It forces both public and private sectors to reassess messaging security and incident‑response protocols.
The resurgence of UAC‑0184 highlights a strategic shift toward everyday communication tools as entry points for sophisticated espionage. Viber, a widely used messenger in Ukraine, offers a trusted delivery channel that bypasses many traditional email filters. By embedding malicious ZIP files within seemingly official parliamentary documents, the group exploits the urgency of military personnel record updates and compensation disputes, increasing the likelihood of user interaction. This approach mirrors earlier campaigns that abused Telegram and Signal, underscoring a pattern of leveraging popular platforms to infiltrate high‑value targets.
Technically, the infection chain is notable for its layered evasion tactics. The initial LNK shortcut or PowerShell script launches a downloader that retrieves a benign‑looking CFlux.exe, which then side‑loads a malicious DLL. Advanced techniques such as non‑standard control‑flow jumps into SQLite.Interop.dll, module stomping, and encrypted payloads concealed within PNG metadata allow the malware to slip past static analysis and endpoint detection. Once the HijackLoader component is assembled, it injects the Remcos RAT into the legitimate Chime.exe process, granting the adversary persistent remote control, data exfiltration, and command execution capabilities.
For Ukrainian defense and governmental bodies, the campaign signals an urgent need to harden messaging ecosystems. Recommendations include enforcing strict file‑type validation on Viber, deploying sandboxing for archive extraction, and implementing multi‑factor authentication for document access. Broader industry observers should note the growing convergence of social engineering, legitimate software abuse, and custom loader frameworks, which together raise the bar for detection and response. Strengthening threat‑intel sharing and continuous user awareness training will be essential to mitigate similar state‑aligned threats across the region.
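To make the archive-validation recommendation concrete, here is an added triage routine (example code, not from the original report or any vendor tool) that inspects a ZIP before extraction and flags the traits described in the infection chain above: LNK or PowerShell members, document-lookalike double extensions, and an .exe shipped beside a .dll, the layout used for DLL side-loading. The sample archive and member names are constructed for illustration; only `CFlux.exe` is taken from the report.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Member types that have no business inside a "parliamentary document" archive.
EXECUTABLE_EXT = {".lnk", ".ps1", ".exe", ".dll", ".bat", ".cmd", ".vbs", ".js", ".hta", ".scr"}
DOCUMENT_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt"}


def triage_archive(data: bytes) -> list[str]:
    """Return findings for a ZIP given as bytes: executable/script members,
    document lookalikes such as 'order.pdf.lnk', and exe+dll side-load pairs."""
    findings = []
    exe_dirs, dll_dirs = set(), set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = PurePosixPath(info.filename)  # ZIP names always use '/'
            suffixes = [s.lower() for s in path.suffixes]
            ext = suffixes[-1] if suffixes else ""
            if ext in EXECUTABLE_EXT:
                findings.append(f"executable member: {info.filename}")
            # 'Report.pdf.lnk' shows as 'Report.pdf' when extensions are hidden
            if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXT and ext in EXECUTABLE_EXT:
                findings.append(f"document lookalike: {info.filename}")
            if ext == ".exe":
                exe_dirs.add(str(path.parent))
            elif ext == ".dll":
                dll_dirs.add(str(path.parent))
    # An .exe and a .dll in the same folder is the classic side-loading layout.
    for folder in sorted(exe_dirs & dll_dirs):
        findings.append(f"exe+dll side-loading layout in: {folder}")
    return findings


def build_sample_archive() -> bytes:
    """Constructed lure archive for demonstration; contents are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Personnel_Update_Order.pdf.lnk", b"placeholder")
        zf.writestr("tools/CFlux.exe", b"placeholder")
        zf.writestr("tools/helper.dll", b"placeholder")  # hypothetical DLL name
        zf.writestr("README.txt", b"benign text")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_archive(build_sample_archive()):
        print(finding)
```

In production this would run inside the extraction sandbox, with a quarantine decision taken on any non-empty finding list rather than on extension alone.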