Saved February 14, 2026
Do you care about this?
A Russia-aligned hacking group, UAC-0184, is using Viber to deliver malware to Ukrainian military and government targets. They exploit war-themed phishing emails to deploy Hijack Loader, which installs Remcos RAT for remote control and data theft.
If you do, here's more
Russia-aligned hackers, known as UAC-0184 or Hive0156, are actively targeting Ukrainian military and government entities using the Viber messaging platform. Their recent strategy involves delivering malicious ZIP files that contain Windows shortcut files disguised as Microsoft Word and Excel documents. The goal is to trick individuals into opening these files, which then execute a malware loader called Hijack Loader in the background.
Once activated, Hijack Loader fetches additional malicious components from a remote server using a PowerShell script. This multi-stage attack employs techniques like DLL side-loading to avoid detection by security software. The loader scans for installed security programs, including those from Kaspersky and Bitdefender, to disable or evade them. It establishes persistence on the infected machine and ultimately deploys Remcos RAT, a remote administration tool that allows attackers to control the compromised system, execute commands, and exfiltrate data.
The use of messaging apps like Viber for malware delivery marks a shift in tactics for these hackers, who have previously utilized platforms like Signal and Telegram. The 360 Threat Intelligence Center emphasizes that Remcos, marketed as legitimate software, is frequently exploited by cybercriminals for espionage and data theft. The capabilities of this tool enable attackers to manage the infected host with precision, posing a significant threat to Ukrainian security efforts.