What actually happened
The attackers initiated contact with victims through Viber messages that appeared legitimate and contextually relevant. In several cases, the messages impersonated military or administrative contacts and referenced operational topics such as reports, unit coordination, or documentation updates. The language used was natural, aligned with military workflows, and designed to prompt quick action.
The messages included a file attachment, typically compressed or carrying a document-like file name that suggested official content. Once the recipient opened the attachment, malicious code executed locally on the system.
There is no indication that any Viber vulnerability was exploited. The platform itself was not compromised. The attack succeeded purely due to user interaction, making this a textbook example of targeted social engineering.
Initial infection vector
The initial access vector was manual execution of a malicious file delivered via Viber.
Observed file types included:
- ZIP or RAR archives
- Windows shortcut files (.LNK)
- JavaScript files (.JS)
- Executables disguised with document-style names or icons
In some cases, archives contained a shortcut file that executed an embedded command when opened. In others, a JavaScript file acted as the first-stage launcher. These files were visually crafted to appear harmless and consistent with official documentation.
No macros, exploits, or privilege escalation vulnerabilities were involved at this stage.
Stage one payload: Hijack Loader
Once the user opened the malicious file, Hijack Loader executed. It served as a lightweight staging component whose sole purpose was to prepare the system and retrieve the final espionage payload.
Hijack Loader behavior included:
- Execution under the current user context
- Basic system profiling (username, hostname, OS version)
- Establishing outbound communication to attacker-controlled infrastructure
- Downloading and executing the second-stage payload
- Simple string and configuration obfuscation to evade static detection
Hijack Loader did not perform overtly malicious actions on its own. Its design was intentionally minimal to reduce detection and forensic artifacts.
Persistence mechanisms
Persistence was achieved without administrative privileges. Observed and inferred methods included:
- Registry Run or RunOnce keys under HKCU
- Scheduled tasks masquerading as legitimate system or update tasks
- Placement of executables in user-writable directories such as %APPDATA%, %LOCALAPPDATA%, or %TEMP%
These techniques allowed the malware to survive reboots while remaining low-profile.
Stage two payload: Remcos RAT
After Hijack Loader completed its task, the Remcos Remote Access Trojan was downloaded and executed. Remcos acted as the primary espionage tool and gave the attackers full remote control of the infected system.
Capabilities observed or enabled in this campaign included:
- Remote command execution
- Keystroke logging
- Screenshot capture
- File enumeration and exfiltration
- Uploading additional tools or files
- Harvesting credentials from browsers and locally stored applications
- System and network reconnaissance
- Maintaining persistence and re-establishing access if interrupted
The Remcos configuration was customized for stealth rather than aggressive activity, consistent with intelligence collection operations.
Command-and-control communications
Remcos initiated outbound-only connections to command-and-control infrastructure controlled by the attackers. This design avoided inbound firewall restrictions and reduced visibility.
Key characteristics:
- TCP-based communication
- Non-standard destination ports
- Encrypted traffic using Remcos’ native protocol
- Periodic beaconing at consistent intervals
- Use of rotating IP addresses or dynamic DNS
Traffic volumes were low and designed to blend into normal background activity.
Vulnerabilities and exploitation assessment
- No CVEs were exploited
- No privilege escalation vulnerabilities were observed
- No zero-day or known exploits were involved
The entire infection chain relied on:
- Trust in messaging platforms
- Context-aware social engineering
- User execution of malicious files
This significantly lowers the technical barrier for the attackers while maintaining high success against targeted individuals.
Data and impact assessment
The intent of the operation was espionage. Based on malware functionality and observed behavior, the following data was at risk:
- Military documents stored locally
- Operational notes and reports
- Credentials cached in browsers or applications
- Screenshots of internal systems or tools
- System configuration and network information
There is no evidence of destructive actions, ransomware deployment, or sabotage. The activity aligns with long-term intelligence gathering.
Indicators of compromise (IOCs)
File system indicators
.LNK files masquerading as documents
.JS files executed from archive extraction paths
Unknown executables located in:
%APPDATA%
%LOCALAPPDATA%
%TEMP%
Registry indicators
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Process behavior
explorer.exe → cmd.exe
explorer.exe → wscript.exe
cmd.exe executing from user-writable directories
Network behavior
Outbound TCP connections to uncommon ports (>2000)
Low-volume encrypted beaconing
Connections initiated shortly after file execution
Detection – Splunk
Suspicious execution from user directories:
index=endpoint
(process_name=cmd.exe OR process_name=wscript.exe)
parent_process_name=explorer.exe
(command_line="*AppData*" OR command_line="*Temp*")
Persistence via registry:
index=endpoint
registry_path="*\\CurrentVersion\\Run*"
registry_value_data="*.exe"
Suspicious outbound traffic:
index=network
dest_port > 2000
bytes_out < 5000
bytes_in < 5000
| stats count by src_ip, dest_ip, dest_port
Detection – Microsoft Sentinel (KQL)
Suspicious script or shortcut execution:
DeviceProcessEvents
| where FileName in ("wscript.exe","cscript.exe","cmd.exe")
| where ProcessCommandLine has_any ("AppData","Temp",".js",".lnk")
Registry-based persistence:
DeviceRegistryEvents
| where RegistryKey contains "CurrentVersion\\Run"
| where RegistryValueData endswith ".exe"
Outbound C2-like traffic:
DeviceNetworkEvents
| where InitiatingProcessFileName !in ("chrome.exe","msedge.exe","firefox.exe")
| where RemotePort > 2000
| summarize count() by DeviceName, RemoteIP, RemotePort
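The Splunk and Sentinel rules above express the same three heuristics: a launcher spawned by explorer.exe from a user-writable path, Run-key persistence, and low-volume outbound traffic to high ports. As an added example that is not part of the original report, the following Python applies those heuristics to constructed sample events and goes one step further on the network side by scoring how regular the beacon interval is, matching the consistent-interval beaconing noted in the C2 section. The event field layouts, process names, paths and timestamps are all assumptions.

```python
# Added example (not from the report): the three detections above, run over constructed sample telemetry.
from statistics import pstdev

LAUNCHERS = {"cmd.exe", "wscript.exe", "cscript.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
USER_DIRS = ("\\appdata\\", "\\temp\\")  # user-writable staging paths named in the report
RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

PROCESS_EVENTS = [  # constructed: (parent process, process, command line)
    ("explorer.exe", "wscript.exe", r"wscript.exe C:\Users\a\AppData\Local\Temp\report.js"),
    ("explorer.exe", "cmd.exe", r"cmd.exe /c C:\Users\a\AppData\Roaming\update.exe"),
    ("services.exe", "cmd.exe", r"cmd.exe /c C:\Temp\job.bat"),  # not spawned by explorer.exe
]
REGISTRY_EVENTS = [  # constructed: (key, value name, value data)
    (RUN, "Updater", r"C:\Users\a\AppData\Roaming\update.exe"),
    (RUN, "OneDrive", r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"),  # not user-writable
]
NETWORK_EVENTS = [  # constructed: (seconds, process, dest ip, dest port, bytes out, bytes in)
    (0, "update.exe", "203.0.113.10", 2404, 310, 120),
    (60, "update.exe", "203.0.113.10", 2404, 305, 118),
    (121, "update.exe", "203.0.113.10", 2404, 312, 120),
    (180, "update.exe", "203.0.113.10", 2404, 308, 119),
    (15, "chrome.exe", "198.51.100.7", 8443, 900, 4000),  # browser: excluded
    (90, "teams.exe", "198.51.100.20", 3478, 400, 200),   # single flow: too few hits
]

def suspicious_launches(events):
    """explorer.exe spawning cmd/script hosts with a user-writable path on the command line."""
    return [e for e in events if e[0] == "explorer.exe" and e[1] in LAUNCHERS
            and any(d in e[2].lower() for d in USER_DIRS)]

def suspicious_run_keys(events):
    """HKCU Run/RunOnce values whose .exe payload lives in a user-writable directory."""
    return [e for e in events if "currentversion\\run" in e[0].lower()
            and e[2].lower().endswith(".exe")
            and any(d in e[2].lower() for d in USER_DIRS)]

def beacon_candidates(events, min_hits=4, max_jitter=0.2):
    """Low-volume non-browser flows to ports >2000 that recur at a near-constant interval."""
    flows = {}
    for ts, proc, ip, port, b_out, b_in in events:
        if proc not in BROWSERS and port > 2000 and b_out < 5000 and b_in < 5000:
            flows.setdefault((proc, ip, port), []).append(ts)
    hits = []
    for key, times in flows.items():
        gaps = [b - a for a, b in zip(sorted(times), sorted(times)[1:])]
        mean = sum(gaps) / len(gaps) if len(times) >= min_hits else 0
        if mean > 0 and pstdev(gaps) / mean <= max_jitter:  # jitter = stdev / mean interval
            hits.append((key, mean))  # (flow, mean beacon interval in seconds)
    return hits
```

The jitter threshold is the tunable part: Remcos-style beacons with a fixed sleep score near zero, while interactive traffic to the same high port will not.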
Why this operation worked
The success of this campaign did not depend on advanced exploits. It worked because:
- Viber is widely trusted and routinely used
- Messages were tailored and relevant
- Attachments looked legitimate
- The malware chain was quiet and modular
- The targets were carefully selected
This highlights a persistent risk where personal messaging tools overlap with operational environments.
Final takeaway
This activity represents a deliberate, low-noise espionage operation aligned with ongoing military intelligence objectives. The attackers demonstrated patience, operational awareness, and an understanding of their targets’ communication habits.
The most important takeaway is that secure platforms do not prevent compromise when trust is abused. As long as users can be convinced to open files, even well-defended environments remain vulnerable.
