A sophisticated Russian-aligned threat actor known as Hive0156 has intensified its cyber espionage campaigns against Ukrainian government and military organizations, deploying the notorious Remcos Remote Access Trojan through carefully crafted social engineering attacks.
The group has demonstrated remarkable persistence in targeting Ukraine’s defense infrastructure throughout 2025, utilizing weaponized Microsoft LNK files and PowerShell scripts as primary attack vectors.
The threat actor’s operations represent a significant escalation in cyber warfare tactics, with attackers using decoy documents themed around topics of direct relevance to Ukraine’s defense establishment to entice victims into opening them.
These malicious campaigns exploit the ongoing conflict by incorporating themes such as battalion readiness checks, wartime casualties, and operational staff distribution to maximize the likelihood of successful infiltration.
IBM analysts identified that Hive0156’s tactics, techniques, and procedures (TTPs) strongly overlap with CERT-UA’s UAC-0184 actor, suggesting coordinated efforts within Russia’s cyber operations framework.
The group has evolved its targeting strategy from exclusively military personnel to a broader audience, incorporating themes related to petitions and official correspondence in recent campaigns.
Recent analysis reveals that Hive0156 has simplified its delivery mechanisms while maintaining operational effectiveness.
The attack chain begins with weaponized first-stage LNK or PowerShell files that establish communication with command-and-control infrastructure.
Upon successful connection, the malware retrieves both a decoy document and a compressed archive containing malicious components.
Sophisticated Multi-Stage Infection Mechanism
The group’s infection chain relies on HijackLoader, also known as IDAT Loader, which serves as the primary delivery mechanism for Remcos RAT.
The HijackLoader package contains five critical components working in concert to evade detection and establish persistent access.
The infection begins when victims execute PortRemo.exe, a legitimately signed executable that loads a malicious sqlite3.dll shipped in the same package, a classic DLL side-loading pattern.
This patched Dynamic Link Library contains code that starts the HijackLoader sequence when its sqlite3_result_text16() export is called.
The DLL’s export table is also manipulated so that static analysis tools such as IDA Pro have difficulty parsing the file structure.
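The side-loading step described above is one a defender can hunt for in image-load telemetry. The following is an added example, not code from the report or from IBM, that scores constructed records carrying the field names Sysmon Event ID 7 (ImageLoad) exposes: Image, ImageLoaded, Signed and SignatureStatus. It alerts only when an unsigned DLL is loaded from a user-writable directory that is also the host process’s own directory, since each of those signals alone is common in benign software. The paths, the sample events and the list of user-writable prefixes are assumptions made for the example; only the names PortRemo.exe and sqlite3.dll come from the page.

```python
from pathlib import PureWindowsPath

# Prefixes a standard user can write to (assumed list for the example).
# Unsigned DLLs loaded from here next to their host binary are the typical
# side-loading picture.
USER_WRITABLE_PREFIXES = (
    "c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\", "c:\\temp\\",
)


def is_user_writable(path):
    return path.lower().startswith(USER_WRITABLE_PREFIXES)


def same_directory(path_a, path_b):
    return PureWindowsPath(path_a.lower()).parent == PureWindowsPath(path_b.lower()).parent


def evaluate_image_load(evt):
    """Score one image-load record using the fields Sysmon Event ID 7 exposes:
    Image (host process), ImageLoaded (DLL), Signed, SignatureStatus.
    Returns (alert, reasons); reasons lists every signal that fired."""
    proc, dll = evt["Image"], evt["ImageLoaded"]
    reasons = []
    if not dll.lower().endswith(".dll"):
        return False, reasons
    unsigned = (evt.get("Signed", "false").lower() != "true"
                or evt.get("SignatureStatus") != "Valid")
    if unsigned:
        reasons.append("loaded DLL is unsigned or its signature is not valid")
    if is_user_writable(dll):
        reasons.append("DLL loaded from a user-writable directory")
    if same_directory(proc, dll):
        reasons.append("DLL sits in the host process's own directory (side-by-side load)")
    # Alert only on the full combination; each signal alone is common in benign software.
    alert = unsigned and is_user_writable(dll) and same_directory(proc, dll)
    return alert, reasons


def hunt(events):
    """Return (Image, ImageLoaded, reasons) for every record that trips the rule."""
    hits = []
    for evt in events:
        alert, reasons = evaluate_image_load(evt)
        if alert:
            hits.append((evt["Image"], evt["ImageLoaded"], reasons))
    return hits


# Constructed records using Sysmon Event ID 7 field names; all paths are made up.
SAMPLE_EVENTS = [
    {   # the pattern the page describes: signed host EXE loading a patched sqlite3.dll beside it
        "Image": r"C:\Users\victim\AppData\Local\Temp\pkg\PortRemo.exe",
        "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\pkg\sqlite3.dll",
        "Signed": "false", "SignatureStatus": "Unavailable",
    },
    {   # unsigned sqlite3.dll under Program Files: common for legitimate apps, no alert
        "Image": r"C:\Program Files\SomeApp\app.exe",
        "ImageLoaded": r"C:\Program Files\SomeApp\sqlite3.dll",
        "Signed": "false", "SignatureStatus": "Unavailable",
    },
    {   # tool in a user directory loading a Microsoft-signed system DLL: no alert
        "Image": r"C:\Users\victim\AppData\Local\Tool\tool.exe",
        "ImageLoaded": r"C:\Windows\System32\version.dll",
        "Signed": "true", "SignatureStatus": "Valid", "Signature": "Microsoft Windows",
    },
    {   # unsigned DLL from Downloads but not beside the host: reasons recorded, no alert
        "Image": r"C:\Program Files\Viewer\viewer.exe",
        "ImageLoaded": r"C:\Users\victim\Downloads\plugin.dll",
        "Signed": "false", "SignatureStatus": "Unavailable",
    },
]

if __name__ == "__main__":
    for image, loaded, reasons in hunt(SAMPLE_EVENTS):
        print(f"ALERT {image} -> {loaded}")
        for reason in reasons:
            print("   -", reason)
```

The rule is deliberately narrow; the fourth sample event shows two signals firing without an alert. In a real deployment the reasons list is worth keeping as context on lower-severity findings, and the host executable’s own signature (which Event ID 7 does not carry) would be joined in from a separate source to confirm the "signed host, unsigned DLL" pairing the report describes.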
sqlite3_result_text16() → Malicious function call
↓
Decrypt first-stage shellcode
↓
Process PNG file containing HijackLoader modules
↓
Execute final Remcos payload

The encrypted PNG file, randomly named in each campaign, contains multiple HijackLoader modules including AVDATA for security software detection, ESAL for payload execution, and rshell for memory management.
These modules work collectively to inject the final Remcos payload into a remote process, establishing covert communication channels with the attackers’ command-and-control servers spanning multiple geographic locations.
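A PNG that carries loader modules rarely survives a structural check. The following is an added example, not code from the report, of a small PNG triage routine a defender can run over image files dropped by a suspicious download: it walks the chunk list, flags chunk types outside the PNG specification, bad CRCs, bytes appended after IEND, IDAT data that is not valid zlib (as an encrypted or foreign blob would be), and decoded pixel data whose size disagrees with the IHDR dimensions. Where HijackLoader actually stores its modules inside the PNG is not stated on the page, so the checks are generic rather than a signature for this family; all sample images are constructed inline.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types defined in the PNG specification; anything else is worth a look.
STANDARD_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"gAMA", b"cHRM", b"sRGB",
    b"iCCP", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"pHYs", b"sBIT", b"sPLT",
    b"hIST", b"tIME",
}
# Samples per pixel for each PNG colour type (8-bit depth assumed below).
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}


def parse_chunks(data):
    """Walk the chunk list; return (chunks, trailing_bytes).
    chunks is a list of (type, body, crc_ok). Parsing stops at IEND, so
    anything glued onto the end of the file shows up as trailing bytes."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    chunks = []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            chunks.append((ctype, data[pos + 8:], False))  # truncated chunk
            return chunks, b""
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:end])
        crc_ok = (zlib.crc32(ctype + body) & 0xFFFFFFFF) == crc
        chunks.append((ctype, body, crc_ok))
        pos = end
        if ctype == b"IEND":
            break
    return chunks, data[pos:]


def triage_png(data):
    """Return a list of human-readable findings; an empty list means nothing odd."""
    findings = []
    chunks, trailing = parse_chunks(data)
    for ctype, body, crc_ok in chunks:
        if ctype not in STANDARD_CHUNKS:
            findings.append(f"non-standard chunk {ctype!r} of {len(body)} bytes")
        if not crc_ok:
            findings.append(f"bad CRC on chunk {ctype!r}")
    if trailing:
        findings.append(f"{len(trailing)} bytes appended after IEND")
    ihdr = next((b for t, b, _ in chunks if t == b"IHDR"), None)
    if ihdr is None or len(ihdr) != 13:
        findings.append("missing or malformed IHDR")
        return findings
    width, height, depth, colour = struct.unpack(">IIBB", ihdr[:10])
    idat = b"".join(b for t, b, _ in chunks if t == b"IDAT")
    try:
        raw = zlib.decompress(idat)
    except zlib.error:
        findings.append("IDAT data is not valid zlib (encrypted or foreign content)")
        return findings
    if depth == 8 and colour in CHANNELS:
        expected = height * (1 + width * CHANNELS[colour])  # one filter byte per row
        if len(raw) != expected:
            findings.append(f"decoded IDAT is {len(raw)} bytes, expected {expected}")
    return findings


# --- constructed samples (not files from the campaign) ----------------------

def _chunk(ctype, body):
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_png(width=2, height=2, extra_chunks=(), trailing=b"", idat_override=None):
    """Minimal 8-bit RGB PNG, optionally with extra chunks, odd IDAT content or appended bytes."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    rows = b"".join(b"\x00" + b"\x00\x00\x00" * width for _ in range(height))
    idat = idat_override if idat_override is not None else zlib.compress(rows)
    out = PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat)
    for ctype, body in extra_chunks:
        out += _chunk(ctype, body)
    return out + _chunk(b"IEND", b"") + trailing


CLEAN_PNG = build_png()
APPENDED_PNG = build_png(trailing=b"\x7fELF" + b"\x00" * 64)          # blob glued after IEND
ODD_CHUNK_PNG = build_png(extra_chunks=[(b"mOdL", b"\xaa" * 256)])     # private chunk type
STUFFED_IDAT_PNG = build_png(idat_override=zlib.compress(b"\x11" * 4096))  # IDAT larger than image
OPAQUE_IDAT_PNG = build_png(idat_override=b"\x99" * 300)               # IDAT that is not zlib

if __name__ == "__main__":
    for name, blob in [("clean", CLEAN_PNG), ("appended", APPENDED_PNG),
                       ("odd chunk", ODD_CHUNK_PNG), ("stuffed", STUFFED_IDAT_PNG),
                       ("opaque", OPAQUE_IDAT_PNG)]:
        print(name, "->", triage_png(blob) or "no findings")
```

None of these findings proves a file is malicious (legitimate tools add private chunks, and some editors leave junk after IEND), but a PNG that fails several of them and was written by a freshly downloaded executable deserves a closer look.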
Hive0156 operates campaign identifiers including hmu2005, gu2005, ra2005, and ra2005new, suggesting organized operational management.
The group geofences its infrastructure so that only Ukrainian IP addresses receive payloads, and it filters requests by expected user-agent strings; this keeps delivery focused on the intended victims and makes the infrastructure harder for security researchers to probe.