Hive0156 Hackers Targeting Government and Military Organizations to Deploy REMCOS RAT
IBM X-Force researchers have identified ongoing cyber campaigns by Hive0156, a Russian-aligned threat actor, systematically targeting Ukrainian government and military personnel with sophisticated malware attacks.
The group, which shows significant operational overlap with CERT-UA’s UAC-0184 actor, has been actively deploying the Remcos Remote Access Trojan (RAT) throughout Ukraine, maintaining persistent access to critical infrastructure and sensitive military communications.
Evolving Attack Strategies
Initially focused exclusively on Ukrainian military personnel, Hive0156’s targeting strategy has evolved significantly since mid-2025.
The threat actors previously utilized highly specific military-themed decoy documents, including fabricated reports about wartime losses from the 33rd Mechanized Brigade, battalion readiness assessments, and personnel distribution calculations.
These documents often contained authentic-seeming military terminology and unit references, such as “uzagalnena_informacia_spisan_vtrat_33_ombr_100103.xlsx” and “Nakaz_shchodo_perevyrky_gotovnosty_1mehbat_14.07.2024.docx,” designed to entice military personnel into opening malicious files.
However, recent intelligence indicates a strategic shift toward broader civilian targeting.
Since mid-2025, researchers have observed decoy documents themed around “petitions,” “official cover letters,” and “formal rejections,” written in transliterated Ukrainian, suggesting the group has expanded beyond military targets to government officials, contractors, and civilian infrastructure personnel.
The attack methodology employs a sophisticated multi-stage infection chain beginning with weaponized Microsoft LNK files or PowerShell scripts.
Upon execution, these initial payloads contact command-and-control infrastructure to retrieve both decoy documents and malicious zip archives containing HijackLoader components.
The group implements geographic filtering and user-agent verification to ensure successful payload delivery while evading detection systems.

Technical Sophistication
Hive0156 demonstrates considerable technical sophistication through its use of HijackLoader, also known as IDAT Loader, as an intermediate payload delivery mechanism.
This loader requires multiple components including legitimate signed executables, patched DLL files, encrypted PNG files containing additional modules, and shellcode files with random naming conventions.
The complexity of this delivery system suggests significant resources and technical expertise behind the operation.
The ultimate payload, Remcos RAT, provides extensive remote access capabilities including keylogging, screen recording, audio surveillance, credential theft, and complete system control.
Analysis of captured Remcos configurations reveals the group operates multiple parallel campaigns using distinct campaign identifiers such as “hmu2005,” “gu2005,” “ra2005,” and “ra2005new,” indicating organized and systematic operations.
The threat actors maintain global command-and-control infrastructure, likely benefiting from Russian hosting providers’ tolerance for malicious activities.
Their operational security includes geofencing restrictions and continuous configuration updates delivered through C2 channels, suggesting the group prioritises keeping dormant access and enables surveillance features selectively as operational needs dictate.
Security researchers recommend implementing comprehensive defense measures including enhanced user awareness training, updated endpoint protection capable of detecting Remcos variants, network segmentation to limit lateral movement, geographic blocking of suspicious IP ranges, behavioral analysis monitoring, and robust incident response procedures. Organizations with connections to Ukrainian government or military operations face heightened risk and should prioritize these protective measures.
Indicators of Compromise
Indicator | Type | Context |
---|---|---|
5.101.83[.]18 | IP Address | C2 Server |
5.101.83[.]19 | IP Address | C2 Server |
146.185.239[.]11 | IP Address | C2 Server |
146.185.239[.]12 | IP Address | C2 Server |
6637405265adc8bbad328baacb7e67c517324d7ca3ab54d97498d8038e2a87f8 | SHA256 | Malicious LNK |
46d633c2937eeca2748435e51558898f84cf36fe75f841b35d6f655082a7cce0 | SHA256 | Malicious LNK |
2387e5e7f1eebfa1c27f957fa0f5dc2d7607e2e8b624e8fbed22dbb3258987e2 | SHA256 | Malicious PowerShell |
2d69f5ac19a8f9d498921665961575a3ac8799348f8eaa63217f20f1f913858e | SHA256 | HijackLoader |
e2828abd351fef967f6d331d5fc3618fae186dec75db344aa10e4b0507a0f28a | SHA256 | Remcos RAT |
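As an added example (not code from the IBM X-Force report), the Python below refangs the indicators from the table above and checks constructed proxy, EDR and mail log lines against them, which is one way to act on the endpoint and network monitoring recommended earlier. The log line formats and the helper names refang and scan_logs are assumptions for this example.

```python
import re

# Indicators exactly as published in the article's IoC table (defanged "[.]");
# the sample log lines further down are constructed for this example.
INDICATORS = {
    "5.101.83[.]18": "C2 Server",
    "5.101.83[.]19": "C2 Server",
    "146.185.239[.]11": "C2 Server",
    "146.185.239[.]12": "C2 Server",
    "6637405265adc8bbad328baacb7e67c517324d7ca3ab54d97498d8038e2a87f8": "Malicious LNK",
    "46d633c2937eeca2748435e51558898f84cf36fe75f841b35d6f655082a7cce0": "Malicious LNK",
    "2387e5e7f1eebfa1c27f957fa0f5dc2d7607e2e8b624e8fbed22dbb3258987e2": "Malicious PowerShell",
    "2d69f5ac19a8f9d498921665961575a3ac8799348f8eaa63217f20f1f913858e": "HijackLoader",
    "e2828abd351fef967f6d331d5fc3618fae186dec75db344aa10e4b0507a0f28a": "Remcos RAT",
}
# Decoy file names quoted in the article; a name hit is weaker evidence than a hash hit.
DECOY_NAMES = (
    "uzagalnena_informacia_spisan_vtrat_33_ombr_100103.xlsx",
    "Nakaz_shchodo_perevyrky_gotovnosty_1mehbat_14.07.2024.docx",
)

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")


def refang(ioc: str) -> str:
    """Live form of a defanged indicator: "5.101.83[.]18" -> "5.101.83.18"."""
    return ioc.replace("[.]", ".")


def scan_logs(lines):
    """Return (line_no, indicator, context) for each published IoC found in `lines`.
    IPs match only as whole dotted tokens, hashes case-insensitively, decoy names as substrings."""
    lookup = {refang(k): v for k, v in INDICATORS.items()}
    hits = []
    for n, line in enumerate(lines, 1):
        tokens = IP_RE.findall(line) + [h.lower() for h in SHA256_RE.findall(line)]
        hits.extend((n, t, lookup[t]) for t in tokens if t in lookup)
        hits.extend((n, d, "Decoy document") for d in DECOY_NAMES if d.lower() in line.lower())
    return hits


# Constructed sample lines: a proxy hit on a C2 IP, an EDR hash hit written in upper case,
# a mail log carrying a decoy file name, and one benign line (146.185.239.1 is not listed).
SAMPLE_LOGS = [
    "proxy src=10.0.0.5 dst=5.101.83.18 dport=443 ua=Mozilla/5.0",
    "edr file=C:\\Users\\u\\Downloads\\report.lnk sha256=6637405265ADC8BBAD328BAACB7E67C517324D7CA3AB54D97498D8038E2A87F8",
    "mail attachment=Nakaz_shchodo_perevyrky_gotovnosty_1mehbat_14.07.2024.docx",
    "proxy src=10.0.0.7 dst=146.185.239.1 dport=80",
]
```

Running scan_logs(SAMPLE_LOGS) yields three hits (lines 1, 2 and 3) and nothing for the benign fourth line; a hit on a decoy name alone warrants triage rather than an automatic verdict.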