Hive0156 continues Remcos campaigns against Ukraine

As of early July 2025, IBM X-Force is monitoring active Hive0156 Remcos Remote Access Trojan (RAT) campaigns targeting victims in Ukraine. Hive0156 is a Russian-aligned threat actor seeking to compromise individuals within the Ukrainian government or military. The group’s Tools, Tactics and Procedures (TTPs) strongly overlap with CERT-UA’s UAC-0184 actor. Hive0156 delivers weaponized Microsoft LNK and PowerShell files, leading to the download and execution of Remcos RAT. X-Force observed key decoy documents featuring themes that suggest a focus on the Ukrainian military and evolving to a potential wider audience.

• Hive0156 continues to deliver Remcos RAT throughout Ukraine
• Decoy document themes are highly relevant to Ukraine’s military personnel
• Access to Ukrainian infrastructure remains a key priority for Russian-aligned actors

Hive0156 is a Russian-aligned threat actor primarily using commodity malware and decoy documents to orchestrate malicious cyber campaigns in Ukraine. Reported throughout 2024, Hive0156 targeted Ukrainian military signal chats and personnel by delivering malicious LNK files or PowerShell scripts, leading to Remcos infections. The group uses decoy document themes highly relevant to personnel concerned with the operational posture of the Ukrainian military.

Leading up to mid-2025, Hive0156’s widespread use of relevant military themes for decoy documents suggests a priority interest in targeting members of the Ukrainian military. Decoy documents in the campaigns are often corrupted or junk data files, but reveal themes selected by the group to entice victim engagement. Filenames are often found in transliterated forms of Russian or Ukrainian. Highlighted below are documents used by Hive0156 in their operations before Mid-2025.

The 33^rd Mechanized is a Brigade of the Ukrainian Ground Forces. In late 2024, the 33^rd participated in combat operations in Kurakhove and later the front lines of Heorhiivka and Vuhledar. The decoy is an unauthenticated functional Excel document with various metrics generally communicating the levels of various resources.

Nakaz_shchodo_perevyrky_gotovnosty_1mehbat_14.07.2024.docx may refer to an order of readiness and possibly relate to the 33^rd Mechanized Brigade. The filename refers to the readiness of the first mechanized battalion, an official battalion within the 33^rd.

In June 2024, CERT-UA reported UAC-0184 delivering malicious files featuring Ukraine's 3rd Separate Assault Brigade, which led to similar attack chains.

Machine translated, Rozrahunok_rozpodyl_operatyvnogo_skladu.doc refers to the distribution of the operational staff. Given consistent wartime themes, it is likely this refers to troop numbers.

Pozicii_protivnika_zapad_i_yugo_zapad.xlsx is translated from Russian, and is a functional Excel document. The file consists of coordinates mapping to the Zanjan Providence of Iran. Upon inspection of the coordinates, the locations appear to consist mostly of farmland near irrigation sources such as the Tikmeh Dash River.

As of mid-2025, X-Force is observing transliterated Ukrainian language decoy documents featuring themes related to “petitions”, “official cover letters” or “formal rejections”. This is a departure from the group's emphasis on military themes to a more general audience. Decoy documents observed after mid-2025 are generally corrupted or filled with junk data.

As of early July 2025, the group continues to deliver Remcos as their primary final payload and has simplified their delivery since 2024. Recent Hive0156 campaigns begin with a weaponized first-stage LNK or PowerShell file. Upon execution, the first stage attempts to contact the actor's command-and-control (C2) infrastructure to retrieve the decoy document and zip archive of malicious files. The communication to the C2 server is filtered by geographic region and an expected user-agent. Upon successful retrieval, the decoy document is presented to the user, but is often corrupted. In the background, an instance of Hijackloader (a.k.a. IDAT Loader) is executed and delivers Remcos RAT.

In recent campaigns, Hive0156 alternates its first-stage infections between malicious LNK or PowerShell files. The functionality of both types is equivalent. First stage execution is critical to the group's delivery of their loader malware, which is downloaded in a zip archive.  Both first-stage types execute a HijackLoader infection chain in the background while presenting the user with a decoy document.

One key difference between LNK and PowerShell-style campaigns is the delivery of the decoy document. In LNK-based campaigns, two separate C2 requests are initiated to download the decoy document and the HijackLoader ZIP archive. In PowerShell-based campaigns, one call to download the HijackLoader ZIP file is initiated and contains the decoy document. This distinction may help network defenders identify the type of first-stage infection encountered.

The execution of HijackLoader serves as the group's delivery mechanism for Remcos. Also known as IDAT Loader, HijackLoader references data files co-located within the first-stage zip to unravel the final payload – Remcos.

The threat actor packages HijackLoader within a ZIP file. HijackLoader ZIP files contain multiple components, all required to be present in order to continue the infection chain.

The following components are normally present within a HijackLoader ZIP file:

• A legitimate executable that is usually signed by a valid certificate. (In this case, PortRemo.exe)
• Legitimate DLL files are required to run the legitimate executable. (In this case, Tools.dll)
• A patched DLL file that contains code that loads further stages of HijackLoader. (In this case, sqlite3.dll)
• A PNG file that contains the encrypted modules and final payload for HijackLoader. The PNG file is usually randomly named. (In this case, Churtseechang.vky)
• A file containing encrypted shellcode, which is also randomly named. (In this case, Weertijeegdoob.jm)

In this example, files relating to HijackLoader were packaged in a ZIP file named premo.zip.  The legitimate executable PortRemo.exe is executed by the initial LNK file, which will load the malicious patched DLL sqlite3.dll.

The following image shows the import table for PortRemo.exe.  At some point during execution, one of these functions will be called and eventually lead to the malicious code within sqlite3.dll.

In this example, sqlite3_result_text16() is the malicious function. HijackLoader will utilize the export table in order to prevent IDA from properly analyzing the file.

The patched DLL will read and decrypt the first-stage shellcode for HijackLoader. The decrypted shellcode will decrypt the PNG file that contains HijackLoader components. HijackLoader utilizes various modules for enhanced functionality.

The following table lists known modules as well as their functionality:

Once all modules are completed, HijackLoader will inject its final payload into a remote process.

X-Force’s analysis of Hive0156’s Remcos configuration appears to be sparse on enabled functionality. However, this does not indicate a diminished threat. Hive0156's version of Remcos is primarily configured to establish communication with the group's C2 infrastructure and periodically wait for new commands. The group appears to operate multiple campaigns in parallel and maintains diligent use of Remcos’ campaign ID feature. Throughout 2025, X-Force observed hmu2005, gu2005, ra2005 and ra2005new campaign IDs associated with the group.

Remcos is a Remote Administration Tool developed by Breaking-Security.  Details about its features can be found here.

Upon execution, Remcos will load its configuration from a blob within its resources. Once complete, Remcos will parse its configuration, which determines what actions it will take during execution.

Remcos accepts the following configuration parameters:

Configuration flags are used to determine whether Remcos should enable certain features. Once Remcos parses its configuration, it will begin contacting the C2 servers. Remcos may accept additional commands from its C2 server, including the following:

As shown above, Remcos has a wide variety of capabilities, including remote administration, payload execution, surveillance, persistence and infostealing. Remcos may be used by legitimate system administrators; however, it is also heavily used by various malicious threat actors. The actions taken by Remcos on a system are primarily driven by communication with its C2 server. Remcos includes a GUI panel to allow attackers to easily manage multiple victims within a single interface. The GUI interface allows creating automated tasks as well as manually interacting with the Remcos implant on a victim system.

Hive0156 operates a network of C2 servers worldwide and most likely benefits from Russian hosting provider indifference toward the group's operations. X-Force discovered the group employs geofencing to at least Ukraine and requests header filtering as part of their staging operations. Hive0156 deploys Remcos with limited features enabled, but continuously updates its configuration from its C2. This may indicate a prioritization of dormant access and selectively enabling collection upon new initiatives. The maintenance of unobstructed connectivity between Remcos infections and the group's C2 infrastructure is paramount for continued victim access.

Hive0156 continues to operate malicious cyber operations against Ukraine. X-Force assesses that the group continues to target Ukrainian military personnel but is evolving its decoy documents to more general themes, suggesting a wider victim pool. Organizations and personnel in or with association to the Ukrainian military are at a heightened risk of Hive0156 victim targeting.

X-Force recommends the following actions for mitigating Hive0156 activity:

1. User training and awareness: Encourage users to be cautious when opening emails or messenger chats, especially those containing attachments, or clicking on links. Instruct them to verify the sender's identity and check the file extensions before opening any files.
2. Endpoint protection: Deploy updated endpoint protection software that can detect and block known malware strains, like Remcos, along with suspicious behaviors. Regularly update malware signatures and behavioral patterns.
3. Network segmentation: Segment your network to restrict lateral movement in case of a breach. This limits the potential damage of a successful infection.
4. Geo-blocking: Implement geo-blocking rules to prevent connections to known malicious C2 servers, particularly those linked to Hive0156.
5. Monitoring and analysis: Regularly monitor and analyze network traffic for any unusual activities or connections to known malicious IPs. Use solutions that provide behavioral analysis and anomaly detection.
6. Patch management: Ensure all systems and applications are up-to-date with the latest patches. Many exploits used by threat actors leverage known vulnerabilities that have been patched.
7. Incident response plan: Develop and regularly update an incident response plan. This ensures that if a breach occurs, you can respond quickly and effectively.
8. Use of security tools: Employ security tools that can detect and block malicious PowerShell scripts and LNK files, as these are common initial delivery mechanisms for Hive0156.