Date: 01/01/2026
Severity: High
Summary
UAC-0184, also known as Hive0156, is a Russia-aligned threat actor that conducts cyber operations against Ukraine using commercially available malware and lure documents. The group primarily targets Ukrainian military personnel by distributing weaponized LNK files or PowerShell scripts that result in Remcos malware infections. Their decoy documents are closely tailored to Ukrainian military operations, making them particularly convincing for individuals tracking the country’s military activities.
Indicators of Compromise (IOC) List
Domains/URLs:
  http://5.101.85.24/k4s/tune.ps1
  http://5.101.85.24/k4s/spear.ps1
  http://5.101.85.24/smoothieks.zip
IP Address:
  5.101.85.24
Hash (MD5):
  77da028b852acdcdcf4b46b23e79ac66
  f7a93c7918a4d8837519eb6619c25b90
  739dea9edc813c83cc488010cbdc10f6
  1ce195f66d79587d583e4792ceb1c898
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 (URL indicators):
  domainname like "http://5.101.85.24/smoothieks.zip" or url like "http://5.101.85.24/smoothieks.zip" or siteurl like "http://5.101.85.24/smoothieks.zip" or domainname like "http://5.101.85.24/k4s/spear.ps1" or url like "http://5.101.85.24/k4s/spear.ps1" or siteurl like "http://5.101.85.24/k4s/spear.ps1" or domainname like "http://5.101.85.24/k4s/tune.ps1" or url like "http://5.101.85.24/k4s/tune.ps1" or siteurl like "http://5.101.85.24/k4s/tune.ps1"
Detection Query 2 (IP indicator):
  dstipaddress IN ("5.101.85.24") or srcipaddress IN ("5.101.85.24")
Detection Query 3 (MD5 hash indicators):
  md5hash IN ("f7a93c7918a4d8837519eb6619c25b90","739dea9edc813c83cc488010cbdc10f6","1ce195f66d79587d583e4792ceb1c898","77da028b852acdcdcf4b46b23e79ac66")
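The three queries above, re-expressed as portable matching logic for teams that need to sweep other log sources for the same indicators. This is an added example, not Gurucul's code; it assumes events are flat dictionaries keyed by the same field names the queries use (domainname, url, siteurl, dstipaddress, srcipaddress, md5hash), and it reads the queries' "like" as a case-insensitive substring test while treating IP and hash checks as exact matches.

```python
from typing import Any, Dict, List

# Indicators as listed in the advisory above.
IOC_URLS = {
    "http://5.101.85.24/k4s/tune.ps1",
    "http://5.101.85.24/k4s/spear.ps1",
    "http://5.101.85.24/smoothieks.zip",
}
IOC_IPS = {"5.101.85.24"}
IOC_MD5 = {
    "77da028b852acdcdcf4b46b23e79ac66",
    "f7a93c7918a4d8837519eb6619c25b90",
    "739dea9edc813c83cc488010cbdc10f6",
    "1ce195f66d79587d583e4792ceb1c898",
}
URL_FIELDS = ("domainname", "url", "siteurl")  # fields tested by Detection Query 1
IP_FIELDS = ("dstipaddress", "srcipaddress")   # fields tested by Detection Query 2

def _norm(value: Any) -> str:
    return str(value).strip().lower()

def query1_url_hit(event: Dict[str, Any]) -> bool:
    # "like" is read as a case-insensitive substring test (assumption, see lead-in).
    return any(f in event and any(ioc in _norm(event[f]) for ioc in IOC_URLS) for f in URL_FIELDS)

def query2_ip_hit(event: Dict[str, Any]) -> bool:
    # Exact match only, so neighbouring addresses such as 5.101.85.240 do not fire.
    return any(_norm(event.get(f, "")) in IOC_IPS for f in IP_FIELDS)

def query3_hash_hit(event: Dict[str, Any]) -> bool:
    # Hash case differs between log sources, so normalise before comparing.
    return _norm(event.get("md5hash", "")) in IOC_MD5

QUERIES = (("query1", query1_url_hit), ("query2", query2_ip_hit), ("query3", query3_hash_hit))

def triage(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return, for each event that fires at least one query, its index and the query names."""
    hits = []
    for i, ev in enumerate(events):
        fired = [name for name, fn in QUERIES if fn(ev)]
        if fired:
            hits.append({"index": i, "queries": fired})
    return hits

# Constructed sample events (not from the advisory): a staging-host download, an upper-case hash, a benign record.
SAMPLE_EVENTS = [
    {"url": "http://5.101.85.24/k4s/spear.ps1", "dstipaddress": "5.101.85.24"},
    {"md5hash": "F7A93C7918A4D8837519EB6619C25B90"},
    {"url": "https://example.org/index.html", "srcipaddress": "10.0.0.5"},
]
```

Running `triage(SAMPLE_EVENTS)` flags the first event on Query 1 and Query 2 and the second on Query 3; the benign record produces no hit.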
Reference:
https://mp.weixin.qq.com/s?__biz=MzUyMjk4NzExMA==&mid=2247507757&idx=1&sn=cf6b118e88395af45a000aae80811264&poc_token=HCo5Vmmj7xdXveHwJXIDjh7DjowIBruRQdqX_s31