Russia-Aligned Hackers Abuse Viber to Target Ukrainian Military and Government
Cybersecurity analysts have uncovered a sophisticated campaign by Russia-aligned threat actors who are systematically abusing the popular messaging app Viber to deliver malware and spy on Ukrainian military personnel, government officials, and associated support networks. The operation rides on a trusted communication tool and is notable for relying on social engineering to bypass traditional security measures.
Messaging Platforms as the New Battlefield
Messaging applications have become central to both personal and professional communication around the world, with billions of messages sent daily. Viber, in particular, is widely used in Eastern Europe and Ukraine, averaging tens of millions of active users. Attackers have turned this ubiquity into an advantage by embedding malicious content within seemingly benign messages that appear to come from trusted sources.
Because Viber uses end-to-end encryption and is decentralized in its delivery model, malicious payloads sent via the platform often evade traditional email and network filtering used by institutions to block phishing and malware distribution.
Sophisticated Social Engineering Techniques
The campaign employs targeted social engineering, tailoring messages to individual recipients using contextual information. For example, Ukrainian military personnel have received messages that appear to originate from colleagues, command units, or official channels, often referencing mission briefings, schedule updates, or logistics requests.
In many cases, the message text includes specific unit names, plausible military jargon, and timely references to current operations, increasing the likelihood that the recipient will engage with the content. Within these messages are attachments or links hosting malware designed to compromise the device once opened.
Malicious Payload Delivery and Malware Behavior
When a target interacts with a malicious attachment or link, the malware is silently deployed to the device. Once installed, it may perform a variety of functions including extracting text messages, monitoring call logs, capturing media, and transmitting geolocation data back to the attacker’s servers. In some observed variants, attackers have also deployed tools capable of live audio recording and remote command execution.
Because Viber is installed on many users’ primary communication devices, this malware can access large volumes of sensitive data that would be difficult to obtain using other vectors. It also allows persistent access to conversations long after the initial compromise.
Targets and Operational Impact
The initial phases of the campaign appear concentrated on Ukrainian military personnel and government officials involved in defense, strategy, and infrastructure operations. In one cluster of observed attacks, more than 1,200 unique Viber accounts tied to defense sector work were infiltrated or probed with malicious messages.
Beyond direct surveillance, compromised devices have the potential to serve as beachheads for broader network intrusion, particularly where mobile devices are used to access secure internal systems or enterprise resources through remote access tools.
Challenges in Detection and Attribution
One of the key challenges in defending against this threat is the difficulty in distinguishing malicious traffic from normal encrypted messaging. Viber’s underlying protocols do not produce standard HTTP or SMTP traffic that security appliances typically inspect, meaning that defenders may not see the malware delivery at all until after execution has occurred.
Attribution to Russia-aligned actors stems from infrastructure links, malware signatures, and patterns of target selection consistent with previous campaigns aimed at Ukrainian institutions. These factors point to an operation that blends espionage and information gathering with long-term strategic intent rather than opportunistic criminal activity.
Statistics Highlight Persistent Threat Pressure
Cyber threat intelligence firms tracking the activity report that malicious Viber campaigns targeting Ukrainian entities have increased by more than 35 percent since the beginning of the year. In the last quarter alone, more than 4,000 distinct malicious messages were identified, with payloads ranging from credential harvesters to advanced surveillance tools.
This escalation coincides with broader regional tensions and suggests a calculated effort to exploit trusted communication channels as the conflict evolves.
Mitigation and Defensive Strategies
Defending against such campaigns requires a combination of technical controls and user education. For organizations with sensitive operations, restricting the use of third-party messaging apps on devices used for official business can reduce exposure. Where use cannot be restricted, enhanced endpoint protection that monitors for abnormal application behavior is critical.
User training focused on recognizing unsolicited links, confirming sender identity through independent channels, and reporting suspicious activity can significantly reduce the risk of compromise. Multi-factor authentication and device hardening add further layers of protection even after an initial compromise occurs.
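As an added example (not from the article or any vendor tooling), the triage heuristic below turns the "abnormal application behavior" advice into something an endpoint or MDM review could run: it flags installed Android apps, outside an organisation's allow-list, whose granted permissions cover several of the capabilities the article attributes to the malware (SMS, call logs, media, location, microphone). The permission names are real Android permissions; the allow-list, package names and device snapshot are constructed for the demonstration.

```python
# Added example: permission-profile triage for the capability set described
# in the article. The inventory below is a constructed snapshot, not real data;
# on a real device the same mapping would come from the platform's
# permission inventory (e.g. an MDM export).
from typing import Dict, List, Set

# Real Android permission names; the grouping into capabilities is ours.
CAPABILITY_PERMS: Dict[str, Set[str]] = {
    "read_sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "call_logs": {"android.permission.READ_CALL_LOG"},
    "media": {"android.permission.CAMERA", "android.permission.READ_EXTERNAL_STORAGE"},
    "location": {"android.permission.ACCESS_FINE_LOCATION"},
    "audio": {"android.permission.RECORD_AUDIO"},
}

# Allow-list the organisation maintains for devices used on official business (constructed).
EXPECTED_APPS = {"com.viber.voip", "com.android.dialer"}

def capabilities(granted: Set[str]) -> Set[str]:
    """Return which surveillance capabilities a granted-permission set enables."""
    return {cap for cap, perms in CAPABILITY_PERMS.items() if granted & perms}

def triage(inventory: Dict[str, Set[str]], threshold: int = 3) -> List[dict]:
    """Flag apps outside the allow-list holding >= threshold capabilities.
    Findings are ordered with the widest capability set first."""
    findings = []
    for pkg, granted in inventory.items():
        caps = capabilities(granted)
        if pkg not in EXPECTED_APPS and len(caps) >= threshold:
            findings.append({"package": pkg, "capabilities": sorted(caps)})
    return sorted(findings, key=lambda f: -len(f["capabilities"]))

# Constructed snapshot: a sideloaded "briefing viewer" (hypothetical package name)
# with a spyware-like profile next to legitimate apps holding similar permissions.
SAMPLE_INVENTORY = {
    "com.viber.voip": {"android.permission.RECORD_AUDIO", "android.permission.CAMERA",
                       "android.permission.READ_EXTERNAL_STORAGE"},
    "com.android.dialer": {"android.permission.READ_CALL_LOG"},
    "com.example.briefingviewer": {"android.permission.READ_SMS", "android.permission.READ_CALL_LOG",
                                   "android.permission.RECORD_AUDIO", "android.permission.CAMERA",
                                   "android.permission.ACCESS_FINE_LOCATION"},
    "com.example.weather": {"android.permission.ACCESS_FINE_LOCATION"},
}

if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY):
        print(finding["package"], finding["capabilities"])
```

The threshold and allow-list are the tuning knobs: a legitimate messenger legitimately holds camera and microphone, so the signal is the combination of SMS, call-log, location and audio access in an app nobody approved, not any single permission.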
Broader Implications for Messaging Security
This campaign highlights a worrying trend where threat actors are weaponizing mainstream communication platforms to bypass perimeter defenses and directly target individuals. As messaging apps become more central to both personal and professional life, attackers increasingly view them as vectors that combine trust with convenience, making malicious content harder to detect and easier to distribute at scale.
For national security and defense organizations, the message is clear: communication convenience must be balanced with rigorous security practices to safeguard critical information and prevent covert surveillance.
While specific malware variants and targeting tactics will continue to evolve, the core strategy reflected in this campaign reinforces the need for comprehensive, multi-layered defenses that anticipate the misuse of tools normally considered benign.