UAC-0050 Targets European Financial Institution With Spoofed Domain and RMS Malware
Source: The Hacker News
Overview
Ravie Lakshmanan
Feb 24, 2026 – Cyber Espionage / Malware
A Russia‑aligned threat actor has been observed targeting a European financial institution as part of a social‑engineering campaign likely aimed at intelligence gathering or financial theft. This signals a possible expansion of the actor’s focus beyond Ukraine to entities supporting the war‑torn nation.
The activity, which targeted an unnamed entity involved in regional development and reconstruction initiatives, has been attributed to a cyber‑crime group tracked as UAC‑0050 (aka DaVinci Group). BlueVoyant has designated the name Mercenary Akula to this threat cluster. The attack was observed earlier this month.
“The attack spoofed a Ukrainian judicial domain to deliver an email containing a link to a remote‑access payload,” researchers Patrick McHale and Joshua Green said in a report shared with The Hacker News. “The target was a senior legal and policy advisor involved in procurement, a role with privileged insight into institutional operations and financial mechanisms.”
— BlueVoyant report
Attack Flow
- Spear‑phishing email – Uses legal‑themed language and directs recipients to download an archive file hosted on PixelDrain, a file‑sharing service the actor uses to bypass reputation‑based security controls.
- Multi‑layered archive – The initial ZIP contains a RAR archive, which in turn holds a password‑protected 7‑Zip file. Inside is an executable masquerading as a PDF document via the double‑extension trick (
*.pdf.exe). - Payload delivery – Execution drops an MSI installer for Remote Manipulator System (RMS), a Russian remote‑desktop tool that enables remote control, desktop sharing, and file transfers.
“The use of such ‘living‑off‑the‑land’ tools provides attackers with persistent, stealthy access while often evading traditional antivirus detection,” the researchers noted.
The deployment of RMS aligns with prior UAC‑0050 modus operandi, as the group is known to drop legitimate remote‑access software (e.g., LiteManager) and remote‑access trojans such as RemcosRAT in attacks targeting Ukraine.
The Computer Emergency Response Team of Ukraine (CERT‑UA) has characterized UAC‑0050 as a mercenary group associated with Russian law‑enforcement agencies that conducts data gathering, financial theft, and information/psychological operations under the Fire Cells branding.
“This attack reflects Mercenary Akula’s well‑established and repetitive attack profile, while also offering a notable development,” BlueVoyant said. “First, their targeting has been primarily focused on Ukraine‑based entities, especially accountants and financial officers. However, this incident suggests potential probing of Ukraine‑supporting institutions in Western Europe.”
Wider Context
- CrowdStrike – In its annual Global Threat Report, the firm predicts that Russia‑nexus adversaries will continue aggressive operations aimed at intelligence gathering from Ukrainian targets and NATO member states.
- APT 29 (Cozy Bear / Midnight Blizzard) – Continues to “systematically” exploit trust, organizational credibility, and platform legitimacy in spear‑phishing campaigns targeting U.S. NGOs and a U.S. legal entity to gain unauthorized access to victims’ Microsoft accounts.
“Cozy Bear successfully compromised or impersonated individuals with whom targeted users …” (excerpt from the report)
“maintained trusting professional relationships,” CrowdStrike said. “Impersonated individuals included employees from international NGO branches and pro‑Ukraine organizations.”
“The adversary heavily invested in substantiating these impersonations, using compromised individuals’ legitimate email accounts alongside burner communication channels to reinforce authenticity.”
All links and images are retained from the original source.
Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.