UAC-0050 Targets European Financial Institution With Spoofed Domain and RMS Malware

• A Russia-aligned threat actor has been observed targeting a European financial institution as part of a social engineering attack to likely facilitate intelligence gathering or financial theft, signaling a possible expansion of the threat actor’s targeting beyond Ukraine and into entities supporting the war-torn nation.
• The activity, which targeted an unnamed entity involved in regional development and reconstruction initiatives, has been attributed to a cybercrime group tracked as UAC-0050 (aka DaVinci Group).
• BlueVoyant has designated the name Mercenary Akula to the threat cluster.
• The attack was observed earlier this month.
• “The attack spoofed a Ukrainian judicial domain to deliver an email containing a link to a remote access payload,” researchers Patrick McHale and Joshua Green said in a report shared with The Hacker News.
• “The target was a senior legal and policy advisor involved in procurement, a role with privileged insight into institutional operations and financial mechanisms.”
• The starting point is a spear-phishing email that uses legal themes to direct recipients to download an archive file hosted on PixelDrain, a file-sharing service used by the threat actor to bypass reputation-based security controls.

Article Summaries:

  • A Russia‑aligned threat actor, identified as UAC‑0050 (DaVinci Group, also called Mercenary Akula by BlueVoyant), targeted a European financial institution involved in regional development and reconstruction. The attack used a spear‑phishing email that spoofed a Ukrainian judicial domain and linked to a ZIP archive hosted on PixelDrain. Inside the archive was a multi‑layered payload that deployed the Russian remote‑desktop tool Remote Manipulator System (RMS) via an MSI installer. The operation marks a shift from UAC‑0050’s usual focus on Ukrainian entities to probing Western European institutions that support Ukraine, indicating a broader intelligence‑gathering effort.
