Cybersecurity researchers have identified a Russia‑aligned threat actor targeting a European financial organization in a social engineering operation likely aimed at intelligence collection or financial theft. The incident suggests that this group may be widening its focus beyond Ukraine to include institutions that support the country.
The attack, observed earlier this month, targeted an undisclosed organization involved in regional development and reconstruction. Analysts have attributed the activity to UAC‑0050 (also known as DaVinci Group), with BlueVoyant referring to this cluster as Mercenary Akula.
According to researchers Patrick McHale and Joshua Green, the attackers spoofed a Ukrainian judicial domain to send an email containing a link to a remote‑access payload. The message was directed at a senior legal and policy advisor whose position would provide valuable visibility into internal operations and financial frameworks.
The operation begins with a spear‑phishing email using legal‑themed language to entice recipients into downloading an archive file hosted on PixelDrain, a platform the group uses to evade reputation‑based security filtering. Inside the downloaded ZIP archive is a RAR file that contains a password‑protected 7‑Zip package, which in turn holds an executable disguised as a PDF using the common double‑extension technique (*.pdf.exe).
Executing the file initiates installation of the Remote Manipulator System (RMS), a legitimate Russian remote desktop tool capable of screen sharing, remote control, and file transfers. Researchers noted that using such legitimate utilities enables persistent and covert access while often avoiding traditional antivirus detection.
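The nested archive chain and the *.pdf.exe disguise described above are exactly what a mail gateway or sandbox should inspect for. The following is an added example, not code from the article or from BlueVoyant: a small Python scanner that walks a ZIP in memory and flags masquerading executables, nested archives and encrypted members. Because the standard library cannot open RAR or 7-Zip, the constructed sample uses ZIP-in-ZIP, and the file names, byte stubs and depth threshold are assumptions.

```python
import io
import re
import zipfile

# Document-looking stem followed by an executable extension, e.g. "summons.pdf.exe".
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|txt)\.(exe|scr|com|bat|cmd|js|vbs|lnk)$", re.I)
ARCHIVE_EXTS = (".zip", ".rar", ".7z")


def scan_zip(data: bytes, depth: int = 1, path: str = "") -> list:
    """Recursively inspect a ZIP held in memory; return (kind, member, depth) findings.
    Nested ZIPs are opened. RAR/7z members are reported but not opened (the stdlib has
    no reader; a real scanner would add rarfile/py7zr). Encrypted members are reported
    because they cannot be inspected without the password supplied in the lure."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            full = f"{path}/{name}" if path else name
            if info.flag_bits & 0x1:            # general-purpose flag bit 0 = encrypted
                findings.append(("encrypted", full, depth))
                continue
            if DOUBLE_EXT.search(name):
                findings.append(("double_extension", full, depth))
            if name.lower().endswith(".zip"):
                findings.append(("nested_archive", full, depth))
                findings.extend(scan_zip(zf.read(info), depth + 1, full))
            elif name.lower().endswith(ARCHIVE_EXTS):
                findings.append(("nested_archive", full, depth))
    return findings


def build_sample() -> bytes:
    """Constructed sample (not the real lure): outer ZIP -> inner ZIP -> *.pdf.exe + .7z."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("court_summons.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60)   # fake PE stub
        z.writestr("attachments.7z", b"7z\xbc\xaf\x27\x1c" + b"\x00" * 16)  # fake 7z header
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Notice_of_hearing.zip", inner.getvalue())
    return outer.getvalue()


def is_suspicious(findings: list) -> bool:
    """Block rule (assumed policy): any masquerading executable, or an archive nested 2+ deep."""
    return any(k == "double_extension" or (k == "nested_archive" and d >= 2)
               for k, _, d in findings)


if __name__ == "__main__":
    for kind, member, depth in scan_zip(build_sample()):
        print(f"{kind:17} depth={depth} {member}")
```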
RMS usage aligns with previous behaviors attributed to UAC‑0050, which has historically deployed legitimate remote‑access tools such as LiteManager and malware including RemcosRAT in campaigns against Ukrainian organizations.
The Computer Emergency Response Team of Ukraine (CERT‑UA) describes UAC‑0050 as a mercenary organization with ties to Russian law enforcement. The group is involved in information gathering, financial theft, and influence operations conducted under the Fire Cells branding.
BlueVoyant states that while the actor’s prior targeting has primarily focused on Ukrainian entities, especially financial personnel, this latest activity suggests exploratory targeting of Ukraine‑supporting institutions in Western Europe.
The report coincides with new intelligence that Russian cyber operations against Ukraine’s energy sector are increasingly focused on collecting data to support missile targeting, rather than causing immediate disruption. CrowdStrike’s latest Global Threat Report likewise anticipates continued aggressive intelligence‑driven activity by Russia‑nexus groups against Ukraine and NATO nations.
This includes operations by APT29 (also known as Cozy Bear and Midnight Blizzard), which has been exploiting professional trust relationships to compromise U.S.‑based non‑governmental organizations and a U.S. legal entity. CrowdStrike notes that Cozy Bear successfully impersonated trusted contacts using compromised legitimate accounts and burner communication channels to gain unauthorized access to victims’ Microsoft accounts.