A Russia-aligned cyber threat group has been linked to a targeted social engineering campaign against a European financial institution, marking a potential expansion beyond its usual Ukraine-focused operations.
The activity has been attributed to UAC-0050, also known as DaVinci Group. Threat intelligence firm BlueVoyant tracks the cluster under the name Mercenary Akula. The attack reportedly targeted a senior legal and policy advisor involved in procurement and reconstruction initiatives.
Security analysts believe the objective may have included intelligence collection or financial theft, particularly given the victim’s access to sensitive operational and financial information.
Spoofed Ukrainian Judicial Domain Used in Phishing
The intrusion began with a spear-phishing email that leveraged legal themes and impersonated a Ukrainian judicial domain. The message directed the recipient to download an archive hosted on PixelDrain, a file-sharing service commonly abused to evade reputation-based security filters.
Inside the downloaded ZIP file was a layered archive structure. It contained a RAR archive, which in turn held a password-protected 7-Zip file. Within that file was an executable disguised as a PDF using a double-extension technique, for example filename.pdf.exe.
This method is frequently used to trick users into launching malicious files while believing they are opening legitimate documents.
Deployment of RMS Remote Access Tool
Once executed, the file installed an MSI package for Remote Manipulator System, also known as RMS. RMS is legitimate Russian remote desktop software capable of remote control, file transfers, and screen sharing.
The use of legitimate administration tools reflects a living-off-the-land strategy. By deploying genuine software rather than custom malware, attackers can reduce detection rates and maintain persistent access while blending into normal system activity.
The reliance on RMS aligns with previous UAC-0050 operations, where the group has deployed tools such as LiteManager and the remote access trojan RemcosRAT in campaigns targeting Ukrainian entities.
CERT-UA Links Group to Russian Interests
Ukraine’s national cyber authority, CERT-UA, has characterized UAC-0050 as a mercenary-style group with ties to Russian law enforcement structures. The cluster has reportedly conducted financial theft, data collection, and influence operations under the Fire Cells branding.
Historically, the group’s victims have largely consisted of Ukrainian accountants and financial officers. However, the recent targeting of a Western European institution suggests reconnaissance or expansion toward organizations supporting Ukraine’s reconstruction and development efforts.
Broader Russian Cyber Activity and NGO Targeting
The incident comes amid broader disclosures about Russian cyber operations. According to CrowdStrike in its annual Global Threat Report, Russia-linked adversaries are expected to continue aggressive intelligence gathering campaigns against Ukrainian entities and NATO member states.
One such actor, APT29, also known as Cozy Bear or Midnight Blizzard, has reportedly conducted spear-phishing campaigns targeting United States-based non-governmental organizations and a legal entity. These campaigns aimed to compromise Microsoft accounts by impersonating trusted professional contacts.
CrowdStrike noted that attackers used compromised legitimate email accounts alongside burner communication channels to reinforce credibility and bypass suspicion. By carefully cultivating trust relationships, the adversary increased the success rate of unauthorized access attempts.
Strategic Implications
The UAC-0050 campaign highlights the continued evolution of Russia-aligned cyber operations. The use of spoofed domains, multi-layered archive delivery, and legitimate remote access tools demonstrates a blend of social engineering and operational stealth.
As targeting broadens beyond Ukraine into European institutions linked to reconstruction and financial oversight, organizations must enhance phishing awareness, restrict remote administration software usage, and monitor for suspicious MSI installations or archive-based payload chains.
The campaign reinforces the ongoing intersection between geopolitical conflict and cyber intelligence activity, particularly in sectors connected to financial governance and post-conflict recovery.
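The nested-archive delivery chain described earlier (ZIP containing a RAR containing a password-protected 7-Zip file, with a double-extension executable inside) is the kind of pattern a mail gateway or sandbox pre-filter can flag before a user ever opens it. The following added example, not code from the article or from any vendor named in it, scans a ZIP for nested archives, encrypted entries and document-lookalike executables, recursing into nested ZIPs; the sample archive it builds is constructed in memory with inert placeholder bytes.

```python
import io
import zipfile

ARCHIVE_EXTS = {".zip", ".rar", ".7z"}
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}
EXEC_EXTS = {".exe", ".scr", ".com", ".msi", ".bat", ".cmd"}


def is_double_extension_exec(name):
    """True for names like report.pdf.exe: document extension then executable one."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    return len(parts) >= 3 and "." + parts[-1] in EXEC_EXTS and "." + parts[-2] in DOC_EXTS


def scan_zip(data, depth=0, path="", max_depth=5):
    """Return (kind, entry_path, depth) findings for a ZIP given as bytes.
    Nested ZIPs are opened recursively up to max_depth; RAR/7z members are
    reported by name only, since this script does not parse those formats."""
    findings = []
    if depth > max_depth:  # guard against archive bombs / endless nesting
        return [("max_depth_exceeded", path, depth)]
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            full = f"{path}/{info.filename}" if path else info.filename
            base = info.filename.lower()
            ext = "." + base.rsplit(".", 1)[-1] if "." in base else ""
            if info.flag_bits & 0x1:  # ZIP general-purpose bit 0: entry is encrypted
                findings.append(("encrypted_entry", full, depth))
            if is_double_extension_exec(info.filename):
                findings.append(("double_extension_exec", full, depth))
            if ext in ARCHIVE_EXTS:
                findings.append(("nested_archive", full, depth))
                if ext == ".zip":
                    findings.extend(scan_zip(zf.read(info), depth + 1, full, max_depth))
    return findings


def build_sample():
    """Constructed sample: outer ZIP -> inner ZIP -> report.pdf.exe, plus a .rar
    member. All payload bytes are inert placeholders, not real binaries or archives."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("report.pdf.exe", b"MZ placeholder, not a real binary")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("inner.zip", inner.getvalue())
        z.writestr("notes.rar", b"placeholder, not a real RAR archive")
    return outer.getvalue()


if __name__ == "__main__":
    for kind, entry, depth in scan_zip(build_sample()):
        print(f"{kind:22} depth={depth}  {entry}")
```

Because a password-protected inner archive cannot be inspected by the gateway, its mere presence below another archive is itself the signal worth alerting on, alongside any MSI installation that follows such a download.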