Russia-aligned threat actor UAC-0050 has expanded operations beyond Ukraine, targeting a European financial institution involved in reconstruction efforts with a sophisticated multi-stage spear-phishing attack.
Campaign Overview
Security researchers at BlueVoyant have uncovered a targeted phishing campaign attributed to UAC-0050, also known as the DaVinci Group. The threat cluster, tracked by BlueVoyant as “Mercenary Akula,” has traditionally focused on Ukrainian organizations but has now shifted targeting toward Western European entities supporting Ukraine.
The campaign targeted a senior legal and policy advisor at a European financial institution involved in Ukrainian reconstruction and regional development. This role represents a high-value target with access to financial systems, vendor relationships, and institutional processes.
Attack Chain Analysis
The attackers employed a multi-layered infection chain designed to evade security controls:
- Initial Access: Spear-phishing email with legal-themed content, spoofing a Ukrainian judicial domain
- Delivery: Link to PixelDrain file-sharing platform to bypass email security filters
- Payload Structure: ZIP archive → password-protected RAR → 7-Zip container → executable disguised as PDF (*.pdf.exe)
- Final Payload: Remote Manipulator System (RMS), a legitimate Russian remote desktop tool
The use of RMS reflects a “living-off-the-land” approach, leveraging legitimate software to avoid triggering traditional antivirus detection.
Threat Actor Profile
UAC-0050 has been previously documented by Ukraine’s CERT as a mercenary cluster with ties to Russian law enforcement interests. Historical campaigns have utilized tools including:
- LiteManager remote administration tool
- RemcosRAT for persistent access
- Various credential harvesting techniques
This latest campaign indicates the group may be conducting strategic reconnaissance against Western European institutions that support Ukraine, potentially for intelligence collection or positioning for future operations.
Broader Russian Cyber Operations Context
This activity aligns with documented patterns of Russian cyber operations. According to CrowdStrike assessments, Russia-nexus actors continue to prioritize intelligence collection across NATO member states, with particular focus on:
- Financial institutions supporting Ukraine
- Procurement and logistics entities
- Policy advisory organizations
- Reconstruction coordination bodies
Defensive Recommendations
Organizations involved in Ukraine support operations should implement enhanced security measures:
- Implement strict email filtering for file-sharing links (PixelDrain, WeTransfer, etc.)
- Block or alert on nested archive file chains
- Monitor for legitimate remote administration tools in unexpected contexts
- Conduct targeted security awareness training for personnel in legal, procurement, and advisory roles
- Enable enhanced logging for Microsoft 365 and email gateway systems
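To make the "nested archive chains" and double-extension points above concrete, here is an added inspection routine written for this article; it is not code from BlueVoyant or SecureReading. It walks a ZIP attachment, recurses into nested ZIPs, and flags nested containers, encrypted members, and document-looking names that end in an executable extension (the *.pdf.exe pattern from the chain above); RAR and 7-Zip members are flagged by name but not unpacked, and the sample archive, file names and depth threshold are constructed for illustration.

```python
import io
import re
import zipfile

# Container types seen in the chain described above (ZIP -> RAR -> 7-Zip).
ARCHIVE_EXTS = {".zip", ".rar", ".7z"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Document-looking name that really ends in an executable extension, e.g. ruling.pdf.exe
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|txt)\.(exe|scr|com|pif|bat|cmd|js|vbs)$", re.I)


def inspect_zip(data, path="attachment.zip", depth=0):
    """Return (finding, location, depth) tuples for one ZIP, recursing into nested ZIPs."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
            loc = f"{path}!{name}"
            if DOUBLE_EXT.search(name):
                findings.append(("double_extension", loc, depth))
            elif ext in EXEC_EXTS:
                findings.append(("executable", loc, depth))
            if ext in ARCHIVE_EXTS:
                findings.append(("nested_archive", loc, depth + 1))
                if info.flag_bits & 0x1:  # general-purpose bit 0: member is encrypted
                    findings.append(("encrypted_member", loc, depth + 1))
                elif ext == ".zip":
                    findings.extend(inspect_zip(zf.read(name), loc, depth + 1))
                # RAR/7z members are not unpacked here; the nesting itself is the signal.
    return findings


def verdict(findings, max_depth=1):
    """Block when the chain nests deeper than max_depth or carries an executable/encrypted member."""
    hard_block = {"double_extension", "executable", "encrypted_member"}
    if any(kind in hard_block for kind, _, _ in findings):
        return "block"
    if any(kind == "nested_archive" and d > max_depth for kind, _, d in findings):
        return "block"
    return "allow"


def build_sample():
    """Constructed sample: outer ZIP holding a nested ZIP that carries a *.pdf.exe."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("Court_Ruling_2024.pdf.exe", b"MZ placeholder, not a real binary")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Court_Ruling_2024.zip", inner.getvalue())
        z.writestr("cover_letter.txt", b"See attached ruling.")
    return outer.getvalue()
```

Running `verdict(inspect_zip(build_sample()))` on the constructed sample returns "block" because of the nested ZIP and the `.pdf.exe` member inside it; a benign ZIP of plain documents with no nesting returns "allow".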
Indicators of Compromise
Tactics, Techniques, and Procedures (TTPs):
- T1566.002 – Spearphishing Link
- T1036.007 – Double File Extension
- T1204.002 – Malicious File Execution
- T1219 – Remote Access Software (RMS)
Source: SecureReading | Research: BlueVoyant
