UAC-0050 Targets European Financial Institution With Spoofed Domain and RMS Malware
https://thehackernews.com/2026/02/uac-0050-targets-european-financial.html
Publish Date: 2026-02-24 09:21:00
Source Domain: thehackernews.com
A Russia-aligned threat actor has been observed targeting a European financial institution in a social engineering attack likely intended to facilitate intelligence gathering or financial theft, signaling a possible expansion of the threat actor’s targeting beyond Ukraine and into entities supporting the war-torn nation.
The activity, which targeted an unnamed entity involved in regional development and reconstruction initiatives, has been attributed to a cybercrime group tracked as UAC-0050 (aka DaVinci Group). BlueVoyant has assigned the name Mercenary Akula to the threat cluster. The attack was observed earlier this month.
“The attack spoofed a Ukrainian judicial domain to deliver an email containing a link to a remote access payload,” researchers Patrick McHale and Joshua Green said in a report shared with The Hacker News. “The target was a senior legal and policy advisor involved in procurement, a role with privileged insight into institutional operations and financial mechanisms.”
The starting point is a spear-phishing email that uses legal themes to direct recipients to download an archive file hosted on PixelDrain, a file-sharing service used by the threat actor to bypass reputation-based security controls.
The ZIP is responsible for initiating a multi-layered infection chain. Present within the ZIP file is a RAR archive that contains a password-protected 7-Zip file, which includes an executable that masquerades as a PDF document by using the widely abused double extension trick (*.pdf.exe).
The execution results in the deployment of an MSI installer for Remote Manipulator System (RMS), a Russian remote desktop software that allows remote control, desktop sharing, and file transfers.
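The two delivery traits described above, archives nested inside archives and a `*.pdf.exe` name, can be checked at a mail or download gateway. The following is an added example, not code from BlueVoyant or the original report: it inspects only the outer ZIP layer using the Python standard library, and the extension lists, function names and sample archive are assumptions constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Magic bytes of the archive formats named in the chain (ZIP -> RAR -> 7-Zip).
ARCHIVE_MAGIC = {b"Rar!\x1a\x07": "rar", b"7z\xbc\xaf\x27\x1c": "7z", b"PK\x03\x04": "zip"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}  # assumed list
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi", ".js", ".vbs", ".lnk"}  # assumed list


def is_double_extension(name: str) -> bool:
    """True for names like 'x.pdf.exe': a decoy extension followed by an executable one."""
    name = name.replace("\\", "/").rstrip(". ")  # Windows ignores trailing dots and spaces
    suffixes = [s.strip().lower() for s in PurePosixPath(name).suffixes]
    return len(suffixes) >= 2 and suffixes[-1] in EXEC_EXTS and suffixes[-2] in DECOY_EXTS


def triage_zip(data: bytes) -> list[tuple[str, str]]:
    """Return (member, finding) pairs for a ZIP held in memory."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if is_double_extension(info.filename):
                findings.append((info.filename, "double-extension"))
            if info.flag_bits & 0x1:  # encrypted member: content cannot be read
                findings.append((info.filename, "encrypted-member"))
                continue
            with zf.open(info) as fh:
                head = fh.read(8)
            for magic, kind in ARCHIVE_MAGIC.items():
                if head.startswith(magic):
                    findings.append((info.filename, f"nested-{kind}"))
    return findings


def build_sample() -> bytes:
    """Constructed sample: a ZIP holding a stub with RAR magic and a *.pdf.exe name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("case_files.rar", b"Rar!\x1a\x07\x01\x00" + b"\x00" * 16)
        zf.writestr("summons.pdf.exe", b"MZ" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for member, finding in triage_zip(build_sample()):
        print(f"{finding:18} {member}")
```

In the chain reported here the executable sits behind a password-protected 7-Zip layer, so a gateway would see only the nested RAR; `is_double_extension` applies equally to file names taken from endpoint file-creation telemetry once the user has unpacked the inner layers.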
“The use of such ‘living-off-the-land’ tools provides attackers with persistent, stealthy access while often evading traditional antivirus detection,” the researchers noted.
The use of RMS aligns with prior…