{"id":31,"date":"2026-02-25T23:44:23","date_gmt":"2026-02-25T23:44:23","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=31"},"modified":"2026-02-25T23:44:23","modified_gmt":"2026-02-25T23:44:23","slug":"uac-0050-targets-european-financial-institution-with-spoofed-domain-and-rms-malware","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=31","title":{"rendered":"UAC-0050 Targets European Financial Institution With Spoofed Domain and RMS Malware"},"content":{"rendered":"<div>\n<p><span class=\"p-author\"><i class=\"icon-font icon-user\">\ue804<\/i><span class=\"author\">Ravie Lakshmanan<\/span><i class=\"icon-font icon-calendar\">\ue802<\/i><span class=\"author\">Feb 24, 2026<\/span><\/span><span class=\"p-tags\">Cyber Espionage \/ Malware<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<div class=\"separator\" style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiMR8uMyTA6j9P1KBgNFXf7uKvuD9CpolHGiMuaTIMOc87IKSqoGXWxea4Hs3unk1kLewzUd0hyOxpk6AsnEy1WmKwQwW8QV2zFBJiCi6PLOMi5zxAD_C2_DZytczAcPCSA_JGN9Se8arByQlLzoTiDaX1qJiA0Q6IT2Sfeg7BgkeQZ2ptQcjo_RX8jMgs1\/s1700-e365\/bank-cyberattack.jpg\" style=\"display: block;  text-align: center; clear: left; float: left;\"><\/a><\/div>\n<p>A Russia-aligned threat actor has been observed targeting a European financial institution as part of a social engineering attack to likely facilitate intelligence gathering or financial theft, signaling a possible expansion of the threat actor&#8217;s targeting beyond Ukraine and into entities supporting the <a href=\"https:\/\/ukraine.un.org\/en\/310531-immense-devastation-amid-severe-and-worsening-disruption-basic-services-four-years-full\" rel=\"noopener\" target=\"_blank\">war-torn nation<\/a>.<\/p>\n<p>The activity, which targeted an unnamed entity involved in regional development and reconstruction initiatives, has been attributed to a cybercrime group tracked as <strong>UAC-0050<\/strong> (aka <a 
href=\"https:\/\/blog.bushidotoken.net\/2024\/03\/tracking-adversaries-uac-0050-cracking.html\" rel=\"noopener\" target=\"_blank\">DaVinci Group<\/a>). BlueVoyant has designated the name Mercenary Akula to the threat cluster. The attack was observed earlier this month.<\/p>\n<p>\u00abThe attack spoofed a Ukrainian judicial domain to deliver an email containing a link to a remote access payload,\u00bb researchers Patrick McHale and Joshua Green <a href=\"https:\/\/www.bluevoyant.com\/blog\/mercenary-akula-hits-financial-institution\" rel=\"noopener\" target=\"_blank\">said<\/a> in a report shared with The Hacker News. \u00abThe target was a senior legal and policy advisor involved in procurement, a role with privileged insight into institutional operations and financial mechanisms.\u00bb<\/p>\n<p>The starting point is a spear-phishing email that uses legal themes to direct recipients to download an archive file hosted on PixelDrain, a file-sharing service used by the threat actor to bypass reputation-based security controls.<\/p>\n<p>The ZIP is responsible for initiating a multi-layered infection chain. 
Present within the ZIP file is a RAR archive that contains a password-protected 7-Zip file, which includes an executable that masquerades as a PDF document by using the widely abused double extension trick (*.pdf.exe).<\/p>\n<p>The execution results in the deployment of an MSI installer for Remote Manipulator System (RMS), a <a href=\"https:\/\/thehackernews.com\/2024\/12\/horns-campaign-delivers-rats-via-fake.html\" rel=\"noopener\" target=\"_blank\">Russian remote desktop software<\/a> that allows remote control, desktop sharing, and file transfers.<\/p>\n<p>\u00abThe use of such &#8216;living-off-the-land&#8217; tools provides attackers with persistent, stealthy access while often evading traditional antivirus detection,\u00bb the researchers noted.<\/p>\n<p>The use of RMS aligns with prior UAC-0050 modus operandi, with the threat actor known to drop legitimate remote access software like LiteManager and remote access trojans such as RemcosRAT in attacks targeting Ukraine.<\/p>\n<p>The Computer Emergency Response Team of Ukraine (CERT-UA) has <a href=\"https:\/\/cert.gov.ua\/article\/6277822\" rel=\"noopener\" target=\"_blank\">characterized<\/a> UAC-0050 as a mercenary group associated with Russian law enforcement agencies that conducts data gathering, financial theft, and information and psychological operations under the Fire Cells branding.<\/p>\n<p>\u00abThis attack reflects Mercenary Akula&#8217;s well-established and repetitive attack profile, while also offering a notable development,\u00bb BlueVoyant said. \u00abFirst, their targeting has been primarily focused on Ukraine-based entities, especially accountants and financial officers. 
However, this incident suggests potential probing of Ukraine-supporting institutions in Western Europe.\u00bb<\/p>\n<p>The disclosure comes as Ukraine revealed that Russian cyber attacks aimed at the country&#8217;s energy infrastructure are increasingly focused on collecting intelligence to guide missile strikes rather than immediately disrupting operations, The Record <a href=\"https:\/\/therecord.media\/ukraine-cyberattacks-guiding-russian-missile-strikes\" rel=\"noopener\" target=\"_blank\">reported<\/a>.<\/p>\n<p>Cybersecurity company CrowdStrike, in its annual <a href=\"https:\/\/www.crowdstrike.com\/en-us\/blog\/crowdstrike-2026-global-threat-report-findings\/\" rel=\"noopener\" target=\"_blank\">Global Threat Report<\/a>, said it expects Russia-nexus adversaries to continue conducting aggressive operations with the goal of intelligence gathering from Ukrainian targets and NATO member states.<\/p>\n<p>This includes efforts undertaken by APT29 (aka Cozy Bear and Midnight Blizzard) to \u00absystematically\u00bb exploit trust, organizational credibility, and platform legitimacy as part of spear-phishing campaigns targeting U.S.-based non-governmental organizations (NGOs) and a U.S.-based legal entity to gain unauthorized access to the victims&#8217; Microsoft accounts.<\/p>\n<p>\u00abCozy Bear successfully compromised or impersonated individuals with whom targeted users maintained 
trusting professional relationships,\u00bb CrowdStrike said. \u00abImpersonated individuals included employees from international NGO branches and pro-Ukraine organizations.\u00bb<\/p>\n<p>\u00abThe adversary heavily invested in substantiating these impersonations, using compromised individuals&#8217; legitimate email accounts alongside burner communication channels to reinforce authenticity.\u00bb<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>\ue804Ravie Lakshmanan\ue802Feb 24, 2026Cyber Espionage \/ Malware A Russia-aligned threat actor has been observed targeting a European financial institution as part of a social engineering attack to likely facilitate intelligence&hellip;<\/p>\n","protected":false},"author":1,"featured_media":32,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[83,79,80,81,42,84,82,78,77],"class_list":["post-31","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-domain","tag-european","tag-financial","tag-institution","tag-malware","tag-rms","tag-spoofed","tag-targets","tag-uac0050"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/31","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=31"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/31\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/me
dia\/32"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=31"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=31"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=31"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}