thehackernews.com 2/24/2026, 5:11:46 PM · via preferred

Mercenary group spoofs Ukrainian court to install RMS on EU bank

CyberSIXT Evidence Panel
Primary Source cert.gov.ua

UAC-0050 has been observed targeting a European financial institution as part of a social engineering campaign that spoofed a Ukrainian judicial domain to deliver a link to a remote access payload. The attack chain starts with a spear-phishing email directing victims to download an archive file hosted on PixelDrain, with a ZIP containing a password-protected 7-Zip that includes an executable masquerading as a PDF document.

Execution results in the deployment of an MSI installer for Remote Manipulator System (RMS), a Russian remote desktop tool that enables remote control, desktop sharing and file transfers. The activity is attributed to a Russia-aligned threat actor group tracked as UAC-0050 (aka DaVinci Group); BlueVoyant has assigned the name Mercenary Akula to the threat cluster. The attack was observed earlier this month.

According to The Hacker News, CERT-UA characterises UAC-0050 as a mercenary group associated with Russian law enforcement agencies that conducts data gathering, financial theft and information operations, with potential probing of Ukraine-supporting institutions in Western Europe. CrowdStrike's findings are cited to suggest Russia-nexus adversaries may continue such intelligence-gathering operations against Ukrainian targets and NATO member states.
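
A triage sketch for the delivery chain described above (a ZIP wrapping a 7-Zip archive that hides an executable posing as a PDF), added here as an illustration and not taken from CERT-UA, BlueVoyant or The Hacker News. It goes slightly beyond the text by also flagging OLE compound files (the container format MSI installers use) and checks file signatures rather than names; the function names, finding labels and sample file names are assumptions, and the sample archive is constructed from stub bytes only.

```python
import io
import zipfile

# File-type signatures (magic bytes), checked regardless of the member's name.
SEVEN_ZIP = b"7z\xbc\xaf\x27\x1c"
PE_EXE = b"MZ"
OLE_MSI = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE compound file, used by MSI


def triage_zip(data: bytes) -> list[tuple[str, str]]:
    """Return (member name, finding) pairs for a downloaded or attached ZIP."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:  # encrypted member: header is unreadable
                findings.append((info.filename, "encrypted-zip-member"))
                continue
            with zf.open(info) as fh:
                head = fh.read(8)
            name = info.filename.lower()
            if head.startswith(SEVEN_ZIP):
                # Contents need separate inspection; may be password-protected.
                findings.append((info.filename, "nested-7zip"))
            elif head.startswith(PE_EXE):
                tag = "exe-named-like-pdf" if "pdf" in name else "executable"
                findings.append((info.filename, tag))
            elif head.startswith(OLE_MSI):
                findings.append((info.filename, "ole-compound-possible-msi"))
            elif name.endswith(".pdf") and not head.startswith(b"%PDF"):
                findings.append((info.filename, "pdf-extension-mismatch"))
    return findings


def build_sample() -> bytes:
    """Constructed sample: a ZIP with stub members, no real payloads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("documents.7z", SEVEN_ZIP + b"\x00" * 26)
        zf.writestr("summons.pdf.exe", PE_EXE + b"\x00" * 62)
        zf.writestr("notice.pdf", b"%PDF-1.7\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, finding in triage_zip(build_sample()):
        print(f"{finding:28} {member}")
```

In the chain as reported, the executable sits inside the password-protected 7-Zip, so a gateway running this check would see only the `nested-7zip` finding; the executable check applies once the inner archive has been extracted and repacked or scanned on the endpoint.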


Article by CyberSIXT