Russian-Aligned Hackers Target European Financial Institution in Covert Phishing Campaign
A social engineering attack signals expansion beyond Ukraine-focused operations.

Europe: Financial Sector in the Crosshairs
A Russia-aligned threat actor has targeted a European financial institution in a carefully crafted spear-phishing campaign. Researchers attribute the activity to UAC-0050, also known as the DaVinci Group. Security analysts at BlueVoyant track the cluster under the name “Mercenary Akula.”
Unlike previous campaigns that primarily focused on Ukrainian organizations, this operation targeted an entity involved in reconstruction and regional development efforts linked to Ukraine.
That shift suggests a broader strategic objective.
The Social Engineering Setup
The attackers spoofed a Ukrainian judicial domain to increase credibility. They sent a phishing email with legal-themed content to a senior legal and policy advisor responsible for procurement.
A person in this role typically has insight into financial systems, vendor relationships, and institutional processes. Compromising such an individual could therefore enable intelligence gathering or financial manipulation.
The email contained a link to an archive hosted on PixelDrain, a file-sharing platform often used to bypass traditional security filters.
A Multi-Layered Infection Chain
The attack did not rely on a simple malicious attachment. Instead, it used multiple stages to evade detection:
- A ZIP archive
- A password-protected RAR file
- A 7-Zip container
- An executable disguised as a PDF using a double extension (*.pdf.exe)
Once executed, the payload installed Remote Manipulator System (RMS), a legitimate Russian remote desktop tool.
This tactic reflects a “living-off-the-land” approach. Attackers leverage legitimate software to avoid triggering antivirus alerts.
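As an added defender-side illustration, not code from the original report or from the researchers cited, the following Python scanner walks a nested archive chain of the kind described above and flags the three things worth alerting on: a password-protected layer it cannot open, a document-looking name with an executable double extension, and PE content regardless of the file name. It assumes a hypothetical ZIP-in-ZIP sample built in memory (RAR and 7-Zip layers would need third-party libraries); the file names and bytes are constructed for the example.

```python
import io
import zipfile

# Extension pairs that hide an executable behind a document-looking name ("file.pdf.exe")
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "rtf"}

def is_double_extension_executable(name: str) -> bool:
    # True for names like "contract.pdf.exe": document extension directly before an executable one
    parts = name.rsplit("/", 1)[-1].lower().split(".")
    return len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTS and parts[-2] in DOCUMENT_EXTS

def scan_archive(data: bytes, depth: int = 0, max_depth: int = 4, prefix: str = "") -> list:
    # Recursively inspect a ZIP blob; returns (finding, path) tuples. Only ZIP nesting is
    # parsed here; RAR/7-Zip layers need extra libraries, but the same checks apply to them.
    if depth > max_depth:
        return [("nesting-too-deep", prefix)]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []
    findings = []
    for info in zf.infolist():
        path = prefix + info.filename
        if info.flag_bits & 0x1:  # password-protected entry: a layer the scanner cannot open
            findings.append(("encrypted-entry", path))
            continue
        content = zf.read(info)
        if is_double_extension_executable(info.filename):
            findings.append(("double-extension-executable", path))
        if content[:2] == b"MZ":  # PE magic: an executable no matter what the name claims
            findings.append(("pe-payload", path))
        if zipfile.is_zipfile(io.BytesIO(content)):
            findings.append(("nested-archive", path))
            findings.extend(scan_archive(content, depth + 1, max_depth, path + "!"))
    return findings

def build_sample_chain() -> bytes:
    # Constructed sample: ZIP -> ZIP -> "report.pdf.exe" holding a fake MZ header, not real malware
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("report.pdf.exe", b"MZ" + b"\x00" * 62)
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("documents.zip", inner.getvalue())
    return outer.getvalue()

if __name__ == "__main__":
    for finding, path in scan_archive(build_sample_chain()):
        print(f"{finding:28s} {path}")
```

An encrypted layer yields an "encrypted-entry" finding rather than silence, which is the point: a mail gateway that skips what it cannot open should still treat the unopenable layer itself as a signal.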
Familiar Tactics, Expanded Targets
UAC-0050 has previously used tools like LiteManager and Remcos RAT in operations targeting Ukrainian financial personnel. Ukraine's CERT has described the group as a mercenary cluster linked to Russian law enforcement interests.
However, this campaign indicates possible reconnaissance against Western European institutions that support Ukraine.
The objective may not be immediate disruption. Instead, the focus could be intelligence collection or strategic positioning.
A Broader Pattern of Russian Cyber Operations
This incident aligns with wider trends in Russian cyber activity.
According to recent assessments from CrowdStrike, Russia-nexus actors continue to prioritize intelligence collection across NATO member states.
Groups such as APT29—also known as Cozy Bear—have exploited trust relationships in phishing campaigns. They impersonate trusted NGO employees and legal professionals to gain unauthorized access to Microsoft accounts.
In many cases, attackers use compromised legitimate email accounts to strengthen the illusion of authenticity.
Why This Matters
This campaign demonstrates three key realities:
- Financial and reconstruction entities are high-value intelligence targets.
- Social engineering remains one of the most effective entry points.
- Geopolitical cyber operations increasingly extend beyond immediate conflict zones.
Organizations involved in funding, logistics, procurement, or policy advisory roles should treat spear-phishing as a strategic threat, not just an IT risk.
The battlefield may be physical in one region. However, the intelligence war is global.