UAC-0050 spear-phishing campaign targeting European financial institutions
Campaign
Summary
Hide ▲
Show ▼
The UAC-0050 spear-phishing operation targeted a European financial institution, raising concern that the actor is extending its reach beyond Ukraine into Western Europe. The attack spoofed a Ukrainian judicial domain, used PixelDrain-hosted archives, and ultimately installed Remote Manipulator System (RMS) for remote control. The targeting and payload chain suggest the group is pursuing intelligence gathering or financial theft against support-linked institutions.
Related Happenings
GREYVIBE's Kremlin-aligned role in the Russian cybercrime ecosystem
Threat Actor Meta
H score15
First: 29.05.2026 14:31
Last: 29.05.2026 14:31
Sources 1
About this happening:
A newly characterized **GREYVIBE** actor sits in a **grey zone** between **Kremlin-aligned intelligence work** and the **Russian cybercrime ecosystem**, complicating attribution f...
GREYVIBE's Kremlin-aligned role in the Russian cybercrime ecosystem
Threat Actor MetaAbout this happening: A newly characterized **GREYVIBE** actor sits in a **grey zone** between **Kremlin-aligned intelligence work** and the **Russian cybercrime ecosystem**, complicating attribution f...
GreyVibe AI-assisted cyberespionage campaign targeting Ukraine-linked organizations
Campaign
H score39
First: 29.05.2026 01:24
Last: 29.05.2026 01:24
Sources 1
About this happening:
**GreyVibe** is running an **AI-assisted cyberespionage campaign** against **Ukrainian and Ukraine-related organizations**, expanding the threat to military, government, civilian,...
GreyVibe AI-assisted cyberespionage campaign targeting Ukraine-linked organizations
CampaignAbout this happening: **GreyVibe** is running an **AI-assisted cyberespionage campaign** against **Ukrainian and Ukraine-related organizations**, expanding the threat to military, government, civilian,...
Ghostwriter Prometheus-themed phishing campaign targeting Ukraine government organizations
Campaign
H score33
First: 22.05.2026 19:20
Last: 22.05.2026 19:20
Sources 1
About this happening:
A **Ghostwriter** phishing campaign is targeting **Ukraine government organizations** with **Prometheus-themed lures**, increasing the risk of credential theft and follow-on acces...
Ghostwriter Prometheus-themed phishing campaign targeting Ukraine government organizations
CampaignAbout this happening: A **Ghostwriter** phishing campaign is targeting **Ukraine government organizations** with **Prometheus-themed lures**, increasing the risk of credential theft and follow-on acces...
Webworm expanded European government and South Africa university espionage campaign
Campaign
H score24
First: 20.05.2026 14:30
Last: 20.05.2026 14:30
Sources 1
About this happening:
Webworm expanded its **2025 espionage campaign** into **European government organizations** and a **university in South Africa**, widening the cross-region targeting risk. The ope...
Webworm expanded European government and South Africa university espionage campaign
CampaignAbout this happening: Webworm expanded its **2025 espionage campaign** into **European government organizations** and a **university in South Africa**, widening the cross-region targeting risk. The ope...
Code of conduct-themed Microsoft AiTM phishing campaign
Campaign
H score53
First: 05.05.2026 09:35
Last: 05.05.2026 09:35
Sources 1
About this happening:
A **large-scale phishing campaign** used code of conduct-themed lures and **legitimate email services** to push victims to attacker-controlled domains and steal **authentication t...
Code of conduct-themed Microsoft AiTM phishing campaign
CampaignAbout this happening: A **large-scale phishing campaign** used code of conduct-themed lures and **legitimate email services** to push victims to attacker-controlled domains and steal **authentication t...
Timeline
-
24.02.2026 16:21 2 articles · 4mo ago
UAC-0050 spear-phishes a European financial institution
Initial DisclosureUAC-0050, also tracked as DaVinci Group and Mercenary Akula, was linked to a spear-phishing campaign against a European financial institution that spoofed a Ukrainian judicial domain, used a PixelDrain-hosted archive, and deployed Remote Manipulator System (RMS) through nested archives and a *.pdf.exe lure; the activity was assessed as likely aimed at intelligence gathering or financial theft and as a possible probe of Ukraine-supporting institutions in Western Europe.
Show sources
- UAC-0050 Targets European Financial Institution With Spoofed Domain and RMS Malware — thehackernews.com — 24.02.2026 16:21
- UAC-0050 Targets European Financial Institution With Spoofed Domain and RMS Malware — thehackernews.com — 24.02.2026 16:21