UAC-0050 spear-phishing campaign targeting European financial institutions
Campaign
Summary
The UAC-0050 spear-phishing operation targeted a European financial institution, raising concern that the actor is extending its reach beyond Ukraine into Western Europe. The attack spoofed a Ukrainian judicial domain, used PixelDrain-hosted archives, and ultimately installed Remote Manipulator System (RMS) for remote control. The targeting and payload chain suggest the group is pursuing intelligence gathering or financial theft against support-linked institutions.
Related Happenings
Ghostwriter Prometheus-themed phishing campaign targeting Ukraine government organizations
Campaign
First: 22.05.2026 19:20
Last: 22.05.2026 19:20
Sources 1
About this happening:
A **Ghostwriter** phishing campaign is targeting **Ukraine government organizations** with **Prometheus-themed lures**, increasing the risk of credential theft and follow-on acces...
Webworm expanded European government and South Africa university espionage campaign
Campaign
First: 20.05.2026 14:30
Last: 20.05.2026 14:30
Sources 1
About this happening:
Webworm expanded its **2025 espionage campaign** into **European government organizations** and a **university in South Africa**, widening the cross-region targeting risk. The ope...
Code of conduct-themed Microsoft AiTM phishing campaign
Campaign
First: 05.05.2026 09:35
Last: 05.05.2026 09:35
Sources 1
About this happening:
A **large-scale phishing campaign** used code of conduct-themed lures and **legitimate email services** to push victims to attacker-controlled domains and steal **authentication t...
Tropic Trooper trojanized SumatraPDF remote-access campaign
Campaign
First: 24.04.2026 12:29
Last: 24.04.2026 12:29
Sources 1
About this happening:
**Tropic Trooper** is running an active **campaign** that uses a **trojanized SumatraPDF** lure to plant **AdaptixC2 Beacon** and later abuse **VS Code tunnels** for remote access...
Mongolian governmental institution hit by network compromise
Incident
First: 23.04.2026 12:04
Last: 23.04.2026 12:04
Sources 1
About this happening:
A **Mongolian governmental institution** was found to have **about 12 systems** infected by **GopherWhisper** backdoors, exposing a live government compromise and the potential fo...
Timeline
- 24.02.2026 16:21 · 2 articles
UAC-0050 spear-phishes a European financial institution
Initial Disclosure: UAC-0050, also tracked as DaVinci Group and Mercenary Akula, was linked to a spear-phishing campaign against a European financial institution that spoofed a Ukrainian judicial domain, used a PixelDrain-hosted archive, and deployed Remote Manipulator System (RMS) through nested archives and a *.pdf.exe lure; the activity was assessed as likely aimed at intelligence gathering or financial theft and as a possible probe of Ukraine-supporting institutions in Western Europe.
- UAC-0050 Targets European Financial Institution With Spoofed Domain and RMS Malware — thehackernews.com — 24.02.2026 16:21