UAC-0050 Targets European Financial Institution with Spoofed Domain and RMS Malware
Summary
A Russia-aligned threat actor, UAC-0050 (aka DaVinci Group, Mercenary Akula), targeted a European financial institution involved in regional development and reconstruction initiatives. The attack involved a spear-phishing email spoofing a Ukrainian judicial domain to deliver a remote access payload. The campaign used a multi-layered infection chain to deploy Remote Manipulator System (RMS) malware, marking a potential expansion of the group's targeting beyond Ukraine. The attack highlights the group's use of legitimate remote access tools to maintain stealthy, persistent access while evading traditional antivirus detection. This incident suggests UAC-0050 may be probing institutions in Western Europe that support Ukraine. Additionally, Ukraine has reported increased Russian cyber attacks focused on intelligence gathering to guide missile strikes, rather than immediate disruption. CrowdStrike's Global Threat Report indicates that Russia-nexus adversaries, including APT29, will continue aggressive operations targeting Ukrainian entities and NATO member states.
Timeline
- 24.02.2026 16:21 (1 article)
  UAC-0050 Targets European Financial Institution with Spoofed Domain and RMS Malware
  A Russia-aligned threat actor, UAC-0050, targeted a European financial institution involved in regional development and reconstruction initiatives. The attack involved a spear-phishing email spoofing a Ukrainian judicial domain to deliver a remote access payload. The campaign used a multi-layered infection chain to deploy Remote Manipulator System (RMS) malware, marking a potential expansion of the group's targeting beyond Ukraine. The attack highlights the group's use of legitimate remote access tools to maintain stealthy, persistent access while evading traditional antivirus detection. This incident suggests UAC-0050 may be probing institutions in Western Europe that support Ukraine.
  - UAC-0050 Targets European Financial Institution With Spoofed Domain and RMS Malware — thehackernews.com — 24.02.2026 16:21
Information Snippets
- UAC-0050 targeted a European financial institution involved in regional development and reconstruction initiatives.
  First reported: 24.02.2026 16:21 (1 source, 1 article)
  - UAC-0050 Targets European Financial Institution With Spoofed Domain and RMS Malware — thehackernews.com — 24.02.2026 16:21
- The attack used a spear-phishing email spoofing a Ukrainian judicial domain to deliver a remote access payload.
  First reported: 24.02.2026 16:21 (1 source, 1 article)
  - UAC-0050 Targets European Financial Institution With Spoofed Domain and RMS Malware — thehackernews.com — 24.02.2026 16:21
- The infection chain involved a ZIP file containing a RAR archive with a password-protected 7-Zip file, which included an executable masquerading as a PDF document.
  First reported: 24.02.2026 16:21 (1 source, 1 article)
  - UAC-0050 Targets European Financial Institution With Spoofed Domain and RMS Malware — thehackernews.com — 24.02.2026 16:21
- The executable deployed an MSI installer for Remote Manipulator System (RMS), a Russian remote desktop software.
  First reported: 24.02.2026 16:21 (1 source, 1 article)
  - UAC-0050 Targets European Financial Institution With Spoofed Domain and RMS Malware — thehackernews.com — 24.02.2026 16:21
- UAC-0050 is known for using legitimate remote access software like LiteManager and remote access trojans such as RemcosRAT.
  First reported: 24.02.2026 16:21 (1 source, 1 article)
  - UAC-0050 Targets European Financial Institution With Spoofed Domain and RMS Malware — thehackernews.com — 24.02.2026 16:21
- CERT-UA characterizes UAC-0050 as a mercenary group associated with Russian law enforcement agencies.
  First reported: 24.02.2026 16:21 (1 source, 1 article)
  - UAC-0050 Targets European Financial Institution With Spoofed Domain and RMS Malware — thehackernews.com — 24.02.2026 16:21
- This attack marks a potential expansion of UAC-0050's targeting beyond Ukraine to institutions in Western Europe.
  First reported: 24.02.2026 16:21 (1 source, 1 article)
  - UAC-0050 Targets European Financial Institution With Spoofed Domain and RMS Malware — thehackernews.com — 24.02.2026 16:21
- Ukraine reported increased Russian cyber attacks focused on intelligence gathering to guide missile strikes.
  First reported: 24.02.2026 16:21 (1 source, 1 article)
  - UAC-0050 Targets European Financial Institution With Spoofed Domain and RMS Malware — thehackernews.com — 24.02.2026 16:21
- CrowdStrike's Global Threat Report indicates continued aggressive operations by Russia-nexus adversaries targeting Ukrainian entities and NATO member states.
  First reported: 24.02.2026 16:21 (1 source, 1 article)
  - UAC-0050 Targets European Financial Institution With Spoofed Domain and RMS Malware — thehackernews.com — 24.02.2026 16:21
- APT29 (Cozy Bear, Midnight Blizzard) has been targeting U.S.-based NGOs and legal entities to gain unauthorized access to Microsoft accounts.
  First reported: 24.02.2026 16:21 (1 source, 1 article)
  - UAC-0050 Targets European Financial Institution With Spoofed Domain and RMS Malware — thehackernews.com — 24.02.2026 16:21
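
The nested-archive chain in the snippets above (a ZIP holding a RAR, a password-protected 7-Zip inside it, and an executable named like a PDF) can be triaged at the mail gateway by content rather than by file name. The following is an added example, not code from the source article; the function names, finding labels, size cap and the constructed sample are assumptions.

```python
import io
import zipfile

# Magic bytes for the container types named in the reported chain, plus PE.
MAGIC = {b"PK\x03\x04": "zip", b"Rar!\x1a\x07": "rar",
         b"7z\xbc\xaf\x27\x1c": "7z", b"MZ": "pe"}
DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx")
MAX_MEMBER = 20 * 1024 * 1024   # assumed policy cap: do not inflate larger members

def sniff(head):
    """Classify content by its leading bytes, ignoring the file name."""
    return next((k for m, k in MAGIC.items() if head.startswith(m)), "unknown")

def triage_zip(blob, prefix="", depth=0, max_depth=3):
    """Return (path, finding) pairs for a ZIP attachment held in memory."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            path = prefix + info.filename
            if info.flag_bits & 0x1:              # ZIP-level encryption bit
                findings.append((path, "encrypted-member"))
                continue
            if info.file_size > MAX_MEMBER:
                findings.append((path, "oversized-member"))
                continue
            data = zf.read(info)
            kind = sniff(data[:8])
            if kind in ("rar", "7z"):
                # Not unpacked here: an inner layer that may be password-protected
                findings.append((path, "nested-" + kind))
            elif kind == "zip":
                findings.append((path, "nested-zip"))
                if depth < max_depth:             # bounded recursion
                    findings += triage_zip(data, path + "/", depth + 1, max_depth)
            elif kind == "pe" and any(e in info.filename.lower() for e in DOC_EXTS):
                findings.append((path, "pe-named-as-document"))
    return findings

def build_sample():
    """Constructed sample: stub members carrying only magic headers."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("summons.pdf.exe", b"MZ" + b"\x00" * 62)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("notice.rar", b"Rar!\x1a\x07\x01\x00" + b"\x00" * 16)
        z.writestr("copy.zip", inner.getvalue())
    return outer.getvalue()
```

Any `nested-rar`, `nested-7z` or `encrypted-member` finding marks a layer that content scanning cannot see into, so a reasonable policy is to quarantine the message rather than deliver it.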