{
	"id": "a7c172c8-5a5f-4b9d-b0c7-da927be64705",
	"created_at": "2026-04-06T00:16:06.784859Z",
	"updated_at": "2026-04-10T03:31:27.585556Z",
	"deleted_at": null,
	"sha1_hash": "a0a830328ec8297c2ce5970ffe7a9b750484f936",
	"title": "Mercenary Akula Hits Ukraine-Supporting Financial Institution",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 73176,
	"plain_text": "Mercenary Akula Hits Ukraine-Supporting Financial Institution\r\nBy Patrick McHale and Joshua Green\r\nArchived: 2026-04-05 14:58:26 UTC\r\nFebruary 24, 2026 | 6 min read\r\nWhat Happened? \r\nBlueVoyant’s Security Operations Center (BVSOC) recently identified and responded to a targeted social engineering attack\r\non a European financial institution involved in regional development and reconstruction initiatives. The attack exhibits\r\nhallmarks of activity attributed to the Russia-aligned Mercenary Akula (tracked by CERT UA as UAC-0050), a financially\r\nmotivated mercenary entity also linked to cyber espionage and psychological operations. The attack spoofed a Ukrainian\r\njudicial domain to deliver an email containing a link to a remote access payload. The target was a senior legal and policy\r\nadvisor involved in procurement, a role with privileged insight into institutional operations and financial mechanisms. This\r\ntargeting highlights the adversary’s likely intent to conduct intelligence gathering or financial theft. Notably, this activity\r\nsuggests the adversary may be expanding beyond the primarily Ukraine-based targeting cited in previous OSINT reporting. \r\nOn February 9, 2026, BVSOC observed a spearphishing email sent to the targeted user. The email, with the subject “Request\r\nfrom the Chernihiv Administrative Court for Case #81435126,” originated from 4ml@chernigiv-rada[.]gov[.]ua. The email\r\ndirected the recipient to download an archive file hosted on the public file-sharing service Pixeldrain, a tactic frequently\r\nused in Mercenary Akula campaigns to bypass reputation-based security controls. In a separate sample recovered from\r\nresearch (pictured below), the email appeared to come from florin[.]musteata[@]rpgsuceava[.]ro, another spoofed sender\r\ndomain appearing to originate from an employee with Real Protection Guard (RPG) Suceava, a security and protection\r\ncompany based in Suceava, Romania. 
\r\nFigure 1\r\nThe archive, named Електронний судовий запит №837744-8-2026 від 09.02.2026 — 865.zip, employed a layered\r\nobfuscation chain. The ZIP archive contained a nested RAR which contained a password-protected 7-Zip file, with the\r\npassword conveniently provided in an accompanying Код.txt (translated: Code.txt) file. Opening the .txt file reveals the text,\r\n“З метою інформаціоного захисту вставлено код доступ:: 5847395844”, which translates loosely as “Information\r\nprotected with the established access code: 5847395844”. This multi-stage extraction process is a known evasion technique\r\ndesigned to defeat automated scanning and condition the user into normalizing suspicious activity. \r\nFigure 2\r\nThe final payload was an executable file, Електронний судовий запит №837744-8-2026 від 09.02.2026.pdf.exe,\r\nmasquerading as a PDF document through a double-extension trick. Upon execution, it deployed an MSI installer for the\r\nRemote Manipulator System (RMS), a legitimate remote administration tool developed by the Russian company TektonIT.\r\nThis aligns with consistent reporting on Mercenary Akula, which frequently abuses commercially available remote access\r\nsoftware like RMS, LiteManager, and Remote Utilities as well as remote access tools/trojans Remcos, QuasarRAT and\r\nothers. The use of such “living-off-the-land” tools provides attackers with persistent, stealthy access while often evading\r\ntraditional antivirus detection. \r\nTechnical analysis of the executables and MSI packages identified an embedded string resembling Windows Installer\r\nproperties for Remote Manipulator System (RMS), presented as a pseudo-URL referencing the vendor domain rmansys[.]ru.\r\nThis is not a live web link but rather a list of parameters likely used to preconfigure an MSI-driven installation. 
The strings\r\ninclude options such as INSTALLDIR, INTEGRATE_FIREWALL, LAUNCHPROGRAM, SHOW_SETTINGS,\r\nMONITOR_DRIVER, and ISX_SERIALNUM, indicating an intent to install a legitimate remote administration tool with\r\npredefined settings and minimal user interaction. \r\nhxxps[:]//rmansys[.]ru/IS_PREVENT_DOWNGRADE_EXITZ_DOWNGRADE_DETECTED;Z_UPGRADE_DETECTED;COMPANYNAME;INSTALL\r\nWhile the TFC did not observe direct outbound connections to RMS infrastructure, the presence of serial identifiers and long\r\nhexadecimal tokens suggests the installer is prepared for remote connectivity. This configuration baked into the installer\r\nenables rapid deployment of a remote access capability and can facilitate persistence and firewall adjustments consistent\r\nwith “silent” or unattended installation behavior. \r\nAnalysis of related indicators from the same period reveals that this specific 'court request' lure is part of a campaign\r\nemploying multiple, tailored social engineering themes, a campaign likely ongoing for years. In this latest iteration, the\r\nthreat actor simultaneously utilizes lures impersonating Ukrainian judicial bodies and, more critically, notifications related to\r\n'M.E.Doc,' a Ukrainian accounting software package historically exploited as a major attack vector in the region. The use of\r\nM.E.Doc-themed lures indicates the adversary has specific knowledge of the operational software used by target\r\norganizations and is directly targeting financial and accounting personnel. This approach aligns with Mercenary Akula's\r\nhttps://www.bluevoyant.com/blog/mercenary-akula-hits-financial-institution\r\nPage 1 of 3\n\nprimary objective of financial theft. CERT-UA has previously warned that accountants compromised via such lures can be\r\nused to initiate fraudulent bank transfers within hours of infection. 
This multi-pronged social engineering strategy\r\ndemonstrates a sophisticated and adaptable threat focused on gaining remote access to systems from which sensitive\r\nfinancial or legal information can be extracted or direct financial fraud can be executed. \r\nThis campaign is not an isolated event but a manifestation of Mercenary Akula’s mature, persistent, and highly adaptable\r\noperational model. Historical CERT-UA assessments describe the group as a mercenary entity associated with Russian law\r\nenforcement and operating with the speed and precision of access brokers. Complementary open-source analysis by\r\nBushidoToken further profiles Mercenary Akula under the ‘DaVinci Group/Agency DaVinci’ branding, noting ties to\r\nRussian law enforcement and an initial access broker-style role. In parallel, CERT-UA attributes the actor’s\r\npsychological/information operations to the ‘Fire Cells Group’ persona, which has conducted bomb‑threat campaigns\r\nagainst Ukrainian embassies and media—an assessment corroborated by Recorded Future's reporting.\r\nFigure 3\r\nThis attack reflects Mercenary Akula's well-established and repetitive attack profile, while also offering a notable\r\ndevelopment. The group’s operations consistently converge on several defining characteristics, as documented across\r\nnumerous campaigns from 2023 through 2026. First, their targeting has been primarily focused on Ukraine-based entities,\r\nespecially accountants and financial officers. However, this incident suggests potential probing of Ukraine-supporting\r\ninstitutions in Western Europe. Their psychological operations had already exhibited global reach through bomb-threat\r\ncampaigns targeting Ukrainian embassies and associated media. 
Second, their social engineering leverages a rotating portfolio\r\nof highly credible, localized lures, impersonating Ukrainian courts, the National Bank of Ukraine (NBU), the State Tax\r\nService, and business software like M.E.Doc to exploit institutional trust. Third, their technical execution relies on abusing\r\nlegitimate infrastructure and tools: they distribute multi-layered archives via public file-sharing services (Pixeldrain,\r\nqaz[.]im, qaz[.]is, qaz[.]su, Bitbucket, etc.) and deploy signed, commercial remote administration software as backdoors.\r\nFinally, their objectives are dual-purpose and rapid, blending financial theft—with funds sometimes stolen within an hour of\r\ninfection—with cyber espionage.\r\nConclusion\r\nThe attempted breach underscores Mercenary Akula's (a.k.a. UAC-0050, DaVinci Group, Fire Cells Group) status as a\r\npersistent and capable threat to organizations operating in Ukraine. It also signals a potential expansion into Ukraine-supporting institutions outside the country. By mirroring the group's long-established tactics—localized social engineering,\r\nmulti-stage payload delivery, and the deployment of signed remote administration tools—this incident is a stark reminder of\r\ntheir operational consistency and focus on high-value financial and intelligence targets. \r\nFor potential targets, especially financial and development institutions, this analysis reinforces the necessity of a defense-in-depth strategy. This should include heightened user awareness of region-specific lures, improved email filtering for complex\r\narchives, strict application control policies to block unauthorized remote access software, and enhanced financial transaction\r\nauthentication that cannot be bypassed through endpoint compromise. 
Vigilance against this predictable yet effective threat\r\nprofile is a key component of regional cybersecurity posture.\r\nMITRE ATT\u0026CK Techniques\r\nT1566.002 (Spearphishing Link)\r\nT1560.001 (Archive via Utility)\r\nT1036.007 (Double File Extension)\r\nT1219 (Remote Access Tools)\r\nT1218.011 (Rundll32)\r\nT1071.001 (Web Protocols)\r\nT1204.002 (Malicious File)\r\nT1547.001 (Registry Run Keys/Startup Folder)\r\nT1562.004 (Disable or Modify System Firewall)\r\nT1027.013 (Encrypted/Encoded File)\r\nT1102 (Web Service)\r\nT1672 (Email Spoofing)\r\nIndicators\r\npixeldrain[.]com\r\nrmansys[.]ru\r\nhxxps[:]//rmansys[.]ru/IS_PREVENT_DOWNGRADE_EXITZ_DOWNGRADE_DETECTED;Z_UPGRADE_DETECTED;COMPANYNAME;INSTAL\r\nSource: https://www.bluevoyant.com/blog/mercenary-akula-hits-financial-institution",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bluevoyant.com/blog/mercenary-akula-hits-financial-institution"
	],
	"report_names": [
		"mercenary-akula-hits-financial-institution"
	],
	"threat_actors": [
		{
			"id": "a2e59183-d83f-47aa-adf9-97925d8e6452",
			"created_at": "2023-12-08T02:00:05.762162Z",
			"updated_at": "2026-04-10T02:00:03.496538Z",
			"deleted_at": null,
			"main_name": "UAC-0050",
			"aliases": [],
			"source_name": "MISPGALAXY:UAC-0050",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434566,
	"ts_updated_at": 1775791887,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a0a830328ec8297c2ce5970ffe7a9b750484f936.pdf",
		"text": "https://archive.orkl.eu/a0a830328ec8297c2ce5970ffe7a9b750484f936.txt",
		"img": "https://archive.orkl.eu/a0a830328ec8297c2ce5970ffe7a9b750484f936.jpg"
	}
}