A Russia-aligned cyber threat group known as Mercenary Akula, also tracked as UAC-0050, DaVinci Group, and Fire Cells Group, conducted a highly targeted spear-phishing attack against a European financial institution involved in regional development and reconstruction initiatives supporting Ukraine. First observed on February 9, 2026, this Mercenary Akula campaign represents a strategic expansion of the threat actor’s operational scope beyond traditional Ukrainian targets to Western European financial services organizations.
The Mercenary Akula attack spoofed a Ukrainian judicial domain to deliver a spear-phishing email containing a link to a remote access payload hosted on PixelDrain file-sharing platform. The Mercenary Akula campaign employed a sophisticated multi-layered archive chain featuring nested compression formats (ZIP containing RAR containing password-protected 7-Zip) culminating in the deployment of Remote Manipulator System (RMS), a legitimate Russian remote administration tool developed by TektonIT.
By leveraging living-off-the-land remote administration tools, Mercenary Akula gained persistent and stealthy remote access to the victim’s Windows environment for likely intelligence gathering or financial theft operations. CERT-UA assesses UAC-0050 as a mercenary-aligned threat cluster with links to Russian law enforcement interests, conducting data collection, financial theft, and influence operations under the Fire Cells brand. This Mercenary Akula campaign specifically targeted a senior legal and policy advisor responsible for procurement with privileged visibility into internal financial processes.
Mercenary Akula Targeted Spear-Phishing Operation
On February 9, 2026, a highly targeted social engineering campaign was uncovered against a European financial institution involved in regional development and reconstruction initiatives supporting Ukraine. The operation has been attributed to Mercenary Akula, also tracked as UAC-0050, DaVinci Group, and Fire Cells Group. The Mercenary Akula attackers initiated the intrusion through a carefully crafted spear-phishing email referencing an alleged request from the Chernihiv Administrative Court.
The Mercenary Akula phishing message was sent from a spoofed Ukrainian judicial domain, specifically targeting a senior legal and policy advisor responsible for procurement—an individual with privileged visibility into internal financial processes and institutional decision-making. A related Mercenary Akula sample revealed another spoofed sender address impersonating a security company based in Suceava, Romania. The phishing email directed the recipient to download an archive hosted on PixelDrain, a public file-sharing platform that this Mercenary Akula threat actor frequently abuses to circumvent reputation-based detection mechanisms.
Multi-Layered Obfuscation and RMS Deployment
The downloaded archive was titled in Ukrainian to resemble an official electronic court request dated February 9, 2026, and was designed with a sophisticated multi-layered obfuscation chain to evade security controls. The initial ZIP archive contained a RAR file, which in turn held a password-protected 7-Zip archive. The final Mercenary Akula payload was an executable disguised as a PDF document using the common double-extension technique (*.pdf.exe).
Once executed, the Mercenary Akula malicious file launched an MSI installer deploying Remote Manipulator System (RMS), a legitimate remote administration tool developed by the Russian company TektonIT. Technical inspection of the MSI package revealed embedded Windows Installer properties referencing the RMS vendor domain rmansys[.]ru, confirming Mercenary Akula’s abuse of legitimate software. By leveraging living-off-the-land remote administration tools, the Mercenary Akula attackers gained persistent and stealthy remote access while reducing the likelihood of detection by traditional antivirus solutions.
Broader Coordinated Phishing Campaign
Indicator analysis from the same Mercenary Akula campaign timeframe shows that the judicial-themed lure was only one facet of a broader, coordinated phishing effort. The Mercenary Akula threat actor also distributed emails impersonating notifications related to M.E.Doc, a Ukrainian accounting software platform previously weaponized in regional cyber operations. This thematic pivot underscores Mercenary Akula’s familiarity with operational technologies commonly used by financial departments.
By targeting accountants and financial officers, the Mercenary Akula attackers align their tactics with the group’s established objective of rapid financial theft. This multi-pronged approach demonstrates Mercenary Akula’s sophisticated understanding of target environments and its ability to craft contextually relevant lures for different victim personas within financial institutions.
Mercenary Akula Operational Scope Expansion
This incident marks a significant shift in Mercenary Akula’s operational scope. Historically, the UAC-0050 group has focused primarily on Ukrainian organizations, particularly those in financial and accounting roles. However, the targeting of a European institution supporting Ukrainian reconstruction efforts suggests strategic expansion beyond domestic Ukrainian entities to Western European financial services organizations.
CERT-UA assesses UAC-0050 as a mercenary-aligned threat cluster with links to Russian law enforcement interests, conducting data collection, financial theft, and influence operations under the Fire Cells brand. The Mercenary Akula group consistently abuses commercially available remote administration tools such as RMS alongside remote access trojans. While their tooling remains relatively consistent, Mercenary Akula’s social engineering narratives continue to evolve, demonstrating adaptability in tailoring lures to new geographic and institutional targets across Western Europe.
Block Known Sender Domains Used in Lures
Add the spoofed sender domains chernigiv-rada[.]gov[.]ua and rpgsuceava[.]ro, which Mercenary Akula used in these lures, to email gateway blocklists. Implement SPF, DKIM, and DMARC validation to detect and quarantine spoofed emails impersonating government and institutional domains commonly exploited by Mercenary Akula campaigns.
Restrict PixelDrain and Public File-Sharing Services
Block or monitor access to PixelDrain and related file-sharing platforms (qaz[.]im, qaz[.]is, qaz[.]su, Bitbucket) at the web proxy or firewall level, particularly for users in finance, legal, and procurement roles who are primary Mercenary Akula targets.
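The two controls above (sender-domain blocking with SPF/DKIM/DMARC validation, and flagging links to abused file-sharing services) can be exercised together at the gateway. The following Python triage function is an added illustration, not BlueVoyant tooling: it checks the From domain against the two spoofed domains named in this report, treats any SPF, DKIM or DMARC result other than pass as unauthenticated, and flags links to the file-sharing hosts listed above. Both sample messages are constructed; bitbucket.org is assumed to be the domain meant by "Bitbucket", and the example-bank.test host names are placeholders.

```python
"""Mail-gateway triage for the lure pattern described above: spoofed sender
domains, failed SPF/DKIM/DMARC, and links to abused file-sharing services.
Added illustration (not BlueVoyant tooling); sample messages are constructed."""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Spoofed sender domains from the report, with defanging brackets removed.
BLOCKED_SENDER_DOMAINS = {"chernigiv-rada.gov.ua", "rpgsuceava.ro"}
# File-sharing services the report names as delivery infrastructure
# (bitbucket.org is assumed to be the domain meant by "Bitbucket").
FILE_SHARING_DOMAINS = {"pixeldrain.com", "qaz.im", "qaz.is", "qaz.su", "bitbucket.org"}

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(pass|fail|softfail|none|temperror|permerror)",
                     re.IGNORECASE)


def sender_domain(msg: Message) -> str:
    """Domain part of the RFC 5322 From address, lower-cased."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def auth_results(msg: Message) -> dict:
    """spf/dkim/dmarc verdicts parsed from the Authentication-Results headers
    stamped by the receiving MTA. A mechanism with no result counts as not passed."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for mech, verdict in AUTH_RE.findall(str(header)):
            results[mech.lower()] = verdict.lower()
    return results


def link_domains(msg: Message) -> set:
    """Host names of every http(s) URL found in the text/plain parts."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    hosts = set()
    for part in parts:
        if part.get_content_type() != "text/plain":
            continue
        payload = part.get_payload(decode=True) or b""
        text = payload.decode(part.get_content_charset() or "utf-8", "replace")
        hosts.update(h.lower() for h in URL_RE.findall(text))
    return hosts


def triage(raw_message: str) -> dict:
    """Return a quarantine/deliver verdict together with the reasons behind it."""
    msg = message_from_string(raw_message)
    domain = sender_domain(msg)
    auth = auth_results(msg)
    links = link_domains(msg)
    reasons = []
    if domain in BLOCKED_SENDER_DOMAINS:
        reasons.append(f"sender domain on blocklist: {domain}")
    not_passed = [m for m in ("spf", "dkim", "dmarc") if auth.get(m) != "pass"]
    if not_passed:
        reasons.append("authentication not passed: " + ", ".join(not_passed))
    abused = sorted(h for h in links
                    if any(h == d or h.endswith("." + d) for d in FILE_SHARING_DOMAINS))
    if abused:
        reasons.append("link to abused file-sharing service: " + ", ".join(abused))
    return {"sender_domain": domain, "auth": auth, "links": sorted(links),
            "reasons": reasons, "verdict": "quarantine" if reasons else "deliver"}


# Constructed lookalike of the judicial lure (placeholder URL path, not a real sample).
SAMPLE_LURE = """\
From: "Chernihiv Administrative Court" <court@chernigiv-rada.gov.ua>
To: advisor@example-bank.test
Subject: Electronic court request
Authentication-Results: mx.example-bank.test; spf=fail smtp.mailfrom=chernigiv-rada.gov.ua; dkim=none; dmarc=fail header.from=chernigiv-rada.gov.ua
Content-Type: text/plain; charset="utf-8"

Please download the court request: https://pixeldrain.com/u/PLACEHOLDER
"""

# Constructed internal message that should pass every check.
SAMPLE_CLEAN = """\
From: "Payroll" <payroll@example-bank.test>
To: advisor@example-bank.test
Subject: Monthly statement
Authentication-Results: mx.example-bank.test; spf=pass smtp.mailfrom=example-bank.test; dkim=pass header.d=example-bank.test; dmarc=pass header.from=example-bank.test
Content-Type: text/plain; charset="utf-8"

Your statement is on the internal portal: https://portal.example-bank.test/statements
"""

if __name__ == "__main__":
    for raw in (SAMPLE_LURE, SAMPLE_CLEAN):
        print(triage(raw))
```

The check on Authentication-Results assumes the header was added by your own MTA; strip any copy that arrived from outside before trusting it.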
Enforce Application Whitelisting for Remote Access Tools
Deploy application control policies to prevent unauthorized installation or execution of remote administration software including RMS (Remote Manipulator System), LiteManager, and Remote Utilities abused by Mercenary Akula. Alert on any MSI installer activity referencing rmansys[.]ru or TektonIT-associated binaries.
Harden Email Security Against Multi-Layered Archive Delivery
Configure email gateways and endpoint protection to scan nested archives (ZIP containing RAR containing 7-Zip) used by Mercenary Akula and flag or quarantine password-protected archives. Implement policies to block executable files with double extensions (e.g., .pdf.exe) at the email gateway and endpoint level.
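A gateway or endpoint scanner implementing the policy above has to walk every layer of the chain, report layers it cannot open, and still apply the filename checks to entries it cannot decrypt, since names are visible in the central directory even when the content is password-protected. The Python below is an added example, not BlueVoyant's or any vendor's scanner; it uses only the standard library, so the nested layers are ZIPs standing in for the report's ZIP containing RAR containing 7-Zip chain (with the rarfile and py7zr packages the same walk extends to those formats). The sample archive is constructed in memory, and because zipfile cannot write encrypted entries the innermost layer's encryption flag is patched by hand to emulate a password-protected archive.

```python
"""Recursive archive inspection for the delivery pattern described above:
archive-in-archive nesting, password-protected inner layers and double-extension
executables. Added illustration, standard library only; nested ZIPs stand in for
the ZIP -> RAR -> 7-Zip chain. The sample archive is constructed in memory."""
import io
import re
import zipfile

ARCHIVE_EXT = (".zip",)   # extend with .rar / .7z when rarfile / py7zr are available
EXECUTABLE_EXT = (".exe", ".scr", ".com", ".pif", ".msi", ".js", ".vbs", ".bat", ".cmd")
DOUBLE_EXT_RE = re.compile(r"\.(pdf|doc|docx|xls|xlsx|txt|jpg|png)\.(exe|scr|com|pif|msi)$",
                           re.IGNORECASE)
MAX_DEPTH = 5


def inspect_bytes(data: bytes, path: str = "<root>", depth: int = 0) -> list:
    """Return (severity, path, message) findings, descending into nested archives."""
    if depth > MAX_DEPTH:
        return [("block", path, "nesting deeper than %d layers" % MAX_DEPTH)]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("block", path, "declared archive is not a valid ZIP")]
    findings = []
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            inner = f"{path}/{info.filename}"
            name = info.filename.lower()
            encrypted = bool(info.flag_bits & 0x1)  # general-purpose bit 0 = encrypted entry
            # Name-based checks work even for encrypted entries: the central
            # directory exposes file names without the password.
            if DOUBLE_EXT_RE.search(name):
                findings.append(("block", inner, "double-extension executable"))
            elif name.endswith(EXECUTABLE_EXT):
                findings.append(("block", inner, "executable inside archive"))
            if encrypted:
                findings.append(("quarantine", inner,
                                 "password-protected entry (content not scannable)"))
                continue  # cannot read the content without the password
            if name.endswith(ARCHIVE_EXT):
                findings.append(("info", inner, f"nested archive at depth {depth + 1}"))
                findings.extend(inspect_bytes(zf.read(info), inner, depth + 1))
    return findings


def verdict(findings: list) -> str:
    """Most severe finding wins: block > quarantine > deliver."""
    severities = {f[0] for f in findings}
    if "block" in severities:
        return "block"
    if "quarantine" in severities:
        return "quarantine"
    return "deliver"


def _mark_encrypted(zip_bytes: bytes) -> bytes:
    """Set bit 0 (encrypted) in every local and central-directory header.
    zipfile cannot write encrypted entries, so the constructed sample patches the
    flag to emulate a password-protected archive; the entry data stays plain."""
    buf = bytearray(zip_bytes)
    for sig, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = buf.find(sig)
        while pos != -1:
            buf[pos + flag_offset] |= 0x01
            pos = buf.find(sig, pos + 4)
    return bytes(buf)


def build_sample_chain() -> bytes:
    """Constructed lookalike of the lure: outer.zip -> middle.zip -> protected.zip."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("court_request.pdf.exe", b"MZ constructed stand-in, not a real binary")
    protected = _mark_encrypted(inner.getvalue())      # stands in for the 7-Zip layer
    middle = io.BytesIO()
    with zipfile.ZipFile(middle, "w") as zf:
        zf.writestr("request_2026-02-09.protected.zip", protected)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("court_request.zip", middle.getvalue())  # stands in for the RAR layer
    return outer.getvalue()


def build_benign_sample() -> bytes:
    """Constructed single-layer archive holding only a text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("quarterly_report.txt", b"plain text, nothing executable")
    return buf.getvalue()


if __name__ == "__main__":
    for sample in (build_sample_chain(), build_benign_sample()):
        found = inspect_bytes(sample)
        print(verdict(found), found)
```

The lure sample yields two nesting findings, a block on the double-extension name and a quarantine on the unreadable inner entry; the benign archive yields no findings.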
Monitor for RMS and Related Remote Access Tool Indicators
Deploy detection rules for RMS-specific network signatures, process creation events associated with RMS binaries, and MSI installer activity. Monitor for outbound connections to known RMS command-and-control infrastructure associated with Mercenary Akula operations.
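The two detection recommendations above (alerting on MSI installer activity tied to RMS, and on RMS process creation and outbound connections) are shown below as rules over Sysmon-style process-creation (EventID 1) and network-connection (EventID 3) events. This is an added example, not a BlueVoyant or CERT-UA rule set. The events are constructed; the process names rutserv.exe and rfusclient.exe are assumed from public RMS documentation and should be confirmed against your own copy of the installer before the rule goes live, and the install path C:\Program Files\RMS is a placeholder.

```python
"""Detection rules for the RMS deployment chain described above, run over
constructed Sysmon-style events. Added illustration, not a vendor rule set.
RMS process names are assumed; verify against a real installer before use."""
import re

RMS_VENDOR_DOMAINS = ("rmansys.ru",)                   # from the report's indicators
RMS_VENDOR_TAGS = ("tektonit",)                        # version-info Company string
RMS_PROCESS_NAMES = {"rutserv.exe", "rfusclient.exe"}  # assumed RMS host/client binaries
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")
DOUBLE_EXT_RE = re.compile(r"\.(pdf|doc|docx|xls|xlsx|txt)\.(exe|scr|msi|com)$", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_process_create(ev: dict) -> list:
    """Rules for an EventID 1 record; returns (severity, rule, detail) tuples."""
    alerts = []
    image = ev.get("Image", "")
    parent = ev.get("ParentImage", "")
    cmd = ev.get("CommandLine", "").lower()
    company = ev.get("Company", "").lower()
    name = basename(image)

    if DOUBLE_EXT_RE.search(name):                     # T1036.007 lure executable
        alerts.append(("high", "double_extension_executable", image))

    if name in RMS_PROCESS_NAMES or any(tag in company for tag in RMS_VENDOR_TAGS):
        alerts.append(("high", "rms_binary_executed", image))

    if name == "msiexec.exe" and ".msi" in cmd:        # MSI installer activity
        vendor_ref = any(d in cmd for d in RMS_VENDOR_DOMAINS)
        parent_is_lure = bool(DOUBLE_EXT_RE.search(basename(parent)))
        from_user_path = any(marker in cmd for marker in USER_WRITABLE)
        if vendor_ref or parent_is_lure:
            alerts.append(("high", "msi_install_rms_or_lure_parent", cmd))
        elif from_user_path:
            alerts.append(("medium", "msi_install_from_user_path", cmd))
    return alerts


def check_network(ev: dict) -> list:
    """Rule for an EventID 3 record: outbound connection to RMS vendor infrastructure."""
    host = ev.get("DestinationHostname", "").lower()
    if any(host == d or host.endswith("." + d) for d in RMS_VENDOR_DOMAINS):
        return [("high", "rms_vendor_connection", f"{basename(ev.get('Image', ''))} -> {host}")]
    return []


def hunt(events: list) -> list:
    """Apply every rule to a batch of events and return all alerts in event order."""
    alerts = []
    for ev in events:
        if ev.get("EventID") == 1:
            alerts.extend(check_process_create(ev))
        elif ev.get("EventID") == 3:
            alerts.extend(check_network(ev))
    return alerts


# Constructed events mirroring the chain: lure .pdf.exe -> msiexec -> RMS host -> vendor callback,
# plus two benign events that must stay silent. Paths and names are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\advisor\Downloads\court_request.pdf.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Users\advisor\Downloads\court_request.pdf.exe"', "Company": ""},
    {"EventID": 1, "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Users\advisor\Downloads\court_request.pdf.exe",
     "CommandLine": r'msiexec.exe /i "C:\Users\advisor\AppData\Local\Temp\host.msi" /qn',
     "Company": "Microsoft Corporation"},
    {"EventID": 1, "Image": r"C:\Program Files\RMS\rutserv.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'"C:\Program Files\RMS\rutserv.exe"', "Company": "TektonIT"},
    {"EventID": 3, "Image": r"C:\Program Files\RMS\rutserv.exe",
     "DestinationHostname": "rmansys.ru", "DestinationPort": 443},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe",
     "Company": "Microsoft Corporation"},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationHostname": "www.example.com", "DestinationPort": 443},
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert)
```

Against the constructed batch the rules raise four high-severity alerts, one per stage of the chain, and nothing for the two benign events; the medium-severity rule covers MSI installs from user-writable paths that have no RMS or lure link yet.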
SHA256 Hashes:
f5ab8640a0ae68f25dcd0a7461266a46322f01a790fec8dafe7ec32a535e5d8e
98ba3d70d71d6264ec9cb442338c05fa368f6d0aa5e2c67a6e06356adcd6a028
42de03e314c4c9fd69cb042833e8d25950b0a842c28e9b2e18f363c843a9d283
8c675f69537341aac4857f6d6278109177829a47ee65cf90e073ecc274ba1527
d9e1a79bd2aef55b73b9d4cbc7983a77f918ea6fc344ab9c59e35bc8afaaff6f
b275f1c64aa21d0d455920f0e663ff222729b068e58e105e0952cebe6a99bf0f
4f20691c7890e20af642763d030c608a96a84182e44c902aaa89d4f1394dac0a
17248c87d1b895d23d1391caa2ea258bbcce8c6609490912b5efc226a4c1ac49
cd652cb4dcbc0c077bc4772fde6e7654be399517879201b820147abb58d2b9bd
a939d79a9908744169247b4ca65ab256290f52a3bded15f541eebb668dea48be
9b61bb9374de332fd80909f30d102043befcd569d264715b0a4d5d5a8d0762d3
b7dd90ee36e52033ae2386edb9e2d8b1ce4559b1defaf87ee57c88b41bba7f66
3d99abebdc72cd840ff42b3a5b4cf6e8e3a50616881097d0ceb058f87d2b3909
9900e3bc74c9dc9886d8e5c4395700d0b1b1533f51ac763fa157a7307c333ab6
761d4add56e0766e7e6314950d5cf4ebf759d43c75e74375c2a65f29040dd6fd
0c2e71612aa0d9c56393d8eb18d6446ad709cb40e856fcde21754d6845407055
28926919956c3e3f281f504c45dfe3419d4f37683806f76393f2a7c6d6e1abfa
f902b8a547c705d736ced5e6c6db5e9a34da09940d08be37303b34797afebdca
690ee1907bfb425a791e255eabe7351903e8a9e92089a099997afa2a8070383b
Domains: pixeldrain[.]com, rmansys[.]ru
URL: hxxps[:]//rmansys[.]ru/
Windows Installer property strings embedded in the RMS MSI package (kept verbatim; in the published indicator they were run together with the URL above): IS_PREVENT_DOWNGRADE_EXITZ_DOWNGRADE_DETECTED;Z_UPGRADE_DETECTED;COMPANYNAME;INSTALLDIR;ISFOUNDNEWERPRODUCTVERSION;ISX_SERIALNUM;SUPPORTDIR;USERNAME;integrate_firewall;IS_SQLSERVER_LIST;LAUNCHPROGRAM1;LAUNCHPROGRAM;INTEGRATE_FIREWALL1;PRINTER_INSTALL;REMOVE_SETTINGS;INTEGRATE_FIREWALL;SHOW_SETTINGS;MONITOR_DRIVERSecureCustomPropertiesALLUSERSCEBB978F0EDBD74FE9ACC7FF3E6B978FBEBB908FDEAB97CFCEBBB00FF97CE7DFC9FCB73F49ACDWUSLINKLaunchPROGRAMFILETOLAUNCHATEND{&Tahoma8}
Reconnaissance: T1589.003 – Gather Victim Identity Information: Employee Names
Initial Access: T1566.002 – Phishing: Spearphishing Link
Execution: T1204.002 – User Execution: Malicious File
Persistence: T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Defense Evasion: T1036.007 – Masquerading: Double File Extension, T1027.013 – Obfuscated Files or Information: Encrypted/Encoded File, T1218.011 – System Binary Proxy Execution: Rundll32, T1562.004 – Impair Defenses: Disable or Modify System Firewall, T1672 – Email Spoofing
Command and Control: T1219 – Remote Access Software, T1071.001 – Application Layer Protocol: Web Protocols, T1102 – Web Service
Collection: T1005 – Data from Local System, T1560.001 – Archive Collected Data: Archive via Utility
Impact: T1657 – Financial Theft
https://www.bluevoyant.com/blog/mercenary-akula-hits-financial-institution