Mercenary Akula

Mercenary Akula is the BlueVoyant designation for a Russia-aligned threat cluster attributed to UAC-0050, also known as the DaVinci Group. BlueVoyant observed the cluster conducting a social-engineering campaign against an unnamed European financial institution involved in regional development and reconstruction initiatives. The target was a senior legal and policy advisor involved in procurement, indicating likely intelligence collection and/or financial theft objectives. In the observed operation, the actor used spear-phishing with legal-themed lures and spoofed a Ukrainian judicial domain. The phishing email directed the victim to a PixelDrain-hosted archive, which initiated a multi-stage infection chain: a ZIP containing a RAR archive, which contained a password-protected 7-Zip file, which in turn contained an executable masquerading as a PDF via a double extension (*.pdf.exe). Execution resulted in deployment of an MSI installer for Remote Manipulator System (RMS), a legitimate remote desktop tool. Use of RMS aligns with prior UAC-0050 tradecraft, and the group has also previously used legitimate remote access software such as LiteManager and malware including RemcosRAT in attacks targeting Ukraine. According to CERT-UA, UAC-0050 is a mercenary group associated with Russian law enforcement agencies and operates under the “Fire Cells” branding. CERT-UA has described the group as conducting data gathering, financial theft, and information and psychological operations. BlueVoyant stated that UAC-0050 historically focused primarily on Ukraine-based entities, especially accountants and financial officers, and assessed this incident as a potential expansion toward probing Western European institutions that support Ukraine. Known aliases and related names directly mentioned in the content include UAC-0050, DaVinci Group, and Fire Cells.