UAC-0050
UAC-0050 is a threat actor primarily targeting organizations and individuals in Ukraine. Multiple sources describe it as a Russia-aligned or Russian-linked mercenary/cybercrime group; CERT-UA links it to Russian law-enforcement structures and states it has operated under the DaVinci Group and Fire Cells Group brands. BlueVoyant refers to the cluster as Mercenary Akula. CERT-UA states the group's activity includes information theft/cyber-espionage, theft of funds, and information-psychological operations.

The actor has repeatedly used phishing and social-engineering campaigns with Ukraine-themed lures, including spoofed messages from the Security Service of Ukraine, Ukrainian tax authorities, and legal/judicial themes. Reported delivery chains include encrypted or zipped PDFs containing URLs, compressed HTML attachments, password-protected archives, LNK/VBS/BAT-based chains, and links to remote payloads. Proofpoint states UAC-0050 frequently distributes encrypted PDFs with URLs leading to malware, and on 14 January 2025 observed zipped PDFs leading to installation of NetSupport using the license "XMLCTL." CERT-UA also linked the group to phishing campaigns distributing Remcos RAT and to campaigns using Remote Utilities software, later suggesting that related activity tracked as UAC-0096 should be consolidated under UAC-0050.

Tooling and payloads named in reporting include NetSupport RAT, Remcos RAT, Quasar RAT, Venom RAT, Remote Utilities, LiteManager, TEKTONITRMS, RMS (Remote Manipulator System), LummaStealer, MeduzaStealer, Xeno RAT, SectopRAT, MarsStealer, DarkTrackRAT, and suspected Lucky Volunteer. The actor has used legitimate remote administration/remote monitoring tools as well as commodity RATs and stealers to gain remote access, persistence, credential theft, and follow-on access.

CERT-UA reported that during September-October 2024 the group used REMCOS and TEKTONITRMS to maintain unauthorized access to accountants' computers and conducted at least 30 attempted thefts from Ukrainian companies and individual entrepreneurs by forging payments through remote banking systems. Reported targeting is heavily Ukraine-focused, especially accountants, financial officers, government entities, and other Ukrainian organizations.

BlueVoyant also reported a social-engineering attack attributed to UAC-0050 against an unnamed European financial institution involved in regional development and reconstruction initiatives, suggesting possible probing of Western European institutions supporting Ukraine. In that case, the actor used a legal-themed spear-phishing lure, spoofed a Ukrainian judicial domain, delivered a multi-stage archive chain via PixelDrain, and ultimately installed RMS.

Reported tradecraft includes use of compromised email accounts, spoofed sender identities, remote access software, credential theft, forged banking payments, and information operations under the Fire Cells Group brand. CERT-UA states the group conducted more than 15 campaigns in early 2024 and more than 15 cyberattacks during September-October 2024, and characterizes it as one of the most active threats against Ukraine.
Tradecraft
22 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
15 malware families attributed to this actor across reporting.
Observables
94 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
12 sources tracked across advisories, community write-ups, and news.
Russia-aligned/associated mercenary cybercrime activity conducting spear-phishing and social engineering to deploy remote access tooling for intelligence collection and/or financial theft; historically focused on Ukrainian entities (notably accountants/financial officers) with apparent expansion to Western European institutions supporting Ukraine’s reconstruction efforts.
Ukraine-focused phishing using compromised email accounts and tax-authority lures to deliver an archive that installs a remote IT/support tool for unauthorized access.
Cluster associated with phishing in Ukraine using compromised email accounts and delivery of a remote IT/support tool for unauthorized access.
Targets Ukraine using email campaigns with encrypted PDF attachments that contain URLs; those URLs typically download a compressed JavaScript file which, when executed, installs the NetSupport RAT payload. Uses encrypted PDFs to hinder content extraction while retaining a consistent PDF object structure that can be fingerprinted for clustering/attribution.
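The fingerprinting idea in the Proofpoint summary above, as an added defender-side illustration (not code from this page, Proofpoint, or Mallory): two constructed toy PDFs share an object skeleton but differ in string contents and document ID, and a fingerprint taken from object numbers, dictionary keys and name values alone still matches, while the /Encrypt entry in the trailer flags encryption. The PDF skeleton, the payload strings and the sample labels are constructed assumptions, not real samples or indicators.

```python
import hashlib
import re

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.S)
NAME_RE = re.compile(rb"/([A-Za-z0-9#]+)")
# Literal strings, hex strings and stream bodies: the parts that encryption alters.
CONTENT_RE = re.compile(
    rb"stream\r?\n.*?endstream|\((?:\\.|[^\\)])*\)|<[0-9A-Fa-f\s]*>", re.S)


def make_pdf(payload: bytes, doc_id: bytes, encrypted: bool = True) -> bytes:
    """Constructed toy PDF: fixed object skeleton around a variable string payload."""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Annots [5 0 R] >>",
        b"<< /S /JavaScript /JS " + payload + b" >>",
        b"<< /Type /Annot /Subtype /Link /A << /S /URI /URI " + payload + b" >> >>",
    ]
    trailer = b"<< /Root 1 0 R /ID [" + doc_id + b" " + doc_id + b"]"
    if encrypted:  # standard security handler dictionary, referenced from the trailer
        objs.append(b"<< /Filter /Standard /V 4 /R 4 /O " + payload + b" >>")
        trailer += b" /Encrypt 6 0 R"
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (i + 1, o) for i, o in enumerate(objs))
    return b"%PDF-1.7\n" + body + b"trailer\n" + trailer + b" >>\n%%EOF\n"


def structure_fingerprint(pdf: bytes) -> dict:
    """Hash the object skeleton: object numbers plus each object's dictionary keys
    and name-valued entries, after stripping strings and streams (the encrypted parts)."""
    encrypted = b"/Encrypt" in pdf.split(b"trailer", 1)[-1]
    shape = []
    for num, _gen, body in OBJ_RE.findall(pdf):
        names = NAME_RE.findall(CONTENT_RE.sub(b"", body))
        shape.append(num + b":" + b",".join(names))
    skeleton = b"|".join(shape)
    return {
        "encrypted": encrypted,
        "objects": len(shape),
        "skeleton": skeleton.decode("ascii"),
        "sha256": hashlib.sha256(skeleton).hexdigest(),
    }


def cluster(samples: dict) -> dict:
    """Group sample labels by skeleton hash; a shared hash suggests a shared builder."""
    groups = {}
    for label, data in samples.items():
        groups.setdefault(structure_fingerprint(data)["sha256"], []).append(label)
    return groups
```

Real samples add streams, cross-reference tables and more objects, but the same rule applies: hash what the standard security handler leaves in the clear, and leave out what it encrypts.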