A newly detected spearphishing campaign indicates that a notorious Russia-aligned threat actor is expanding its hunting grounds. According to a recent report from BlueVoyant’s Security Operations Center (BVSOC), “BVSOC recently identified and responded to a targeted social engineering attack on a European financial institution involved in regional development and reconstruction initiatives”.
The attack bears the distinct fingerprints of Mercenary Akula—a financially motivated group tracked by CERT-UA as UAC-0050 and also known as the DaVinci Group or Fire Cells Group. The group has historically focused on targets within Ukraine, so this latest incident signals a dangerous shift. The report notes that “this activity suggests the adversary may be expanding beyond the primarily Ukraine-based targeting cited in previous OSINT reporting”.
The campaign began on February 9, 2026, when BVSOC detected a highly tailored spearphishing email sent to a senior legal and policy advisor involved in procurement. This specific targeting implies the adversary’s objective was to gain privileged insight into the institution’s operations, likely for intelligence gathering or outright financial theft.
The threat actors used a spoofed sender address on a Ukrainian judicial domain (4ml@chernigiv-rada[.]gov[.]ua) with a subject line claiming to be a “Request from the Chernihiv Administrative Court”. To bypass reputation-based security controls, the email directed the victim to download an archive hosted on Pixeldrain, a public file-sharing service.
The downloaded ZIP archive contained a nested RAR file, which in turn held a password-protected 7-Zip file. The attackers helpfully provided the password in an accompanying text file named “Код.txt”. As BlueVoyant points out, “This multi-stage extraction process is a known evasion technique designed to defeat automated scanning and condition the user into normalizing suspicious activity”.
Once the victim successfully navigated the archives, the final payload was deployed. The file was an executable masquerading as a PDF document using a double-extension trick (Електронний судовий запит №837744-8-2026 від 09.02.2026.pdf.exe).
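Detection logic for the traits described above (archive-in-archive nesting, a small password note beside a protected archive, and a document-style name that really ends in an executable extension), as an added example that is not BlueVoyant's or the report's code. It uses only the Python standard library, so it opens ZIP layers and reports RAR and 7-Zip layers as unparsed; the sample archive it builds is a constructed stand-in for the reported chain, not the real attachment.

```python
import io
import zipfile

# Added example, not BlueVoyant's code: flags the archive-nesting, password-note and
# double-extension traits described above. Only ZIP layers are opened (stdlib); RAR/7z
# layers are reported as unparsed and would need rarfile/py7zr to descend further.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "msi"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}
ARCHIVE_EXTS = {"zip", "rar", "7z"}
PASSWORD_NOTE_HINTS = ("код", "пароль", "password", "pass")  # "Код.txt" matches "код"

def ext_chain(name):
    # 'a.pdf.exe' -> ['pdf', 'exe']; lower-cased so case tricks do not matter
    return name.rsplit("/", 1)[-1].lower().split(".")[1:]

def is_double_extension_lure(name):
    chain = ext_chain(name)
    return len(chain) >= 2 and chain[-1] in EXECUTABLE_EXTS and chain[-2] in DOCUMENT_EXTS

def scan_archive(data, depth=0, max_depth=4):
    """Recursively inspect a ZIP blob; returns (finding, member_name, depth) tuples."""
    if depth > max_depth or not zipfile.is_zipfile(io.BytesIO(data)):
        return [("not_a_zip_or_too_deep", "", depth)]  # depth bound guards against nesting bombs
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = [m for m in zf.infolist() if not m.is_dir()]
        lasts = {m.filename: (ext_chain(m.filename) or [""])[-1] for m in members}
        has_archive = any(e in ARCHIVE_EXTS for e in lasts.values())
        for m in members:
            name, last = m.filename, lasts[m.filename]
            if is_double_extension_lure(name):
                findings.append(("double_extension_executable", name, depth))
            if has_archive and last == "txt" and m.file_size < 256 \
                    and any(h in name.lower() for h in PASSWORD_NOTE_HINTS):
                findings.append(("password_note_beside_archive", name, depth))
            if last == "zip":
                findings.append(("nested_archive", name, depth))
                findings.extend(scan_archive(zf.read(m), depth + 1, max_depth))
            elif last in ARCHIVE_EXTS:
                findings.append(("nested_archive_unparsed", name, depth))
    return findings

def build_sample():
    # Constructed stand-in for the reported chain: ZIP -> archive -> {password note, archive}
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("Код.txt", "constructed password note")
        z.writestr("request.7z", b"constructed stub, not a real 7-Zip file")
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("request.zip", inner.getvalue())  # stands in for the RAR layer
    return outer.getvalue()
```

A mail gateway would run `scan_archive` over each attachment and quarantine on `nested_archive` combined with `password_note_beside_archive`, and on any `double_extension_executable` regardless of depth.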
Upon execution, the malware stealthily deployed an MSI installer for the Remote Manipulator System (RMS). RMS is a legitimate remote administration tool created by the Russian company TektonIT. By utilizing commercially available software, Mercenary Akula employs a “living-off-the-land” strategy that provides attackers with persistent, stealthy access while often evading traditional antivirus detection. The installer was preconfigured with system-level settings designed to manipulate firewall settings and run silently in the background.
Organizations are urged to heighten user awareness of region-specific lures, tighten email filtering for complex archives, and implement strict application control policies to block unauthorized remote access tools from taking root.