BlueVoyant’s Security Operations Center (BVSOC) has spotted a targeted social engineering attack against a European financial institution engaged in regional development and reconstruction initiatives. The activity has been attributed to the Russia-aligned threat group known as Mercenary Akula, tracked by CERT-UA as UAC-0050.
Mercenary Akula is thought to be a financially motivated mercenary entity with links to cyber espionage and psychological operations. While previous open-source reporting has largely associated the group’s activity with Ukraine-based targets, this latest incident suggests the group is expanding its scope of targets to European financial institutions.
The attack targeted a senior legal and policy advisor involved in procurement, an individual with privileged insight into institutional operations and financial mechanisms.
Researchers observed a spearphishing email spoofed to appear as though it originated from the City Council of Chernihiv, Ukraine. The message directed the recipient to download an archive hosted on Pixeldrain, a public file-sharing platform frequently abused in Mercenary Akula campaigns to bypass reputation-based security controls.
In a sample recovered during investigation, the sender address spoofed an employee of Real Protection Guard (RPG) Suceava, a Romanian security firm.
The malicious download chain employed multiple layers of obfuscation. The initial ZIP archive contained a nested RAR file, which in turn held a password-protected 7-Zip archive, with the password provided in an accompanying file. The final payload was an executable disguised as a PDF through a double-extension technique. When executed, it deployed an MSI installer for the legitimate remote administration tool Remote Manipulator System (RMS).
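A gateway or triage script can flag the two traits of this delivery chain that remain visible without detonating anything: containers nested inside containers and a decoy-document extension followed by an executable one. The Python sketch below is an added example, not code from BlueVoyant's report; the extension lists, the size cap, the finding names and the constructed sample are assumptions, and because the standard library cannot unpack RAR or 7-Zip, those layers are identified by magic bytes only.

```python
import io
import zipfile

# Well-known container signatures; the extension sets are assumptions to tune locally.
ARCHIVE_MAGIC = {b"PK\x03\x04": "zip", b"Rar!\x1a\x07": "rar", b"7z\xbc\xaf\x27\x1c": "7z"}
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "txt"}
EXEC_EXTS = {"exe", "scr", "com", "pif", "msi", "bat", "cmd", "js", "vbs", "lnk"}
MAX_BYTES = 50 * 1024 * 1024  # cap on bytes read per entry (guards against zip bombs)

def archive_type(data):
    """Identify a container by magic bytes, ignoring whatever the file is named."""
    return next((kind for magic, kind in ARCHIVE_MAGIC.items() if data.startswith(magic)), None)

def is_double_extension(name):
    """True when a decoy document extension is followed by an executable one."""
    parts = [p.strip() for p in name.lower().rsplit("/", 1)[-1].split(".")]
    return len(parts) >= 3 and parts[-1] in EXEC_EXTS and parts[-2] in DECOY_EXTS

def triage_zip(data, depth=1, max_depth=5):
    """Return (finding, depth, entry name) tuples for a ZIP held in memory."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if is_double_extension(info.filename):
                findings.append(("double_extension", depth, info.filename))
            if info.flag_bits & 0x1:  # encrypted entry: content cannot be inspected
                findings.append(("encrypted_entry", depth, info.filename))
                continue
            with zf.open(info) as fh:
                body = fh.read(MAX_BYTES)
            kind = archive_type(body)
            if kind:
                findings.append(("nested_" + kind, depth, info.filename))
            if kind == "zip" and info.file_size <= MAX_BYTES and depth < max_depth:
                findings += triage_zip(body, depth + 1, max_depth)
    return findings

def build_sample():
    """Constructed sample: ZIP -> ZIP -> RAR-signature stub plus a double-extension name."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("stage.rar", b"Rar!\x1a\x07\x00" + b"\x00" * 16)  # signature only
        zf.writestr("request.pdf.exe", b"MZ" + b"\x00" * 16)  # inert placeholder bytes
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("stage.zip", inner.getvalue())
    return outer.getvalue()
```

Calling `triage_zip(build_sample())` reports the nested ZIP at depth 1 and the RAR signature and double-extension name at depth 2; a nested container carrying the PK signature but an invalid structure raises `zipfile.BadZipFile`, which the caller should treat as a finding in its own right.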
Mercenary Akula was previously observed taking a “living-off-the-land” approach, leveraging commercially available remote access software such as LiteManager and Remote Utilities, as well as remote access trojans like Remcos and QuasarRAT.
Further analysis indicates the “court request” theme is part of a broader, long-running campaign employing multiple tailored social engineering lures. In parallel with judicial impersonation, the actor has deployed phishing messages referencing M.E.Doc, a Ukrainian accounting software platform that was previously targeted in June 2017 by the NotPetya ransomware attack. In that attack, hackers compromised M.E.Doc’s update server and inserted a malicious backdoor into a legitimate software update, leading to multiple infections. Authorities attributed the attack to six officers of Russia’s GRU military intelligence agency, linked to the Sandworm group.
“This attack reflects Mercenary Akula's well established and repetitive attack profile, while also offering a notable development. The group’s operations consistently converge on several defining characteristics, as documented across numerous campaigns from 2023 through 2026,” BlueVoyant’s report notes. “First, their targeting has been primarily focused on Ukraine-based entities, especially accountants and financial officers. However, this incident suggests potential probing of Ukraine-supporting institutions in Western Europe. Their psychological operations had already exhibited global reach through bomb-threat campaigns targeting Ukraine embassies and associated media.”