UAC-0050

UAC-0050 is a Ukraine-focused threat actor tracked by CERT-UA and others. The group is also referred to as DaVinci Group; BlueVoyant uses the cluster name Mercenary Akula. CERT-UA describes UAC-0050 as a mercenary group associated with Russian law-enforcement structures/agencies and reports that it has conducted cyber-espionage, theft of funds, and information-psychological operations under the Fire Cells Group brand. CERT-UA also reported that the group announced cessation of activity under the DaVinci Group brand shortly before Russia’s 2022 invasion. Targeting has primarily focused on organizations in Ukraine, including accountants, financial officers, enterprises, individual entrepreneurs, government entities, energy-sector organizations, and other Ukrainian organizations. Reporting also describes phishing against multiple organizations in Ukraine, including campaigns masquerading as Ukrainian tax authorities and the Security Service of Ukraine. BlueVoyant reported a social-engineering operation against an unnamed European financial institution involved in regional development and reconstruction initiatives, assessing this may indicate probing of Western European institutions that support Ukraine. Observed tradecraft centers on phishing and social engineering with legal, tax, court, and payment-document lures, often using archives, encrypted or zipped PDFs, LNK/VBS/BAT chains, and URLs leading to staged payload delivery. The actor has repeatedly used legitimate remote access and remote monitoring tools as payloads, including NetSupport RAT, Remote Utilities, Remote Manipulator System (RMS), LiteManager, REMCOS/Remcos RAT, TEKTONITRMS, and other RATs and stealers cited by CERT-UA such as QUASAR RAT, VENOM RAT, LUMMASTEALER, MEDUZASTEALER, XENORAT, SECTOPRAT, MARSSTEALER, and DARKTRACKRAT. Proofpoint observed UAC-0050 delivering zipped PDFs with URLs that ultimately installed NetSupport using the license name XMLCTL, and noted similar JavaScript-based delivery mechanisms and overlapping NetSupport configuration with ZPHP, while explicitly stating this overlap does not prove they are the same actor. CERT-UA also linked behavior from a Remcos RAT phishing campaign and a February attack using Remote Utilities, and suggested tracking UAC-0050 and UAC-0096 under a single identifier, UAC-0050, based on behavioral similarities. CERT-UA reported that during September-October 2024 UAC-0050 used unauthorized access to accountants’ computers and remote administration tools to conduct at least 30 attempted thefts from Ukrainian companies and individual entrepreneurs by forging payments through remote banking systems, with stolen funds often converted to cryptocurrency. CERT-UA further assessed UAC-0050 as the most active threat in Q1 2024, with at least 15 campaigns recorded by 22 February 2024.