{
  "name": "Mercenary Akula Hits Ukraine-Supporting Financial...",
  "slug": "mercenary-akula-hits-ukraine-supporting-financial",
  "description": "A European financial institution involved in regional development and reconstruction initiatives was targeted by a social engineering attack attributed to the Russia-aligned Mercenary Akula. The attack used a spoofed Ukrainian judicial domain to deliver an email containing a link to a remote access payload. The target was a senior legal and policy advisor involved in procurement. The attack employed a multi-stage extraction process and deployed the Remote Manipulator System, a legitimate remote administration tool. This incident suggests the adversary may be expanding beyond primarily Ukraine-based targeting, potentially probing Ukraine-supporting institutions in Western Europe. The attack aligns with Mercenary Akula's established tactics, including localized social engineering, multi-stage payload delivery, and the use of signed remote administration tools.",
  "published": "2026-02-25T10:35:21+00:00",
  "created_at": "2026-02-25T10:35:21+00:00",
  "modified_at": "2026-02-25T10:55:48+00:00",
  "created_at_opencti": "2026-02-25T10:35:21+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-02-25",
    "cyber espionage",
    "davinci group",
    "financial theft",
    "fire cells group",
    "quasarrat",
    "remcos",
    "remote access",
    "remote manipulator system",
    "social engineering",
    "spearphishing",
    "uac-0050"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "42de03e314c4c9fd69cb042833e8d25950b0a842c28e9b2e18f363c843a9d283"
      },
      {
        "id": "",
        "name": "4f20691c7890e20af642763d030c608a96a84182e44c902aaa89d4f1394dac0a"
      },
      {
        "id": "",
        "name": "f5ab8640a0ae68f25dcd0a7461266a46322f01a790fec8dafe7ec32a535e5d8e"
      },
      {
        "id": "",
        "name": "690ee1907bfb425a791e255eabe7351903e8a9e92089a099997afa2a8070383b"
      },
      {
        "id": "",
        "name": "d9e1a79bd2aef55b73b9d4cbc7983a77f918ea6fc344ab9c59e35bc8afaaff6f"
      },
      {
        "id": "",
        "name": "761d4add56e0766e7e6314950d5cf4ebf759d43c75e74375c2a65f29040dd6fd"
      },
      {
        "id": "",
        "name": "cd652cb4dcbc0c077bc4772fde6e7654be399517879201b820147abb58d2b9bd"
      },
      {
        "id": "",
        "name": "9b61bb9374de332fd80909f30d102043befcd569d264715b0a4d5d5a8d0762d3"
      },
      {
        "id": "",
        "name": "3d99abebdc72cd840ff42b3a5b4cf6e8e3a50616881097d0ceb058f87d2b3909"
      },
      {
        "id": "",
        "name": "28926919956c3e3f281f504c45dfe3419d4f37683806f76393f2a7c6d6e1abfa"
      }
    ],
    "malware": [
      {
        "id": "7c540925-36a7-4fc2-aaf2-5f18e92870af",
        "name": "QuasarRAT",
        "slug": "quasarrat"
      },
      {
        "id": "f631e78c-a9f6-41e4-a7c2-8e1eaa3c1013",
        "name": "Remote Manipulator System",
        "slug": "remote-manipulator-system"
      },
      {
        "id": "29d292f7-f50d-4c23-900d-035ab7488290",
        "name": "Remcos",
        "slug": "remcos"
      }
    ],
    "intrusion_sets": [
      {
        "id": "53002151-37a1-45ad-b3e6-94abfeb72357",
        "name": "Mercenary Akula",
        "slug": "mercenary-akula"
      }
    ],
    "attack_patterns": [
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "196f2a64-c55b-47a6-8e38-beb76ba700b6",
        "name": "T1204.002"
      },
      {
        "id": "81b422de-709e-43bd-b471-2befac0c623a",
        "name": "T1218.011"
      },
      {
        "id": "1584b551-72fb-4f60-ba7a-bdac106e6f9b",
        "name": "T1560.001"
      },
      {
        "id": "c12e0e03-aab0-4646-a929-e921a3d27f02",
        "name": "T1219"
      },
      {
        "id": "5999052b-e9ae-49e8-9235-d9bf975c22af",
        "name": "T1547.001"
      },
      {
        "id": "52b92395-d3d3-4e05-976a-0fccccfce8d2",
        "name": "T1566.002"
      },
      {
        "id": "870bd958-53a3-4d25-9f23-00aa8bd6674d",
        "name": "T1102"
      },
      {
        "id": "7e5fbc10-b908-4ce8-8ba8-9fd70790c6ae",
        "name": "T1562.004"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Romania"
      },
      {
        "id": "",
        "name": "Ukraine"
      },
      {
        "id": "",
        "name": "Finance"
      },
      {
        "id": "",
        "name": "Government"
      }
    ]
  },
  "external_refs": [
    "https://www.bluevoyant.com/blog/mercenary-akula-hits-financial-institution",
    "https://otx.alienvault.com/pulse/699ede794dd30674f7d583d5"
  ]
}