Threat actors target email addresses, as they provide a way to access personal and confidential information.
Emails often hold valuable data such as financials, login credentials, and personal messages.
The attackers could start different kinds of cyber-attacks and propagate malware via compromised email addresses.
Cybersecurity researcher Will (@BushidoToken) recently discovered that threat actors from UAC-0050 (aka DaVinci Group) have been actively targeting and hacking thousands of email addresses to malspam campaigns.
CERT-UA reported on 22 Feb 2024 linking UAC-0050 to “The DaVinci Group,” a Russian-speaking mercenary org tied to Russian law enforcement.
UAC-0050 has been targeting Ukrainian organizations since the 2022 Russian invasion.
Besides this, it’s been attributed to 15 malspam campaigns, acting as initial access brokers for threat groups like Sandworm and Fancy Bear.
Malware analysis can be fast and simple. Just let us show you the way to:
They deliver five malware families purchased with Bitcoin from underground cybercriminals, including Remcos RAT and Quasar RAT.
CERT-UA shared artifacts like file paths and domains tied to UAC-0050 on various occasions by providing insight into their activities.
The DaVinci Group has been actively launching malspam attacks against Ukrainian targets since at least 2017.
They have targeted government ministries, local authorities, the military, and civilians with tens of thousands of harvested email addresses.
Using tactics like posing as judicial authorities or security services, they distribute malicious attachments like Remcos RAT or RemoteUtilities RMM tools to deceive victims.
Their evolving strategies show a concerning level of sophistication and persistence in their cyber operations.
CERT-UA’s artifacts and DaVinci’s website mix-up became crucial pivots. The mistake exposed DaVinci operators’ details openly, unraveling their activities effortlessly.
8161[.]uk serves as The DaVinci Group’s primary hub, showcasing their services collection. Not only that, but they also boast access to 150,000 Moscow CCTV cameras.
Since August 25, 2018, the DaVinci Project site has links to domains like davincigroup[.]online.
It connects to social media profiles, including laughable Instagram with bare Russian models showcasing laptops.
DaVinci on Instagram showcased explicit ads and glimpses of hacking and surveillance work.
The clients contact us via Telegram, with multiple business-related accounts listed on their website’s Contact Us page.
Here below, we have mentioned all the services offered:-
CERT-UA reports suggest DaVinci Group mercenaries may aid Russia in targeting Ukraine. Investigating their online presence shows capabilities but a lack of operational security.
DaVinci Group is a low-tier mercenary threat group blurring the lines between cybercrime and the Russian government.
With Perimeter81 malware protection, you can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits. All are incredibly harmful and can wreak havoc on your network.
Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.
Researchers observed Lumma Stealer activity across multiple online samples, including PowerShell scripts and a disguised…
Palo Alto Networks reported the Contagious Interview campaign in November 2023, a financially motivated attack…
The recent discovery of the NjRat 2.3D Professional Edition on GitHub has raised alarms in…
A critical vulnerability, CVE-2024-3393, has been identified in the DNS Security feature of Palo Alto…
Threat Analysts have reported alarming findings about the "Araneida Scanner," a malicious tool allegedly based…
A major dark web operation dedicated to circumventing KYC (Know Your Customer) procedures, which involves…