UAC-0050 Spearphishing Campaign: State Tax Service lure delivers LiteManager Pro RAT

Executive Summary

On May 25, 2026, Ukrainian organizations received a mass spearphishing campaign impersonating the State Tax Service of Ukraine. The emails threatened account freezes over an alleged tax debt unless the recipient acted immediately, and were designed to get the recipient to download a file hosted on the legitimate cloud storage service BackBlaze.

The payload was LiteManager Pro v5.0, a legitimate commercial remote access tool (RAT), pre-configured by the attackers to beacon to operator-controlled servers and thereby give them full remote access to compromised systems.

Digital Security Lab Ukraine investigated this campaign and attributes it, with moderate confidence, to UAC-0050 (also known as DaVinci Group and Mercenary Akula). CERT-UA, which has tracked this group over an extended period, assesses its activities to encompass information theft (cyber espionage), financial theft, and information-psychological operations conducted under the Fire Cells Group brand.

The delivery method and tooling are consistent with this actor’s documented patterns; CERT-UA published a report on a similar campaign in 2024. However, the C2 configuration contains unusually explicit actor labels – including “DaVinci Group” and “UAC-0050” – which is atypical for a professional operation and raises the possibility of a false-flag campaign. Our attribution therefore rests on the tradecraft, not on the labels.

Attack Chain

The attack moves through six stages from email to active remote access.

Stage 1: Phishing email

The email samples we examined were sent from one of two addresses: gu.dpc[@]medocc[.]com[.]ua or support[@]medocc[.]com[.]ua. The sending domain medocc[.]com[.]ua was registered on March 16, 2026, 70 days before the campaign launch. It typosquats medoc[.]com[.]ua, the legitimate domain of M.E.Doc, accounting software in wide use in Ukraine. M.E.Doc has repeatedly been targeted by attackers; most notably, the 2017 NotPetya wiper was distributed through a trojanized M.E.Doc update.

The email subject, “Tax Demand – ORGANIZATION NAME”, is personalized per recipient.

The email body is written in Ukrainian and pulls logos from the official State Tax Service and M.E.Doc websites. It claims an outstanding tax debt of 9,871 UAH (approx. 222 USD) with a two-day deadline. A button labeled “Download” links to a BackBlaze URL hosting the payload.

Stage 2: BackBlaze delivery

Clicking the link downloads “Архів податкової вимоги.277116.rar” (“Tax demand archive”) from an adversary-controlled BackBlaze bucket (nbuotp2). BackBlaze is a legitimate cloud backup and storage service; hosting the payload there avoids domain-reputation blocks and makes the link look harmless to both recipients and URL filters.

Stage 3: Nested archive with the password bundled alongside it

The outer RAR is not itself encrypted and contains two files:
“Пароль та інструкція до архіву.txt” (“Password and instructions for the archive.txt”) – a plain-text file containing the password to the inner archive.
“Захищені файли податкової вимоги.rar” (“Protected files of the tax demand.rar”) – a password-protected inner archive.

Shipping the password next to the archive it unlocks may seem counterproductive, but the goal is to defeat automated scanning, not to keep the recipient out: a human reads the text file and types the password, whereas a mail gateway or AV engine cannot decrypt the inner archive and therefore never sees the executable it holds.

Stage 4: Decoy documents and dropper

The inner password-protected archive contains three files:
“Контакти Державної податкової служби України.txt” (“Contacts of the State Tax Service of Ukraine.txt”) – decoy State Tax Service contact details
“Про затвердження Порядку направл…від 30.06.2017 № 610.pdf” (“On approval of the Procedure for sending … of 30.06.2017 No. 610.pdf”) – decoy document
“Податкова вимога форми «Ю».exe” (“Tax demand, form ‘Yu’.exe”) – the malicious dropper

The PDF is a genuine 2017 Ukrainian government regulatory document. The attacker did not fabricate it; they fetched the public online version and printed it to PDF. Both decoys exist only to make the archive look like a legitimate tax bundle.

Stage 5: SFX dropper

“Податкова вимога форми «Ю».exe” is a WinRAR self-extracting archive (SFX). When run, it extracts “1.msi” to %TEMP% and launches it through msiexec with the “/qn” switch (quiet mode, no user interface).

Stage 6: Silent MSI install

1.msi (SHA-256 35d080f1d2dd35a22e0aa1d83479b1fb42fa73edbca8b969bb72a6cfae4a0694) is a pre-configured LiteManager Pro v5.0 Server installer. It installs LiteManager as a Windows service that starts automatically and connects outbound to the operator’s C2 infrastructure. The victim sees nothing.

Across the samples we examined, the archives and the SFX dropper had a different hash in every sample (note the three hashes for the .exe in the IOC list); only 1.msi was identical throughout. Per-sample variation of the outer layers frustrates static hash-based detection of the delivery chain, which makes the constant MSI hash the one reliable static indicator.

Malware Analysis

LiteManager Pro is a legitimate commercial remote administration tool developed by LiteManagerTeam, a Russian company. Enterprises use it for remote IT support. The software is signed with a valid code-signing certificate and is not flagged as malicious by most antivirus products. Attackers abuse it because it provides full remote control while rarely triggering detection.

The installed build is pre-configured for covert operation. Once it is running, the operator has full remote access: desktop viewing and control, file transfer, remote command execution, keystroke capture via HookDrv.dll, and screen recording.

The MSI also adds a Windows Firewall exception for LiteManager automatically, so the victim sees neither a UAC prompt nor a firewall alert. Note that registering a service, writing under %ProgramFiles% and adding a firewall rule all require administrative rights; on a standard (non-administrator) user account this stage does not complete, which is one concrete reason for the least-privilege recommendation below.

C2 Configuration

The MSI embeds 239 pre-configured callback hostnames. This is not a list of 239 live C2 servers: most entries are decoys, noise, or references to legitimate Ukrainian services (my.diia.gov.ua, a-bank.com.ua, opendatabot.ua and others) that appear as labeled targets rather than attacker infrastructure. Blocking the whole list would cause collateral damage; treat it as a lead, not a blocklist.

We assess that the real C2 infrastructure is identified by the operator labels attached to entries in the configuration. The two primary named domains are darkmoney[.]ag (labeled “stealer”) and 8161[.]uk (labeled “rezerv” and “My Local SRV Davinci Group”). Several IP subnets carry labels that reference “DaVinci Group” and “UAC-0050” directly.

The software connects over TCP port 5651 (native LiteManager protocol) and falls back to TCP 443 and 80 so that its traffic passes egress filtering that only allows web ports. Port-based blocking alone is therefore insufficient and should be paired with the host-based indicators listed at the end of this report.

Defensive Measures

• Build awareness – it’s your strongest and cheapest defense.
Regularly inform employees and partners about phishing techniques used in attacks like this one. Sustained awareness is the most effective preventive measure, as it builds a healthy, well-founded suspicion toward unexpected messages requesting urgent action.

• Make it easy to ask for help.
Establish a clear, easy-to-use process for employees to submit suspicious messages, files, or unusual system activity for review – the easier it is to ask, the less likely people are to ignore warning signs. Digital Security Lab Ukraine (DSLU) provides this verification service: forward suspicious emails directly to [email protected].

• Treat any password-protected archive as a red flag.
A password-protected archive arriving by email, especially when the password is provided in the same message or in a companion file, should be treated as suspicious by default, since this pattern is a deliberate attempt to bypass automated scanning. Legitimate organizations rarely deliver documents this way, and a government agency will not send an executable.

• Block password-protected archives and high-risk file types at the email gateway.
If your organization uses a centrally managed email platform such as Google Workspace or Microsoft 365, configure it to quarantine or reject inbound and outbound password-protected archives, as well as executable and other high-risk file types. This single control removes a large share of delivery mechanisms before a file ever reaches an employee’s inbox.
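Stage 3 above and this gateway control rest on the same observation: whether an archive is password-protected can be read from its headers without extracting anything, so a gateway can flag the pattern before any decryption is attempted. The following Python is an added example written for this article, not DSLU tooling or a feature of any mail platform. It checks the ZIP central-directory encryption bit, the RAR4 MHD_PASSWORD/LHD_PASSWORD flags and the RAR5 archive-encryption header or per-file encryption record, recurses into ZIP members so a protected inner archive inside a plain outer one (the Stage 3 layout) is still caught, and builds its own sample archives inline. The RAR samples are hand-assembled minimal headers, not real captures; reading RAR members would need an external unrar library, which is why only ZIPs are recursed here.

```python
"""Header-only check for password-protected archives (added example; not DSLU tooling).
ZIP: central-directory general-purpose bit 0. RAR4: MHD_PASSWORD on the main header
or LHD_PASSWORD on a file header. RAR5: archive encryption header (type 4) or a
file-encryption extra record (type 1) inside a file header. Samples are constructed
inline; the RAR blobs are hand-assembled minimal headers, not real captures."""
import io
import struct
import zipfile

RAR4_SIG = b"Rar!\x1a\x07\x00"
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"


def _vint(buf, pos):
    """RAR5 variable-length integer: little-endian 7-bit groups, high bit = more."""
    value, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos


def zip_is_encrypted(data: bytes) -> bool:
    eocd = data.rfind(b"PK\x05\x06")
    if eocd < 0:
        return False
    pos = struct.unpack_from("<I", data, eocd + 16)[0]   # central directory offset
    while data[pos:pos + 4] == b"PK\x01\x02":
        if struct.unpack_from("<H", data, pos + 8)[0] & 0x0001:
            return True
        nlen, elen, clen = struct.unpack_from("<HHH", data, pos + 28)
        pos += 46 + nlen + elen + clen
    return False


def rar4_is_encrypted(data: bytes) -> bool:
    pos = len(RAR4_SIG)
    while pos + 7 <= len(data):
        _crc, htype, flags, hsize = struct.unpack_from("<HBHH", data, pos)
        if htype == 0x73 and flags & 0x0080:   # main header: MHD_PASSWORD (headers encrypted)
            return True
        if htype == 0x74 and flags & 0x0004:   # file header: LHD_PASSWORD
            return True
        if htype == 0x7B or hsize < 7:         # end-of-archive block, or corrupt size
            break
        add = struct.unpack_from("<I", data, pos + 7)[0] if flags & 0x8000 else 0
        pos += hsize + add                     # skip header plus packed data, if any
    return False


def rar5_is_encrypted(data: bytes) -> bool:
    pos = len(RAR5_SIG)
    while pos + 7 <= len(data):
        hsize, p = _vint(data, pos + 4)        # skip the 4-byte header CRC32
        hend = p + hsize
        htype, p = _vint(data, p)
        hflags, p = _vint(data, p)
        extra_size = data_size = 0
        if hflags & 0x0001:
            extra_size, p = _vint(data, p)
        if hflags & 0x0002:
            data_size, p = _vint(data, p)
        if htype == 4:                         # archive encryption header: everything after is opaque
            return True
        if htype == 2 and extra_size:          # file header: its extra area is the tail of the header
            p = hend - extra_size
            while p < hend:
                rsize, p = _vint(data, p)      # record size counts the type field and data
                rtype, _ = _vint(data, p)
                if rtype == 1:                 # file encryption record
                    return True
                p += rsize
        if htype == 5 or hend <= pos:
            break
        pos = hend + data_size
    return False


def archive_is_password_protected(data: bytes, depth: int = 0) -> bool:
    """Verdict for one blob; readable ZIPs are recursed up to three levels deep."""
    if data.startswith(RAR5_SIG):
        return rar5_is_encrypted(data)
    if data.startswith(RAR4_SIG):
        return rar4_is_encrypted(data)
    if data.startswith(b"PK\x03\x04"):
        if zip_is_encrypted(data):
            return True
        if depth < 3:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return any(archive_is_password_protected(zf.read(n), depth + 1) for n in zf.namelist())
    return False


def build_samples() -> dict:
    """Constructed inputs: plain ZIP, the same ZIP with its encryption bit set, a plain
    ZIP wrapping that one (Stage 3 layout), a RAR4 main header with MHD_PASSWORD, and a
    RAR5 file header carrying a file-encryption extra record."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.txt", "harmless")
    plain = buf.getvalue()
    enc = bytearray(plain)
    enc[plain.find(b"PK\x01\x02") + 8] |= 0x01             # flip bit 0 of the CD entry flags
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("password.txt", "password: ...")
        zf.writestr("protected.zip", bytes(enc))
    rar4 = RAR4_SIG + struct.pack("<HBHH", 0, 0x73, 0x0080, 13) + b"\x00" * 6
    extra = bytes([9, 1]) + b"\x00" * 8                     # record: size 9 = type(1) + 8 data bytes
    body = bytes([2, 0x03, len(extra), 0, 0, 0, 0, 0, 0, 1]) + b"a" + extra
    rar5 = RAR5_SIG + b"\x00" * 4 + bytes([len(body)]) + body
    return {"plain_zip": plain, "enc_zip": bytes(enc), "nested_zip": outer.getvalue(),
            "rar4": rar4, "rar5": rar5}


if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(f"{name:11s} password-protected={archive_is_password_protected(blob)}")
```

Run as a script it prints a verdict per constructed sample. The check is deliberately cheap (no extraction, no CRC verification), which is what makes it viable on a gateway; a gateway should apply it to every member it can open, since the campaign's protected archive sat one level down inside an unprotected one.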

• Enable file extension display and train employees to recognize spoofed file types.
Configure all endpoints to always display full file extensions, and regularly train staff to verify the actual extension of any file before opening it. Attackers routinely use double extensions (e.g., document.pdf.exe) and forged file icons to disguise malicious executables as harmless documents; the icon can be spoofed, but the extension cannot be hidden if the system is configured correctly. In this campaign the dropper simply carried a document-like name with an .exe extension, which a visible extension exposes immediately.

• For organizations with larger capacity: monitor, restrict, and detect.
Organizations with sufficient technical capacity should monitor network traffic for connections to known remote-access-tool ports (for LiteManager, TCP 5651) and to the C2 indicators listed below, block LiteManager’s default port at the perimeter, deploy endpoint detection capable of identifying unauthorized remote access tools by their binaries, install path, service and registry footprint rather than by hash, and enforce the principle of least privilege, restricting user and system permissions to the minimum required for work; in this chain that alone blocks the Stage 6 service install.
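For the monitoring bullet, Stages 5 and 6 together with the C2 ports and the IOC list give enough to write host-based detections that do not depend on file hashes (which Stage 6 notes vary per sample). The following Python is an added example, not DSLU’s or any vendor’s tooling: it runs a few rules over constructed Sysmon-style events. Field names follow Sysmon’s process-create, network-connect and registry-set events; the host name, user name, and the benign SCCM and browser events are made up for the demo; the AUTHORIZED_LM_HOSTS allowlist is an assumed stand-in for whatever your inventory says LiteManager is sanctioned on; the binary names, install path, registry key, port and C2 values are taken from this report.

```python
"""Behavioral detections for the SFX -> silent MSI -> LiteManager chain and its C2
traffic, run over constructed Sysmon-style events. Added example, not DSLU tooling.
Indicator values come from the report; sample events and the allowlist are made up."""
import re
from dataclasses import dataclass

# From the report: LiteManager binaries, install-path fragment, registry key, port, C2.
LM_BINARIES = {"romserver.exe", "romfusclient.exe", "romviewer.exe"}
LM_PATH_FRAGMENT = "litemanager pro"
LM_REGISTRY = r"hklm\system\litemanager"
LM_PORTS = {5651}
C2_IPS = {"45.80.229.94"}
C2_DOMAINS = {"darkmoney.ag", "8161.uk", "windowsupd.to"}

# Assumption for the example: hosts where IT has sanctioned LiteManager.
AUTHORIZED_LM_HOSTS = {"it-helpdesk-01"}

USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(downloads|desktop|appdata\\local\\temp)\\", re.I)
TEMP_MSI = re.compile(r"\\appdata\\local\\temp\\[^\s\"]+\.msi", re.I)
QUIET = re.compile(r"(^|\s)/(qn|quiet|qb)(\s|$)", re.I)


@dataclass
class Alert:
    rule: str
    host: str
    detail: str


def check_process(ev: dict) -> list[Alert]:
    """Sysmon EventID 1: process creation."""
    alerts = []
    image = ev.get("Image", "").lower()
    parent = ev.get("ParentImage", "").lower()
    cmd = ev.get("CommandLine", "")
    host = ev.get("Computer", "?")
    exe = image.rsplit("\\", 1)[-1]
    # Rule 1 (Stage 5/6): msiexec silently installing an MSI from %TEMP%, spawned by
    # a parent living in a user-writable directory. Hash-independent.
    if exe == "msiexec.exe" and TEMP_MSI.search(cmd) and QUIET.search(cmd) and USER_WRITABLE.search(parent):
        alerts.append(Alert("sfx_silent_msi_from_temp", host, cmd))
    # Rule 2: LiteManager server binaries on a host where the tool is not sanctioned.
    if (exe in LM_BINARIES or LM_PATH_FRAGMENT in image) and host.lower() not in AUTHORIZED_LM_HOSTS:
        alerts.append(Alert("unauthorized_litemanager_process", host, image))
    return alerts


def check_network(ev: dict) -> list[Alert]:
    """Sysmon EventID 3: network connection."""
    alerts = []
    host = ev.get("Computer", "?")
    port = int(ev.get("DestinationPort", 0))
    ip = ev.get("DestinationIp", "")
    dest = ev.get("DestinationHostname", "").lower()
    if port in LM_PORTS:                                   # native LiteManager port
        alerts.append(Alert("litemanager_port_egress", host, f"{ip}:{port}"))
    if ip in C2_IPS or dest in C2_DOMAINS:                 # report IOCs; actor can rotate these
        alerts.append(Alert("known_c2_contact", host, f"{ev.get('Image', '')} -> {dest or ip}:{port}"))
    return alerts


def check_registry(ev: dict) -> list[Alert]:
    """Sysmon EventID 13: registry value set."""
    if ev.get("TargetObject", "").lower().startswith(LM_REGISTRY):
        return [Alert("litemanager_registry_write", ev.get("Computer", "?"), ev.get("TargetObject", ""))]
    return []


DISPATCH = {1: check_process, 3: check_network, 13: check_registry}


def evaluate(events: list[dict]) -> list[Alert]:
    """Route each event to the check for its EventID and collect the alerts."""
    alerts = []
    for ev in events:
        alerts.extend(DISPATCH.get(ev.get("EventID"), lambda e: [])(ev))
    return alerts


# Constructed sample events (not real telemetry): the reported chain on a finance
# workstation, plus a benign SCCM-driven install and a benign browser connection.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "fin-ws-07", "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Users\olena\Downloads\Податкова вимога форми «Ю».exe",
     "CommandLine": r'msiexec.exe /i "C:\Users\olena\AppData\Local\Temp\1.msi" /qn'},
    {"EventID": 1, "Computer": "fin-ws-07", "Image": r"C:\Program Files\LiteManager Pro - Server\ROMServer.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "CommandLine": "ROMServer.exe"},
    {"EventID": 13, "Computer": "fin-ws-07", "TargetObject": r"HKLM\SYSTEM\LiteManager\v3.4\Server\Parameters"},
    {"EventID": 3, "Computer": "fin-ws-07", "Image": r"C:\Program Files\LiteManager Pro - Server\ROMServer.exe",
     "DestinationIp": "45.80.229.94", "DestinationPort": 5651, "DestinationHostname": ""},
    {"EventID": 1, "Computer": "fin-ws-07", "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\CCM\CcmExec.exe",
     "CommandLine": r'msiexec.exe /i "C:\Windows\ccmcache\a1\7zip.msi" /qn'},
    {"EventID": 3, "Computer": "fin-ws-07", "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "93.184.216.34", "DestinationPort": 443, "DestinationHostname": "example.com"},
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.host}: {a.detail}")
```

Rule 1 keys on behaviour (a silent MSI install from %TEMP% whose parent sits in a user-writable directory) rather than on the MSI’s hash, so it survives re-packing and is the one worth tuning first; the SCCM event shows why the parent-path condition is needed. Rule 2 is only as good as the allowlist, because LiteManager is legitimate software wherever IT actually uses it. The known-C2 rule is the only one that depends on this report’s indicators, which the actor can rotate at will.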

IOCs:

Files (SHA-256):
Податкова вимога форми «Ю».exe  47bc57ce529d9ff38cdc704bc9f63f329811e7c017c8cb6918b45b9e7b6a071b
Податкова вимога форми «Ю».exe  0bdb513608170031d25170f5ab37e0d1e8b0809b777aa3e1e60e1f7a7b99ef6f
Податкова вимога форми «Ю».exe  0e8f20a9404885707a8153e4690e97cbf1eb9407404b00fb864df21c13550b98
1.msi  35d080f1d2dd35a22e0aa1d83479b1fb42fa73edbca8b969bb72a6cfae4a0694
ROMServer.exe  70186f0710d1402371ce2e6194b03d8a153443cea5ddb9fc57e7433cce96ae02
ROMViewer.exe
ROMFUSClient.exe  33d1a34fec88ce59beb756f5a274ff451caf171a755aae12b047e678929e8023

File paths:
%ProgramFiles%\LiteManager Pro – Server\ROMServer.exe
%ProgramFiles%\LiteManager Pro – Server\ROMFUSClient.exe
%ProgramFiles%\LiteManager Pro – Server\HookDrv.dll

Registry entry:
HKLM\SYSTEM\LiteManager\v3.4\Server\Parameters

Suggested C2:
darkmoney[.]ag
8161[.]uk
windowsupd[.]to
45.80.229[.]94