
From Stealing Browsers to Stealing Secrets: GIFTEDCROOK Malware’s Alarming Evolution


GIFTEDCROOK Malware

The threat actor behind the GIFTEDCROOK malware has made significant updates, turning the malicious program from a basic browser data stealer into a potent intelligence-gathering tool.

In recent campaigns from June 2025, GIFTEDCROOK clearly demonstrates its enhanced ability to exfiltrate a broad range of sensitive documents from the devices of targeted individuals. These files include potentially proprietary documents and browser secrets, according to a report Arctic Wolf Labs published this week.

Moreover, this shift in functionality—when combined with the content of its phishing lures—strongly suggests a strategic focus on intelligence gathering from Ukrainian governmental and military entities.

How it works

The Computer Emergency Response Team of Ukraine (CERT-UA) first documented GIFTEDCROOK in early April 2025 during a campaign that specifically targeted military entities, law enforcement agencies, and local self-government bodies.

CERT-UA attributed the activity to a hacking group it tracks as UAC-0226. This group uses phishing emails that carry macro-laced Microsoft Excel documents, which serve as the conduit for deploying GIFTEDCROOK.

At its core, this information stealer targets cookies, browsing history, and authentication data from popular web browsers, including Google Chrome, Microsoft Edge, and Mozilla Firefox.

Arctic Wolf’s analysis of related artifacts confirms that the stealer began as a demo in February 2025. Shortly thereafter, it gained new features through versions 1.2 and 1.3.

Newest Versions

These upgraded versions now harvest documents and files smaller than 7MB, specifically scanning for items created or modified within the last 45 days. The malware searches for files with the following extensions: .doc, .docx, .rtf, .pptx, .ppt, .csv, .xls, .xlsx, .jpeg, .jpg, .png, .pdf, .odt, .ods, .rar, .zip, .eml, .txt, .sqlite, and .ovpn.

To execute its campaigns, the group leverages military-themed PDF lures that trick users into clicking a Mega cloud storage link. That link hosts a macro-enabled Excel workbook (“Список оповіщених військовозобов’язаних організації 609528.xlsm”), which triggers the download of GIFTEDCROOK once the recipient enables macros. Many users fail to recognize how often phishing attacks use macro-enabled Excel files. These files often slip past defenses because users expect to receive spreadsheets—especially those that appear official or government-related.

Once the malware captures the data, it bundles the information into a ZIP archive and exfiltrates it to an attacker-controlled Telegram channel. If the archive exceeds 20MB, the malware splits it into smaller parts. Breaking the data into chunks helps GIFTEDCROOK evade detection and size-based network filters. In the final stage, it runs a batch script to erase all traces of the stealer from the compromised host.
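As an added example (not code from the article, Arctic Wolf or CERT-UA), the following defender-side hunting heuristic runs over constructed file-read telemetry and flags any process that reads a burst of files fitting the collection criteria described above (under 7 MB, modified within 45 days, one of the targeted extensions). The process names, paths, record layout and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Collection criteria as reported for GIFTEDCROOK versions 1.2 and 1.3.
TARGET_EXTS = {".doc", ".docx", ".rtf", ".pptx", ".ppt", ".csv", ".xls", ".xlsx",
               ".jpeg", ".jpg", ".png", ".pdf", ".odt", ".ods", ".rar", ".zip",
               ".eml", ".txt", ".sqlite", ".ovpn"}
MAX_SIZE = 7 * 1024 * 1024      # files smaller than 7 MB
RECENT = timedelta(days=45)     # created or modified within the last 45 days

def matches_collection_criteria(path, size, mtime, now):
    """True if a file falls inside the stealer's documented selection window."""
    ext = PureWindowsPath(path).suffix.lower()
    return ext in TARGET_EXTS and size < MAX_SIZE and now - mtime <= RECENT

def find_harvesting_processes(events, now, window=timedelta(seconds=60),
                              min_files=8, min_exts=3):
    """Return {(pid, image): burst_size} for processes reading >= min_files targeted files of >= min_exts types within `window`."""
    per_proc = defaultdict(list)
    for e in events:
        if matches_collection_criteria(e["path"], e["size"], e["mtime"], now):
            per_proc[(e["pid"], e["image"])].append(e)
    hits = {}
    for key, evs in per_proc.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):           # sliding time window over read events
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            burst = evs[start:end + 1]
            exts = {PureWindowsPath(e["path"]).suffix.lower() for e in burst}
            if len(burst) >= min_files and len(exts) >= min_exts:
                hits[key] = max(hits.get(key, 0), len(burst))
    return hits

# Constructed telemetry (hypothetical process names and paths, not real logs).
NOW = datetime(2025, 6, 20, 12, 0, 0)
def _ev(sec, pid, image, path, size, age_days):
    return {"ts": NOW + timedelta(seconds=sec), "pid": pid, "image": image,
            "path": path, "size": size, "mtime": NOW - timedelta(days=age_days)}
SAMPLE_EVENTS = [_ev(i, 4242, "stealer_sample.exe", f"C:\\Users\\u\\Documents\\f{i}{x}",
                     200_000, 3) for i, x in enumerate([".docx", ".pdf", ".xlsx", ".ovpn",
                     ".eml", ".txt", ".zip", ".png", ".csv", ".sqlite"])]
SAMPLE_EVENTS += [
    _ev(5, 1001, "winword.exe", "C:\\Users\\u\\Documents\\memo.docx", 50_000, 1),
    _ev(6, 1001, "winword.exe", "C:\\Users\\u\\Documents\\old.docx", 50_000, 400),
    _ev(7, 4242, "stealer_sample.exe", "C:\\Users\\u\\big.iso", 9_000_000, 1),  # not targeted
]
```

Running `find_harvesting_processes(SAMPLE_EVENTS, NOW)` flags only the constructed stealer process; the word processor touching two documents, one of them older than 45 days, stays below the threshold.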

This campaign does more than steal passwords or track online behavior—it advances targeted cyber espionage. The malware’s new ability to sift through recent files and collect documents such as PDFs, spreadsheets, and even VPN configurations reveals a broader objective: harvesting intelligence. For public sector employees or anyone managing sensitive internal reports, this type of document stealer presents a significant risk—not only to individuals but to the networks they access.

Conclusion

Arctic Wolf also noted that the timing of these campaigns aligns closely with geopolitical events, particularly the recent negotiations between Ukraine and Russia in Istanbul.

In conclusion, the progression from simple credential theft in GIFTEDCROOK version 1 to comprehensive document and data exfiltration in versions 1.2 and 1.3 reflects coordinated development efforts. The malware’s evolving capabilities have clearly followed geopolitical objectives aimed at enhancing data collection from compromised systems in Ukraine.

Source: TheHackerNews
