Infostealer-turned-Battlefield Weapon
- Javier Conejo del Cerro
- 1 day ago
- 3 min read

What began as a lightweight browser data stealer has transformed into a highly targeted cyberespionage tool. First identified by CERT-UA in April 2025, GIFTEDCROOK was originally deployed in phishing campaigns aimed at Ukraine’s military, law enforcement, and local authorities. Early versions harvested browser cookies, history, and login data. But recent campaigns, observed in June 2025 and analyzed by Arctic Wolf Labs, reveal a decisive evolution: the malware has expanded its capabilities to extract a broad spectrum of sensitive documents—suggesting not just technical enhancement, but a fundamental shift in mission.
These developments coincide with sensitive geopolitical negotiations and rising tensions in Eastern Europe. The use of military-themed phishing lures, such as PDFs and Excel spreadsheets disguised as official mobilization notices, highlights a strategic aim: not merely to disrupt or steal credentials, but to infiltrate institutions and exfiltrate intelligence from within. GIFTEDCROOK, in its latest iterations (v1.2 and v1.3), is no longer just malware. It is a targeted instrument of state-level cyberespionage, built to harvest confidential reports, strategic documentation, and internal communications across government and defense networks.
From Bookmarks to Battlefield Secrets
This is not a broad phishing campaign targeting the general public. The victims were carefully selected for their roles inside the Ukrainian state apparatus. These include individuals in military units, law enforcement agencies, regional governments, and public sector institutions. The common denominator is access—victims hold positions that grant them visibility into internal workflows, restricted documentation, and organizational decision-making.
By compromising these specific user profiles, the threat actor (tracked as UAC-0226) gains access to files that go far beyond browser data: internal situation reports, spreadsheets related to logistics or personnel, sensitive PDFs, and even VPN configurations or exported emails. In aggregate, this data provides visibility into how key agencies communicate, how operations are planned, and which tools are in use—giving adversaries a tactical advantage in shaping or countering Ukrainian actions at the administrative, military, and strategic level.
Black Ops
The attack chain follows a refined delivery strategy. Victims receive spear-phishing emails laced with urgency and formality. The messages link to a Mega-hosted Excel file named “Список оповіщених військовозобов’язаних організації 609528.xlsm”—purportedly a conscription list. When the user enables macros, the GIFTEDCROOK malware is silently dropped and executed on the system.
Once deployed, the stealer begins a two-pronged exfiltration process. First, it targets browser-stored credentials, cookies, and session history across Chrome, Edge, and Firefox. Second, it scans the system for any file under 7 MB that has been created or modified within the past 45 days. Targeted extensions include: .doc, .docx, .xls, .xlsx, .pdf, .jpeg, .zip, .eml, .ovpn, and many others. These files—often operational reports or communication logs—are collected, compressed into a ZIP archive, and exfiltrated to a Telegram channel under the attacker’s control. If the archive exceeds 20 MB, it is split into chunks to avoid detection by DLP systems. A final batch script wipes all evidence of the malware from the host system, making forensic analysis difficult.
The level of stealth, combined with the specificity of the file types and timeframes targeted, reinforces the conclusion that GIFTEDCROOK is no longer a general-purpose stealer—it is an intelligence-gathering implant tuned for tactical extraction.
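As an added example (not code from the original post or from the Arctic Wolf analysis), the script below reproduces the document-selection filter described above so a defender can audit what a single compromised workstation would hand over. It assumes the nine extensions named in the post stand in for the stealer's longer list, checks modification time only, and runs over a constructed temporary directory rather than real files.

```python
import os
import time
import tempfile
from pathlib import Path

# Selection criteria reported for GIFTEDCROOK v1.2/v1.3: under 7 MB, created or
# modified in the last 45 days, one of the targeted extensions. Only the
# extensions named in the post are listed here; the real set is longer.
TARGET_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".pdf",
                     ".jpeg", ".zip", ".eml", ".ovpn"}
MAX_SIZE_BYTES = 7 * 1024 * 1024
MAX_AGE_DAYS = 45

def files_at_risk(root, now=None):
    """Return sorted POSIX-style relative paths under `root` that the filter
    would select. Age is judged on mtime only (an assumption of this audit)."""
    now = time.time() if now is None else now
    cutoff = now - MAX_AGE_DAYS * 86400
    matches = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in TARGET_EXTENSIONS:
            continue
        st = path.stat()
        if st.st_size < MAX_SIZE_BYTES and st.st_mtime >= cutoff:
            matches.append(path.relative_to(root).as_posix())
    return sorted(matches)

def build_sample_tree():
    """Construct a throwaway tree mixing files that do and do not match."""
    root = tempfile.mkdtemp(prefix="giftedcrook_audit_")
    now = time.time()
    samples = [  # (relative path, size in bytes, age in days)
        ("sitrep.docx", 2_000, 3),           # recent, small, targeted -> at risk
        ("sub/client.ovpn", 500, 10),        # nested VPN profile      -> at risk
        ("sub/mail.eml", 1_200, 44),         # just inside the window  -> at risk
        ("old_notes.pdf", 3_000, 60),        # older than 45 days      -> excluded
        ("backup.zip", 8 * 1024 * 1024, 1),  # over the 7 MB limit     -> excluded
        ("photo.png", 900, 1),               # extension not targeted  -> excluded
    ]
    for rel, size, age_days in samples:
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        with open(p, "wb") as f:
            f.truncate(size)  # sparse file: sets st_size without writing data
        mtime = now - age_days * 86400
        os.utime(p, (mtime, mtime))
    return root

if __name__ == "__main__":
    print("\n".join(files_at_risk(build_sample_tree())))
```

Run against a real user profile instead of the sample tree, the same function gives a quick estimate of the exposure window the 45-day filter creates.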
GIFTEDCROOK’s Surrender
To defend against these campaigns, organizations should implement layered security policies focused on both prevention and detection:
Disable macros by default in Microsoft Office files, especially those from untrusted sources.
Restrict access to cloud storage and messaging services like Mega and Telegram on enterprise and government networks.
Monitor file creation and modification logs to detect anomalies involving recent documents.
Flag and investigate the creation of ZIP files sent in small chunks, which may signal covert exfiltration.
Enforce secure, monitored, and access-controlled channels for all internal document sharing.