The risk actor behind the GIFTEDCROOK malware has made important updates to show the trojan horse from a fundamental browser knowledge stealer to a potent intelligence-gathering instrument.
“Current campaigns in June 2025 reveal GIFTEDCROOK’s enhanced capability to exfiltrate a broad vary of delicate paperwork from the gadgets of focused people, together with doubtlessly proprietary recordsdata and browser secrets and techniques,” Arctic Wolf Labs stated in a report printed this week.
“This shift in performance, mixed with the content material of its phishing lures, […] suggests a strategic deal with intelligence gathering from Ukrainian governmental and army entities.”
GIFTEDCROOK was first documented by the Laptop Emergency Response Group of Ukraine (CERT-UA) in early April 2025 in reference to a marketing campaign concentrating on army entities, regulation enforcement companies, and native self-government our bodies.
The exercise, attributed to a hacking group it tracks as UAC-0226, entails the usage of phishing emails containing macro-laced Microsoft Excel paperwork that act as a conduit to deploy GIFTEDCROOK.
An data stealer at its core, the malware is designed to steal cookies, shopping historical past, and authentication knowledge from common net browsers equivalent to Google Chrome, Microsoft Edge, and Mozilla Firefox.
Arctic Wolf’s evaluation of the artifacts has revealed that the stealer began off as a demo in February 2025, earlier than gaining new options with variations 1.2 and 1.3.
These new iterations embody the flexibility to reap paperwork and recordsdata under 7 MB in dimension, particularly in search of recordsdata created or modified throughout the final 45 days. The malware particularly searches for the next extensions: .doc, .docx, .rtf, .pptx, .ppt, .csv, .xls, .xlsx, .jpeg, .jpg, .png, .pdf, .odt, .ods, .rar, .zip, .eml, .txt, .sqlite, and .ovpn.
The e-mail campaigns leverage military-themed PDF lures to entice customers into clicking on a Mega cloud storage hyperlink that hosts a macro-enabled Excel workbook (“Список оповіщених військовозобов’язаних організації 609528.xlsm”), inflicting GIFTEDCROOK to be downloaded when the recipient activates macros. Many customers do not realize how frequent macro-enabled Excel recordsdata are in phishing assaults. They slip previous defenses as a result of individuals typically count on spreadsheets in work emails—particularly ones that look official or government-related.
The captured data is bundled right into a ZIP archive and exfiltrated to an attacker-controlled Telegram channel. If the overall archive dimension exceeds 20 MB, it’s damaged down into a number of elements. By sending stolen ZIP archives in small chunks, GIFTEDCROOK avoids detection and skips round conventional community filters. Within the remaining stage, a batch script is executed to erase traces of the stealer from the compromised host.
This is not nearly stealing passwords or monitoring on-line conduct—it is focused cyber espionage. The malware’s new capability to sift by way of latest recordsdata and seize paperwork like PDFs, spreadsheets, and even VPN configs factors to an even bigger aim: gathering intelligence. For anybody working in public sector roles or dealing with delicate inner reviews, this sort of doc stealer poses an actual danger—not simply to the person, however to the whole community they’re linked to.
“The timing of the campaigns mentioned on this report demonstrates clear alignment with geopolitical occasions, notably the latest negotiations between Ukraine and Russia in Istanbul,” Arctic Wolf stated.
“The development from easy credential theft in GIFTEDCROOK model 1, to complete doc and knowledge exfiltration in variations 1.2 and 1.3, displays coordinated improvement efforts the place malware capabilities adopted geopolitical goals to boost knowledge assortment from compromised programs in Ukraine.”
