Threat Actors Transform GIFTEDCROOK Stealer into an Intelligence-Gathering Tool
The Arctic Wolf Labs team has uncovered a dramatic transformation in the capabilities of the GIFTEDCROOK infostealer, wielded by the threat group UAC-0226.
Initially identified as a rudimentary browser data stealer in early 2025, this malware has undergone rapid evolution through versions 1.2 and 1.3, morphing into a sophisticated intelligence-gathering tool by June 2025.
This progression reflects a deliberate strategy to target sensitive data from Ukrainian governmental and military entities, aligning with critical geopolitical events such as the Ukraine peace negotiations in Istanbul.
Evolution of a Cyber-Espionage Weapon
The malware’s enhanced ability to exfiltrate a wide array of proprietary documents and browser secrets underscores a shift toward comprehensive data collection, likely aimed at supporting covert intelligence objectives during periods of diplomatic and military significance.
Delving into the technical intricacies, GIFTEDCROOK’s initial version (v1) focused solely on extracting browser credentials, with data exfiltration facilitated through openly visible Telegram bot channels.
By version 1.2, which appeared around the Istanbul peace talks of June 2, 2025, the malware had expanded to target specific file types by extension, encrypting its strings with a custom XOR routine and compressing stolen data into encrypted zip archives before transmission.
Version 1.3 further refined this approach, integrating capabilities to steal both browser secrets and files modified within the last 45 days, up from 15 days in v1.2, while increasing the file size limit for exfiltration to 7 MB.
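As an added example (not code from the article or from Arctic Wolf Labs), the following Python sketches how a defender might hunt for the collection-and-exfiltration chain described above: a sweep of documents modified within the 45-day window, staging into a zip archive, and an upload through the Telegram Bot API sendDocument endpoint. The telemetry format, the extension list and the bot tokens are constructed assumptions.

```python
import re
import ntpath
from collections import defaultdict
from datetime import datetime

# Constructed sample endpoint telemetry (not real data); the bot tokens are fake.
# One event per line: timestamp, process id, operation and key=value details.
TELEMETRY = """\
2025-06-10T09:00:01Z pid=4120 op=read path=C:\\Users\\u\\Documents\\order.docx mtime=2025-05-28
2025-06-10T09:00:02Z pid=4120 op=read path=C:\\Users\\u\\Desktop\\fines.xlsx mtime=2025-06-01
2025-06-10T09:00:03Z pid=4120 op=read path=C:\\Users\\u\\Downloads\\client.ovpn mtime=2025-05-02
2025-06-10T09:00:04Z pid=4120 op=read path=C:\\Users\\u\\Documents\\old.pdf mtime=2024-11-15
2025-06-10T09:00:09Z pid=4120 op=write path=C:\\ProgramData\\tmp\\bundle.zip
2025-06-10T09:00:10Z pid=4120 op=net dst=api.telegram.org uri=/bot000000:FAKETOKEN/sendDocument
2025-06-10T09:05:00Z pid=7788 op=read path=C:\\Users\\u\\Documents\\notes.docx mtime=2025-06-09
2025-06-10T09:05:01Z pid=7788 op=net dst=api.telegram.org uri=/bot111111:FAKETOKEN/getUpdates
"""

# Assumed extension list, modelled on the document and VPN-config theft the article describes.
TARGET_EXT = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".ovpn", ".txt"}
RECENT_DAYS = 45   # v1.3 collection window reported in the article (15 days in v1.2)
EXFIL_RE = re.compile(r"^/bot[^/]+/sendDocument$")  # Telegram Bot API document upload

def parse(line):
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split(" "))
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields

def detect(telemetry, min_docs=2):
    """Return pids that show all three stages of the described chain:
    a sweep of recently modified documents, zip staging, Telegram upload."""
    stages = defaultdict(lambda: {"recent_docs": 0, "archive": False, "exfil": False})
    for line in telemetry.strip().splitlines():
        ev = parse(line)
        st = stages[ev["pid"]]
        if ev["op"] == "read":
            ext = ntpath.splitext(ev["path"])[1].lower()
            age = (ev["ts"] - datetime.strptime(ev["mtime"], "%Y-%m-%d")).days
            if ext in TARGET_EXT and 0 <= age <= RECENT_DAYS:
                st["recent_docs"] += 1
        elif ev["op"] == "write" and ev["path"].lower().endswith(".zip"):
            st["archive"] = True
        elif ev["op"] == "net" and ev["dst"] == "api.telegram.org":
            st["exfil"] |= bool(EXFIL_RE.match(ev["uri"]))
    return sorted(p for p, s in stages.items()
                  if s["recent_docs"] >= min_docs and s["archive"] and s["exfil"])
```

Process 7788 is not flagged: it reads one recent document and talks to the Telegram API, but never stages an archive or calls sendDocument, which keeps ordinary bot traffic out of the alert.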
Strategic Deployment
The attack vector primarily relies on spear-phishing emails with military-themed PDF lures, often spoofing locations in Western Ukraine like Uzhhorod, and concealing true targets behind decoy recipients such as authorities in Bakhmut.

These campaigns lean on social-engineering themes of military mobilization and administrative fines to create urgency, tricking victims into enabling macros in malicious OLE documents that ultimately deploy the malware payload.
A notable overlap in email infrastructure with other campaigns, including those deploying NetSupport RAT, suggests a coordinated, multi-pronged effort by various threat groups targeting Ukraine, focusing on persistence and stealthy data theft.
The strategic timing of these attacks, coinciding with Ukraine’s extended martial law and intensified recruitment efforts, amplifies their impact.
GIFTEDCROOK’s ability to harvest OpenVPN configurations and administrative documents provides threat actors with critical network access credentials and organizational intelligence, paving the way for future operations.
Arctic Wolf Labs recommends robust defenses, including Secure Email Gateways, Endpoint Detection and Response (EDR) solutions, and comprehensive employee training on phishing awareness to mitigate such threats.
As GIFTEDCROOK continues to adapt, its alignment with geopolitical objectives signals an ongoing and evolving cyber risk to targeted regions.
Indicators of Compromise (IOCs)