
GIFTEDCROOK: New Stealer Malware Hits Government Agencies to Steal Sensitive Data


A significant cyber-espionage campaign targeting Ukrainian organizations has been attributed to the UAC-0226 hacking group, with the recent deployment of a new malware strain dubbed GIFTEDCROOK.

According to CERT-UA’s latest security alert (CERT-UA#14303), issued on April 6, 2025, UAC-0226 has been actively exploiting Ukrainian critical sectors since February 2025, focusing on military innovation hubs, armed forces units, law enforcement agencies, and regional government bodies near the conflict-prone eastern borders of Ukraine.

The malicious campaign aims to steal sensitive data through phishing attacks and advanced malware techniques, escalating the risk to national security and institutional operations.

Phishing Entry Points and GIFTEDCROOK Malware

The UAC-0226 campaign heavily relies on spear-phishing techniques, using macro-enabled Excel files (.xlsm) as attack vectors.

These malicious documents, commonly themed around topics such as landmine clearance, drone production, administrative fines, and compensation for property loss, contain base64-encoded payloads embedded in Excel cells.

When the victim enables macros, the embedded payloads are decoded into executable files, saved without extensions, and executed on the target machine, initiating the malware infection chain.

The attackers have utilized two distinct malware strains in the campaign. One is a .NET-based tool incorporating a PowerShell reverse shell script obtained from the publicly accessible GitHub repository PSSW100AVB.

The second, more sophisticated tool is the GIFTEDCROOK stealer. Written in C/C++, GIFTEDCROOK specifically targets popular web browsers such as Chrome, Edge, and Firefox, extracting sensitive data, including cookies, browsing history, and saved credentials.

The stolen data is then archived using PowerShell’s Compress-Archive cmdlet before being exfiltrated via Telegram.

UAC-0226 has further exacerbated the threat by sending phishing emails from compromised accounts, leveraging webmail platforms to increase the likelihood of successful attacks.

CERT-UA Recommendations and Defense Strategies

In light of the growing threat, CERT-UA strongly advises system administrators and security teams to enhance email and web server log monitoring to identify and mitigate malicious activity.

Ensuring comprehensive coverage of logs can aid in detecting phishing attempts originating from compromised accounts.

Moreover, organizations are encouraged to leverage proactive detection mechanisms and threat intelligence tools.

The SOC Prime Platform has curated a dedicated collection of Sigma rules to help defenders identify UAC-0226’s activities covered under CERT-UA#14303.

These rules are enriched with actionable intelligence aligned with the MITRE ATT&CK® framework, enabling security teams to deploy effective detection and mitigation strategies across various SIEM, EDR, and data lake solutions.

Additionally, SOC Prime’s Uncoder AI tool allows security engineers to automate the conversion of Indicators of Compromise (IOCs) from CERT-UA’s research into custom detection queries, helping organizations efficiently hunt for UAC-0226 attacks in their environments.

According to the CERT-UA report, UAC-0226’s attack techniques have been mapped to the MITRE ATT&CK® framework, highlighting the key tactics and techniques observed in the campaign.

These include spear-phishing attachments (T1566.001) for initial access, use of scripting interpreters like PowerShell and Visual Basic (T1059.001 and T1059.005) for execution, data compression for collection (T1560), and exfiltration over web services (T1567).
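The infection chain described earlier (Excel macro writing an extensionless executable, PowerShell Compress-Archive staging the stolen browser data, exfiltration to Telegram) maps cleanly onto the technique IDs listed above, so a detection can be written stage by stage and then correlated. The following is an added illustration, not code from CERT-UA, SOC Prime or the malware authors: it runs simple rules over a few constructed Sysmon-style process-creation and network events (the field names `parent_image`, `image`, `command_line` and `dest_host` are assumed; the Telegram Bot API host `api.telegram.org` is an assumption, since the report excerpt above names only "Telegram") and reports whether the whole chain was seen on one host.

```python
"""Stage-by-stage detection of the GIFTEDCROOK chain described in CERT-UA#14303.

Added example, not CERT-UA's, SOC Prime's or the campaign's own code. Event
schema (kind, image, parent_image, command_line, dest_host) is an assumed
Sysmon-like layout; the sample events below are constructed, not captured.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str                 # "process" (process creation) or "network" (outbound connection)
    image: str = ""           # full path of the process
    parent_image: str = ""    # full path of the parent process (process events)
    command_line: str = ""    # command line of the created process (process events)
    dest_host: str = ""       # destination hostname (network events)


@dataclass
class Finding:
    technique: str            # MITRE ATT&CK technique ID from the report's mapping
    reason: str


OFFICE_APPS = {"excel.exe"}                       # article names macro-enabled Excel files only
SHELLS = {"powershell.exe", "pwsh.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
COMPRESS_RE = re.compile(r"compress-archive", re.IGNORECASE)
TELEGRAM_HOST = "api.telegram.org"               # assumption: Telegram Bot API endpoint
CHAIN = {"T1059.005", "T1560", "T1567"}          # macro execution, archive, web-service exfil


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_event(ev: Event) -> list[Finding]:
    """Apply the three per-stage rules to one event."""
    findings: list[Finding] = []
    child = _basename(ev.image)
    if ev.kind == "process":
        parent = _basename(ev.parent_image)
        # Stage 1: Excel (macro, T1059.005) spawning a file that has no extension,
        # matching "decoded into executable files, saved without extensions, and executed".
        if parent in OFFICE_APPS and child and "." not in child:
            findings.append(Finding("T1059.005", f"{parent} spawned extensionless file {ev.image}"))
        # Stage 2: PowerShell (T1059.001) archiving collected data with Compress-Archive (T1560).
        if child in SHELLS and COMPRESS_RE.search(ev.command_line):
            findings.append(Finding("T1560", "Compress-Archive invoked from PowerShell"))
    elif ev.kind == "network":
        # Stage 3: a non-browser process talking to the Telegram API (T1567).
        if ev.dest_host.lower() == TELEGRAM_HOST and child not in BROWSERS:
            findings.append(Finding("T1567", f"{ev.image} connected to {ev.dest_host}"))
    return findings


def scan(events: list[Event]) -> dict:
    """Run all events through the rules and correlate them into a chain verdict."""
    findings = [f for ev in events for f in check_event(ev)]
    techniques = {f.technique for f in findings}
    return {
        "findings": findings,
        "techniques": techniques,
        "chain_complete": CHAIN <= techniques,   # all three stages observed
    }


# Constructed sample telemetry for one host (not real indicators from the report).
SAMPLE_EVENTS = [
    Event("process",
          image=r"C:\Users\victim\AppData\Local\Temp\update",
          parent_image=r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
          command_line=r"C:\Users\victim\AppData\Local\Temp\update"),
    Event("process",
          image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent_image=r"C:\Users\victim\AppData\Local\Temp\update",
          command_line=r"powershell.exe -NoProfile -Command Compress-Archive -Path "
                       r"C:\Users\victim\AppData\Local\Temp\out -DestinationPath "
                       r"C:\Users\victim\AppData\Local\Temp\out.zip"),
    Event("network",
          image=r"C:\Users\victim\AppData\Local\Temp\update",
          dest_host="api.telegram.org"),
    # Benign noise: Excel spawning a normal helper, and a browser visiting a site.
    Event("process",
          image=r"C:\Windows\splwow64.exe",
          parent_image=r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"),
    Event("network",
          image=r"C:\Program Files\Google\Chrome\Application\chrome.exe",
          dest_host="www.example.com"),
]


if __name__ == "__main__":
    result = scan(SAMPLE_EVENTS)
    for f in result["findings"]:
        print(f"[{f.technique}] {f.reason}")
    print("chain complete:", result["chain_complete"])
```

Each stage on its own is noisy (a legitimate Telegram desktop client also talks to Telegram, and administrators do run Compress-Archive), which is why the verdict is only raised when all three stages appear together; in a SIEM the same idea becomes a correlation rule keyed on hostname and a short time window, with the per-stage rules kept as lower-severity hunting queries.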

GIFTEDCROOK’s use of Telegram for exfiltration exemplifies abuse of web-based communication channels as an emerging adversary tactic.

With cyber-espionage activity accounting for 44% of reported incidents in 2024, as per CERT-EU’s Threat Landscape Report, the current UAC-0226 campaign underscores the persistent threats posed by state-sponsored actors in compromising critical sectors.

Ukrainian organizations, particularly those involved in defense and government operations, remain at the forefront of these targeted campaigns.

Security teams are urged to adopt advanced threat detection and response measures while maintaining robust cybersecurity hygiene to mitigate the impact of increasingly stealthy and persistent attacks like GIFTEDCROOK.
