The cyber-espionage landscape in Eastern Europe has witnessed a significant escalation with the rapid evolution of the GIFTEDCROOK infostealer, attributed to the threat group UAC-0226.
Originally identified as a rudimentary browser credential stealer, GIFTEDCROOK has undergone a series of technical upgrades since its inception in early 2025, transforming into a sophisticated intelligence-gathering tool.
This development coincides with heightened geopolitical events, notably the Ukraine-Russia negotiations in Istanbul, suggesting a deliberate alignment of cyber operations with strategic diplomatic milestones.
Technical Evolution
Initial samples of GIFTEDCROOK, detected in February 2025, functioned primarily as proof-of-concept malware, exfiltrating browser data to attacker-controlled Telegram channels.
By March, the malware entered active deployment, with subsequent versions (v1.2 and v1.3) introducing advanced features such as encrypted document theft, selective file targeting based on extension and modification date, and enhanced anti-analysis techniques.
The latest variant, v1.3, is capable of harvesting a broad array of sensitive files including proprietary documents and OpenVPN configurations while maintaining persistent access to compromised systems.
The primary infection vector remains spear-phishing, leveraging highly credible military-themed PDF lures.
According to the Arctic Wolf Labs report, these phishing emails, often spoofed to appear to originate from Ukrainian-controlled cities such as Uzhhorod, are crafted to exploit the urgency of administrative fines or military mobilization.
Upon opening the malicious attachment, victims are redirected to weaponized cloud-hosted files (typically on Mega.nz), which subsequently deploy OLE-laden Excel documents.
These documents employ social engineering tactics, such as instructing users to enable macros under the guise of correcting font errors, thereby triggering the execution of the GIFTEDCROOK payload.
Data Exfiltration
Once executed, GIFTEDCROOK systematically searches for files matching specific extensions (.doc, .pdf, .ovpn, among others) and browser secrets across Chrome, Edge, and Firefox.
The malware compresses and encrypts the collected data, exfiltrating it via Telegram bot APIs to attacker-controlled channels.
Notably, the malware’s infrastructure overlaps with other campaigns utilizing commercial Remote Access Trojans (RATs) such as NetSupport, indicating a coordinated, multi-pronged approach to intelligence collection against Ukrainian governmental and military targets.
Technical analysis reveals weak Sender Policy Framework (SPF) configuration for the spoofed sender domains, which allows the phishing emails to pass as legitimate, facilitates spoofing and complicates attribution.
The malware also employs batch scripts for self-deletion, minimizing forensic footprints post-exfiltration.
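Because the report singles out weak SPF configuration as what made the spoofing practical, a defender's first check is the qualifier on the terminal `all` mechanism of their own domains' SPF records. The following checker is an added example and is not code from the article or from Arctic Wolf; the domain names and TXT records are constructed for illustration, and a real deployment would fetch the record over DNS instead of reading it from a dictionary.

```python
import re

# Constructed sample SPF TXT records (illustrative only, not from the report).
SAMPLE_RECORDS = {
    "strict.example":  "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all",
    "soft.example":    "v=spf1 include:_spf.example.net ~all",
    "neutral.example": "v=spf1 ?all",
    "open.example":    "v=spf1 +all",
    "none.example":    None,   # no TXT record published at all
}

# Meaning of the qualifier on the terminal 'all' mechanism (RFC 7208).
ALL_QUALIFIER = {
    "-": ("fail",     "strong: unlisted senders are rejected"),
    "~": ("softfail", "weak: unlisted senders are accepted and merely flagged"),
    "?": ("neutral",  "weak: no assertion, effectively no protection"),
    "+": ("pass",     "broken: every sender on the internet passes"),
}


def assess_spf(record):
    """Classify an SPF record by the qualifier on its terminal 'all'.

    Returns (verdict, reason). Only '-all' gives receivers grounds to reject
    a spoofed sender; everything else leaves the domain open to the kind of
    spoofing the report describes.
    """
    if record is None:
        return ("missing", "no SPF record: receivers cannot reject spoofed mail")
    if not record.lower().startswith("v=spf1"):
        return ("invalid", "record does not start with v=spf1")
    for term in record.split()[1:]:
        m = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if m:
            qualifier = m.group(1) or "+"   # an unqualified mechanism means '+'
            return ALL_QUALIFIER[qualifier]
    # A record with no 'all' (and no redirect= handled here) defaults to neutral.
    return ("no-all", "no terminal 'all': evaluation defaults to neutral, weak")


def weak_domains(records):
    """Return the domains whose SPF would not let a receiver reject spoofed mail."""
    return sorted(d for d, r in records.items() if assess_spf(r)[0] != "fail")


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        verdict, reason = assess_spf(record)
        print(f"{domain:18} {verdict:9} {reason}")
    print("needs attention:", weak_domains(SAMPLE_RECORDS))
```

The checker deliberately ignores `redirect=` and `include:` expansion; a domain that ends in `include:` with no `all` of its own still evaluates to neutral for senders not covered by the included record, so the "no-all" verdict is conservative rather than a false alarm.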
The evolution of GIFTEDCROOK underscores a shift from opportunistic credential theft to targeted intelligence operations supporting broader geopolitical objectives.
The campaign’s timing, coinciding with Ukraine’s martial law extensions and critical negotiation periods, highlights the threat actor’s intent to inform military and diplomatic decision-making processes.
Defensive recommendations include the deployment of Secure Email Gateways, Endpoint Detection and Response (EDR) solutions, and comprehensive security awareness training to counter social engineering.
Organizations are urged to monitor for anomalous Telegram API communications, suspicious file paths, and the distinctive file search patterns characteristic of GIFTEDCROOK.
Indicators of Compromise (IOC)
| Type | Indicator / Value | Description / Version |
|---|---|---|
| SHA-256 | a6dd44c4b7a9785525e7f487c064995dc5f33522dad8252d8637f6a6deef3013 | GIFTEDCROOK v1.2 PE implant |
| SHA-256 | b9d508d12d2b758091fb596fa8b8b4a1c638b7b8c11e08a1058d49673f93147d | GIFTEDCROOK v1.3 PE implant |
| SHA-256 | 1974709f9af31380f055f86040ef90c71c68ceb2e14825509babf902b50a1a4b | Malicious PDF lure |
| SHA-256 | f6b03fa3ea7fd2c4490af19b3331f7ad384640083757a3cede320ca54c7b0999 | Malicious .xlsm OLE document |
| Telegram API URL | hxxps://api[.]telegram[.]org/bot7806388607:AAFb6nCE21n6YmK6-bJA6IrcLTLfhlwQ254/sendDocument | Exfiltration channel v1.2 |
| Telegram API URL | hxxps://api[.]telegram[.]org/bot7726014631:AAFe9jhCMsSZ2bL7ck35PP30TwN6Gc3nzG8/sendDocument | Exfiltration channel v1.3 |
| File Path | %ProgramData%\Infomaster\Infomaster | GIFTEDCROOK v1.2 implant path |
| File Path | %ProgramData%\PhoneInfo\PhoneInfo | GIFTEDCROOK v1.3 implant path |
| Temp Directory | C:\Users\%Username%\AppData\Local\Temp\[a-zA-Z0-9]{13}\[a-zA-Z0-9]{13} | Temporary storage for exfiltrated data (path pattern: two nested 13-character alphanumeric directory names) |
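The recommendations above (watch for Telegram bot API traffic, the implant paths, the staging directory and the distinctive document enumeration) can be turned into a small triage rule set. The script below is an added example written for this article, not tooling from Arctic Wolf or from the report; the telemetry lines, the process IDs, the bot token in the sample URL and the `ENUM_THRESHOLD` value are all constructed and would need tuning against a real EDR export. It generalizes the two listed exfiltration URLs to any Telegram `sendDocument` bot call, since bot tokens rotate while the API shape does not.

```python
import re
from collections import defaultdict


def refang(s):
    """Turn the table's defanged hxxps://api[.]telegram[.]org form into a matchable URL."""
    return s.replace("hxxp", "http").replace("[.]", ".")


# Any Telegram bot sendDocument call, not only the two tokens in the IOC table.
TELEGRAM_EXFIL = re.compile(
    r"https?://api\.telegram\.org/bot\d+:[A-Za-z0-9_-]+/sendDocument", re.I)

# Implant paths from the IOC table, lowercased for comparison.
IMPLANT_PATHS = {
    r"%programdata%\infomaster\infomaster": "GIFTEDCROOK v1.2 implant path",
    r"%programdata%\phoneinfo\phoneinfo":   "GIFTEDCROOK v1.3 implant path",
}

# Staging directory pattern from the IOC table: two 13-char alphanumeric dirs under Temp.
TEMP_STAGING = re.compile(
    r"\\AppData\\Local\\Temp\\[a-zA-Z0-9]{13}\\[a-zA-Z0-9]{13}(\\|$)", re.I)

# Extensions the article names as targeted; the malware also takes others.
TARGET_EXT = (".doc", ".pdf", ".ovpn")
ENUM_THRESHOLD = 5   # distinct target files read by one process (assumed value, tune per fleet)


def normalize_path(p):
    """Lowercase and map a literal C:\\ProgramData prefix onto the %ProgramData% form."""
    p = p.strip().lower()
    return re.sub(r"^c:\\programdata", "%programdata%", p)


# Constructed sample telemetry (not from the report). Format: ts|host|event|pid|detail
SAMPLE_EVENTS = [
    r"10:01:02|ws01|file_create|4120|C:\ProgramData\PhoneInfo\PhoneInfo",
    r"10:01:05|ws01|file_read|4120|C:\Users\olena\Documents\order-117.doc",
    r"10:01:05|ws01|file_read|4120|C:\Users\olena\Documents\budget.pdf",
    r"10:01:06|ws01|file_read|4120|C:\Users\olena\Desktop\hq.ovpn",
    r"10:01:06|ws01|file_read|4120|C:\Users\olena\Documents\plan.pdf",
    r"10:01:07|ws01|file_read|4120|C:\Users\olena\Documents\roster.doc",
    r"10:01:09|ws01|file_create|4120|C:\Users\olena\AppData\Local\Temp\Qx7bN2pLm9RtK\Zs4wVy1hGj8eD\archive.bin",
    r"10:01:11|ws01|net|4120|https://api.telegram.org/bot1234567890:AAExampleTokenPlaceholder/sendDocument",
    r"10:02:00|ws02|file_read|880|C:\Users\ivan\Documents\notes.pdf",
    r"10:02:01|ws02|net|880|https://www.example.com/index.html",
]


def detect(lines):
    """Run the four rules over telemetry lines; return (host, pid, rule, detail) tuples."""
    alerts = []
    reads = defaultdict(set)   # (host, pid) -> distinct target files read so far
    for line in lines:
        ts, host, event, pid, detail = line.split("|", 4)
        key = (host, pid)
        if event == "net" and TELEGRAM_EXFIL.search(refang(detail)):
            alerts.append((host, pid, "telegram-bot-exfil", detail))
        elif event == "file_create":
            npath = normalize_path(detail)
            for ioc, desc in IMPLANT_PATHS.items():
                if npath.startswith(ioc):
                    alerts.append((host, pid, "known-implant-path", desc))
            if TEMP_STAGING.search(detail):
                alerts.append((host, pid, "temp-staging-dir", detail))
        elif event == "file_read" and detail.lower().endswith(TARGET_EXT):
            reads[key].add(detail.lower())
            if len(reads[key]) == ENUM_THRESHOLD:   # fire once, when the threshold is crossed
                alerts.append((host, pid, "document-enumeration",
                               f"{ENUM_THRESHOLD} distinct target files read"))
    return alerts


def alert_kinds(lines):
    """Distinct rule names that fired, for a quick summary."""
    return sorted({a[2] for a in detect(lines)})


if __name__ == "__main__":
    for host, pid, rule, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {host} pid={pid}: {detail}")
```

The document-enumeration rule is the one most likely to need tuning: a document indexer or backup agent reads far more than five documents, so in practice it is scoped by process image name or paired with one of the other three rules rather than run alone. The staging-directory regex keys on the two nested 13-character names from the IOC table and will not match an ordinary single-level Temp subfolder.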