GIFTEDCROOK's Strategic Pivot: From Browser Stealer to Data Exfiltration Platform During Critical Ukraine Negotiations
Summary:
Arctic Wolf Labs has unveiled a sophisticated and rapidly escalating cyber-espionage campaign attributed to UAC-0226, centered on the potent and stealthy GIFTEDCROOK malware. What began as a rudimentary browser data stealer in February 2025 was developed quickly into subsequent versions (v1.2 and v1.3) by June 2025, becoming a comprehensive surveillance tool. This evolution, timed to coincide with the Ukraine-Russia peace negotiations, marks a shift towards broad intelligence gathering from Ukrainian governmental and military entities. The initial access vector is meticulously crafted, military-themed phishing emails that spoof senders from Ukrainian cities and often carry weaponized PDFs; these trick victims into enabling macros, which then deploy the GIFTEDCROOK portable executable disguised under a directory named Infomaster. The malware then systematically identifies, organizes, encrypts, compresses, and exfiltrates a wide array of sensitive documents and browser secrets via Telegram bot APIs, using unique XOR keys and targeting specific file types.
While version 1 primarily focused on stealing browser credentials, using unencrypted configurations, and exfiltrating data via ZIP files, version 1.2 marked a notable advancement, introducing the ability to collect files based on their extensions, implementing custom XOR string encryption, and expanding the range of targeted document types. Finally, version 1.3 integrated all the functionalities of its predecessors while adding new features designed to enhance stealth and efficiency. These features include a 45-day file timestamp filter, increased maximum file size limits, and sleep evasion techniques to bypass sandbox detection.
Security Officer Comments:
The findings regarding UAC-0226's GIFTEDCROOK campaign highlight several critical aspects for cybersecurity professionals. Firstly, the accelerated development cycle from a basic infostealer to a full-fledged surveillance tool within a mere five months is interesting, indicating significant resources and strategic development intent from the threat actor. The deliberate timing of malware upgrades to coincide with sensitive geopolitical events, specifically the Ukraine-Russia peace negotiations, strongly suggests a direct nexus between these cyber operations and non-cyber intelligence objectives. The malware's capabilities showcase a mature operation designed for stealth and efficient data theft. According to Arctic Wolf, the overlap in phishing infrastructure with other known campaigns, including NetSupport RAT infections, points to potential collaborative efforts among multiple threat groups or subgroups, or a shared infrastructure provider, underscoring the interconnectedness of the cyber threat landscape.
Suggested Corrections:
IOCs are available in the Arctic Wolf report linked below.
Arctic Wolf recommendations:
Detection opportunities exist through monitoring for the specific file paths mentioned in this report, Telegram API communications, and the distinctive file search patterns employed by the malware.
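The detection opportunities above, worked into an added example that is not Arctic Wolf's code: a small Python hunt over constructed, Sysmon-like JSON events that flags a process launched from a directory named Infomaster and non-allowlisted egress to the Telegram bot API host, escalating when both indicators hit the same process. The event schema, the sample events and the allowlist are assumptions made for the example.

```python
"""Hunt for GIFTEDCROOK-style activity in endpoint telemetry.

Added example, not Arctic Wolf's code. The event shape below is an
assumed, Sysmon-like JSON layout and the sample events are constructed.
Only indicators named in the report are used: a payload staged under a
directory called "Infomaster" and exfiltration via the Telegram bot API.
"""
import json
import re
from collections import defaultdict

# Directory component "Infomaster" anywhere in the image path (either slash style).
INFOMASTER_DIR = re.compile(r"[\\/]infomaster[\\/]", re.IGNORECASE)
# Telegram bot API host; matches the bare host or any subdomain of it.
TELEGRAM_HOST = re.compile(r"(^|\.)api\.telegram\.org$", re.IGNORECASE)
# Assumed: process names for which Telegram traffic is expected in this org.
ALLOWED_TELEGRAM_PROCS = {"telegram.exe"}


def hunt(lines):
    """Return {pid: [(rule, detail), ...]} for every event line that matches."""
    findings = defaultdict(list)
    for line in lines:
        ev = json.loads(line)
        pid, image = ev["pid"], ev.get("image", "")
        if ev["type"] == "process_create" and INFOMASTER_DIR.search(image):
            findings[pid].append(("infomaster_path", image))
        if ev["type"] == "network_connect" and TELEGRAM_HOST.search(ev.get("dest", "")):
            proc = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
            if proc not in ALLOWED_TELEGRAM_PROCS:
                findings[pid].append(("telegram_api_egress", ev["dest"]))
    return dict(findings)


def severity(findings):
    """'high' when two distinct rules hit the same process, else 'medium'."""
    return {pid: "high" if len({r for r, _ in hits}) >= 2 else "medium"
            for pid, hits in findings.items()}


# Constructed sample telemetry: one suspicious process, one legitimate Telegram client.
SAMPLE_LINES = [json.dumps(e) for e in [
    {"type": "process_create", "pid": 4120,
     "image": "C:\\Users\\bob\\AppData\\Roaming\\Infomaster\\update.exe"},
    {"type": "network_connect", "pid": 4120, "dest": "api.telegram.org",
     "image": "C:\\Users\\bob\\AppData\\Roaming\\Infomaster\\update.exe"},
    {"type": "process_create", "pid": 5001,
     "image": "C:\\Program Files\\Telegram Desktop\\Telegram.exe"},
    {"type": "network_connect", "pid": 5001, "dest": "api.telegram.org",
     "image": "C:\\Program Files\\Telegram Desktop\\Telegram.exe"},
    {"type": "process_create", "pid": 6100, "image": "C:\\Windows\\System32\\notepad.exe"},
]]


def run_sample():
    """Run the hunt over the constructed sample and return (findings, severities)."""
    found = hunt(SAMPLE_LINES)
    return found, severity(found)
```

Only the process under the Infomaster directory is reported, and it is rated high because it also reached the Telegram API; the real Telegram client is suppressed by the allowlist.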
Since the threat group uses spear-phishing as an initial attack vector, there are many common-sense protections organisations and individuals can use to protect themselves against this type of attack. Organisations should train employees to identify and counter phishing attacks, and consider conducting regular internal phishing tests to reinforce security training.
In addition, organizations can protect themselves by exercising the following measures:
- Consider the use of Secure Email Gateway solutions, to help proactively filter out malicious emails.
- Implement an Endpoint Detection and Response (EDR) solution.
- Ensure all employees throughout the company are aware of good security hygiene practices, including awareness of social engineering.
- Add or enable a phishing report button to your organisation’s email solution to empower employees to immediately report suspected phishing emails to your security team.
- Foster a culture where employees feel safe reporting suspected phishing attempts, even those they may have inadvertently fallen for.
https://arcticwolf.com/resources/blog-uk/giftedcrooks-strategic-pivot-from-browser-stealer-to-data-exfiltration-platform-during-critical-ukraine-negotiations/