Stratos Ally

GIFTEDCROOK Malware Evolves, Now Targeting Sensitive Files in Ukraine

StratosAlly

June 30, 2025 — A newly spotted malware strain appears to be stepping up its game in Ukraine’s digital conflict zone. What started as a basic script focused on scraping browser info has now turned into something much more intrusive. Researchers tracking this tool—named GIFTEDCROOK—say it’s no longer just lifting saved passwords. It’s now digging into private files, sensitive documents, and anything else it can quietly grab from infected machines. This new activity came to light through research shared by Arctic Wolf’s threat intelligence team.

The latest versions of the malware, detected in June, show expanded capabilities that now include searching for recent documents, extracting VPN configuration files, and quietly exfiltrating that data to attacker-controlled Telegram channels. The timing of the campaigns, researchers say, appears to align closely with major geopolitical events, including negotiations between Ukraine and Russia held in Istanbul earlier this month.

First flagged by Ukraine’s Computer Emergency Response Team (CERT-UA) back in April, GIFTEDCROOK has been tied to phishing attacks aimed at law enforcement bodies, defense agencies, and local government offices. The threat group responsible—tracked as UAC-0226—is believed to be focusing on data theft rather than financial gain.

Many targets are first approached through emails that seem to be from trusted government departments or official contacts. These messages usually carry attachments—either spreadsheets or PDFs—that claim to contain information about things like enlistment procedures or fines. The trick lies in convincing the user to open the file and enable macros—something the document typically encourages. Once activated, this quietly launches a hidden process that executes the malicious code without the user’s knowledge.

The earliest versions of GIFTEDCROOK primarily harvested browser data—like cookies and stored login credentials from Chrome, Firefox, and Edge. But newer versions (identified as v1.2 and v1.3) introduced more complex functionality. Arctic Wolf’s analysis revealed that the malware now searches for a broad list of file types—such as .docx, .pdf, .xls, .csv, .eml, and .ovpn—modified in the past 45 days and under a certain size threshold.

Once collected, the files are encrypted and bundled into ZIP archives. If the size exceeds 20 MB, the data is divided into smaller segments before being uploaded to a private Telegram channel operated by the attackers. A self-deleting script is then executed to erase evidence of the breach from the infected system.

“This campaign shows all the hallmarks of a well-coordinated intelligence operation,” Arctic Wolf stated. “It’s less about credentials and more about strategic access to internal communications and classified planning documents.”

Further investigation revealed overlaps between GIFTEDCROOK’s phishing infrastructure and other malware delivery campaigns. In some instances, victims received NetSupport RAT—a legitimate tool misused for stealthy spying—hinting at collaboration between threat groups targeting Ukraine’s government. The phishing themes mirrored ongoing political events, exploiting martial law and mobilization chaos to boost clicks. One Excel lure, titled “List of Notified Military Personnel,” used a fake corruption warning to trick users into enabling macros, silently launching GIFTEDCROOK.

Security researchers describe the malware’s transition as “tactically significant.” In its newest form, GIFTEDCROOK is no longer just a digital pickpocket stealing saved browser logins—it now acts as a covert channel for intelligence collection. Its targets appear to be individuals with access to secure reports, network credentials, or communications within Ukrainian government systems.

With phishing remaining the primary method of infection, security experts are advising organizations—particularly those in public sector roles or defense—to implement stronger email protection systems and conduct regular awareness training. Arctic Wolf also recommends network monitoring for Telegram bot traffic, encrypted ZIP files, and file access patterns matching the malware’s behavior.
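The monitoring advice above (Telegram bot traffic and large, chunked encrypted ZIP uploads) can be turned into a simple detection over web-proxy logs. This is an added example, not code from Arctic Wolf, CERT-UA or the article; the log format and field names are assumed, the sample lines and the bot tokens in them are constructed, and the 20 MB segment size is the figure reported above.

```python
import re
from collections import defaultdict

# Constructed proxy log lines in an assumed format:
#   timestamp src_ip method url bytes_out content_type
SAMPLE_LOGS = """\
2025-06-20T09:12:01Z 10.0.0.5 GET https://api.telegram.org/bot1111:CONSTRUCTED-A/getMe 120 -
2025-06-20T09:12:09Z 10.0.0.5 POST https://api.telegram.org/bot1111:CONSTRUCTED-A/sendDocument 20971520 multipart/form-data
2025-06-20T09:12:40Z 10.0.0.5 POST https://api.telegram.org/bot1111:CONSTRUCTED-A/sendDocument 20971520 multipart/form-data
2025-06-20T09:13:02Z 10.0.0.5 POST https://api.telegram.org/bot1111:CONSTRUCTED-A/sendDocument 8134211 multipart/form-data
2025-06-20T09:15:00Z 10.0.0.9 GET https://example.com/index.html 512 -
2025-06-20T09:16:00Z 10.0.0.9 POST https://api.telegram.org/bot2222:CONSTRUCTED-B/sendMessage 340 application/json
"""

# Telegram Bot API file-upload methods; the path embeds the bot token,
# which is worth recording as an indicator for blocking and correlation.
BOT_UPLOAD = re.compile(
    r"https://api\.telegram\.org/bot(?P<token>[^/]+)/(sendDocument|sendPhoto|sendVideo)"
)
CHUNK_LIMIT = 20 * 1024 * 1024  # 20 MB: reported split size for the stolen ZIP archives


def parse_line(line):
    ts, src, method, url, size, ctype = line.split(maxsplit=5)
    return {"ts": ts, "src": src, "method": method, "url": url,
            "size": int(size), "ctype": ctype}


def detect_telegram_exfil(log_text, min_uploads=2):
    """Return {src_ip: summary} for hosts that repeatedly upload files to a Telegram bot."""
    per_host = defaultdict(lambda: {"uploads": 0, "bytes": 0, "tokens": set(), "chunk_sized": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        m = BOT_UPLOAD.search(rec["url"])
        if rec["method"] != "POST" or not m:
            continue  # plain bot chatter (getMe, sendMessage) is not a file upload
        h = per_host[rec["src"]]
        h["uploads"] += 1
        h["bytes"] += rec["size"]
        h["tokens"].add(m.group("token"))
        # Uploads sitting right at the segment limit suggest a split archive
        if rec["size"] >= CHUNK_LIMIT * 0.95:
            h["chunk_sized"] += 1
    return {ip: h for ip, h in per_host.items() if h["uploads"] >= min_uploads}


if __name__ == "__main__":
    for ip, summary in detect_telegram_exfil(SAMPLE_LOGS).items():
        print(f"ALERT {ip}: {summary['uploads']} bot uploads, "
              f"{summary['bytes']} bytes, {summary['chunk_sized']} at chunk size")
```

In a real deployment the same logic would run over proxy or NetFlow exports, and any flagged host should also be checked for recent reads of .ovpn, .docx and similar files to corroborate the file-access pattern described above.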

The campaign, still active as of late June, is expected to continue adapting. “This operation is ongoing,” said Arctic Wolf. “Each new version of GIFTEDCROOK shows increased precision, and we expect further evolution as attackers refine their tools and tactics.”
