The GIFTEDCROOK malware, operated by the cyber-espionage group UAC-0226, has undergone a significant transformation from a basic browser data stealer to a sophisticated intelligence-gathering tool. This evolution occurred through rapid version updates between April and June 2025, aligning with critical geopolitical events like Ukraine’s peace negotiations in Istanbul.
Evolution of Capabilities
Initial version (v1)
Focused exclusively on stealing browser credentials (cookies, history, authentication data) from Chrome, Edge, and Firefox, exfiltrating data via Telegram bots.
Version 1.2 (early June 2025)
Introduced document harvesting, targeting files by extension (e.g., PDFs, spreadsheets, VPN configs). Key features included:
• Custom XOR encryption for strings
• Compression of stolen data into encrypted ZIP archives
• Focus on files modified within the last 15 days
Version 1.3 (mid-June 2025)
Expanded data theft scope with:
• Broader file-type targeting (including administrative and proprietary documents)
• Increased file modification window (45 days, up from 15)
• Larger file size allowance (up to 7 MB)
• Splitting of data larger than 20 MB to evade detection
Deployment and Targets
• Delivery method: Spear-phishing emails with military-themed PDF lures, often spoofing Ukrainian locations (e.g., Uzhhorod). The attachments carry malicious Excel macros that deploy the malware.
• Targets: Ukrainian governmental and military entities, with attacks timed to geopolitical events like martial law extensions and peace negotiations.
• Infrastructure: Shared email servers with other threat groups (e.g., NetSupport RAT campaigns), indicating coordinated operations.
Data Exfiltration Process
1. Harvested data (browser secrets + documents) is compressed into password-protected ZIP files.
2. Files are split if they exceed 20 MB, for stealth.
3. Exfiltration via Telegram bot channels.
4. Final batch script deletes malware traces.
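A defender-side hunting heuristic built from the v1.3 collection profile (targeted extensions, files up to 7 MB, modified within 45 days) and the harvest-then-archive sequence described above. This is an added example, not code from the report or the malware; the event record shape, the extension set, and the burst threshold (five matching reads within two minutes) are assumptions.

```python
import os
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Thresholds from the v1.3 description above; the extension set is an assumption
# standing in for "PDFs, spreadsheets, VPN configs".
DOC_EXTENSIONS = {".pdf", ".xlsx", ".docx", ".ovpn"}
MAX_FILE_BYTES = 7 * 1024 * 1024
RECENCY_DAYS = 45
@dataclass
class FileReadEvent:  # shape of a file-read record from an EDR or audit log (constructed)
    pid: int
    path: str
    size: int
    mtime: datetime  # last-modified time of the file that was read
    ts: datetime     # when the read happened

def matches_harvest_profile(ev: FileReadEvent, now: datetime) -> bool:
    """Targeted extension, at most 7 MB, modified within the last 45 days."""
    _, ext = os.path.splitext(ev.path.lower())
    return (ext in DOC_EXTENSIONS and ev.size <= MAX_FILE_BYTES
            and now - ev.mtime <= timedelta(days=RECENCY_DAYS))

def flag_harvest_bursts(events, now, min_files=5, window=timedelta(minutes=2)):
    """PIDs that read at least `min_files` profile-matching documents inside any
    `window`-long span; a single read is normal, the burst is the signal."""
    stamps_by_pid = defaultdict(list)
    for ev in events:
        if matches_harvest_profile(ev, now):
            stamps_by_pid[ev.pid].append(ev.ts)
    flagged = []
    for pid, stamps in stamps_by_pid.items():
        stamps.sort()
        for i in range(len(stamps) - min_files + 1):  # sliding window over sorted reads
            if stamps[i + min_files - 1] - stamps[i] <= window:
                flagged.append(pid)
                break
    return sorted(flagged)
# Constructed sample: PID 4242 sweeps six recent small PDFs within a minute; PID 1000
# opens one document; two further reads by 4242 fall outside the size/age filter.
NOW = datetime(2025, 6, 20, 12, 0)
SAMPLE_EVENTS = [
    FileReadEvent(4242, f"C:/Users/u/Documents/r{i}.pdf", 300_000,
                  NOW - timedelta(days=3), NOW + timedelta(seconds=10 * i))
    for i in range(6)
] + [
    FileReadEvent(1000, "C:/Users/u/Desktop/budget.xlsx", 50_000, NOW - timedelta(days=1), NOW),
    FileReadEvent(4242, "C:/Users/u/Documents/old.pdf", 100_000, NOW - timedelta(days=60), NOW),
    FileReadEvent(4242, "C:/Users/u/Documents/big.pdf", 9 * 1024 * 1024, NOW - timedelta(days=1), NOW),
]
```

Tune `min_files` and `window` against a baseline of normal document-heavy processes (backup agents, indexers) before alerting on the result.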
Strategic Shift
The pivot to document-focused theft—prioritizing administrative files, VPN configurations, and military documents—reflects a deliberate shift toward cyber-espionage. This aligns with intelligence-gathering objectives during Ukraine’s heightened geopolitical tensions.