Arctic Wolf Labs has exposed a series of escalating cyber-espionage campaigns by the threat group UAC-0226 built around GIFTEDCROOK, a stealthy and fast-evolving piece of malware. What began as a simple browser data stealer has morphed into a surveillance tool designed for broad intelligence gathering from Ukrainian government and military entities.
Arctic Wolf’s analysis reveals that the first version of GIFTEDCROOK appeared as early as February 2025, with upgrades (v1.2 and v1.3) developed rapidly through April to June 2025, strategically timed to coincide with Ukraine–Russia peace negotiations in Istanbul.
“Recent campaigns… demonstrate GIFTEDCROOK’s enhanced ability to exfiltrate a broad range of sensitive documents… suggesting a strategic focus on intelligence gathering,” the report states.
The infection chain begins with military-themed phishing emails whose senders are spoofed to appear to come from Ukrainian cities such as Uzhhorod. The messages typically carry weaponized PDFs that purport to discuss conscription updates but in fact link to malware-laced documents hosted on Mega.nz.

“The malicious PDF lure announces the implementation of new procedures for military registration… containing a weaponised link to a Mega[.]nz-hosted file.”
One document even mimics a list of conscripted individuals, with its text rendered in garbled fonts so that the victim is prompted to enable macros, ostensibly to display it correctly: a classic tactic for triggering payload execution.
Once macros are enabled, the document drops a portable executable (PE) into a directory named Infomaster, which then quietly begins locating and staging target files. The executable handles file discovery, encryption, compression and exfiltration, using unique XOR keys, and targets specific file types including .docx, .pdf, .txt, .eml and .ovpn, as well as browser secrets.
“Files are collected and exfiltrated by GIFTEDCROOK v1.3 if… under 7 MB and modified within the last 45 days.”
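During incident response, the selection criteria above are useful in reverse: walking a compromised host with the same filters tells you what a v1.3-style collector could have taken. The script below is an added illustration written for this article, not Arctic Wolf's or the implant's code. It applies only the filters the report describes (extension, size under 7 MB, modified within 45 days); the extension set is just the subset named here, not the implant's full list, and the sample files it creates in a temporary directory are constructed for the demonstration.

```python
import os
import tempfile
import time
from pathlib import Path

# Collection filters as described for GIFTEDCROOK v1.3: extension allow-list,
# size under 7 MB, modified within the last 45 days. The extension set is only
# the subset named in the article; the implant's full list is not reproduced here.
TARGET_EXTENSIONS = {".docx", ".pdf", ".txt", ".eml", ".ovpn"}
MAX_SIZE_BYTES = 7 * 1024 * 1024
MAX_AGE_DAYS = 45
SECONDS_PER_DAY = 86400


def would_be_collected(path, now, extensions=TARGET_EXTENSIONS,
                       max_size=MAX_SIZE_BYTES, max_age_days=MAX_AGE_DAYS):
    """True if `path` passes all three filters relative to the time `now`."""
    if path.suffix.lower() not in extensions:
        return False
    st = path.stat()
    if st.st_size >= max_size:          # "under 7 MB": exactly 7 MB is excluded
        return False
    age_days = (now - st.st_mtime) / SECONDS_PER_DAY
    return age_days <= max_age_days


def exposure_report(root, now=None):
    """Walk `root` and list what a v1.3-style collector would have taken."""
    now = time.time() if now is None else now
    matched, total = [], 0
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if would_be_collected(p, now):
                matched.append(p.relative_to(root).as_posix())
                total += p.stat().st_size
    return {"files": sorted(matched), "bytes": total}


def build_sample_tree(root, now):
    """Constructed sample files for a stand-alone run; not real victim data."""
    samples = [
        # (relative path, size in bytes, age in days)
        ("Documents/report.docx", 2048, 3),             # collected
        ("Documents/old.docx", 2048, 120),              # too old
        ("Documents/scan.pdf", 8 * 1024 * 1024, 1),     # too large
        ("Downloads/notes.txt", 512, 44),               # just inside the window
        ("VPN/office.ovpn", 1024, 10),                  # collected
        ("Pictures/holiday.jpg", 4096, 1),              # extension not targeted
        ("Mail/inbox.eml", 65536, 46),                  # just outside the window
    ]
    for rel, size, age in samples:
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"\0" * size)
        mtime = now - age * SECONDS_PER_DAY
        os.utime(p, (mtime, mtime))        # back-date the file to the chosen age


def demo_report():
    """Build the sample tree in a temp dir and return the exposure report."""
    with tempfile.TemporaryDirectory() as tmp:
        now = time.time()
        build_sample_tree(tmp, now)
        return exposure_report(tmp, now)


if __name__ == "__main__":
    report = demo_report()
    print(f"{len(report['files'])} file(s), {report['bytes']} bytes would have been collected:")
    for f in report["files"]:
        print("  ", f)
```

Run it against a user's profile directory instead of the sample tree to scope the likely loss on a host where the implant ran; note that the 45-day window is relative to the time of infection, not the time of your analysis, so pass that timestamp as `now`.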
The stolen data is exfiltrated via Telegram bot APIs, with Arctic Wolf identifying distinct bot tokens for each implant variant.
“Each GIFTEDCROOK implant is assigned a unique bot identifier… the archive is then uploaded to a dedicated Telegram channel.”
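Because each implant carries its own bot token and the token sits in the URL path of every Bot API call (https://api.telegram.org/bot&lt;token&gt;/&lt;method&gt;), the token itself is a pivotable indicator. The following added example, written for this article and not taken from the report, scans constructed proxy log lines for Bot API calls, extracts the token and method, and groups upload volume per token. The log format and the IP addresses are invented for the demonstration, and the token pattern (numeric bot id, colon, 30 or more characters from [A-Za-z0-9_-]) is an assumption about token shape rather than a documented specification.

```python
import re
from collections import defaultdict

# Bot API calls take the form https://api.telegram.org/bot<token>/<method>.
# Token shape assumed here: numeric bot id, a colon, then a secret of 30 or more
# characters from [A-Za-z0-9_-]; adjust if your telemetry shows otherwise.
BOT_API_RE = re.compile(
    r"https?://api\.telegram\.org/bot"
    r"(?P<token>(?P<bot_id>\d+):[A-Za-z0-9_-]{30,})/(?P<method>[A-Za-z]+)"
)
# Methods that carry a file body; sendDocument is what an archive upload uses.
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio"}

# Constructed proxy log lines (not real telemetry):
# "<timestamp> <source ip> <http method> <url> <status> <bytes sent>"
SAMPLE_LOG = """\
2025-06-10T09:12:01Z 10.20.30.41 POST https://api.telegram.org/bot7123456789:AAFx9Q2aBcDeFgHiJkLmNoPqRsTuVwXyZ01/sendDocument 200 2310492
2025-06-10T09:12:05Z 10.20.30.41 GET https://www.example.org/index.html 200 1024
2025-06-10T09:13:44Z 10.20.30.57 POST https://api.telegram.org/bot7123456789:AAFx9Q2aBcDeFgHiJkLmNoPqRsTuVwXyZ01/sendDocument 200 980112
2025-06-10T10:02:17Z 10.20.30.99 POST https://api.telegram.org/bot6987654321:AAEzZyXwVuTsRqPoNmLkJiHgFeDcBa98765/sendDocument 200 5120000
2025-06-10T10:05:00Z 10.20.30.99 GET https://api.telegram.org/bot6987654321:AAEzZyXwVuTsRqPoNmLkJiHgFeDcBa98765/getMe 200 310
"""


def parse_line(line):
    """Split one log line into its fields; returns None for malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, http_method, url, status, sent = parts
    return {"ts": ts, "src": src, "http_method": http_method,
            "url": url, "status": status, "bytes": int(sent)}


def find_bot_api_activity(lines):
    """Return every Bot API call seen, with the token and method broken out."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        m = BOT_API_RE.search(rec["url"])
        if m is None:
            continue
        hits.append({
            "ts": rec["ts"], "src": rec["src"], "bytes": rec["bytes"],
            "bot_id": m["bot_id"], "token": m["token"], "method": m["method"],
            "upload": m["method"] in UPLOAD_METHODS,
        })
    return hits


def summarize_by_token(hits):
    """Group hits per bot token: which hosts talked to it and how much they sent."""
    acc = defaultdict(lambda: {"hosts": set(), "uploads": 0, "upload_bytes": 0})
    for h in hits:
        s = acc[h["token"]]
        s["hosts"].add(h["src"])
        if h["upload"]:
            s["uploads"] += 1
            s["upload_bytes"] += h["bytes"]
    return {tok: {"bot_id": tok.split(":")[0], "hosts": sorted(s["hosts"]),
                  "uploads": s["uploads"], "upload_bytes": s["upload_bytes"]}
            for tok, s in acc.items()}


if __name__ == "__main__":
    hits = find_bot_api_activity(SAMPLE_LOG.splitlines())
    for tok, s in summarize_by_token(hits).items():
        print(f"bot {s['bot_id']}: {s['uploads']} upload(s), "
              f"{s['upload_bytes']} bytes from {', '.join(s['hosts'])}")
```

The token is only visible where the full URL is logged, that is, on a TLS-inspecting proxy or in host telemetry; on plain network flows all you see is the SNI api.telegram.org, which legitimate traffic also produces, so correlate the calling process and the outbound byte count rather than alerting on the domain alone. Two hosts sending to the same token, as in the sample, indicates the same implant build rather than two unrelated infections.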
The infostealer has undergone significant development across its versions. Version 1 focused mainly on stealing browser credentials, used unencrypted configurations and exfiltrated data as ZIP files. Version 1.2 was a notable step up: it introduced collection of files by extension, implemented custom XOR string encryption and widened the range of targeted document types. The key change from the operators' perspective was that collected files were now encrypted before upload.
Version 1.3 retained all of its predecessors' functionality and added features aimed at stealth and efficiency: a 45-day file-timestamp filter, a higher maximum file size, and sleep-based evasion intended to defeat sandbox analysis.
The phishing email infrastructure overlaps with that of other known malware campaigns, suggesting coordinated efforts by multiple threat groups against Ukrainian targets. Some emails instead led to NetSupport RAT infections, a remote-access tool that provides remote control, stealth and persistence.