
UAC-0226 Unleashes a Stealthier GIFTEDCROOK Malware Campaign Using WinRAR Zero-Day Exploits to Target Military Intelligence
Introduction: A New Generation of Silent Cyber Espionage
Cyber espionage continues to evolve at an alarming pace, and threat actors are no longer relying on simple phishing emails or obvious malware attachments. Modern attacks are carefully engineered to remain invisible while exploiting trusted software and user habits. A newly observed campaign linked to the UAC-0226 threat group demonstrates exactly how sophisticated these operations have become. By weaponizing WinRAR archives and abusing recently disclosed vulnerabilities, the attackers have significantly enhanced the capabilities of the infamous GIFTEDCROOK information stealer.
The latest campaign specifically targets Ukrainian military personnel involved in reconnaissance operations and unmanned aerial vehicle (UAV) missions. Instead of demanding ransomware payments or immediately revealing malicious activity, the attackers quietly infiltrate victim systems, establish persistence, and harvest highly sensitive credentials, browser data, military documents, and proprietary information without triggering traditional security alerts.
Campaign Overview: Military-Themed Lures Designed for Maximum Credibility
The attack begins with a carefully crafted WinRAR archive containing what appears to be a legitimate military document. Victims are presented with a realistic PDF discussing fiber-optic drones, military operations, and personnel ranks, making the decoy particularly convincing for individuals working within defense environments.
Unlike previous GIFTEDCROOK campaigns that depended on users manually opening extracted files, this version dramatically improves operational stealth. Simply extracting the malicious archive is enough to initiate the compromise chain thanks to recently discovered WinRAR path traversal vulnerabilities.
This subtle change greatly increases the
Exploiting WinRAR Vulnerabilities for Silent Persistence
The malware abuses two recently disclosed vulnerabilities:
CVE-2025-8088
CVE-2025-6218
These flaws allow specially crafted archives to perform path traversal operations during extraction.
Rather than dropping files into the visible extraction folder, the archive silently places a malicious shortcut inside the Windows Startup directory. The shortcut remains unnoticed while ensuring that malware executes automatically after the next user login.
Additional hidden payload components are stored within the Local Application Data directory, where they remain concealed until activated.
The campaign also leverages NTFS Alternate Data Streams (ADS), a Windows filesystem feature commonly abused by advanced threat actors to hide malicious content from users and many security products.
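Because the compromise here begins at extraction time, a defender's first check is the archive's entry names rather than its contents. The following is an added example (not code from the article or the researchers) that flags the patterns described above before anything is written to disk: traversal components, absolute paths, NTFS ADS names, Startup-folder targets and shortcut files. The entry names are constructed for illustration, and `audit_zip` uses the standard ZIP reader since RAR needs a third-party module.

```python
import re
import zipfile

# Constructed archive entry names that mimic the traversal, Startup-folder and
# ADS patterns described in the article. They are illustrative, not from the sample.
SAMPLE_ENTRIES = [
    "fiber_optic_drones_report.pdf",
    "..\\..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk",
    "..\\AppData\\Local\\svc\\stage.bin",
    "notes.txt:hidden.ps1",
    "C:\\Users\\Public\\run.lnk",
]

STARTUP_DIR = re.compile(r"start menu[\\/]+programs[\\/]+startup", re.IGNORECASE)
DRIVE_ROOT = re.compile(r"^[A-Za-z]:[\\/]")


def audit_entry(name: str) -> list[str]:
    """Return the reasons an entry name is unsafe to extract unchanged (empty if clean)."""
    findings = []
    parts = re.split(r"[\\/]+", name)
    if ".." in parts:
        findings.append("path traversal")
    if DRIVE_ROOT.match(name) or name.startswith(("\\", "/")):
        findings.append("absolute path")
    # A colon in the final component (other than a bare drive letter) names an NTFS ADS.
    last = parts[-1]
    if ":" in last and not re.fullmatch(r"[A-Za-z]:", last):
        findings.append("alternate data stream")
    if STARTUP_DIR.search(name):
        findings.append("targets Startup folder")
    if name.lower().endswith(".lnk"):
        findings.append("shortcut file")
    return findings


def audit_names(names) -> dict[str, list[str]]:
    """Map each flagged entry name to its findings; clean names are omitted."""
    return {n: f for n in names if (f := audit_entry(n))}


def audit_zip(path: str) -> dict[str, list[str]]:
    """Same check over a ZIP on disk (RAR needs a third-party reader such as rarfile)."""
    with zipfile.ZipFile(path) as zf:
        return audit_names(zf.namelist())


if __name__ == "__main__":
    for name, reasons in audit_names(SAMPLE_ENTRIES).items():
        print(f"{name!r}: {', '.join(reasons)}")
```

Any entry with a non-empty finding list should be quarantined for analysis rather than extracted with the archive tool.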
Multi-Stage Infection Chain Evades Traditional Detection
After reboot or user login, the malicious Startup shortcut launches a minimized Command Prompt session.
This process immediately executes an invisible PowerShell instance, which begins reconstructing the malware entirely in memory.
Instead of executing an obvious executable file, the PowerShell loader performs multiple decoding operations before rebuilding a headerless Portable Executable (PE) image directly inside memory.
By avoiding conventional executable files on disk, the attackers significantly reduce opportunities for antivirus software to detect malicious behavior.
The reflective loader exported through Main.dll!A manually maps the malware into memory without relying on standard Windows loader mechanisms.
Massive PowerShell Obfuscation Complicates Analysis
One of the
Researchers discovered thousands of lines of meaningless generated code inserted solely to overwhelm analysts and automated detection engines.
The script includes:
Random variable names
Unused helper functions
Artificial code blocks
Excessive junk instructions
These techniques dramatically increase reverse engineering complexity while hiding the true execution flow.
Security researchers performing static analysis must first remove large amounts of intentionally misleading code before understanding the malware’s actual behavior.
Native Windows APIs Are Dynamically Resolved
Rather than calling suspicious Windows APIs directly, the malware dynamically discovers important native functions through .NET Reflection.
Among the recovered APIs are:
NtAllocateVirtualMemory
NtCreateThreadEx
These APIs are commonly used during advanced process injection.
Because the function names never appear directly inside the script, many endpoint detection products fail to identify typical injection signatures.
This represents another layer of stealth specifically designed to bypass behavioral security solutions.
Memory-Only Execution Reduces Digital Footprints
Instead of writing a traditional executable to disk, GIFTEDCROOK reconstructs itself entirely inside memory.
This fileless approach offers several advantages:
Minimal forensic artifacts
Reduced antivirus detection
Faster execution
Greater resistance against incident response investigations
Memory-only malware has become increasingly popular among advanced persistent threat (APT) groups because it leaves significantly fewer traces after execution.
Credential Theft Targets Multiple Browsers
Once fully deployed, GIFTEDCROOK aggressively begins collecting sensitive information from infected systems.
Dedicated modules focus on extracting credentials from several popular browsers including:
Google Chrome
Microsoft Edge
Opera
Mozilla Firefox
For Chromium-based browsers, the malware targets Windows Data Protection API (DPAPI) encrypted secrets to recover saved passwords, authentication tokens, and stored credentials.
Firefox users are also heavily targeted, with malware extracting:
Login databases
Key storage
Session cookies
Browser profiles
These stolen credentials can later be abused for lateral movement, espionage, or access to classified systems.
Internal Encryption Protects the Malware Itself
The attackers did not simply encrypt their payload using conventional techniques.
Instead, internal strings are protected using an RC4-like stream cipher specifically adapted for UTF-16 encoded data.
This unusual implementation complicates automated malware analysis since many standard decryption tools expect traditional 8-bit encryption methods.
Combined with reflective loading and memory-only execution, the encryption significantly slows reverse engineering efforts.
Indicators of Compromise (IoCs)
Researchers identified the following malicious file hashes associated with the campaign:
Type    | Value                                                            | Description
SHA-256 | 420f1931af9b3f7d02c5edfc78eb69abdad6e71d2c3e9b81f9cbc3823a503654 | Weaponized WinRAR archive
SHA-256 | dc4c906e56ecb446cbb10b227e1fb470e428108584678314533d80e52a2b9b30 | Military-themed decoy PDF
Researchers intentionally defanged network indicators, replacing “.” with “[.]” to prevent accidental communication with attacker infrastructure. These indicators should only be restored within controlled threat intelligence environments such as MISP, VirusTotal, or enterprise SIEM platforms.
Deep Analysis: Defensive Investigation and Threat Hunting Commands
Modern campaigns like GIFTEDCROOK require defenders to go beyond traditional antivirus scans. Linux remains an excellent platform for malware investigation, forensic analysis, and indicator hunting.
Linux Threat Hunting
sha256sum suspicious_file.zip        # hash the sample and compare with the published IoCs
file suspicious_file.zip             # identify the real file type regardless of extension
strings suspicious_file.zip | less   # look for embedded paths, URLs or script fragments
binwalk suspicious_file.zip          # locate files embedded inside the archive
exiftool suspicious.pdf              # inspect metadata of the decoy document
yara malware_rules.yar suspicious_file
clamscan -r .
find / -name "*.lnk"                 # shortcut files; the wildcard is required, a bare ".lnk" matches nothing useful
grep -Ri powershell .
hexdump -C suspicious.bin | less
objdump -x payload.dll
readelf -a sample
xxd payload.bin
volatility -f memory.raw windows.pslist    # process list from the memory image
volatility -f memory.raw windows.malfind   # injected or unbacked executable memory regions
volatility -f memory.raw windows.netscan
volatility -f memory.raw windows.cmdline
tcpdump -i any
wireshark
suricata -r capture.pcap
Windows defenders should additionally inspect Startup folders, PowerShell logs, Event Viewer entries, Scheduled Tasks, registry Run keys, NTFS Alternate Data Streams, and memory artifacts while monitoring suspicious child processes spawned by explorer.exe or cmd.exe.
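As an added example (not code from the article or the researchers), the following scores process-creation events for the infection chain described earlier (Startup shortcut, minimized cmd.exe, hidden in-memory PowerShell) and for the explorer.exe/cmd.exe child-process monitoring recommended here. The events are constructed Sysmon-style records, and the code assumes they have already been normalized to pid, ppid, image basename and command line.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str   # lowercase image basename
    cmdline: str

# Constructed Sysmon-style process creation events, not a real capture. PIDs 1000-1200
# mirror the article's chain: explorer.exe -> minimized cmd.exe -> hidden PowerShell.
EVENTS = [
    ProcEvent(1000, 800, "explorer.exe", "explorer.exe"),
    ProcEvent(1100, 1000, "cmd.exe", r'cmd.exe /c "%LOCALAPPDATA%\svc\run.cmd"'),
    ProcEvent(1200, 1100, "powershell.exe",
              "powershell.exe -nop -w hidden -ep bypass -enc SQBFAFgAIAAo"),
    # Benign analyst session with the same parentage but ordinary arguments.
    ProcEvent(1300, 1000, "cmd.exe", "cmd.exe"),
    ProcEvent(1400, 1300, "powershell.exe", r"powershell.exe -File C:\scripts\backup.ps1"),
]

HIDDEN_PS_FLAGS = re.compile(r"-(w(indowstyle)?\s+hidden|enc(odedcommand)?\s|nop(rofile)?\b|ep\s+bypass)", re.I)
STAGING_PATHS = re.compile(r"%LOCALAPPDATA%|AppData\\Local|Start Menu\\Programs\\Startup", re.I)

def ancestry(index: dict[int, ProcEvent], pid: int, depth: int = 3) -> list[str]:
    # Walk ppid links upward and return image names, nearest first.
    chain, e = [], index.get(pid)
    while e is not None and len(chain) < depth:
        chain.append(e.image)
        e = index.get(e.ppid)
    return chain

def score_event(index: dict[int, ProcEvent], e: ProcEvent) -> list[str]:
    """Independent signals for one PowerShell launch; they are stacked before alerting."""
    if e.image != "powershell.exe":
        return []
    reasons = []
    if ancestry(index, e.pid) == ["powershell.exe", "cmd.exe", "explorer.exe"]:
        reasons.append("explorer->cmd->powershell chain")
    if HIDDEN_PS_FLAGS.search(e.cmdline):
        reasons.append("hidden/encoded PowerShell flags")
    parent = index.get(e.ppid)
    if parent and STAGING_PATHS.search(parent.cmdline):
        reasons.append("parent launched from AppData/Startup path")
    return reasons

def hunt(events: list[ProcEvent], min_reasons: int = 2) -> dict[int, list[str]]:
    """PIDs whose stacked signals reach the threshold, mapped to their reasons."""
    index = {e.pid: e for e in events}
    return {e.pid: r for e in events if len(r := score_event(index, e)) >= min_reasons}
```

The benign session shares the explorer/cmd parentage, which is why a single signal is not enough; the threshold keeps the alert on the launch that also carries hidden-window flags and an AppData staging path.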
What Undercode Say:
The latest GIFTEDCROOK campaign illustrates how modern cyber espionage is steadily shifting away from noisy malware toward highly covert, memory-resident operations.
Rather than inventing entirely new malware, attackers continue refining existing families with improved stealth techniques.
Abusing trusted software like WinRAR increases infection success because users rarely suspect archive extraction alone can trigger compromise.
The use of military-themed decoys demonstrates careful intelligence gathering before launching attacks.
Target selection suggests espionage remains the primary objective rather than financial gain.
NTFS Alternate Data Streams continue to be under-monitored within many enterprise environments.
Memory-only malware drastically complicates forensic investigations.
PowerShell remains one of the most abused administrative tools in Windows.
Heavy script obfuscation forces defenders to spend considerably more time during incident response.
Reflective DLL loading bypasses numerous legacy security controls.
Dynamic API resolution reduces signature-based detection effectiveness.
The
Browser credential theft remains one of the most valuable objectives for attackers.
Firefox continues to receive attention despite Chromium dominating the browser market.
DPAPI abuse has become almost standard among information stealers.
Organizations should assume browser-stored passwords are high-risk assets.
Startup folder persistence remains surprisingly effective.
Least-privilege policies reduce malware impact.
Application allow-listing can significantly disrupt PowerShell abuse.
Behavioral monitoring is becoming more valuable than static signatures.
Memory scanning should become a routine defensive practice.
Endpoint Detection and Response (EDR) platforms remain critical against fileless attacks.
Threat hunting teams should actively inspect hidden startup mechanisms.
Routine patch management would have reduced exposure to the exploited WinRAR vulnerabilities.
Organizations should educate users that trusted document formats are no longer inherently safe.
Archive extraction itself should be treated as a potentially dangerous action.
Monitoring PowerShell child processes is essential.
Reflective loading continues to be favored by advanced threat actors.
Threat intelligence sharing accelerates defensive response.
Hash-based blocking remains useful but is insufficient on its own.
YARA detection should focus on behavior as much as static indicators.
Incident responders should prioritize volatile memory collection.
Network segmentation can reduce post-compromise movement.
Credential rotation should follow every confirmed browser compromise.
Zero-day exploitation windows continue shrinking as attackers weaponize vulnerabilities faster.
Organizations must adopt layered defenses rather than relying solely on antivirus software.
Continuous security awareness training remains indispensable.
Modern espionage campaigns increasingly prioritize persistence over speed.
The sophistication of this operation indicates well-funded development efforts.
Cyber defense today is less about preventing every intrusion and more about detecting adversaries before they accomplish their objectives.
✅ Confirmed: The campaign exploits recently disclosed WinRAR path traversal vulnerabilities to silently establish persistence without requiring victims to manually execute extracted malware.
✅ Confirmed: GIFTEDCROOK uses advanced PowerShell obfuscation, reflective DLL loading, dynamic API resolution, and memory-only execution to evade modern endpoint detection systems.
✅ Confirmed: The malware actively steals browser credentials, cookies, stored passwords, and sensitive documents from Chromium-based browsers and Firefox, making compromised systems a significant intelligence risk.
Prediction
(+1) 🛡️ Security vendors will rapidly improve detection rules for reflective PowerShell loaders, NTFS Alternate Data Streams abuse, and memory-only malware techniques, reducing the effectiveness of similar campaigns over time.
(-1) ⚠️ Threat actors are likely to continue weaponizing newly disclosed archive utility vulnerabilities and combining them with increasingly sophisticated fileless malware, making targeted espionage attacks even more difficult to detect before valuable data is stolen.
References:
Reported By: cyberpress.org