Ukrainian Cybersecurity Watchdog Issues Warning on Sophisticated Espionage Campaign

In a recent alert, CERT-UA, Ukraine’s national computer emergency response team, warned of an espionage campaign targeting military, law enforcement, and local government organizations in Ukraine. The activity, attributed to the threat cluster tracked as UAC-0226, uses malicious documents to deploy malware that steals sensitive information.

The campaign, active since at least February 2025, combines targeted social engineering with macro-enabled Excel documents that deliver the GIFTEDCROOK stealer, which exfiltrates harvested data to the attackers. Below is a breakdown of the attack chain and the measures organizations should take to protect themselves.

The Espionage Campaign

CERT-UA attributes the ongoing espionage activity to UAC-0226. The cluster concentrates on Ukrainian targets: military innovation centers, local law enforcement bodies, and local government offices.

The intrusion starts with phishing emails crafted to look like legitimate correspondence from Ukrainian government agencies. Their attachments are themed as administrative fines, UAV product catalogs, demining plans, and compensation reports for property damage; the lures look authentic, and their only purpose is to get the recipient to open the file and enable its content.

The core of the attack is a macro-enabled Excel workbook (.xlsm). Its embedded Visual Basic for Applications (VBA) macro runs only after the user enables macros; it then decodes base64-encoded strings stored in spreadsheet cells and writes the result to disk as an executable with no file extension, a small trick that sidesteps extension-based filters and casual inspection.
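As an added example (not CERT-UA's or the reporting site's code) of how this pattern can be triaged statically, the Python script below opens an .xlsm as the ZIP archive it is, checks for a VBA project part, and reassembles consecutive base64-looking cell strings to see whether they decode to a PE image (the "MZ" magic). The workbook it scans is constructed in memory with a fake stub, not a real sample; the part names scanned, the 16-character chunk threshold, and the assumption that chunks sit in consecutive shared strings are all choices made for this illustration.

```python
"""Static triage of an .xlsm for the pattern described above: a VBA project
(xl/vbaProject.bin) plus cell strings holding base64 chunks that, once
concatenated, decode to a PE image (the 'MZ' magic).

Added example, not CERT-UA's or the reporting site's code. The workbook it
scans is constructed in memory; the 'payload' is a stub that only starts
with MZ, not a real executable."""
import base64
import html
import io
import re
import zipfile

# A cell string made only of base64 characters (plus padding) and at least
# 16 characters long is treated as a possible payload chunk (threshold is an assumption).
CHUNK_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
TEXT_NODE_RE = re.compile(r"<t(?:\s[^>]*)?>(.*?)</t>", re.S)


def _cell_strings(zf: zipfile.ZipFile) -> list[str]:
    """Collect <t> text nodes from sharedStrings and every worksheet, in part order."""
    out: list[str] = []
    for name in sorted(zf.namelist()):
        if name == "xl/sharedStrings.xml" or name.startswith("xl/worksheets/"):
            xml = zf.read(name).decode("utf-8", errors="ignore")
            out.extend(html.unescape(t).strip() for t in TEXT_NODE_RE.findall(xml))
    return out


def _reassemble_runs(strings: list[str]) -> list[str]:
    """Join consecutive base64-looking strings, as a chunking dropper macro would."""
    runs: list[str] = []
    current: list[str] = []
    for s in strings:
        if CHUNK_RE.fullmatch(s):
            current.append(s)
        elif current:
            runs.append("".join(current))
            current = []
    if current:
        runs.append("".join(current))
    return runs


def scan_xlsm(data: bytes) -> dict:
    """Return {'has_vba': bool, 'embedded_pe': [decoded sizes]} for an .xlsm given as bytes."""
    result: dict = {"has_vba": False, "embedded_pe": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        result["has_vba"] = any(n.lower() == "xl/vbaproject.bin" for n in zf.namelist())
        for run in _reassemble_runs(_cell_strings(zf)):
            try:
                blob = base64.b64decode(run, validate=True)
            except ValueError:  # binascii.Error is a ValueError: not real base64 after all
                continue
            if blob[:2] == b"MZ":
                result["embedded_pe"].append(len(blob))
    return result


def build_sample_xlsm(malicious: bool) -> bytes:
    """Constructed workbook (not a real sample). The malicious variant adds a dummy
    vbaProject.bin and a 400-byte fake 'MZ' stub, base64-encoded and split across
    three shared-string cells the way a chunking macro expects to find it."""
    strings = ["Compensation report", "Property damage, UAH", "17"]
    parts = {
        "[Content_Types].xml": "<Types/>",
        "xl/workbook.xml": "<workbook/>",
        "xl/worksheets/sheet1.xml": "<worksheet/>",
    }
    if malicious:
        parts["xl/vbaProject.bin"] = b"\xd0\xcf\x11\xe0"  # OLE magic only, no real macro
        stub = b"MZ" + b"\x90" * 398
        b64 = base64.b64encode(stub).decode()
        third = len(b64) // 3
        strings += [b64[:third], b64[third:2 * third], b64[2 * third:]]
    si = "".join(f"<si><t>{html.escape(s)}</t></si>" for s in strings)
    parts["xl/sharedStrings.xml"] = f"<sst>{si}</sst>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        print("malicious" if flag else "benign", scan_xlsm(build_sample_xlsm(flag)))
```

Run it on a real attachment with `scan_xlsm(open(path, "rb").read())`. The reassembly step matters: each chunk on its own is too short or unpadded to decode, which is exactly why droppers split the blob across cells; a scanner that looks at cells one at a time misses it.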

The dropped file is written to a hidden directory (e.g., %PROGRAMDATA%\Svchost) and, once executed, launches two distinct payloads:
1. PowerShell reverse shell: a PowerShell script that opens a reverse shell to the attackers’ command-and-control server, giving them interactive remote access to the compromised host.
2. GIFTEDCROOK stealer: a second payload, written in C/C++, that collects browser data (cookies, saved passwords, and browsing history) from Chrome, Firefox, and Edge. The collected data is exfiltrated to the attackers via Telegram.

Using Telegram as the exfiltration channel is deliberate: the traffic is ordinary HTTPS to a widely used, legitimate service, so it blends in with normal user activity and is easy to overlook unless egress to that service is monitored or restricted.
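To show what the chain above looks like from the detection side, here is an added Python example (not a CERT-UA or vendor rule) that runs three rules over constructed Sysmon-style process-create and network-connect events: an Office process spawning an extensionless or %PROGRAMDATA% executable, a shell with Excel anywhere in its ancestry, and a process outside a small allowlist contacting api.telegram.org. The field names follow Sysmon's, the log lines are made up for this illustration, the dropped file's name is a placeholder, and the allowlist and hostname are assumptions to tune per environment.

```python
"""Behavioural detection for the execution chain described above, run over
constructed Sysmon-style events (EventID 1 = process create, EventID 3 =
network connect). Added example, not CERT-UA's or any vendor's rule set.
The log lines are made up; the dropped file's name is a placeholder."""
import json
import ntpath

EXCEL = "excel.exe"
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
TELEGRAM_HOSTS = {"api.telegram.org"}  # assumption: resolved hostname is logged
# Processes that legitimately reach Telegram in a typical fleet (assumption; tune per environment).
TELEGRAM_ALLOWED = {"telegram.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed sample telemetry, one JSON event per line.
SAMPLE_LOG = r"""
{"EventID":1,"ProcessId":100,"ParentProcessId":1,"Image":"C:\\Windows\\explorer.exe"}
{"EventID":1,"ProcessId":200,"ParentProcessId":100,"Image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"}
{"EventID":1,"ProcessId":300,"ParentProcessId":200,"Image":"C:\\ProgramData\\Svchost\\dropped"}
{"EventID":1,"ProcessId":400,"ParentProcessId":300,"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
{"EventID":3,"ProcessId":300,"Image":"C:\\ProgramData\\Svchost\\dropped","DestinationHostname":"api.telegram.org","DestinationPort":443}
{"EventID":1,"ProcessId":500,"ParentProcessId":100,"Image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"}
{"EventID":3,"ProcessId":500,"Image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","DestinationHostname":"api.telegram.org","DestinationPort":443}
{"EventID":1,"ProcessId":600,"ParentProcessId":100,"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
"""


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def _ancestry(procs: dict, pid: int, max_depth: int = 8) -> list[str]:
    """Image names of pid's ancestors, nearest first, as far as the process table knows."""
    chain: list[str] = []
    while pid in procs and len(chain) < max_depth:
        parent = procs[pid]["ppid"]
        if parent not in procs:
            break
        chain.append(procs[parent]["image"])
        pid = parent
    return chain


def detect(log_text: str) -> list[dict]:
    """Replay events in order, maintain a process table, and emit alerts."""
    procs: dict = {}
    alerts: list[dict] = []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        pid = ev["ProcessId"]
        if ev["EventID"] == 1:
            image = ev["Image"]
            name = _basename(image)
            procs[pid] = {"image": name, "ppid": ev["ParentProcessId"]}
            chain = _ancestry(procs, pid)
            parent = chain[0] if chain else None
            # R1: Excel launched something with no extension, or from %PROGRAMDATA% (dropper behaviour).
            if parent == EXCEL and (not ntpath.splitext(name)[1] or "\\programdata\\" in image.lower()):
                alerts.append({"rule": "office_spawns_dropped_payload", "pid": pid, "image": image})
            # R2: a shell anywhere below Excel in the process tree (reverse-shell stage).
            if name in SHELLS and EXCEL in chain:
                alerts.append({"rule": "shell_descends_from_office", "pid": pid, "chain": chain})
        elif ev["EventID"] == 3:
            host = ev.get("DestinationHostname", "").lower()
            name = procs.get(pid, {}).get("image") or _basename(ev.get("Image", ""))
            # R3: Telegram API contacted by a process that has no business doing so.
            if host in TELEGRAM_HOSTS and name not in TELEGRAM_ALLOWED:
                alerts.append({"rule": "telegram_api_from_unexpected_process", "pid": pid, "image": name, "host": host})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample, the chrome.exe connection to Telegram and the PowerShell started from Explorer produce nothing, while the dropped file, the shell beneath it, and the dropped file's Telegram connection each raise one alert. Rule R2 walks the full ancestry rather than only the parent because the shell here is two hops below Excel.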

What Undercode Says:

The activity attributed to UAC-0226 is a reminder of how effective targeted document-based campaigns remain. Rather than exploiting software flaws, the operators rely on social engineering to get a person to execute code for them. Excel macros are not a vulnerability but a legitimate feature that has been abused for decades, and they continue to be one of the most reliable delivery mechanisms. What makes this campaign notable is the combination of techniques: government-themed phishing, a staged dropper, hidden payloads, and a legitimate messaging service used for data exfiltration.

Analytically, the attack succeeds because of human decisions. Trusted government themes lower the recipient’s guard and persuade them to open the workbook and enable macros. Pairing a reverse shell with a stealer like GIFTEDCROOK then complicates the response: the shell gives the operators persistent interactive access while the stealer harvests credentials, so detection has to cover both the interactive channel and the bulk data theft.

The campaign also illustrates a broader challenge for governments and organizations: well-crafted social engineering is hard to prevent. Signatures for a given document or binary lag behind lures that change with every wave, so defense needs a layered approach: user training, phishing detection, and monitoring of endpoint behavior and network traffic for unusual patterns.

The Role of Telegram in Malware Exfiltration

Telegram’s appeal to attackers is practical rather than cryptographic. It is a legitimate, widely used service with a simple HTTP API, so outbound connections to it over TLS look like ordinary web traffic and are rarely blocked by default, and the attackers need no infrastructure of their own to receive the data. It is not undetectable, however: the destination is a known Telegram endpoint, and an organization that restricts or monitors egress to it can spot a stealer phoning home.

The trend does reflect a wider shift toward abusing legitimate cloud and messaging services for command and control and exfiltration. Note that Telegram’s end-to-end encryption applies only to its optional secret chats; ordinary chats and bot traffic are encrypted in transit to Telegram’s servers, not end to end. What matters to the attackers is that the channel is reliable, free, and already trusted by most networks.

What Organizations Can Do

CERT-UA’s recommendations for defending against this threat include disabling macros in documents by default, educating employees about phishing, and using threat detection capable of flagging abnormal network activity. Endpoint detection and response (EDR) tooling can surface the behavior described above (an Office process writing and launching an extensionless file, a shell spawned beneath it, an unexpected process contacting Telegram), and monitoring of file changes and network connections remains essential for identifying suspicious activity.

Organizations should also keep up with current security best practices and run regular security audits to find weaknesses before attackers do. Given the sophistication of current threats, layered defenses are essential for protecting sensitive government and military data.

Fact Checker Results

  1. The campaign targeted Ukrainian government and military organizations.
  2. Attackers used Excel macros to deliver the GIFTEDCROOK malware.
  3. The malware exfiltrated sensitive data via Telegram, making detection harder.

References:

Reported By: www.bitdefender.com