
GIFTEDCROOK Malware

The malware known as GIFTEDCROOK has undergone a significant transformation. Originally designed as a basic browser data stealer, it has now matured into a sophisticated espionage tool with a strategic focus. Recent campaigns observed in June 2025 reveal an alarming enhancement: the malware now targets sensitive documents and proprietary files from compromised devices, particularly those belonging to the Ukrainian government and military personnel.

A Targeted Assault on Ukrainian Institutions

GIFTEDCROOK was first discovered in April 2025, when researchers linked it to phishing campaigns aimed at military entities, law enforcement agencies, and local government bodies in Ukraine. These campaigns are attributed to the threat actor group UAC-0226, which leverages macro-laced Microsoft Excel documents to deliver the malware payload via phishing emails.

The phishing messages often mimic official communications, using military-themed PDF lures to trick recipients into clicking a Mega cloud storage link. This link hosts a macro-enabled Excel file titled ‘Список оповіщених військовозобов'язаних організації 609528.xlsm’. Once macros are enabled, GIFTEDCROOK is silently downloaded to the target system.

What GIFTEDCROOK Steals: Expanding Its Reach

At its core, GIFTEDCROOK remains an information stealer. Initially focused on extracting browser data, the malware is designed to collect cookies, browsing history, and authentication credentials from major browsers such as Google Chrome, Microsoft Edge, and Mozilla Firefox.

Over time, however, GIFTEDCROOK’s capabilities have significantly expanded. The malware began as a demo variant in February 2025; the newer versions 1.2 and 1.3 introduced powerful data exfiltration features, particularly the ability to target files under 7 MB in size and modified within the last 45 days.

New Targets: Sensitive Files and Internal Docs

The enhanced malware specifically searches for files with the following extensions:

Documents and Presentations: .doc, .docx, .rtf, .ppt, .pptx, .pdf, .odt

Spreadsheets and Data Files: .csv, .xls, .xlsx, .ods

Archives and Texts: .rar, .zip, .eml, .txt

Images and Configs: .jpeg, .jpg, .png, .sqlite, .ovpn

This shift in focus, from browser credentials to recent and relevant documents, underscores GIFTEDCROOK’s role in targeted intelligence gathering.
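The collection criteria above (extension list, under 7 MB, modified within 45 days) are exactly what an incident responder needs to estimate what a compromised host may have lost. The following is an added example for that scoping step; it is not code from the original article or from the malware. It works on a constructed inventory of (path, size, mtime) records so it runs offline, and it assumes the 7 MB limit is 7 MiB, which the article does not specify.

```python
import os
from collections import Counter
from dataclasses import dataclass

# Collection criteria reported for GIFTEDCROOK versions 1.2 and 1.3.
TARGET_EXTENSIONS = {
    ".doc", ".docx", ".rtf", ".ppt", ".pptx", ".pdf", ".odt",   # documents and presentations
    ".csv", ".xls", ".xlsx", ".ods",                             # spreadsheets and data files
    ".rar", ".zip", ".eml", ".txt",                              # archives and texts
    ".jpeg", ".jpg", ".png", ".sqlite", ".ovpn",                 # images and configs
}
MAX_SIZE_BYTES = 7 * 1024 * 1024  # "under 7 MB"; assumption: MiB
MAX_AGE_SECONDS = 45 * 86400      # "modified within the last 45 days"


@dataclass(frozen=True)
class FileRecord:
    path: str     # file path as seen on the host
    size: int     # size in bytes
    mtime: float  # POSIX timestamp of last modification


def in_scope(rec: FileRecord, now: float) -> bool:
    """True if this file matches the reported collection criteria."""
    ext = os.path.splitext(rec.path)[1].lower()   # extension match is case-insensitive
    if ext not in TARGET_EXTENSIONS:
        return False
    if rec.size >= MAX_SIZE_BYTES:
        return False
    # A future-dated mtime (clock skew) still counts as "recent".
    return (now - rec.mtime) <= MAX_AGE_SECONDS


def exposure_report(records, now: float) -> dict:
    """Summarise which inventoried files a GIFTEDCROOK-style collector would have taken."""
    hits = [r for r in records if in_scope(r, now)]
    by_ext = Counter(os.path.splitext(r.path)[1].lower() for r in hits)
    return {
        "count": len(hits),
        "bytes": sum(r.size for r in hits),
        "by_extension": dict(by_ext),
        "paths": sorted(r.path for r in hits),
    }


def inventory_directory(root: str):
    """Build FileRecords from a real directory tree (for use on a forensic image or live host)."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue
            yield FileRecord(full, st.st_size, st.st_mtime)


# Constructed sample inventory; NOW is roughly mid-June 2025 as a POSIX timestamp.
NOW = 1_750_000_000.0
SAMPLE_INVENTORY = [
    FileRecord("C:/Users/op/Documents/orders.xlsx", 120_000, NOW - 3 * 86400),       # in scope
    FileRecord("C:/Users/op/Documents/archive_2019.pdf", 500_000, NOW - 400 * 86400), # too old
    FileRecord("C:/Users/op/Videos/briefing.mp4", 50_000_000, NOW - 86400),           # extension not targeted
    FileRecord("C:/Users/op/Downloads/dataset.csv", 9 * 1024 * 1024, NOW - 86400),    # over size limit
    FileRecord("C:/Users/op/.ovpn/work.ovpn", 3_000, NOW - 10 * 86400),               # in scope
    FileRecord("C:/Users/op/Desktop/Notes.TXT", 800, NOW - 44 * 86400),               # in scope (case-insensitive)
]

if __name__ == "__main__":
    report = exposure_report(SAMPLE_INVENTORY, NOW)
    print(f"{report['count']} files / {report['bytes']} bytes potentially collected")
    for p in report["paths"]:
        print("  ", p)
```

Run `exposure_report(list(inventory_directory(path)), time.time())` against a mounted image of the affected profile to get a concrete list of documents to treat as disclosed; the VPN profiles (`.ovpn`) in that list should be revoked rather than merely noted.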

Exfiltration Methods: Staying Under the Radar

Once the malware collects the desired files, it compresses the stolen data into a ZIP archive. If the archive exceeds 20 MB, it is split into smaller parts. These fragments are exfiltrated via a Telegram channel controlled by the attackers, a method that helps evade detection and bypass traditional network security tools.
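The split-archive-over-Telegram pattern described above is detectable from egress logs even when the individual uploads look like ordinary bot traffic. The following is an added detection example, not code from the article or from any vendor; it assumes the attackers use the Telegram Bot API (`api.telegram.org`, `sendDocument`), which the article does not state, and it runs over constructed proxy log lines whose format (timestamp, source IP, method, URL, bytes sent, status) is also an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

MIN_PARTS = 2                        # two or more document uploads in one window
WINDOW_SECONDS = 600                 # ten-minute burst window
SPLIT_THRESHOLD = 20 * 1024 * 1024   # the reported 20 MB split point (assumed MiB)
# Bot API paths look like /bot<id>:<secret>/<method>
BOT_PATH_RE = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]+)/(\w+)$")


def parse_line(line: str) -> dict:
    """Parse one constructed proxy log line into an event dict."""
    ts, src, method, url, nbytes, status = line.split()
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    parts = urlsplit(url)
    return {"when": when, "src": src, "method": method, "host": parts.netloc,
            "path": parts.path, "bytes": int(nbytes), "status": int(status)}


def bot_document_upload(ev: dict):
    """Return (bot_id, secret) if the event is a Bot API sendDocument POST, else None."""
    if ev["host"] != "api.telegram.org" or ev["method"] != "POST":
        return None
    m = BOT_PATH_RE.match(ev["path"])
    if not m or m.group(3) != "sendDocument":
        return None
    return m.group(1), m.group(2)


def max_parts_in_window(times, window: int) -> int:
    """Largest number of uploads from one host inside any sliding window of `window` seconds."""
    best, j = 0, 0
    for i, t in enumerate(times):
        while (t - times[j]).total_seconds() > window:
            j += 1
        best = max(best, i - j + 1)
    return best


def detect_telegram_exfil(lines) -> list:
    """Flag hosts that upload several documents to a Telegram bot in a burst, or 20 MiB+ in total."""
    per_src = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = parse_line(line)
        tok = bot_document_upload(ev)
        if tok:
            per_src[ev["src"]].append((ev["when"], ev["bytes"], tok))

    alerts = []
    for src, uploads in per_src.items():
        uploads.sort()
        total = sum(b for _, b, _ in uploads)
        burst = max_parts_in_window([u[0] for u in uploads], WINDOW_SECONDS)
        if burst >= MIN_PARTS or total >= SPLIT_THRESHOLD:
            bot_id, secret = uploads[0][2]
            alerts.append({
                "src": src, "parts": len(uploads), "bytes": total,
                "max_parts_in_window": burst,
                "bot_id": bot_id,                        # reportable to Telegram for takedown
                "token_hint": secret[:4] + "...",        # never log the full bot secret
            })
    return alerts


# Constructed sample: one host pushes five archive parts in 31 seconds; the rest is benign bot noise.
SAMPLE_LOG = """
2025-06-12T09:14:02Z 10.20.0.15 POST https://api.telegram.org/bot7000000001:AAExampleTokenValue/sendDocument 5242880 200
2025-06-12T09:14:09Z 10.20.0.15 POST https://api.telegram.org/bot7000000001:AAExampleTokenValue/sendDocument 5242880 200
2025-06-12T09:14:17Z 10.20.0.15 POST https://api.telegram.org/bot7000000001:AAExampleTokenValue/sendDocument 5242880 200
2025-06-12T09:14:25Z 10.20.0.15 POST https://api.telegram.org/bot7000000001:AAExampleTokenValue/sendDocument 5242880 200
2025-06-12T09:14:33Z 10.20.0.15 POST https://api.telegram.org/bot7000000001:AAExampleTokenValue/sendDocument 1048576 200
2025-06-12T09:30:00Z 10.20.0.44 GET https://api.telegram.org/bot7000000002:AAOtherTokenValue/getUpdates 512 200
2025-06-12T10:02:11Z 10.20.0.77 POST https://api.telegram.org/bot7000000003:AAThirdTokenValue/sendMessage 300 200
2025-06-12T10:05:40Z 10.20.0.15 POST https://web.telegram.org/k/ 2048 200
""".strip().splitlines()

if __name__ == "__main__":
    for a in detect_telegram_exfil(SAMPLE_LOG):
        print(a)
```

The full URL path is only visible when the proxy performs TLS inspection; without it, fall back to counting connections to the `api.telegram.org` SNI per host and alerting on volume, which is noisier but still catches the multi-part burst.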

To cover its tracks, a batch script is executed in the final stage, removing evidence of the malware from the infected host.

Strategic Espionage, Not Just Theft

GIFTEDCROOK is not merely a credential stealer; it is a cyber espionage tool. Its capacity to harvest recent and sensitive documents such as spreadsheets, PDFs, and VPN configurations indicates a deliberate intent to extract intelligence from public sector workers and internal systems. The risks are substantial: any individual compromise may endanger entire institutional networks.

Geopolitical Timing and Coordinated Development

The malware’s deployment aligns with geopolitical flashpoints, notably the Istanbul negotiations between Ukraine and Russia. This correlation suggests that GIFTEDCROOK’s enhancements were not coincidental but part of a coordinated development strategy aimed at expanding surveillance capabilities in line with political events.

Conclusion: A Growing Threat That Mirrors Global Tensions

The evolution of GIFTEDCROOK, from a modest browser data thief to a full-spectrum espionage platform, mirrors the increasing complexity of cyber threats facing national institutions. The malware’s version progression, paired with well-crafted phishing tactics and intelligent data collection, reflects the adversary’s clear intent to weaponize digital intrusions for strategic gains. Anyone who handles sensitive information must remain vigilant: this is no longer just about stolen passwords but about information warfare in digital form.
