Ukrainian government organizations are facing a sophisticated new cyber threat as threat actors deploy the recently discovered GIFTEDCROOK stealer malware to harvest sensitive data. Since February 2025, security researchers have been monitoring this cyber-espionage campaign targeting military innovation hubs, armed forces units, law enforcement agencies, and local government entities, with a particular focus on institutions near Ukraine's eastern border. The campaign, attributed to a threat actor tracked as UAC-0226, represents a significant escalation in targeted intelligence-gathering operations against Ukrainian critical infrastructure. On April 6, 2025, CERT-UA released security alert CERT-UA#14303, warning of this persistent threat designed to extract valuable data from compromised systems.

The GIFTEDCROOK infection chain is a multi-stage process that begins with phishing emails carrying malicious Excel attachments. Initial compromise occurs through macro-enabled Excel documents (.xlsm) with carefully crafted social engineering lures related to landmine clearance, administrative fines, drone production, and compensation for damaged property. These specially crafted documents contain concealed malicious code that, when executed, establishes persistence and begins the data theft process. The threat actors further complicate attribution and detection by sending the phishing emails from previously compromised accounts, including webmail services.

The attacks primarily focus on stealing browser data, including saved credentials, cookies, and browsing history from popular browsers including Chrome, Edge, and Firefox. The compressed data is then exfiltrated through Telegram channels, making detection challenging as this traffic often blends with legitimate messaging activity.

SOCPrime researchers identified that the GIFTEDCROOK malware is part of a broader pattern of cyber-espionage activities targeting Ukraine, with other groups like UAC-0200 and UAC-0219 also increasing their operations throughout spring 2025. According to CERT-EU's annual Threat Landscape Report, 44% of reported incidents in 2024 were linked to cyber espionage or prepositioning tactics typically attributed to state-sponsored actors[1].
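The lure documents described above are macro-enabled Excel workbooks, which in the OOXML container format means a `xl/vbaProject.bin` part and a macro-enabled content type. The following mail-gateway style check is an added example, not code from the article or from CERT-UA; it also flags the case, not discussed in the article, where a workbook carrying a VBA project arrives under a non-macro extension such as `.xlsx`. The sample workbooks it builds are constructed stand-ins, not real Excel files.

```python
import io
import zipfile

# Marker parts inside an OOXML (Office 2007+) zip container.
VBA_PART = "xl/vbaProject.bin"          # present only when the workbook carries VBA macros
CONTENT_TYPES = "[Content_Types].xml"

# Content type Excel registers for the main part of a macro-enabled workbook (.xlsm).
MACRO_WORKBOOK_CT = "application/vnd.ms-excel.sheet.macroEnabled.main+xml"
PLAIN_WORKBOOK_CT = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"


def inspect_office_attachment(filename, data):
    """Inspect one attachment (name + raw bytes) and return a verdict dict.

    ooxml  : the bytes are an OOXML zip container
    macro  : the container carries a VBA project or a macro-enabled content type
    masked : it carries macros but the filename lacks a macro-enabled extension
    """
    verdict = {"filename": filename, "ooxml": False, "macro": False, "masked": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return verdict  # not OOXML (legacy .xls, PDF, plain text, ...): out of scope here
    names = set(zf.namelist())
    if CONTENT_TYPES not in names:
        return verdict
    verdict["ooxml"] = True
    ct_xml = zf.read(CONTENT_TYPES).decode("utf-8", "replace")
    verdict["macro"] = VBA_PART in names or MACRO_WORKBOOK_CT in ct_xml
    # Excel opens a renamed .xlsm just the same, so judge by content, not by extension.
    verdict["masked"] = verdict["macro"] and not filename.lower().endswith((".xlsm", ".xltm"))
    return verdict


def build_sample_workbook(with_macro):
    """Construct a minimal OOXML-like container for testing (constructed, not a real workbook)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        ct = MACRO_WORKBOOK_CT if with_macro else PLAIN_WORKBOOK_CT
        zf.writestr(CONTENT_TYPES, f'<Types><Override PartName="/xl/workbook.xml" ContentType="{ct}"/></Types>')
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            zf.writestr(VBA_PART, b"constructed placeholder, not a real VBA project")
    return buf.getvalue()
```

In a gateway, a `masked` verdict deserves a harder block than a plain `macro` verdict, since there is no legitimate reason for a macro project to hide behind a `.xlsx` name.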
This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 09 Apr 2025 12:00:13 +0000