The cyber-espionage landscape targeting Ukraine has witnessed a significant evolution with the transformation of GIFTEDCROOK malware from a rudimentary browser credential stealer into a sophisticated intelligence-gathering platform. Initially discovered as a basic infostealer in early 2025, this malware has undergone strategic enhancements that align closely with geopolitical events, particularly coinciding with the June 2025 Ukraine peace negotiations in Istanbul.

What began as version 1, focused solely on browser data theft, has evolved through versions 1.2 and 1.3 to encompass comprehensive document exfiltration capabilities, targeting sensitive governmental and military information from Ukrainian institutions. The threat group UAC-0226, responsible for GIFTEDCROOK’s development and deployment, has demonstrated remarkable adaptability by releasing three distinct versions between April and June 2025.

Arctic Wolf analysts identified the malware’s progression during their investigation of spear-phishing campaigns that employed military-themed PDF lures, specifically targeting Ukrainian governmental and military personnel. The threat actors employ sophisticated social engineering tactics, crafting convincing documents about military registration procedures and administrative fines to deceive targets into enabling malicious macros. These documents, distributed via email with spoofed Ukrainian locations, particularly Uzhhorod in Western Ukraine, contain weaponized links to cloud-hosted files that ultimately deploy the GIFTEDCROOK payload. The timing of these attacks, strategically positioned around critical diplomatic negotiations, suggests coordinated intelligence operations designed to gather sensitive information during pivotal geopolitical moments.

GIFTEDCROOK version 1.3 showcases the malware’s enhanced capabilities through its comprehensive file collection strategy and persistence mechanisms. The targeted file extensions include standard office documents (.doc, .docx, .pptx), multimedia files (.jpeg, .png), archives (.rar, .zip), and notably OpenVPN configuration files (.ovpn), indicating specific interest in network access credentials. Technical analysis reveals the malware’s use of custom XOR encryption algorithms to secure collected data before exfiltration. Files exceeding 20 MB are automatically split into sequential parts (.01, .02) for efficient upload to designated Telegram channels, demonstrating the threat actors’ consideration for practical exfiltration limitations. The exfiltration mechanism leverages Telegram’s API endpoints, with specific bot tokens like hxxps://api[.]telegram[.]org/bot7726014631:AAFe9jhCMsSZ2bL7ck35PP30TwN6Gc3nzG8/sendDocument facilitating data transmission.
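As an added example (not code from the article or from Arctic Wolf's analysis), the following Python scan runs over constructed proxy-log lines, flags POSTs to the Telegram Bot API sendDocument endpoint, and classifies each uploaded filename against the targeted extensions and the .01/.02 split-part convention described above. The log layout, source IPs and the bot token are constructed for the example and are not indicators from the article.

```python
import re

# Telegram Bot API document uploads: /bot<numeric id>:<secret>/sendDocument
TELEGRAM_SEND_DOC = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):[A-Za-z0-9_-]+/sendDocument",
    re.IGNORECASE,
)
# Extensions the article lists as collected, plus the .01/.02 split-part suffix
TARGET_EXTS = {".doc", ".docx", ".pptx", ".jpeg", ".png", ".rar", ".zip", ".ovpn"}
PART_SUFFIX = re.compile(r"\.(\d{2})$")

# Constructed proxy log, "<timestamp> <src_ip> <method> <url> [filename=<name>]";
# IPs and the bot token are made up for this example, not real indicators.
SAMPLE_LOG = """\
2025-06-20T09:14:02Z 10.0.0.17 GET https://www.example.org/index.html
2025-06-20T09:15:31Z 10.0.0.17 POST https://api.telegram.org/bot1234567890:AAEXAMPLETOKENxxxxxxxxxxxx/sendDocument filename=orders.docx
2025-06-20T09:16:04Z 10.0.0.17 POST https://api.telegram.org/bot1234567890:AAEXAMPLETOKENxxxxxxxxxxxx/sendDocument filename=archive.zip.01
2025-06-20T09:16:09Z 10.0.0.17 POST https://api.telegram.org/bot1234567890:AAEXAMPLETOKENxxxxxxxxxxxx/sendDocument filename=client.ovpn
2025-06-20T09:17:40Z 10.0.0.22 POST https://api.telegram.org/bot1234567890:AAEXAMPLETOKENxxxxxxxxxxxx/sendMessage
"""


def classify_upload(filename: str) -> dict:
    """Explain why an uploaded filename matters: targeted extension, VPN config,
    or a numbered chunk of a file split for upload (e.g. report.docx.02)."""
    name = filename.lower()
    part = PART_SUFFIX.search(name)
    base = name[: part.start()] if part else name  # strip the .NN chunk suffix
    ext = base[base.rfind("."):] if "." in base else ""
    return {
        "sensitive_ext": ext in TARGET_EXTS,
        "vpn_config": ext == ".ovpn",
        "split_part": int(part.group(1)) if part else None,
    }


def scan_proxy_log(lines):
    """Return one alert dict per line that posts a document to a Telegram bot."""
    alerts = []
    for line in lines:
        m = TELEGRAM_SEND_DOC.search(line)
        if not m:
            continue  # sendMessage and ordinary web traffic are ignored
        fn = re.search(r"filename=(\S+)", line)
        # bot_id is the pivot key: one bot id ties a host's sequential uploads together
        alert = {"src": line.split()[1], "bot_id": m.group("bot_id"), "file": None}
        if fn:
            alert["file"] = fn.group(1)
            alert.update(classify_upload(fn.group(1)))
        alerts.append(alert)
    return alerts
```

Grouping the alerts by bot_id and source host surfaces the burst of sequential .01/.02 uploads that a single large document produces.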
This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 27 Jun 2025 14:55:09 +0000