The PolySwarm Blog


GIFTEDCROOK Stealer Targets Ukraine

Apr 14, 2025 2:00:22 PM / by The Hivemind

GIFTEDCROOK

Verticals Targeted: Military, Law Enforcement, Government
Regions Targeted: Ukraine

Executive Summary

The Computer Emergency Response Team of Ukraine (CERT-UA) has identified a new phishing campaign by UAC-0226, deploying the GIFTEDCROOK stealer through malicious Excel files to compromise Ukrainian institutions. This operation targets sensitive data from military, law enforcement, and local government entities, leveraging socially engineered lures for execution.

Key Takeaways

  • Phishing emails with macro-enabled Excel files (XLSM) distribute GIFTEDCROOK, a C/C++-based stealer, and a PowerShell reverse shell.  
  • The malware targets browser data, including cookies and authentication credentials, from Chrome, Edge, and Firefox.  
  • UAC-0226 uses compromised email accounts to enhance the legitimacy of its phishing attempts.  
  • The campaign focuses on Ukrainian institutions, exploiting topics like demining and UAV production.

What is GIFTEDCROOK?

An espionage operation orchestrated by UAC-0226 is targeting Ukraine using a novel information-stealing malware dubbed GIFTEDCROOK. This campaign, active as of April 2025, leverages phishing emails to distribute malicious Microsoft Excel spreadsheets aimed at Ukrainian military formations, law enforcement agencies, and local government bodies. The attack vector hinges on macro-enabled documents, a technique that remains effective against organizations with lax security controls. A recent alert from CERT-UA sheds light on this activity. 

The infection chain begins with phishing emails crafted to appear legitimate, often sent from compromised accounts via webmail interfaces. Subject lines and file names reference pressing regional issues, such as demining efforts, administrative fines, UAV production, and property compensation, and are tailored to deceive recipients into enabling macros. Once activated, the XLSM files deploy two distinct payloads. 

The first payload is a PowerShell script sourced from the publicly available PSSW100AVB GitHub repository, designed to establish a reverse shell for persistent access. The second, GIFTEDCROOK, is a previously undocumented stealer written in C/C++, engineered to harvest sensitive data from web browsers including Google Chrome, Microsoft Edge, and Mozilla Firefox. Its capabilities include extracting cookies, browser history, and authentication credentials, which are then exfiltrated to the attackers.

Technical analysis reveals GIFTEDCROOK’s efficiency in targeting browser-stored data, a critical asset for espionage-driven operations. The malware’s reliance on C/C++ suggests a focus on performance and evasion. The PowerShell component, meanwhile, underscores the attackers’ preference for living-off-the-land tactics, minimizing the footprint of custom tooling. This dual-payload approach amplifies the campaign’s impact, enabling both data theft and potential lateral movement within compromised networks.
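The dual-payload chain above (a macro in an Excel file launching PowerShell) leaves a characteristic parent/child process relationship that endpoint telemetry can catch. The following detection logic is an added example written for this post, not code from CERT-UA or PolySwarm; the event format, host names and command lines are constructed for illustration.

```python
from dataclasses import dataclass

# Office applications that should rarely spawn a script host directly.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Script hosts commonly launched by a malicious macro.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed sample process-creation events (not real logs), fields separated by "|":
# timestamp | host | parent image | child image | child command line
SAMPLE_EVENTS = [
    r"2025-04-10T09:12:01Z|WS01|C:\Windows\explorer.exe|C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE|EXCEL.EXE C:\Users\user\Downloads\Report.xlsm",
    r"2025-04-10T09:12:07Z|WS01|C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -nop -w hidden -ep bypass -File C:\Users\Public\update.ps1",
    r"2025-04-10T09:15:33Z|WS01|C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE|C:\Windows\splwow64.exe|splwow64.exe 12288",
    r"2025-04-10T09:20:10Z|WS02|C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|cmd.exe /c dir",
    r"2025-04-10T09:41:52Z|WS02|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|C:\Windows\System32\cmd.exe|cmd.exe /c whoami",
]

@dataclass
class Alert:
    host: str
    parent: str
    child: str
    flags: list  # aggravating PowerShell switches found on the command line

def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def suspicious_flags(cmd: str) -> list:
    """Flag switches that typically accompany macro-launched PowerShell."""
    tokens = cmd.lower().split()
    hits = []
    for i, tok in enumerate(tokens):
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        if tok in ("-w", "-windowstyle") and nxt == "hidden":
            hits.append("hidden-window")
        elif tok in ("-ep", "-executionpolicy") and nxt == "bypass":
            hits.append("policy-bypass")
        elif tok in ("-e", "-enc", "-encodedcommand"):
            hits.append("encoded-command")
        elif tok in ("-nop", "-noprofile"):
            hits.append("no-profile")
    return hits

def detect(events) -> list:
    """Return one Alert per Office-application-to-script-host process launch."""
    alerts = []
    for line in events:
        _ts, host, parent, image, cmd = line.split("|", 4)
        p, c = basename(parent), basename(image)
        if p in OFFICE_PARENTS and c in SCRIPT_HOSTS:
            alerts.append(Alert(host, p, c, suspicious_flags(cmd)))
    return alerts

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.host}] {a.parent} -> {a.child} flags={a.flags}")
```

Only the second and fifth events trigger; the printing helper spawned by Excel and the PowerShell started from Explorer do not. The same rule is easy to express in Sigma or an EDR query by matching ParentImage against the Office set and Image against the script-host set.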

By hijacking legitimate email accounts, the group enhances the credibility of the phishing lures, a strategy that complicates detection for both end-users and security teams. While the threat cluster’s attribution to a specific nation-state remains unconfirmed, its focus on Ukrainian institutions near the eastern border hints at geopolitical motives. PolySwarm analysts consider GIFTEDCROOK to be an emerging threat. 

Who is UAC-0226?

UAC-0226 emerged as a notable cyber threat in February 2025, identified by Ukraine’s CERT-UA for its focused espionage operations against critical sectors within the country. The group’s tactics center on phishing campaigns that exploit topical lures in order to trick users into enabling macros in malicious Excel spreadsheets. UAC-0226’s tactics reflect a calculated effort to exploit trust and urgency. The group targets Ukrainian military units, law enforcement agencies, and innovation hubs, particularly near the eastern border of Ukraine.

IOCs

PolySwarm has multiple samples associated with this activity.


You can use the following CLI command to search for all GIFTEDCROOK samples in our portal:

$ polyswarm link list -f GiftedCrook




Topics: Ukraine, Threat Bulletin, Espionage, Stealer, Infostealer, GiftedCrook
