What Is GIFTEDCROOK Malware and How Has It Evolved into a Major Cyber Espionage Tool in 2025?

GIFTEDCROOK malware has rapidly evolved from a basic browser credential stealer to a powerful intelligence-gathering tool targeting Ukrainian government and military agencies. This 2025 report explains its infection chain, data exfiltration methods, document theft capabilities, and how it aligns with geopolitical cyber warfare. Learn how to detect and defend against this growing malware threat.


The GIFTEDCROOK malware, originally a proof-of-concept browser stealer, has rapidly morphed into a sophisticated intelligence-gathering tool aligned with the Ukraine–Russia conflict. Recent June 2025 campaigns show it harvesting documents, images, VPN profiles, and more from Ukrainian government and military networks.

What Is GIFTEDCROOK and Who Runs It?

GIFTEDCROOK is linked to the threat cluster UAC-0226, a group first flagged by CERT-UA in April 2025 for phishing Ukraine’s military and law-enforcement agencies with macro-enabled Excel lures. The malware’s operators rely on:

  • Military‑themed phishing emails that appear official.

  • Macro‑laced Excel workbooks hosted on cloud drives (e.g., Mega).

  • Telegram channels for exfiltrating stolen ZIP archives and issuing commands.

How Did GIFTEDCROOK’s Capabilities Expand in 2025?

Early 2025 – Version 1 (Proof‑of‑Concept)

  • Stole cookies, browsing history, and saved credentials from Chrome, Edge, Firefox.

  • Exfiltrated data to Telegram in single ZIP payloads.

June 2025 – Versions 1.2 & 1.3

  • Added file‑system harvesting: grabs any file ≤ 7 MB created/modified in last 45 days.

  • Targeted extensions: .doc, .pdf, .xlsx, .jpeg, .ovpn, .sqlite, .zip and more.

  • Split archives > 20 MB into parts to dodge network filters.

  • Executes a self-delete batch script to wipe traces post-exfiltration.

GIFTEDCROOK Version Evolution (Feb–Jun 2025)

| Version / Date | Primary Focus | Key Additions | Exfiltration Channel |
|---|---|---|---|
| v1 (Feb 2025) | Browser-only stealer | Credential & cookie theft | Telegram ZIP |
| v1.2 (Jun 2025) | Mixed data theft | File harvesting ≤ 7 MB; 45-day filter; multi-part ZIPs | Telegram multi-ZIP |
| v1.3 (Jun 2025) | Intel collection | Broader extension list (.ovpn, .sqlite); improved cleanup | Telegram + batch wipe |

How Does the Infection Chain Work?

  1. Phishing Email – Military‑style PDF lure with link to cloud‑hosted Excel (.xlsm).

  2. Macro Execution – Victim enables macros; embedded VBA downloads GIFTEDCROOK to %AppData%.

  3. Stealing Phase – Malware enumerates browsers, then scans documents < 7 MB.

  4. Packaging & Exfil – Data zipped, chunked, and pushed to adversary’s Telegram bot.

  5. Self‑Deletion – Batch script wipes binaries and logs to hinder forensic recovery.

Why it evades defenses: Many organizations still allow macro‑enabled Office docs in email workflows, and Telegram traffic often blends into normal encrypted traffic.

Who Is Being Targeted—and Why?

Arctic Wolf notes a strategic pivot toward Ukrainian governmental and military entities. The timing of campaigns coincides with high-profile negotiations and troop movements, suggesting state-aligned espionage motives (arcticwolf.com). Stealing VPN configs (.ovpn) and recent office docs indicates a goal of reading internal briefs, operational plans, and secure-communications details.

What Makes GIFTEDCROOK Hard to Detect?

  • Cloud Storage Delivery – Legitimate providers like Mega reduce reputation‑block effectiveness.

  • Telegram C2 – Encrypted messaging APIs skirt traditional proxy blocks.

  • File‑Size & Date Filters – Keeps payload small and relevant, minimizing noise.

  • Self‑Wipe Routine – Removes artifacts before EDR can collect evidence.

How Can Organizations Defend Against GIFTEDCROOK?

1. Disable or Strictly Sign Macros

Block unsigned macros by default; use Office Protected View for files from the internet.

2. Monitor Cloud‑Storage Links

Flag outbound requests to file‑sharing sites in phishing emails; sandbox downloads automatically.

3. Inspect Telegram Traffic

If Telegram isn’t business‑critical, proxy‑block its API domains; otherwise, DLP‑scan encrypted channels.

4. Enforce Least‑Privilege & EDR

Limit local admin rights; deploy EDR to flag unusual ZIP creation and Telegram command traffic.

5. Train High‑Risk Users

Warn military and government staff about macro‑enabled Excel threats and cloud‑hosted lures.
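The infection chain above and defense step 4 (EDR flagging unusual ZIP creation and Telegram command traffic) describe a sequence that can be correlated per host. The following Python is an added example, not code from Arctic Wolf, CERT-UA or the malware: it scores constructed Sysmon-style events for an Office process launching a binary under AppData, multi-part ZIPs written there, a non-client process reaching api.telegram.org, and a cmd.exe deletion of the dropped binary. Event field names, hostnames, paths and the Telegram client allow-list are assumptions.

```python
import re
from collections import defaultdict

OFFICE = {"excel.exe", "winword.exe", "outlook.exe"}
TELEGRAM_CLIENTS = {"telegram.exe"}  # assumed allow-list of legitimate Telegram desktop processes
PART_RE = re.compile(r"\.zip\.\d{3}$", re.IGNORECASE)  # split archive parts such as a.zip.001

# Constructed Sysmon-style events for two hosts (not real IoCs); ws01 shows the full chain,
# ws02 is a benign Telegram desktop client talking to the same API host.
EVENTS = [
    {"host": "ws01", "type": "process", "parent": "excel.exe", "image": r"C:\Users\u\AppData\Roaming\upd.exe", "cmdline": ""},
    {"host": "ws01", "type": "file", "image": r"C:\Users\u\AppData\Roaming\upd.exe", "target": r"C:\Users\u\AppData\Local\Temp\a.zip.001"},
    {"host": "ws01", "type": "file", "image": r"C:\Users\u\AppData\Roaming\upd.exe", "target": r"C:\Users\u\AppData\Local\Temp\a.zip.002"},
    {"host": "ws01", "type": "network", "image": r"C:\Users\u\AppData\Roaming\upd.exe", "dest": "api.telegram.org"},
    {"host": "ws01", "type": "process", "parent": "upd.exe", "image": r"C:\Windows\System32\cmd.exe", "cmdline": r'cmd.exe /c del "C:\Users\u\AppData\Roaming\upd.exe"'},
    {"host": "ws02", "type": "network", "image": r"C:\Program Files\Telegram\telegram.exe", "dest": "api.telegram.org"},
]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def correlate(events):
    """Return {host: set(indicator names)} for the GIFTEDCROOK-style chain."""
    hits = defaultdict(set)
    parts = defaultdict(set)    # (host, image) -> ZIP part paths written by that process
    dropped = defaultdict(set)  # host -> binaries launched from AppData by an Office app
    for e in events:
        h, img = e["host"], e["image"]
        if e["type"] == "process" and e["parent"].lower() in OFFICE and "\\appdata\\" in img.lower():
            hits[h].add("office_spawned_appdata_binary")
            dropped[h].add(img.lower())
        elif e["type"] == "file" and PART_RE.search(e["target"]) and "\\appdata\\" in e["target"].lower():
            parts[(h, img)].add(e["target"].lower())
            if len(parts[(h, img)]) >= 2:  # second part of a chunked archive from one process
                hits[h].add("multipart_zip_in_appdata")
        elif e["type"] == "network" and e["dest"] == "api.telegram.org" and basename(img) not in TELEGRAM_CLIENTS:
            hits[h].add("telegram_api_from_nonclient")
        elif e["type"] == "process" and basename(img) == "cmd.exe" and " del " in e["cmdline"].lower():
            if any(d in e["cmdline"].lower() for d in dropped[h]):  # batch wipe of the dropped binary
                hits[h].add("self_delete_of_dropped_binary")
    return dict(hits)

def alerts(events, threshold=3):
    """Hosts with at least `threshold` chain indicators; one indicator alone is too noisy."""
    return sorted(h for h, inds in correlate(events).items() if len(inds) >= threshold)
```

The threshold keeps a lone Telegram connection or a single ZIP write from paging anyone; in production the same fields come from Sysmon event IDs 1, 3 and 11 or the equivalent EDR telemetry.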

What’s Next for GIFTEDCROOK?

Given its modular design, future versions may:

  • Use geofenced commands to target other conflict zones.

  • Integrate screen‑capture or keylogging plug‑ins.

  • Shift to peer‑to‑peer C2 if Telegram channels are blocked.

Keeping visibility on file exfiltration patterns and tightening controls around macro execution remain top mitigation steps for 2025.

FAQ

What is GIFTEDCROOK malware?

GIFTEDCROOK is a cyber espionage tool originally developed as a browser stealer, now evolved to steal sensitive documents and intelligence from targeted systems.

Who is behind GIFTEDCROOK?

The malware is attributed to the threat actor group UAC-0226, active in campaigns targeting Ukraine’s government and military.

How does GIFTEDCROOK spread?

It spreads through phishing emails with macro-enabled Excel documents hosted on cloud storage platforms.

What are macro-enabled Excel documents?

These are Microsoft Excel files (.xlsm) that contain embedded macros—scripts that execute automated tasks, often exploited in malware campaigns.

What data does GIFTEDCROOK steal?

It steals browser credentials, cookies, and a wide range of files including documents, images, PDFs, spreadsheets, VPN configs, and emails.

Which browsers are targeted by GIFTEDCROOK?

It specifically targets Google Chrome, Mozilla Firefox, and Microsoft Edge for credential and cookie theft.

What file extensions does GIFTEDCROOK look for?

It scans for .doc, .pdf, .xls, .jpg, .eml, .ovpn, .zip, .sqlite, and other commonly used file types.

What size files does GIFTEDCROOK steal?

It targets files that are less than or equal to 7 MB and created or modified within the last 45 days.

How is the stolen data exfiltrated?

The data is zipped into archives and sent to attacker-controlled Telegram channels, often in small parts to avoid detection.

Why is Telegram used in this attack?

Telegram offers encrypted communication and is often overlooked by traditional security tools, making it an ideal command-and-control (C2) channel.

How does GIFTEDCROOK avoid detection?

It splits large ZIP files, uses trusted cloud platforms for delivery, and executes a script to delete itself after the operation.

What is the goal of the GIFTEDCROOK campaigns?

The goal appears to be strategic intelligence gathering from Ukrainian governmental and military bodies.

When was GIFTEDCROOK first discovered?

It was first documented by CERT-UA in April 2025, although it started as a demo in February 2025.

What geopolitical events are linked to this malware?

Campaigns align with negotiations and escalations in the Ukraine–Russia conflict, indicating possible state-aligned espionage.

How did GIFTEDCROOK evolve between versions?

It progressed from stealing browser data to stealing recent files and documents with highly targeted espionage functionality.

What organizations are at risk from GIFTEDCROOK?

Government agencies, military units, law enforcement, and any entity dealing with classified or sensitive information.

Can antivirus software detect GIFTEDCROOK?

Basic antivirus may miss it, especially if macros and Telegram exfiltration are not properly monitored. Advanced EDR is recommended.

What happens after the data is stolen?

The malware deletes itself using a batch script to erase traces from the infected system, reducing the chance of detection.

What is Arctic Wolf’s role in tracking GIFTEDCROOK?

Arctic Wolf Labs analyzed the malware's evolution and highlighted its intelligence-gathering capabilities in their June 2025 report.

Is this malware used for financial theft?

No, GIFTEDCROOK is not designed for financial gain; it's focused on cyber espionage and intelligence exfiltration.

What is CERT-UA?

The Computer Emergency Response Team of Ukraine (CERT-UA) is Ukraine's national authority for detecting and mitigating cyber threats.

What are .ovpn files and why are they targeted?

.ovpn files are VPN configuration files; stealing them helps attackers gain access to secure internal networks.

How can organizations defend against GIFTEDCROOK?

Block macros by default, monitor for suspicious Excel files, inspect Telegram traffic, and train users on phishing detection.

What is the infection vector for GIFTEDCROOK?

The primary infection method is phishing emails that link to macro-enabled Excel files disguised as official documents.

Does GIFTEDCROOK impact cloud environments?

Yes, by stealing VPN and credential data, it can provide attackers access to cloud and hybrid infrastructure.

What is the role of phishing in GIFTEDCROOK infections?

Phishing is the main method of entry, relying on fake documents and cloud links to lure users into enabling macros.

What happens if the stolen archive is too large?

If the archive exceeds 20 MB, the malware splits it into smaller chunks to bypass detection and network limitations.

Is GIFTEDCROOK a new malware family?

It is relatively new, but its rapid evolution and effectiveness make it a serious threat on the global cyber warfare stage.

Why is GIFTEDCROOK considered a threat to national security?

It specifically targets government and military institutions, steals sensitive data, and aligns with geopolitical objectives.

What lessons can cybersecurity teams learn from this malware?

Teams should focus on document exfiltration patterns, enforce strict macro policies, and enhance detection of cloud and encrypted traffic.
