From browser stealers to intelligence gathering tools


June 28, 2025Ravi LakshmananMalware/Cyber ​​War

GiftedCrook Malware

The threat actors behind the GiftedCrook malware have made significant updates that turn the malicious program from a basic browser data stealer into a powerful intelligence gathering tool.

“The recent campaign in June 2025 shows that it strengthens its talented ability to remove a wide range of sensitive documents from targeted personal devices, including potentially unique files and browser secrets,” Arctic Wolf Labs said in a report published this week.

“This change in functionality, combined with the contents of the phishing rack, […] it proposes a strategic focus on intelligence newsletters from Ukrainian government and military groups.”

GiftedCrook was first documented in early April 2025 by the Ukrainian Computer Emergency Response Team (CERT-UA) in connection with a campaign targeting military entities, law enforcement and local autonomous organizations.

The activity, attributed to a hacking group tracked as UAC-0226, involves phishing emails containing macro-enabled Microsoft Excel documents that act as a conduit for deploying GiftedCrook.

At its core, the information-stealing malware is designed to steal cookies, browsing history and authentication data from popular web browsers such as Google Chrome, Microsoft Edge, and Mozilla Firefox.

Arctic Wolf's analysis of the artifacts revealed that the stealer began as a demo in February 2025 and later acquired new features in versions 1.2 and 1.3.

These new iterations include the ability to harvest documents and files that are less than 7 MB in size, specifically looking for files that have been created or modified within the last 45 days. The malware searches for the following extensions: .doc, .docx, .rtf, .pptx, .ppt, .csv, .xls, .xlsx, .jpeg, .jpg, .png, .pdf, .odt, .rar, .zip, .eml, .txt.

The email campaigns use military-themed PDF lures to tempt users into clicking a Mega cloud storage link that hosts a macro-enabled Excel workbook (“Academy”); GiftedCrook is downloaded when recipients turn on macros. Many users are unaware of how common macro-enabled Excel files are in phishing attacks. Because people expect work emails, especially ones carrying spreadsheets that look official or government-related, these files slip past defenses.

The captured information is bundled into a ZIP archive and exfiltrated to an attacker-controlled Telegram channel. If the total archive size exceeds 20 MB, it is split into multiple parts. By sending stolen ZIP archives in small chunks, GiftedCrook avoids detection and skirts traditional network filters. In the final stage, a batch script is executed to clear traces of the stealer from the compromised host.
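For defenders, the chunked Telegram exfiltration described above leaves a recognisable pattern in egress logs. The following added example (not from Arctic Wolf or the original article) flags hosts that send several uploads to Telegram in a short burst totalling more than 20 MB; the log layout, the `api.telegram.org` host name and the 10-minute window are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions (not from the article): proxy field layout, host name, window.
TELEGRAM_HOSTS = {"api.telegram.org"}
WINDOW = timedelta(minutes=10)
MIN_TOTAL_BYTES = 20 * 1024 * 1024  # article: archives over 20 MB are split
MIN_PARTS = 2                       # a split archive arrives as 2+ uploads

# Constructed sample records: time, source, destination, method, bytes sent.
SAMPLE_LOG = """\
2025-06-20T09:01:02 ws-114 api.telegram.org POST 18874368
2025-06-20T09:01:40 ws-114 api.telegram.org POST 18874368
2025-06-20T09:02:15 ws-114 api.telegram.org POST 5242880
2025-06-20T09:05:00 ws-020 api.telegram.org POST 2048
2025-06-20T09:06:00 ws-077 files.example.org POST 31457280
2025-06-20T10:00:00 ws-031 api.telegram.org POST 15728640
2025-06-20T12:30:00 ws-031 api.telegram.org POST 15728640
2025-06-20T12:31:00 ws-114 api.telegram.org GET 0
"""

def parse(log):
    for line in log.splitlines():
        try:
            ts, src, dst, method, sent = line.split()
            yield datetime.fromisoformat(ts), src, dst.lower(), method.upper(), int(sent)
        except ValueError:
            continue  # malformed or truncated record

def find_chunked_uploads(log):
    # Collect upload events to Telegram per source host.
    per_host = defaultdict(list)
    for ts, src, dst, method, sent in parse(log):
        if dst in TELEGRAM_HOSTS and method == "POST":
            per_host[src].append((ts, sent))
    alerts = []
    for src, events in sorted(per_host.items()):
        events.sort()
        burst = []
        for ev in events + [None]:  # trailing None flushes the last burst
            if burst and (ev is None or ev[0] - burst[0][0] > WINDOW):
                total = sum(size for _, size in burst)
                if len(burst) >= MIN_PARTS and total >= MIN_TOTAL_BYTES:
                    alerts.append((src, burst[0][0].isoformat(), len(burst), total))
                burst = []
            if ev is not None:
                burst.append(ev)
    return alerts
```

The `ws-031` records show the limit of a fixed window: the same volume sent hours apart is not flagged, so the window should be tuned against baseline Telegram use in the environment.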

This goes beyond stealing passwords and tracking online behavior: it is targeted cyber espionage. The malware's new ability to sift through recent files such as PDFs, spreadsheets, and even VPN configurations, and to grab documents, points to a bigger goal: collecting intelligence. For those who work in public sector roles or handle sensitive internal reports, this type of document stealer poses real risks not only to individuals but to the entire connected network.

“The timing of the campaign discussed in this report shows a clear alignment with geopolitical events, particularly recent negotiations between Istanbul and Russia,” Arctic Wolf said.

“The progression from a simple qualification theft of GiftedCrook version 1 to a comprehensive documentation and data removal for versions 1.2 and 1.3 reflects coordinated development efforts in which malware features enhance data collection from Ukrainian breach systems according to geopolitical purposes.”
