![[The AI Show Episode 144]: ChatGPT’s New Memory, Shopify CEO’s Leaked “AI First” Memo, Google Cloud Next Releases, o3 and o4-mini Coming Soon & Llama 4’s Rocky Launch](https://www.marketingaiinstitute.com/hubfs/ep%20144%20cover.png)
![GrandChase tier list of the best characters available [April 2025]](https://media.pocketgamer.com/artwork/na-33057-1637756796/grandchase-ios-android-3rd-anniversary.jpg?#)
.webp?#)
![Here’s everything new in Android 16 Beta 4 [Gallery]](https://i0.wp.com/9to5google.com/wp-content/uploads/sites/4/2024/11/Android-16-logo-top-down.jpg?resize=1200%2C628&quality=82&strip=all&ssl=1){kind=logo}
![New Beats USB-C Charging Cables Now Available on Amazon [Video]](https://www.iclarified.com/images/news/97060/97060/97060-640.jpg)
![Apple M4 13-inch iPad Pro On Sale for $200 Off [Deal]](https://www.iclarified.com/images/news/97056/97056/97056-640.jpg)
New GIFTEDCROOK Stealer Attacking Government Orgs To Steal Sensitive Data
Ukrainian government organizations are facing a sophisticated new cyber threat as threat actors deploy the recently discovered GIFTEDCROOK stealer malware to harvest sensitive data. Since February 2025, security researchers have been monitoring this concerning cyber-espionage campaign targeting military innovation hubs, armed forces units, law enforcement agencies, and local government entities, with a particular focus on […] The post New GIFTEDCROOK Stealer Attacking Government Orgs To Steal Sensitive Data appeared first on Cyber Security News.
Ukrainian government organizations are facing a sophisticated new cyber threat as threat actors deploy the recently discovered GIFTEDCROOK stealer malware to harvest sensitive data.
Since February 2025, security researchers have been monitoring this concerning cyber-espionage campaign targeting military innovation hubs, armed forces units, law enforcement agencies, and local government entities, with a particular focus on institutions near Ukraine’s eastern border.
The campaign, attributed to a threat actor tracked as UAC-0226, represents a significant escalation in targeted intelligence-gathering operations against Ukrainian critical infrastructure.
On April 6, 2025, CERT-UA released security alert CERT-UA#14303, warning of this persistent threat designed to extract valuable data from compromised systems.
The attacks primarily focus on stealing browser data, including saved credentials, cookies, and browsing history from popular browsers including Chrome, Edge, and Firefox.
Initial compromise occurs through sophisticated phishing attacks utilizing macro-enabled Excel documents (.xlsm) with carefully crafted social engineering lures related to landmine clearance, administrative fines, drone production, and compensation for damaged property.
These specially crafted documents contain concealed malicious code that, when executed, establishes persistence and begins the data theft process.
SOCPrime researchers identified that the GIFTEDCROOK malware is part of a broader pattern of cyber-espionage activities targeting Ukraine, with other groups like UAC-0200 and UAC-0219 also increasing their operations throughout spring 2025.
According to CERT-EU’s annual Threat Landscape Report, 44% of reported incidents in 2024 were linked to cyber espionage or prepositioning tactics typically attributed to state-sponsored actors[1].
Infection Mechanism Analysis
The GIFTEDCROOK infection chain employs a multi-stage process that begins with phishing emails containing malicious Excel attachments.
These documents contain base64-encoded payloads embedded directly within Excel cells, making them difficult to detect through conventional means.
When a user enables macros, the embedded VBA code executes, decodes the payload, and saves it to disk without file extensions to evade detection.
Two distinct malware variants have been observed in these attacks. The first is a .NET-based tool that embeds a PowerShell reverse shell script sourced from a public GitHub repository identified as PSSW100AVB.
The second variant, GIFTEDCROOK itself, is written in C/C++ and specifically targets browser data. After collection, the malware utilizes PowerShell’s native compression capabilities with a command similar to:-
Compress-Archive -Path $StolenDataPath -DestinationPath $ArchivePathThe compressed data is then exfiltrated through Telegram channels, making detection challenging as this traffic often blends with legitimate messaging activity.
The threat actors further complicate attribution and detection by sending phishing emails from previously compromised accounts, including webmail services.
Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try 50 Request for Free
The post New GIFTEDCROOK Stealer Attacking Government Orgs To Steal Sensitive Data appeared first on Cyber Security News.
.webp?#)
