The GIFTEDCROOK malware has evolved from a simple browser credential stealer into a powerful tool aimed at intelligence collection, especially targeting Ukrainian military and government entities.
According to Arctic Wolf Labs, campaigns observed in June 2025 show that the malware now exfiltrates a range of sensitive documents, favouring recently created or modified files such as PDFs, spreadsheets, and VPN configuration files.
Originally reported by CERT-UA in April, the malware spreads through phishing emails with military-themed lures that deliver macro-enabled Excel files carrying the stealer. Versions 1.2 and 1.3 added document harvesting, restricted to files smaller than 7 MB that were modified within the past 45 days. The stolen files are compressed into a ZIP archive and sent to a Telegram channel; archives larger than 20 MB are split into parts, which the report attributes to evading detection.
A final batch script then deletes the malware to erase traces. These developments show GIFTEDCROOK's transformation into a focused cyber-espionage tool, closely aligned with geopolitical tensions and targeting high-value information.
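The chain above (Excel lure spawns the stealer, the stealer reads many recent documents of the targeted types, writes a ZIP, talks to Telegram, then a batch script cleans up) is easy to express as a hunting heuristic over process, file and network telemetry. The following is an added example written for this page, not code from Arctic Wolf, CERT-UA or the malware itself. The event schema, the concrete extension list, the `api.telegram.org` host and the `MIN_DOC_READS` threshold are assumptions; the 7 MB and 45-day filters are the malware's own selection criteria and are not something a log-side check can see, so they are deliberately not part of the logic. The sample events are constructed, not real telemetry.

```python
"""Hunt for a GIFTEDCROOK-style harvest -> zip -> Telegram chain in EDR-like events.

Event schema (assumed for this example): every event has "type", "pid", "image".
  type == "process":     also "parent_pid", "parent_image", "cmdline"
  type == "file_read" /
  type == "file_create": also "path"
  type == "net":         also "dest_host"
"""
from typing import Dict, List

# Categories named in the article (PDFs, spreadsheets, VPN configs); the exact
# extensions are an assumption for this example.
HARVEST_EXTS = {".pdf", ".xls", ".xlsx", ".csv", ".ovpn"}
TELEGRAM_HOST = "api.telegram.org"   # assumed exfil endpoint (Telegram Bot API)
MIN_DOC_READS = 5                    # tuning knob: distinct documents read before we care


def _ext(path: str) -> str:
    dot = path.rfind(".")
    return path[dot:].lower() if dot != -1 else ""


def hunt(events: List[dict]) -> Dict[int, dict]:
    """Return {pid: finding} for child processes of Excel that read several target
    documents, create a ZIP and connect to Telegram. The cleanup batch script is
    reported as a supporting indicator but is not required for a hit."""
    candidates: Dict[int, dict] = {}
    # Stage 1: the macro-enabled Excel lure spawns the stealer.
    for e in events:
        if e["type"] == "process" and e["parent_image"].lower().endswith("excel.exe"):
            candidates[e["pid"]] = {"image": e["image"], "docs": set(), "zip": None,
                                    "telegram": False, "cleanup": False}
    for e in events:
        c = candidates.get(e["pid"])
        if c is not None:
            # Stage 2: harvesting of the targeted document types.
            if e["type"] == "file_read" and _ext(e["path"]) in HARVEST_EXTS:
                c["docs"].add(e["path"])
            # Stage 3: staging into a ZIP archive.
            elif e["type"] == "file_create" and _ext(e["path"]) == ".zip":
                c["zip"] = e["path"]
            # Stage 4: exfiltration over Telegram.
            elif e["type"] == "net" and e["dest_host"].lower() == TELEGRAM_HOST:
                c["telegram"] = True
        # Stage 5: the stealer launches a batch script that deletes it.
        if e["type"] == "process" and e.get("parent_pid") in candidates:
            if ".bat" in e.get("cmdline", "").lower():
                candidates[e["parent_pid"]]["cleanup"] = True
    findings = {}
    for pid, c in candidates.items():
        if len(c["docs"]) >= MIN_DOC_READS and c["zip"] and c["telegram"]:
            findings[pid] = {"image": c["image"], "doc_reads": len(c["docs"]),
                             "zip": c["zip"], "cleanup": c["cleanup"]}
    return findings


# Constructed sample telemetry: one stealer chain plus a benign backup job that also
# zips many PDFs but is neither spawned by Excel nor talking to Telegram.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 1337, "image": r"C:\Users\u\AppData\Local\Temp\stealer.exe",
     "parent_pid": 900, "parent_image": r"C:\Program Files\Microsoft Office\EXCEL.EXE",
     "cmdline": "stealer.exe"},
    *[{"type": "file_read", "pid": 1337, "image": "stealer.exe",
       "path": fr"C:\Users\u\Documents\report{i}.pdf"} for i in range(4)],
    {"type": "file_read", "pid": 1337, "image": "stealer.exe", "path": r"C:\Users\u\Desktop\roster.xlsx"},
    {"type": "file_read", "pid": 1337, "image": "stealer.exe", "path": r"C:\Users\u\vpn\corp.ovpn"},
    {"type": "file_create", "pid": 1337, "image": "stealer.exe", "path": r"C:\Users\u\AppData\Local\Temp\out.zip"},
    {"type": "net", "pid": 1337, "image": "stealer.exe", "dest_host": "api.telegram.org"},
    {"type": "process", "pid": 1400, "image": r"C:\Windows\System32\cmd.exe", "parent_pid": 1337,
     "parent_image": "stealer.exe", "cmdline": r"cmd.exe /c C:\Users\u\AppData\Local\Temp\clean.bat"},
    {"type": "process", "pid": 2000, "image": r"C:\Tools\backup.exe", "parent_pid": 1,
     "parent_image": "explorer.exe", "cmdline": "backup.exe"},
    *[{"type": "file_read", "pid": 2000, "image": "backup.exe", "path": fr"D:\docs\f{i}.pdf"} for i in range(20)],
    {"type": "file_create", "pid": 2000, "image": "backup.exe", "path": r"D:\backup\docs.zip"},
    {"type": "net", "pid": 2000, "image": "backup.exe", "dest_host": "nas.corp.local"},
]

if __name__ == "__main__":
    for pid, f in hunt(SAMPLE_EVENTS).items():
        print(pid, f)
```

Requiring the Excel parent keeps ordinary archiving tools out of the results, and the ZIP and Telegram stages together are what distinguish this chain from a user merely opening many documents; the cleanup flag is reported so an analyst knows whether the binary is likely still on disk for collection.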
