Full Report
The threat actor behind the GIFTEDCROOK malware has made significant updates to turn the malicious program from a basic browser data stealer to a potent intelligence-gathering tool. "Recent campaigns in June 2025 demonstrate GIFTEDCROOK's enhanced ability to exfiltrate a broad range of sensitive documents from the devices of targeted individuals, including potentially proprietary files and
Analysis Summary
# Tool/Technique: GIFTEDCROOK Malware
## Overview
GIFTEDCROOK is an information stealer that was first documented as a basic browser data stealer and has since been upgraded into a broader intelligence-gathering tool. It is used in targeted cyber-espionage campaigns against Ukrainian governmental and military entities.
## Technical Details
- Type: Malware family (Information Stealer)
- Platform: Windows (inferred from the macro-enabled Office lure, the targeted browsers and the batch-script cleanup stage)
- Capabilities: Steals browser credentials (cookies, history, auth data), harvests specific document types, exfiltrates data via Telegram.
- First Seen: Early April 2025 (documented by CERT-UA); demo version seen in February 2025.
## MITRE ATT&CK Mapping
The article describes capabilities rather than specific command executions, so the mapping covers the observed behaviors:
- **TA0001 - Initial Access**
- T1566.001 - Phishing: Spearphishing Attachment (macro-enabled Excel workbooks; where the workbook is fetched from a Mega cloud-storage link rather than attached directly, T1566.002 - Spearphishing Link applies)
- **TA0002 - Execution**
- T1204.002 - User Execution: Malicious File (the victim enables the macro)
- **TA0006 - Credential Access**
- T1555.003 - Credentials from Password Stores: Credentials from Web Browsers
- T1539 - Steal Web Session Cookie
- **TA0009 - Collection**
- T1005 - Data from Local System (documents selected by extension, size and age)
- T1560 - Archive Collected Data (stolen files bundled into a ZIP archive)
- **TA0010 - Exfiltration**
- T1567 - Exfiltration Over Web Service (Telegram); T1030 - Data Transfer Size Limits (archives over 20 MB are split into parts)
- **TA0005 - Defense Evasion**
- T1070.004 - Indicator Removal: File Deletion (final-stage batch script erases traces of the malware)
## Functionality
### Core Capabilities
- **Browser Stealing:** Steals cookies, browsing history, and authentication data from Google Chrome, Microsoft Edge, and Mozilla Firefox.
- **Document Harvesting (V1.2/V1.3):** Scans for and harvests files smaller than 7 MB that were created or modified within the previous 45 days; the size and age filters keep the collection focused on current, small working documents.
- **Targeted File Types:** Specifically searches for extensions including: .doc, .docx, .rtf, .pptx, .ppt, .csv, .xls, .xlsx, .jpeg, .jpg, .png, .pdf, .odt, .ods, .rar, .zip, .eml, .txt, .sqlite, and .ovpn (VPN configurations).
### Advanced Features
- **Evasion during Exfiltration:** Bundles the stolen files into a ZIP archive. If the archive exceeds 20 MB, it is split into smaller parts before sending, so that no single upload trips size-based network filters or DLP thresholds.
- **C2 Mechanism:** Stolen data is exfiltrated to an attacker-controlled Telegram channel; no other C2 infrastructure is described in the text.
- **Anti-Forensics:** Executes a batch script in the final stage to erase traces of the malware from the compromised host.
## Indicators of Compromise
- File Hashes: [Not explicitly provided in the text]
- File Names: `Список оповіщених військовозобов'язаних організації 609528.xlsm` (example macro-enabled Excel workbook lure; the name translates to "List of notified persons liable for military service, organization 609528")
- Registry Keys: [Not explicitly provided in the text]
- Network Indicators: Telegram channel (used for C2/Exfiltration - Specific channel handle or ID not provided)
- Behavioral Indicators: a macro-enabled workbook launching a batch script that deletes the malware's own files; enumeration of user documents filtered by extension, size (under 7 MB) and modification time (last 45 days); creation of a ZIP archive followed by one or more uploads to Telegram.
## Associated Threat Actors
- UAC-0226 (Attribution made by CERT-UA)
## Detection Methods
- Signature-based detection: no hashes or strings are given in the text, so signatures would have to be derived from sample hashes or distinctive strings once a sample is obtained.
- Behavioral detection: Office applications (notably EXCEL.EXE) spawning cmd.exe or another script host; batch scripts that delete their own file or delete executables from user-writable paths; egress to Telegram infrastructure (for bot-driven exfiltration, the api.telegram.org Bot API host) from workstations with no business use for Telegram, especially several multi-megabyte POSTs in a short window, which is what a split ZIP archive looks like on the wire; broad enumeration of user documents shortly after a macro-enabled workbook is opened.
- YARA rules: [Not explicitly provided in the text]
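Two of the behavioral detections above can be expressed directly over endpoint and proxy telemetry. The code below is an added example for this page, not a rule shipped with any product or taken from the original report. The process-creation and proxy records are constructed samples in a simplified JSON-lines schema (field names are assumptions, not a real Sysmon or proxy format), and the thresholds (two or more sendDocument uploads within ten minutes) are assumptions a team would tune to its own baseline.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): Sysmon-style process
# creations and web-proxy records, reduced to the fields the rules need.
PROCESS_EVENTS = r"""
{"ts":"2025-06-10T09:12:01Z","host":"WS-17","parent":"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE","image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd.exe /c \"C:\\Users\\u\\AppData\\Local\\Temp\\run.bat\""}
{"ts":"2025-06-10T09:12:03Z","host":"WS-17","parent":"C:\\Windows\\System32\\cmd.exe","image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd.exe /c ping 127.0.0.1 -n 5 & del /f /q \"C:\\Users\\u\\AppData\\Local\\Temp\\svc.exe\" & del \"%~f0\""}
{"ts":"2025-06-10T09:30:15Z","host":"WS-22","parent":"C:\\Windows\\explorer.exe","image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE","cmdline":"EXCEL.EXE C:\\Users\\v\\Documents\\budget.xlsx"}
""".strip().splitlines()

PROXY_EVENTS = r"""
{"ts":"2025-06-10T09:15:20Z","src":"10.20.0.17","method":"POST","host":"api.telegram.org","path":"/botREDACTED/sendDocument","bytes_out":20971520}
{"ts":"2025-06-10T09:15:41Z","src":"10.20.0.17","method":"POST","host":"api.telegram.org","path":"/botREDACTED/sendDocument","bytes_out":20971520}
{"ts":"2025-06-10T09:16:02Z","src":"10.20.0.17","method":"POST","host":"api.telegram.org","path":"/botREDACTED/sendDocument","bytes_out":5242880}
{"ts":"2025-06-10T09:40:00Z","src":"10.20.0.31","method":"POST","host":"api.telegram.org","path":"/botREDACTED/sendMessage","bytes_out":412}
{"ts":"2025-06-10T11:02:10Z","src":"10.20.0.31","method":"POST","host":"api.telegram.org","path":"/botREDACTED/sendDocument","bytes_out":81920}
""".strip().splitlines()

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# "del" followed later on the same command line by a .bat path or %~f0 (the
# running script's own path): the classic self-deleting batch pattern.
SELF_DELETE = re.compile(r"\bdel\b.*(\.bat\b|%~f0)", re.I)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_process_events(lines):
    """Rule 1: an Office app spawning a script host. Rule 2: a batch
    self-delete command line. Returns one alert per matching rule."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        parent, image, cl = _basename(ev["parent"]), _basename(ev["image"]), ev["cmdline"]
        if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
            alerts.append({"rule": "office_spawned_script_host", "host": ev["host"], "ts": ev["ts"], "cmdline": cl})
        if SELF_DELETE.search(cl):
            alerts.append({"rule": "batch_self_delete", "host": ev["host"], "ts": ev["ts"], "cmdline": cl})
    return alerts


def detect_telegram_exfil(lines, window_minutes=10, min_uploads=2):
    """Flag a source that makes `min_uploads` or more sendDocument POSTs to
    the Telegram Bot API within any `window_minutes` span: a split archive
    shows up as several back-to-back uploads of similar size."""
    uploads = defaultdict(list)
    for line in lines:
        ev = json.loads(line)
        if ev["method"] == "POST" and ev["host"] == "api.telegram.org" and ev["path"].endswith("/sendDocument"):
            uploads[ev["src"]].append((_ts(ev["ts"]), ev["bytes_out"]))
    window = timedelta(minutes=window_minutes)
    alerts = []
    for src, items in uploads.items():
        items.sort()
        best, start = None, 0
        for end in range(len(items)):           # sliding window over sorted timestamps
            while items[end][0] - items[start][0] > window:
                start += 1
            cluster = items[start:end + 1]
            if len(cluster) >= min_uploads and (best is None or len(cluster) > len(best)):
                best = cluster
        if best:
            alerts.append({"rule": "telegram_chunked_upload", "src": src, "uploads": len(best),
                           "bytes_out": sum(b for _, b in best),
                           "first": best[0][0].isoformat(), "last": best[-1][0].isoformat()})
    return alerts


if __name__ == "__main__":
    for a in detect_process_events(PROCESS_EVENTS) + detect_telegram_exfil(PROXY_EVENTS):
        print(a)
```

On the sample data the first rule fires on WS-17 (EXCEL.EXE launching cmd.exe with a .bat), the second on the follow-up command line that deletes a dropped executable and then itself, and the proxy rule fires for 10.20.0.17 alone: three uploads totalling about 45 MiB in 42 seconds, while the host sending a single small document and a sendMessage call stays below threshold.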
## Mitigation Strategies
- **Macro Security:** Disable macros by default in Microsoft Office, or restrict macro execution to digitally signed sources.
- **Email Filtering:** Block or quarantine messages that carry links to consumer cloud-storage services (e.g., Mega) leading to Office documents, and treat macro-enabled attachments (.xlsm) from external senders as suspicious by default.
- **Network Monitoring:** Monitor and restrict outbound traffic to unapproved external services, specifically observing anomalous activity targeting the Telegram platform for large data uploads.
- **Endpoint Hardening:** Use Attack Surface Reduction rules or application control to stop Office applications from creating child processes such as cmd.exe, and alert on batch scripts that delete executables from user-writable paths or delete their own script file.
## Related Tools/Techniques
- Related reconnaissance/information stealing malware families focused on browser data.
- Use of cloud storage links (Mega) as a delivery mechanism.
- Use of legitimate messaging platforms (Telegram) for covert command and control/exfiltration.