Full Report
Throughout March 2025, defenders observed increasing cyber-espionage activity by the UAC-0219 hacking group targeting Ukrainian critical sectors with WRECKSTEEL malware. In April, CERT-UA issued a new alert notifying the global cyber defender community of a further surge of espionage operations orchestrated by another hacking collective tracked as UAC-0226. Since February 2025, researchers have been closely monitoring […] The post UAC-0226 Attack Detection: New Cyber-Espionage Campaign Targeting Ukrainian Innovation Hubs and Government Entities with GIFTEDCROOK Stealer appeared first on SOC Prime.
Analysis Summary
# Threat Actor: UAC-0226
## Attribution & Identity
The threat actor is identified as **UAC-0226**. The article references activity covered in a **CERT-UA#14303 Alert**. No specific attribution (e.g., nation-state affiliation) is provided beyond the designation UAC-0226.
## Activity Summary
UAC-0226 is conducting ongoing cyber-espionage campaigns. These operations specifically target **Ukrainian innovation hubs and government entities**. The campaign utilizes the **GIFTEDCROOK stealer** malware.
## Tactics, Techniques & Procedures
Based on the observed activity aligned with the CERT-UA alert and MITRE ATT&CK coverage:
- **Initial Access (TA0001):**
  - Spearphishing Attachment (T1566.001): observed as the Windows Mail client creating files with executable extensions.
  - Visual Basic library loading in an Office process (via `image_load`).
- **Execution (TA0002):**
  - Command and Scripting Interpreter: PowerShell (T1059.001): observed as suspicious .NET methods being called from PowerShell.
  - Command and Scripting Interpreter: Visual Basic (T1059.005): observed via Visual Basic library loading in Office processes.
- **Collection (TA0009):**
  - Archive Collected Data (T1560): detected via PowerShell compressing files into an archive in a suspicious directory.
- **Exfiltration (TA0010):**
  - Exfiltration Over Web Services (T1567): indicated by a suspicious process issuing DNS queries for known abused web services.
  - Possible abuse of Telegram as a command-and-control channel (via `dns_query`).
## Targeting
- Sectors: Innovation Hubs, Government Entities
- Geography: Ukraine
- Victims: Specific organizations are not explicitly named in the summary, but targets include Ukrainian governmental bodies.
## Tools & Infrastructure
- Malware families used: **GIFTEDCROOK stealer**
- Infrastructure (C2, domains, IPs):
  - The actor appears to use **Telegram** as a potential command-and-control channel.
  - Exfiltration relies on **known abused web services**.
## Implications
UAC-0226 poses a direct threat to sensitive Ukrainian governmental and innovation infrastructure, engaging in cyber-espionage designed to steal information. The use of common initial access vectors (spearphishing) combined with advanced execution methods (PowerShell/.NET calls) indicates a sophisticated adversary. The reliance on public web services and potentially Telegram for C2 highlights an effort to blend in with normal web traffic for exfiltration.
## Mitigations
Defense recommendations should focus on detection coverage for each of the observed TTPs:
- Monitor the **Windows Mail client** for the creation of files with executable extensions.
- Log and alert on **PowerShell invoking suspicious .NET methods**.
- Monitor for **Visual Basic library loading** within Office processes (`image_load`).
- Deploy high-fidelity alerts for **PowerShell compressing files** (`cmdline`) into non-standard locations.
- Monitor **DNS queries** for known abused web services (including Telegram) to detect C2 and exfiltration attempts.
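The TTP list and the mitigation list above describe five detection opportunities in terms of endpoint telemetry (file creation, `image_load`, process command lines, `dns_query`). The following Python script is an added illustration of how those five checks can be expressed as rules over such telemetry; it is not SOC Prime's or CERT-UA's detection content. The event schema, the constructed sample events, the Windows Mail process names (`HxOutlook.exe`, `HxTsr.exe`), the VBA runtime module pattern (`vbe*.dll`), the list of .NET methods treated as suspicious, the staging-directory pattern and the list of abused web services are all assumptions chosen for the example; the ATT&CK IDs are the ones listed on this page.

```python
"""Rule pass over constructed Sysmon-style telemetry for the UAC-0226 TTPs.
Added example: field names, process/module names and the constructed events
below are assumptions, not real telemetry or vendor detection content."""
import re
from pathlib import PureWindowsPath

# Assumed process and module names used to express the page's detections.
MAIL_CLIENTS = {"hxoutlook.exe", "hxtsr.exe"}            # Windows Mail app (assumed)
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".hta", ".ps1"}
VB_RUNTIME_RE = re.compile(r"^vbe\d*\.dll$", re.I)       # VBA runtime DLL (assumed)
# .NET methods treated as suspicious when called from a PowerShell command line (assumed list).
DOTNET_RE = re.compile(
    r"\[System\.(Reflection\.Assembly|Net\.WebClient|IO\.Compression\.ZipFile)\]::", re.I)
ARCHIVE_RE = re.compile(r"Compress-Archive|ZipFile\]::CreateFromDirectory", re.I)
STAGING_DIR_RE = re.compile(r"\\(Temp|ProgramData|Users\\Public|AppData\\Local)\\", re.I)
ABUSE_SERVICES = ("api.telegram.org", "t.me", "pastebin.com")  # illustrative list

# Constructed sample events (not real telemetry). Events 0-4 should each fire one rule;
# events 5-7 are benign noise that must not fire.
SAMPLE_EVENTS = [
    {"event": "file_create",
     "image": r"C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_x64\HxOutlook.exe",
     "target": r"C:\Users\alice\AppData\Local\Temp\invoice.exe"},
    {"event": "image_load",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "loaded": r"C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL"},
    {"event": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -nop -w hidden -c [System.Reflection.Assembly]::Load($bytes)"},
    {"event": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell Compress-Archive -Path C:\Users\alice\Documents\* "
                r"-DestinationPath C:\ProgramData\out.zip"},
    {"event": "dns_query",
     "image": r"C:\Users\alice\AppData\Local\Temp\invoice.exe", "query": "api.telegram.org"},
    {"event": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell Get-ChildItem C:\Users\alice\Documents"},
    {"event": "dns_query",
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "query": "www.example.com"},
    {"event": "file_create",
     "image": r"C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_x64\HxOutlook.exe",
     "target": r"C:\Users\alice\Downloads\agenda.pdf"},
]


def _base(path):
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def _suffix(path):
    """Lower-cased extension of a Windows path, including the dot."""
    return PureWindowsPath(path).suffix.lower()


def _abused_service(domain):
    """True if the queried name is, or is a subdomain of, a listed abused service."""
    d = domain.lower().rstrip(".")
    return any(d == s or d.endswith("." + s) for s in ABUSE_SERVICES)


def detect(events):
    """Return one alert per matching event, tagged with the ATT&CK ID from the page."""
    alerts = []
    for idx, ev in enumerate(events):
        kind = ev.get("event")
        image = _base(ev.get("image", ""))
        if kind == "file_create" and image in MAIL_CLIENTS and _suffix(ev["target"]) in EXEC_EXTS:
            alerts.append({"idx": idx, "rule": "mail_client_drops_executable", "technique": "T1566.001"})
        elif kind == "image_load" and image in OFFICE_APPS and VB_RUNTIME_RE.match(_base(ev["loaded"])):
            alerts.append({"idx": idx, "rule": "office_loads_vb_runtime", "technique": "T1059.005"})
        elif kind == "process_create" and image in POWERSHELL:
            cmd = ev.get("cmdline", "")
            # Archive check first: a ZipFile call into a staging dir is collection, not just execution.
            if ARCHIVE_RE.search(cmd) and STAGING_DIR_RE.search(cmd):
                alerts.append({"idx": idx, "rule": "powershell_archive_to_staging_dir", "technique": "T1560"})
            elif DOTNET_RE.search(cmd):
                alerts.append({"idx": idx, "rule": "powershell_suspicious_dotnet_call", "technique": "T1059.001"})
        elif kind == "dns_query" and _abused_service(ev.get("query", "")):
            alerts.append({"idx": idx, "rule": "dns_to_abused_web_service", "technique": "T1567"})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Each rule is kept independent so it can be ported to a SIEM query one at a time; the DNS rule compares whole labels rather than using a bare suffix match so that a name such as `cat.me` does not match `t.me`. In production the staging-directory and .NET-method lists would be tuned against an environment's own PowerShell baseline to keep the archive and .NET rules high-fidelity.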