New GIFTEDCROOK Malware Targets Ukrainian Government to Steal Sensitive Browser Data

A newly discovered information stealer named GIFTEDCROOK is targeting Ukrainian government systems. Delivered through phishing emails, the malware is designed to steal sensitive browser data and exfiltrate it through Telegram, where it blends in with legitimate traffic and is hard to detect. Cybersecurity experts warn that the attack is part of a growing cyber-espionage trend among threat actors.
What is GIFTEDCROOK?
- A newly discovered information-stealing malware focused on browser data—passwords, cookies, and browsing history—mainly from Chrome, Edge, and Firefox.
Who is being targeted?
- Government organizations
- Military innovation centers
- Law enforcement units
- Local agencies near the eastern border
How does the attack begin?
- The malware spreads through phishing emails that contain macro-enabled Excel (.xlsm) files pretending to offer information about landmines, drone production, or property compensation.
Technical Infection Process
- Malicious macros decode and drop payloads
- Payloads include a .NET tool and the GIFTEDCROOK stealer written in C/C++
- Data is compressed using PowerShell
- Data is exfiltrated via Telegram, masking it among regular traffic
Advanced Techniques Used
- Payloads encoded in Excel cells to evade antivirus detection
- Use of legitimate GitHub-hosted scripts
- Phishing from compromised accounts to avoid suspicion
- Hidden file extensions and stealthy execution
Larger Pattern of Attacks
- CERT-UA and researchers say this campaign fits into a broader trend, with 44% of 2024 cyber incidents in Ukraine tied to state-sponsored espionage.
The rise of GIFTEDCROOK highlights the growing risk of cyber-espionage targeting critical infrastructure. Organizations, especially government and defense bodies, must train staff to spot phishing, disable macros by default, and monitor PowerShell activity and network traffic for anomalies.
Staying updated and proactive is key in defending against sophisticated threats like GIFTEDCROOK.
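As an added example that is not taken from the article or from CERT-UA's reporting, the following Python script applies the monitoring advice above to the infection chain described: it runs simple rules over constructed process and network events (modelled loosely on Sysmon telemetry) to flag Excel spawning a script host, PowerShell archiving data, and a non-browser process contacting the Telegram Bot API host (api.telegram.org is assumed), and reports whether all three stages appear together.

```python
import re
from collections import Counter
# Constructed sample telemetry, loosely modelled on Sysmon process-creation and
# network-connection events (none of it comes from the article).
SAMPLE_EVENTS = [
    {"type": "process", "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc BASE64_PLACEHOLDER"},
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe Compress-Archive -Path C:\Users\u\AppData\Local\Temp\stage "
                r"-DestinationPath C:\Users\u\AppData\Local\Temp\out.zip"},
    {"type": "network", "image": r"C:\Users\u\AppData\Local\Temp\svc.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},
    {"type": "network", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},
]
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Processes for which Telegram traffic is expected; anything else talking to the
# Bot API host (assumed: api.telegram.org) is worth a look.
TELEGRAM_OK = {"chrome.exe", "msedge.exe", "firefox.exe", "telegram.exe"}
TELEGRAM_HOSTS = {"api.telegram.org"}

def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def detect(event):
    """Return the names of the rules that fire for one event, in rule order."""
    hits = []
    if event["type"] == "process":
        img, parent, cmd = basename(event["image"]), basename(event["parent"]), event["cmdline"].lower()
        if parent in OFFICE_APPS and img in SCRIPT_HOSTS:  # macro launching a script host
            hits.append("office_spawns_script_host")
        if img in POWERSHELL and "hidden" in cmd and re.search(r"\s-e(nc(odedcommand)?)?\s", cmd):
            hits.append("hidden_encoded_powershell")
        if img in POWERSHELL and re.search(r"compress-archive|io\.compression", cmd):
            hits.append("powershell_archives_data")  # staging data before exfiltration
    elif event["type"] == "network":
        if event["dest_host"].lower() in TELEGRAM_HOSTS and basename(event["image"]) not in TELEGRAM_OK:
            hits.append("telegram_api_from_unexpected_process")
    return hits

CHAIN = ("office_spawns_script_host", "powershell_archives_data", "telegram_api_from_unexpected_process")

def triage(events):
    """Count hits per rule and report whether every stage of the described chain was seen."""
    counts = Counter(rule for ev in events for rule in detect(ev))
    return dict(counts), all(counts[rule] for rule in CHAIN)
```

Real telemetry will be noisier than the constructed events; the Telegram rule in particular needs an allow-list tuned to the processes that legitimately use the Bot API in your environment.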