
The threat actor behind the GiftedCrook malware has made significant updates to turn the malicious program from a basic browser data stealer into a potent intelligence-gathering tool.
“Recent campaigns in June 2025 demonstrate GiftedCrook’s increased ability to exfiltrate a wide range of sensitive documents from the devices of targeted individuals, including potentially proprietary files and browser secrets,” Arctic Wolf Labs said in a report published this week.
“This shift in functionality, combined with the content of its phishing lures, […] suggests a strategic focus on intelligence gathering from Ukrainian government and military institutions.”
GiftedCrook was first documented by Ukraine’s Computer Emergency Response Team (CERT-UA) in early April 2025 in connection with operations targeting military institutions, law enforcement agencies and local self-government bodies.
The activity, attributed to a hacking group it tracks as UAC-0226, involves phishing emails containing macro-laced Microsoft Excel documents that serve as a conduit to deploy GiftedCrook.
At its core, the information stealer is designed to steal cookies, browsing history and authentication data from popular web browsers such as Google Chrome, Microsoft Edge and Mozilla Firefox.
Arctic Wolf’s analysis of the artifacts showed that the stealer began as a demo in February 2025, before gaining new features in versions 1.2 and 1.3.
These new iterations include the ability to harvest documents and files under 7 MB, specifically looking for files created or modified within the last 45 days. The malware searches for the following extensions in particular: .doc, .docx, .rtf, .ppt, .pptx, .csv, .xls, .xlsx, .jpeg, .jpg, .png, .pdf, .odt, .ods, .rar, .zip and .txt.
The email campaigns use military-themed PDF lures to entice users into clicking a Mega cloud storage link hosting a macro-enabled Excel workbook with a Ukrainian-language file name, which in turn downloads GiftedCrook. Many users do not realize how common macro-enabled Excel files are in phishing attacks.
The captured information is bundled into a ZIP archive and exfiltrated to an attacker-controlled Telegram channel. If the total archive size exceeds 20 MB, it is split into several parts. By sending the stolen ZIP archives in small chunks, GiftedCrook evades detection and slips past traditional network filters. In the final stage, a batch script is executed to erase traces of the theft from the compromised host.
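As an added illustration of how a defender might hunt for the chunked Telegram exfiltration described above (example code written for this article, not from Arctic Wolf or CERT-UA; the Telegram API host name, the proxy log format and the log lines themselves are constructed assumptions):

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log lines: timestamp, source host, method, destination, bytes sent.
SAMPLE_LOG = """\
2025-06-10T09:12:01Z WS-17 POST api.telegram.org 20971520
2025-06-10T09:12:09Z WS-17 POST api.telegram.org 20971520
2025-06-10T09:12:18Z WS-17 POST api.telegram.org 6341120
2025-06-10T09:15:44Z WS-03 GET  api.telegram.org 512
2025-06-10T10:02:30Z WS-22 POST files.example.net 22000000
"""

TELEGRAM_DOMAINS = {"api.telegram.org"}  # assumed; the article only says "a Telegram channel"
CHUNK_LIMIT = 20 * 1024 * 1024           # 20 MB split threshold described for GiftedCrook
MIN_UPLOAD = 1 * 1024 * 1024             # ignore ordinary small bot-API calls
WINDOW = timedelta(minutes=5)            # how close together the parts must be


def parse_line(line):
    ts, host, method, dst, nbytes = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, method, dst, int(nbytes)


def find_chunked_uploads(log_text, min_parts=2):
    """Return {host: [upload sizes]} for hosts that POST at least min_parts large
    bodies (each at most CHUNK_LIMIT) to a Telegram domain within WINDOW."""
    uploads = defaultdict(list)
    for line in log_text.splitlines():
        ts, host, method, dst, nbytes = parse_line(line)
        if method == "POST" and dst in TELEGRAM_DOMAINS and nbytes >= MIN_UPLOAD:
            uploads[host].append((ts, nbytes))

    hits = {}
    for host, events in uploads.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # sliding window: every large upload within WINDOW of this one
            parts = [n for t, n in events[i:] if t - start <= WINDOW]
            if len(parts) >= min_parts and all(n <= CHUNK_LIMIT for n in parts):
                hits[host] = parts
                break
    return hits


if __name__ == "__main__":
    for host, parts in find_chunked_uploads(SAMPLE_LOG).items():
        print(f"{host}: {len(parts)} chunked upload(s) to Telegram, sizes {parts}")
```

Tune MIN_UPLOAD, WINDOW and min_parts to the baseline of legitimate Telegram use in your environment before alerting on this.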
This is not just about stealing passwords or tracking online behaviour; this is targeted cyber espionage. The malware’s new capability to sift through recent files and grab documents such as PDFs, spreadsheets and even VPN configurations points to a larger goal: gathering intelligence. For anyone working in a public sector role or handling sensitive internal reports, such documents create a real risk, not only for the individual but for the entire network.
“The timing of the campaigns discussed in this report shows a clear alignment with geopolitical events, particularly the recent negotiations between Ukraine and Russia in Istanbul,” Arctic Wolf said.
“GiftedCrook’s evolution reflects a coordinated development effort, progressing from simple credential theft in version 1 to comprehensive document exfiltration in versions 1.2 and 1.3, where the malware’s capabilities have followed geopolitical objectives to increase data collection from compromised systems in Ukraine.”