Tuesday, March 17, 2026

GiftedCrook Stealer Transforms Into Sophisticated Intelligence-Gathering Weapon – The Actors Behind the Shift

The Arctic Wolf Labs team has uncovered a dramatic escalation in cyber-espionage operations, revealing that the infostealer known as GiftedCrook, previously a relatively simple browser data thief, has evolved into a formidable intelligence-gathering tool.

This transformation, orchestrated by the threat group UAC-0226, underscores the growing sophistication and adaptability of cybercriminal operations targeting critical geopolitical interests.

GiftedCrook’s development timeline is unusually compressed. In February 2025, the malware began as a demo project; by March it had matured into a production-ready tool.

Between April and June 2025, three major versions emerged: v1, v1.2, and v1.3. Each iteration introduced new capabilities, shifting GiftedCrook from a basic infostealer to a comprehensive data exfiltration platform.

The malware’s primary delivery mechanism remains spear-phishing emails, often featuring military-themed PDF lures tailored to Ukrainian governmental and military personnel.

These emails are crafted with precision, spoofing senders from legitimate Ukrainian cities such as Uzhhorod, and are often addressed to “undisclosed-recipients” or to decoy recipients in Bakhmut to mask the true targets.

The emails’ structure and timing are meticulously aligned with critical geopolitical events, such as the June 2025 Ukraine peace negotiations in Istanbul, reinforcing the actors’ strategic focus on intelligence gathering from high-value Ukrainian entities.

Technical Innovations and Operational Tactics

GiftedCrook’s technical evolution is noteworthy. The original version (v1) focused solely on stealing browser data, but subsequent versions expanded its reach.

Version 1.2 introduced the ability to steal documents and files selected by extension, employing a custom XOR encryption algorithm to protect stolen data before exfiltration. XOR with a fixed key is obfuscation rather than real encryption: once the key is recovered from a sample, any archives captured in transit can be decoded and their contents inventoried.

Files were collected from the victim’s system, compressed into encrypted archives, and exfiltrated via dedicated Telegram bot channels. The malware also incorporated an auto-eraser script to delete traces of its presence, further complicating forensic investigations.

Version 1.3, discovered in mid-June, is the most capable version of GiftedCrook observed to date.

It combines the capabilities of its predecessors, targeting both browser data (cookies, saved login data, and the Local State file, which in Chromium-based browsers holds the key needed to decrypt those saved credentials, from Chrome, Edge, and Firefox) and a wide array of file types (.doc, .docx, .xls, .xlsx, .pdf, .ovpn, and more).

Files are collected if they were modified within the last 45 days and are under 7 MB in size. The malware employs sleep-based evasion (delaying execution to outlast a sandbox’s analysis window) and splits large archives into multiple parts so they can be exfiltrated within Telegram’s upload limits.
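The selection criteria above (target extensions, a 45-day modification window, a 7 MB size cap, and archive splitting) translate directly into an exposure check a defender can run on a workstation to see what a v1.3-style collector would pick up and roughly how many upload parts it would need. The script below is an added example, not code from the Arctic Wolf report or from the malware; the extension list is the partial one the page gives, the “7 MB” cap is taken as 7 MiB, the part size is an assumption, and the demo files it creates are constructed in a temporary directory.

```python
import os
import tempfile
import time
from pathlib import Path

# Criteria as described for GiftedCrook v1.3. The page's extension list is partial ("and more").
TARGET_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".ovpn"}
MAX_AGE_DAYS = 45
MAX_SIZE = 7 * 1024 * 1024      # assumption: "7 MB" read as 7 MiB
DAY = 86400


def select_files(root, now=None, exts=TARGET_EXTS, max_age_days=MAX_AGE_DAYS, max_size=MAX_SIZE):
    """Return (path, size) for every file under root that matches the collector's criteria."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * DAY
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in exts:
            continue
        st = path.stat()
        if st.st_size >= max_size:      # "under 7 MB"
            continue
        if st.st_mtime < cutoff:        # "modified within the last 45 days"
            continue
        hits.append((str(path), st.st_size))
    return sorted(hits)


def plan_parts(sizes, part_limit):
    """Greedy packing of file sizes into archive parts of at most part_limit bytes.

    Gives an upper-bound estimate of how many separate uploads the exfiltration would need
    (ignores compression; part_limit itself is an assumption, not a value from the page).
    """
    parts, current = [], 0
    for size in sizes:
        if current and current + size > part_limit:
            parts.append(current)
            current = 0
        current += size
    if current:
        parts.append(current)
    return parts


def _make_file(path, size, mtime):
    """Create a (sparse) file of the given size with a chosen modification time. Constructed test data."""
    with open(path, "wb") as fh:
        fh.truncate(size)
    os.utime(path, (mtime, mtime))


def demo():
    """Build a constructed directory tree and return the base names the collector would select."""
    now = time.time()
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sub").mkdir()
        _make_file(root / "recent.docx", 1024, now - 1 * DAY)          # selected
        _make_file(root / "sub" / "vpn.ovpn", 2048, now - 10 * DAY)    # selected (nested)
        _make_file(root / "old.pdf", 4096, now - 60 * DAY)             # too old
        _make_file(root / "big.xlsx", 8 * 1024 * 1024, now - 2 * DAY)  # too large
        _make_file(root / "notes.txt", 512, now - 1 * DAY)             # extension not targeted
        hits = select_files(root, now=now)
        return [os.path.basename(p) for p, _ in hits]


if __name__ == "__main__":
    print("would be collected:", demo())
    print("upload parts for sizes [3, 4, 5, 1] MiB at 7 MiB/part:",
          plan_parts([3, 4, 5, 1], 7))
```

Pointing `select_files` at a user profile gives a concrete list of what a single successful phish would have handed over, which is usually a more persuasive input to a data-classification or retention discussion than the abstract criteria.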

The actors behind GiftedCrook have demonstrated a deep understanding of their targets’ environment, as evidenced by their focus on specific file types (VPN configurations among them) and their use of legitimate cloud services, such as Mega.nz, for initial payload delivery.
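Two observable artifacts follow from the delivery and exfiltration channels described above: a download from mega.nz, and one or more file uploads to the Telegram Bot API (the `/bot<token>/sendDocument` method) from a process that is not a browser or a known bot. The detector below, an added example rather than anything from the Arctic Wolf report, correlates those two stages per host over a constructed proxy/EDR log (the log format, host names, process names and the host allowlist are all assumptions for illustration).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines (not real telemetry): ts host process method url bytes_sent
SAMPLE_LOG = """\
2025-06-10T08:01:12Z WS-17 chrome.exe GET https://mega.nz/file/Ab12Cd34#key 2211840
2025-06-10T08:09:03Z WS-17 report.exe POST https://api.telegram.org/bot1234567:AAEXAMPLE/sendDocument 5242880
2025-06-10T08:09:31Z WS-17 report.exe POST https://api.telegram.org/bot1234567:AAEXAMPLE/sendDocument 5242880
2025-06-10T08:10:02Z WS-17 report.exe POST https://api.telegram.org/bot1234567:AAEXAMPLE/sendDocument 1048576
2025-06-10T09:15:00Z SRV-MON python.exe POST https://api.telegram.org/bot7654321:AAEXAMPLE/sendDocument 20480
2025-06-10T09:16:00Z SRV-MON python.exe POST https://api.telegram.org/bot7654321:AAEXAMPLE/sendMessage 212
2025-06-10T10:20:45Z WS-22 chrome.exe GET https://mega.nz/file/Zz98Yy76#key 15728640
"""

# Bot API URLs look like https://api.telegram.org/bot<token>/<method>; capture the method name.
TELEGRAM_BOT_RE = re.compile(r"^https://api\.telegram\.org/bot[^/]+/(\w+)")
MEGA_RE = re.compile(r"^https://mega\.nz/")
UPLOAD_METHODS = {"sendDocument"}   # methods that carry file payloads; sendMessage is text only
HOST_ALLOWLIST = {"SRV-MON"}        # hosts that legitimately run a Telegram bot (assumption)
WINDOW = timedelta(hours=24)        # max gap between delivery and exfiltration to correlate (assumption)


def parse(line):
    ts, host, proc, method, url, nbytes = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "host": host,
            "proc": proc, "method": method, "url": url, "bytes": int(nbytes)}


def analyze(log_text):
    """Return {host: finding} for hosts that uploaded files through the Telegram Bot API.

    Severity is raised to "high" when the host also fetched something from mega.nz within
    WINDOW before the uploads and the archive was sent in several parts.
    """
    per_host = defaultdict(lambda: {"mega": [], "uploads": []})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse(line)
        if ev["method"] == "GET" and MEGA_RE.match(ev["url"]):
            per_host[ev["host"]]["mega"].append(ev)
        m = TELEGRAM_BOT_RE.match(ev["url"])
        if m and ev["method"] == "POST" and m.group(1) in UPLOAD_METHODS:
            per_host[ev["host"]]["uploads"].append(ev)

    findings = {}
    for host, ev in per_host.items():
        uploads = sorted(ev["uploads"], key=lambda e: e["ts"])
        if not uploads or host in HOST_ALLOWLIST:
            continue
        first, last = uploads[0]["ts"], uploads[-1]["ts"]
        delivered = any(first - WINDOW <= g["ts"] <= last for g in ev["mega"])
        findings[host] = {
            "severity": "high" if delivered and len(uploads) > 1 else "medium",
            "uploads": len(uploads),
            "bytes": sum(u["bytes"] for u in uploads),
            "procs": sorted({u["proc"] for u in uploads}),
            "mega_download_seen": delivered,
        }
    return findings


if __name__ == "__main__":
    for host, f in analyze(SAMPLE_LOG).items():
        print(host, f)
```

In the constructed sample only WS-17 fires: three multi-megabyte `sendDocument` uploads from a non-browser process within minutes of a mega.nz download. SRV-MON is suppressed by the allowlist, and WS-22 shows delivery with no exfiltration, which is worth a lower-priority look but is not a stealer signature on its own. Note that matching on the token-bearing `/bot<token>/` path requires a proxy or EDR that records full URLs, not just the host name.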

The malware’s infrastructure overlaps with other campaigns targeting Ukraine, suggesting a coordinated, multi-pronged approach by several threat groups.

Strategic Implications and Countermeasures

The transformation of GiftedCrook from a simple stealer to a sophisticated intelligence tool highlights the increasing convergence of cybercrime and state-sponsored espionage.

GIFTEDCROOK attack flow.

The timing of campaigns, the use of highly credible lures, and the focus on Ukrainian military and government institutions point to a strategic objective: supporting diplomatic and military decision-making through covert data collection.

Organizations can defend against such threats by implementing secure email gateways, deploying endpoint detection and response (EDR) solutions, and fostering a culture of security awareness.

Regular phishing simulations, employee training, and the use of phishing report buttons are critical components of a robust defense strategy.

As GiftedCrook continues to evolve, the cybersecurity community must remain vigilant, adapting detection and response strategies to counter this and similar advanced threats.

The actors behind GiftedCrook have demonstrated their ability to innovate rapidly; organizations must be prepared to respond in kind.
