Strategic Pivot: From Browser Stealer to Data Exfiltration Platform During Critical Ukraine Negotiations
June 27, 2025, 4:38 p.m.
Description
The cyber-espionage group UAC-0226 has significantly evolved its GIFTEDCROOK malware from a basic browser data stealer into a broader intelligence-gathering tool. Three versions were identified between April and June 2025, with the latest iterations capable of exfiltrating a wide range of sensitive documents rather than only browser data. The malware's deployment coincided with critical geopolitical events, particularly the Ukraine peace negotiations in Istanbul. GIFTEDCROOK is delivered through spear-phishing emails carrying military-themed PDF lures and targets Ukrainian governmental and military institutions. Collected data is exfiltrated through Telegram bot channels. The threat actor's approach, including context-specific lures and attacks timed to political events, indicates a focus on covert intelligence collection to support diplomatic and military decision-making.
Tags
Date
- Created: June 27, 2025, 1:28 a.m.
- Published: June 27, 2025, 1:28 a.m.
- Modified: June 27, 2025, 4:38 p.m.
Indicators
- ff1be55fb5bb3b37d2e54adfbe7f4fbba4caa049fad665c8619cf0666090748a
- f6b03fa3ea7fd2c4490af19b3331f7ad384640083757a3cede320ca54c7b0999
- d7a66fd37e282d4722d53d31f7ba8ecdabc2e5f6910ba15290393d9a2f371997
- c2e920944d994ba28bc9e159491a89d83e305e63fafc4a4e25433db63800d5fa
- ca2585acb9e37f5f46705f8f00d69453bfce7dc9327af0325a7ad8a88bf549a7
- b9d508d12d2b758091fb596fa8b8b4a1c638b7b8c11e08a1058d49673f93147d
- a6dd44c4b7a9785525e7f487c064995dc5f33522dad8252d8637f6a6deef3013
- a7a2895e4c10866967eff3ec719a2f697c859888af6482f6697e90042cb5d5b2
- 891e4c3092435f7922fd342a991d681c545aa6cf94941fbcdde74a1ac580c35b
- 2930ad9be3fec3ede8f49cecd33505132200d9c0ce67221d0b786739f42db18a
- 1974709f9af31380f055f86040ef90c71c68ceb2e14825509babf902b50a1a4b
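The indicators above are file SHA-256 hashes, and the description names Telegram bot channels as the exfiltration path. What follows is an added example, not code from the original page or from any vendor reporting on GIFTEDCROOK: a point-in-time sweep that hashes every file under a directory and reports matches against the listed indicators, plus a proxy-log search for Telegram Bot API requests. The only external fact it relies on is the documented shape of Bot API URLs, `https://api.telegram.org/bot<token>/<method>`; the proxy log lines are constructed, and the function and variable names are this example's own.

```python
"""Two checks derived from this entry (added example, not the page's own code):
1. a SHA-256 sweep of a directory against the listed indicators;
2. a proxy-log search for Telegram Bot API calls, the exfiltration channel named above.
"""
from __future__ import annotations

import hashlib
import os
import re
from pathlib import Path
from typing import Iterable

# SHA-256 indicators copied from the Indicators list of this entry, lower-cased.
IOC_SHA256 = {
    "ff1be55fb5bb3b37d2e54adfbe7f4fbba4caa049fad665c8619cf0666090748a",
    "f6b03fa3ea7fd2c4490af19b3331f7ad384640083757a3cede320ca54c7b0999",
    "d7a66fd37e282d4722d53d31f7ba8ecdabc2e5f6910ba15290393d9a2f371997",
    "c2e920944d994ba28bc9e159491a89d83e305e63fafc4a4e25433db63800d5fa",
    "ca2585acb9e37f5f46705f8f00d69453bfce7dc9327af0325a7ad8a88bf549a7",
    "b9d508d12d2b758091fb596fa8b8b4a1c638b7b8c11e08a1058d49673f93147d",
    "a6dd44c4b7a9785525e7f487c064995dc5f33522dad8252d8637f6a6deef3013",
    "a7a2895e4c10866967eff3ec719a2f697c859888af6482f6697e90042cb5d5b2",
    "891e4c3092435f7922fd342a991d681c545aa6cf94941fbcdde74a1ac580c35b",
    "2930ad9be3fec3ede8f49cecd33505132200d9c0ce67221d0b786739f42db18a",
    "1974709f9af31380f055f86040ef90c71c68ceb2e14825509babf902b50a1a4b",
}


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large PDFs or droppers are not read into memory whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root: Path, iocs: set[str] = IOC_SHA256) -> list[tuple[Path, str]]:
    """Return (path, sha256) for every regular file under root whose hash is an IOC.

    Indicator strings are normalised to lower-case so the feed's formatting does not
    matter. Symlinks and unreadable files are skipped instead of aborting the sweep.
    """
    wanted = {h.strip().lower() for h in iocs}
    hits: list[tuple[Path, str]] = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            try:
                digest = sha256_file(p)
            except OSError:
                continue
            if digest in wanted:
                hits.append((p, digest))
    return hits


# Telegram Bot API requests have the form https://api.telegram.org/bot<token>/<method>,
# where <token> is "<bot id>:<secret>". Assumption: the proxy records the full URL,
# not just a CONNECT to the host (see usage note).
TELEGRAM_BOT_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):[A-Za-z0-9_-]+/(?P<method>\w+)"
)


def find_telegram_bot_calls(log_lines: Iterable[str]) -> list[dict[str, str]]:
    """Return one record per Bot API request seen in the log lines.

    Only the numeric bot id and the method are kept, so a finding can be shared
    without reproducing the secret half of the token.
    """
    findings: list[dict[str, str]] = []
    for line in log_lines:
        m = TELEGRAM_BOT_RE.search(line)
        if m:
            findings.append({"line": line.strip(), "bot_id": m["bot_id"], "method": m["method"]})
    return findings


# Constructed proxy log lines (not real data), loosely squid-shaped.
SAMPLE_PROXY_LOG = [
    "1719480000.123 10.0.5.17 TCP_TUNNEL/200 CONNECT api.telegram.org:443",
    "1719480001.456 10.0.5.17 https://api.telegram.org/bot123456789:AAHfake_token_value/sendDocument",
    "1719480002.789 10.0.5.22 https://www.example.com/index.html",
]


if __name__ == "__main__":
    import sys

    for path, digest in sweep(Path(sys.argv[1] if len(sys.argv) > 1 else ".")):
        print(f"IOC match: {path} {digest}")
    for hit in find_telegram_bot_calls(SAMPLE_PROXY_LOG):
        print(f"Telegram Bot API call: bot_id={hit['bot_id']} method={hit['method']}")
```

Two caveats worth keeping in mind. A hash sweep only finds the exact samples listed; any rebuild of the malware produces a new digest, so treat a clean sweep as "these eleven files are absent", not as "no GIFTEDCROOK". And the first constructed log line shows what a TLS-only proxy records: a `CONNECT api.telegram.org:443` with no path, which the regex deliberately does not match because there is no token or method to extract. On such a proxy the useful signal is reduced to which hosts talk to `api.telegram.org` at all, which is still worth baselining in an environment where Telegram is not expected.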
Additional Information
- Defense
- Government
- Ukraine