{
	"id": "c5a87ab9-7264-4a48-8ead-e29de45d924a",
	"created_at": "2026-04-06T00:14:25.626467Z",
	"updated_at": "2026-04-10T03:33:36.98666Z",
	"deleted_at": null,
	"sha1_hash": "3a73fb9128babfc8a0ff93985a252276b3b1190e",
	"title": "UAC-0226 Attack Detection: New Cyber-Espionage Campaign Targeting Ukrainian Innovation Hubs and Government Entities with GIFTEDCROOK Stealer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 46158,
	"plain_text": "UAC-0226 Attack Detection: New Cyber-Espionage Campaign\r\nTargeting Ukrainian Innovation Hubs and Government Entities\r\nwith GIFTEDCROOK Stealer\r\nBy Veronika Zahorulko\r\nPublished: 2025-04-07 · Archived: 2026-04-05 14:24:36 UTC\r\nThroughout March 2025, defenders observed increasing cyber-espionage activity by the UAC-0219 hacking group\r\ntargeting Ukrainian critical sectors with the WRECKSTEEL malware. In April, CERT-UA issued a new alert notifying the\r\nglobal cyber defender community of a fresh surge of espionage operations orchestrated by another hacking\r\ncollective tracked as UAC-0226. Since February 2025, researchers have been closely monitoring the group’s\r\ntargeted intelligence-gathering activities against Ukraine using another stealer known as GIFTEDCROOK, with a\r\nprimary focus on military innovation hubs, the armed forces, law enforcement entities, and regional government\r\ninstitutions.\r\nDetect UAC-0226 Attacks Covered in the CERT-UA#14303 Alert\r\nAccording to CERT-EU’s annual Threat Landscape Report, 44% of the incidents reported in 2024 were\r\nlinked to cyber espionage or prepositioning, tactics usually attributed to state-sponsored actors focused on\r\ndata exfiltration and on establishing persistent, stealthy access. In the spring of 2025, CERT-UA had already\r\nobserved an increase in cyber-espionage activity against Ukraine attributed to UAC-0200, UAC-0219, and UAC-0226. The latest CERT-UA#14303 alert highlights the ongoing cyber-espionage campaign by UAC-0226\r\nleveraging the GIFTEDCROOK stealer.\r\nSOC Prime Platform for collective cyber defense curates a dedicated collection of detection algorithms to help\r\nUkrainian and allied organizations proactively thwart cyber-espionage attacks by UAC-0226 covered in the\r\ncorresponding CERT-UA heads-up. 
Click Explore Detections to access relevant Sigma rules enriched with\r\nactionable intelligence, aligned with MITRE ATT\u0026CK®, and compatible with multiple SIEM, EDR, and Data\r\nLake solutions.\r\nSecurity teams can also search SOC Prime’s Detection-as-Code library for relevant content by using the\r\ncorresponding tags “CERT-UA#14303” and “UAC-0226” to spot adversary activity in time.\r\nIn addition, security engineers can rely on Uncoder AI, a private non-agentic AI for threat-informed detection\r\nengineering, to automatically convert IOCs from the CERT-UA research into actionable hunting queries and\r\nsearch for UAC-0226 attacks in the SIEM or EDR instance in use.\r\nUAC-0226 Attack Analysis\r\nOn April 6, 2025, CERT-UA released a new security heads-up, CERT-UA#14303, focused on cyber-espionage\r\noperations against Ukraine leveraging the C/C++-based stealer GIFTEDCROOK. Researchers have been\r\nobserving the ongoing cyber-espionage campaign linked to the UAC-0226 group since February 2025, with\r\nmilitary innovation hubs, armed forces units, law enforcement agencies, and local state bodies, particularly those\r\nlocated near the country’s eastern border, being its primary targets.\r\nThe infection flow starts with phishing emails carrying macro-enabled Excel files (.xlsm), commonly\r\nusing lure topics such as landmine clearance, administrative fines, drone production, or compensation for damaged\r\nproperty. These documents hide base64-encoded payloads within Excel cells. The embedded macros decode the\r\ncontent into executable files, save them without file extensions, and execute them on the victim’s machine.\r\nAs of April 2025, two malware variants tied to this activity have been identified. 
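The workbook-side check a triage analyst would want for the lure described above, as an added example (this is not code from the original post, SOC Prime, or CERT-UA): it opens a macro-enabled workbook as the OOXML zip it is, flags the presence of a VBA project, joins the text of each worksheet cell in document order, and looks for long base64 runs that decode to data beginning with the MZ header of a PE image. The workbook it builds for the run is a constructed minimal sample with made-up contents, not a real UAC-0226 lure; the 200-character run threshold and the assumption that payload chunks sit in cell order are assumptions of this example, not something the report states.

```python
# Added example, not code from the original post, SOC Prime, or CERT-UA.
# Triage a macro-enabled workbook for the described lure pattern: a VBA
# project in the package plus base64 text in worksheet cells that decodes
# to a PE image. The workbook built below is a constructed minimal sample.
import base64
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

MAIN_NS = 'http://schemas.openxmlformats.org/spreadsheetml/2006/main'
# Long base64 run; the 200-char threshold is an assumption, tune per environment
B64_RUN = re.compile('[A-Za-z0-9+/]{200,}={0,2}')


def tag(name: str) -> str:
    # ElementTree spells namespaced tags as {uri}local
    return '{%s}%s' % (MAIN_NS, name)


def has_vba(xlsm_bytes: bytes) -> bool:
    with zipfile.ZipFile(io.BytesIO(xlsm_bytes)) as z:
        return any(n.lower().endswith('vbaproject.bin') for n in z.namelist())


def cell_strings(xlsm_bytes: bytes) -> List[Tuple[str, str, str]]:
    # Return (sheet part, cell ref, text) for inline-string and shared-string cells
    out = []
    with zipfile.ZipFile(io.BytesIO(xlsm_bytes)) as z:
        shared = []
        if 'xl/sharedStrings.xml' in z.namelist():
            root = ET.fromstring(z.read('xl/sharedStrings.xml'))
            shared = [''.join(t.text or '' for t in si.iter(tag('t')))
                      for si in root.iter(tag('si'))]
        for name in sorted(z.namelist()):
            if not (name.startswith('xl/worksheets/sheet') and name.endswith('.xml')):
                continue
            root = ET.fromstring(z.read(name))
            for c in root.iter(tag('c')):
                kind = c.get('t')
                v = c.find(tag('v'))
                if kind == 'inlineStr':
                    text = ''.join(t.text or '' for t in c.iter(tag('t')))
                elif kind == 's' and v is not None and v.text:
                    text = shared[int(v.text)]
                else:
                    continue
                out.append((name, c.get('r', '?'), text))
    return out


def find_embedded_payloads(xlsm_bytes: bytes) -> List[Dict]:
    # Payloads may be split across cells, so join each sheet's cell text in
    # document order (assumed to be the order the macro reads them) first
    by_sheet: Dict[str, List[str]] = {}
    for sheet, _ref, text in cell_strings(xlsm_bytes):
        by_sheet.setdefault(sheet, []).append(text)
    findings = []
    for sheet, chunks in by_sheet.items():
        for m in B64_RUN.finditer(''.join(chunks)):
            run = m.group(0)
            try:
                blob = base64.b64decode(run + '=' * (-len(run) % 4))
            except ValueError:
                continue
            findings.append({'sheet': sheet, 'b64_len': len(run),
                             'decoded_len': len(blob), 'is_pe': blob[:2] == b'MZ'})
    return findings


def triage(xlsm_bytes: bytes) -> Dict:
    vba = has_vba(xlsm_bytes)
    payloads = find_embedded_payloads(xlsm_bytes)
    return {'has_vba': vba, 'payloads': payloads,
            'suspicious': vba and any(p['is_pe'] for p in payloads)}


def build_sample_xlsm(payload: bytes, with_vba: bool = True, chunk: int = 300) -> bytes:
    # Constructed workbook with only the parts the scanner reads (Excel itself
    # would not open it): the payload base64 spread over cells A1..An as inline
    # strings, plus a stub vbaProject.bin standing in for the decoder macro
    b64 = base64.b64encode(payload).decode('ascii')
    rows = ''.join(
        '''<row r='%d'><c r='A%d' t='inlineStr'><is><t>%s</t></is></c></row>'''
        % (i + 1, i + 1, b64[i * chunk:(i + 1) * chunk])
        for i in range((len(b64) + chunk - 1) // chunk))
    sheet = '''<worksheet xmlns='%s'><sheetData>%s</sheetData></worksheet>''' % (MAIN_NS, rows)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as z:
        z.writestr('xl/worksheets/sheet1.xml', sheet)
        if with_vba:
            z.writestr('xl/vbaProject.bin', b'stub, not a real VBA project')
    return buf.getvalue()


# Constructed stand-in for a dropped executable: MZ header, filler body
SAMPLE_PAYLOAD = b'MZ' + b'constructed fake executable body, not real code. ' * 30

if __name__ == '__main__':
    print(triage(build_sample_xlsm(SAMPLE_PAYLOAD)))
    print(triage(build_sample_xlsm(b'Quarterly totals', with_vba=False)))
```

Run as a script it reports the seeded sample as suspicious and a benign control as clean; on a real file, pass the bytes of the .xlsm to triage() and treat a VBA project combined with an is_pe hit as a reason to pull the decoded blob into a sandbox rather than open the workbook. The script does not inspect the macro code itself; for that, oletools (olevba) remains the usual next step.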
The first is a .NET-based tool\r\nembedding a PowerShell reverse shell script sourced from the public GitHub repository PSSW100AVB. The\r\nsecond, dubbed GIFTEDCROOK, is a C/C++ stealer designed to extract Chrome, Edge, and Firefox browser data\r\n(cookies, history, saved credentials), archive it using PowerShell’s Compress-Archive cmdlet, and exfiltrate it via\r\nTelegram. Because the phishing emails are sent from compromised accounts, including via webmail, defenders\r\nrecommend that system administrators review the completeness and retention depth of email and web server logs.\r\nMITRE ATT\u0026CK Context\r\nLeveraging MITRE ATT\u0026CK provides in-depth visibility into the context of the latest UAC-0226 cyber-espionage operation targeting Ukrainian innovation hubs and government entities with the GIFTEDCROOK stealer.\r\nThe original post includes a table listing the dedicated Sigma rules addressing the corresponding ATT\u0026CK\r\ntactics, techniques, and sub-techniques.\r\nSource: https://socprime.com/blog/detect-uac-0226-attacks-against-ukraine/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://socprime.com/blog/detect-uac-0226-attacks-against-ukraine/"
	],
	"report_names": [
		"detect-uac-0226-attacks-against-ukraine"
	],
	"threat_actors": [
		{
			"id": "4ca9564c-9ccf-4d82-8721-5d57f6801d0d",
			"created_at": "2025-05-29T02:00:03.20861Z",
			"updated_at": "2026-04-10T02:00:03.863186Z",
			"deleted_at": null,
			"main_name": "UAC-0226",
			"aliases": [],
			"source_name": "MISPGALAXY:UAC-0226",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1207a5fc-7a08-4804-97d5-848f2c170a4e",
			"created_at": "2025-05-29T02:00:03.199991Z",
			"updated_at": "2026-04-10T02:00:03.856819Z",
			"deleted_at": null,
			"main_name": "UAC-0219",
			"aliases": [],
			"source_name": "MISPGALAXY:UAC-0219",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434465,
	"ts_updated_at": 1775792016,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3a73fb9128babfc8a0ff93985a252276b3b1190e.pdf",
		"text": "https://archive.orkl.eu/3a73fb9128babfc8a0ff93985a252276b3b1190e.txt",
		"img": "https://archive.orkl.eu/3a73fb9128babfc8a0ff93985a252276b3b1190e.jpg"
	}
}