{
	"id": "d5c152b3-93d5-4539-89c4-02e96d78e17e",
	"created_at": "2026-04-06T00:22:38.077251Z",
	"updated_at": "2026-04-10T03:23:51.19397Z",
	"deleted_at": null,
	"sha1_hash": "7500a287a4e7a91cd568c27c1b209f0f26c0bb10",
	"title": "GIFTEDCROOK’s Strategic Pivot: From Browser Stealer to Data Exfiltration Platform During Critical Ukraine Negotiations",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1237972,
	"plain_text": "GIFTEDCROOK’s Strategic Pivot: From Browser Stealer to Data\r\nExfiltration Platform During Critical Ukraine Negotiations\r\nBy Arctic Wolf Labs\r\nPublished: 2025-06-26 · Archived: 2026-04-05 22:04:26 UTC\r\nExecutive Summary\r\nThe Arctic Wolf® Labs team has discovered that the cyber-espionage group UAC-0226, known for utilizing the infostealer\r\nGIFTEDCROOK, has significantly evolved its capabilities. It has transitioned the malware from a basic browser data stealer\r\n(which we’re referring to as v1), through two new upgrades (v1.2 and v1.3) into a robust intelligence-gathering tool.\r\nAnalysis of early files from February 2025 suggests that the GIFTEDCROOK project began as a demo during that period. It\r\nsubsequently matured and was put into production in March 2025, with new capabilities continuously being developed and\r\nadded since then.\r\nRecent campaigns in June 2025 demonstrate GIFTEDCROOK’s enhanced ability to exfiltrate a broad range of sensitive\r\ndocuments from the devices of targeted individuals, including potentially proprietary files and browser secrets. 
This shift in functionality, combined with the content of its phishing lures and with attack timings that coincide with critical geopolitical events such as June’s Ukraine peace negotiations in Istanbul, suggests a strategic focus on intelligence gathering from Ukrainian governmental and military entities.\r\nWe also observed email infrastructure shared with other malware campaigns, indicating a multi-pronged approach by different threat groups targeting Ukraine.\r\nKey Findings:\r\nVersions: We found three evolutionary versions of GIFTEDCROOK between April and June 2025\r\nPrimary delivery mechanism: Spear-phishing emails with military-themed PDF lures\r\nTargets: Ukrainian governmental and military institutions\r\nData exfiltration: Telegram Bot API (sendDocument) uploads to attacker-controlled bots\r\nInfrastructure: Email delivery infrastructure overlaps with other groups’ operations\r\nAttack Timeframe: Geopolitical Context\r\nOn April 4, 2025, the Computer Emergency Response Team of Ukraine (CERT-UA) reported that it had observed the GIFTEDCROOK infostealer targeting Ukraine. We will refer to the original version of this malware as v1. It was built to steal browser data: the saved credentials and session material that in turn give access to cloud-based and other network resources.\r\nOn May 16, 2025, negotiations between Ukraine and Russia commenced in Turkey. 
The primary goals of these talks were to negotiate the exchange of prisoners of war and of the bodies of fallen soldiers, to prepare ceasefire proposals, and to agree to resume discussions in future.\r\nThe deployment of GIFTEDCROOK v1.2 took place in the lead-up to the June 2, 2025 Ukraine peace negotiations in Istanbul, officially known as the “Istanbul Agreement on Prisoner and Body Exchange.” This operation most likely focused on intelligence gathering through data exfiltration from compromised devices.\r\nEmail Infection Vector Analysis\r\nGIFTEDCROOK’s initial infection vector is email, through spear-phishing campaigns. Our analysis revealed the threat actor’s preference for spoofing locations within the city of Uzhhorod, in Western Ukraine, and other Ukrainian-controlled cities. Our in-depth review of the headers of these phishing emails exposed several other noteworthy fields.\r\nPhishing Email Header Analysis\r\nMessages are initially received from a hosting provider, and the SPF (Sender Policy Framework) record of the sending domain ends in ?all. The neutral qualifier neither authorizes nor denies a sender, so a receiver evaluating SPF against that record gets no grounds to reject a spoofed sender; in practice a neutral result is handled like having no SPF record at all, which weakens the target’s protection against email spoofing.\r\nThe most commonly observed technique during this campaign is sending the email to authorities in Bakhmut, a city in the Donetsk region of Eastern Ukraine, with To: undisclosed-recipients in the recipient field. The Bakhmut recipients serve as a decoy, concealing the true targets, which remain undisclosed. Nevertheless, analysis by CERT-UA, combined with the recurring themes of military registration and conscription in the attached files, strongly suggests that Ukrainian governmental and military institutions are the real targets.\r\nPivoting on the header analysis data, the Arctic Wolf Labs team found an IP address associated with the same hosting provider, which led us directly to another campaign targeting Ukrainian victims. 
https://arcticwolf.com/resources/blog/giftedcrook-strategic-pivot-from-browser-stealer-to-data-exfiltration-platform/\r\nPage 1 of 13\r\nIn this second campaign, the malicious scheme is slightly different. A phishing email is sent with a PDF attachment that links to a cloud service, and ultimately the victim is led to a JavaScript (JS) file that drops NetSupport RAT instances.\r\nNetSupport RAT is a commercial remote administration product (NetSupport Manager) that is routinely abused as a remote access trojan. It is particularly adept at avoiding antivirus (AV) detection and circumventing analysis tools, while maintaining persistence, escalating privileges, and conducting data exfiltration. This makes it a tool of choice for actors who wish to remain hidden for as long as possible while stealing data.\r\nThis overlap in email infrastructure suggests that several different groups are operating against an assortment of strategic victims in Ukraine, deploying commercial Remote Access Trojans (RATs) with the common goal of system persistence and data collection.\r\nStrategic Deception\r\nThe campaign Arctic Wolf Labs observed uses highly credible phishing lures (specifically, on the themes of administrative fines and military mobilization) of the kind that would be expected during Ukraine’s intense mobilization period in the first half of this year. The April 2025 timing of this campaign coincides with Ukraine’s extended martial law, Supreme Court mobilization rulings, and intensified recruitment efforts driven by Ukraine’s broader struggle to address personnel shortages on the front lines.\r\nOverview of GIFTEDCROOK Versions\r\nVersion 1: The original version of GIFTEDCROOK focuses solely on stealing browser data. The Telegram bot’s address is openly visible in the code, unencrypted. 
Targeted files are compressed into a zip archive before exfiltration.\r\nVersion 1.2: This updated version expands the malware’s capabilities to include stealing documents and files, located by file extension. This version introduces string encryption using a custom simple XOR algorithm, and it also encrypts the archive containing the collected files before exfiltration.\r\nVersion 1.3: This latest version steals both browser data and files, incorporating the same string encryption functions as v1.2. It looks for files created or modified within the last 45 days, three times the 15-day window used in v1.2.\r\nGIFTEDCROOK v1.2: File Collection and Exfiltration\r\nIn early June, we discovered a new sample: a PDF attachment sent to victims via email using social engineering tactics. The malicious PDF lure shown in Figure 1 below announces new procedures for military registration and conscription of military personnel and reservists, which according to the document were “developed according to General Staff directives and Ukrainian legislation.”\r\nMost notably, the document contains a weaponized link to a Mega[.]nz-hosted file. Mega is a legitimate file-hosting service offered through web-based apps, where users store files in the company’s encrypted cloud storage. The lure document directs the reader to click this link in order to obtain the promised information.\r\nFigure 1: Malicious PDF attachment, a fake document purporting to be about new procedures for military registration and conscription. 
A full translation is provided in the Appendix at the end of this report.\r\nSHA-256: 1974709f9af31380f055f86040ef90c71c68ceb2e14825509babf902b50a1a4b\r\nFile Size: 31,526 bytes\r\nFile Stamp (PDF Info dictionary): \u003c\u003c /Creator \u003cFEFF005700720069007400650072\u003e (UTF-16BE hex string: Writer) /Producer \u003cFEFF004C0069006200720065004F0066006600690063006500200036002E0034\u003e (UTF-16BE hex string: LibreOffice 6.4) /CreationDate (D:20250601201715+03'00') (June 1, 2025, at 8:17:15 PM UTC+3) \u003e\u003e\r\nTable 1: File information for the malicious PDF attachment.\r\nThe document is carefully crafted to instill a sense of urgency in the target, who the threat actor hopes will quickly click through to the malicious hosted file, perhaps believing they are being conscripted.\r\nIf the victim clicks the weaponized Mega[.]nz link, they are directed to a malicious macro-enabled Excel workbook (.xlsm), referred to below as the OLE document. OLE (Object Linking and Embedding) is a proprietary Microsoft technology that allows embedding and linking between documents and other objects. While this is a useful feature that (for example) lets readers click an icon in a document to open a legitimate external application, it is also a well-known attack vector. Once activated, malicious embedded objects or macros can drop malware onto the user’s device, connect to the attacker’s server, and download a disguised payload.\r\nNow, let’s examine what happens next. The reader is directed to a download form on the Mega file-hosting service’s website and presented with a “download” button. 
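Returning to the metadata in Table 1: as an added example (not code from the Arctic Wolf report), the following Python decodes the kind of PDF Info dictionary shown there. Hex strings with a leading FEFF byte-order mark are UTF-16BE text, and the D: date carries its own UTC offset, which is how the creation time resolves to 8:17 PM at UTC+3 and to 17:17 UTC for timeline work. The sample dictionary is constructed from the Table 1 values; the function and variable names are this example's own.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the Info dictionary entries quoted in Table 1 of the
# report, written the way they appear inside a PDF file.
SAMPLE_INFO = (
    '<</Creator<FEFF005700720069007400650072>'
    '/Producer<FEFF004C0069006200720065004F0066006600690063006500200036002E0034>'
    '''/CreationDate(D:20250601201715+03'00')>>'''
)

# /Key followed by either a <hex string> or a (literal string).
INFO_ENTRY = re.compile(r'/([A-Za-z]+) *(?:<([0-9A-Fa-f]*)>|[(]([^)]*)[)])')

# PDF date: D:YYYYMMDDHHmmSS followed by Z, or +HH'mm' / -HH'mm'.
APOS = chr(39)
PDF_DATE = re.compile(
    r'D:(?P<Y>[0-9]{4})(?P<m>[0-9]{2})?(?P<d>[0-9]{2})?(?P<H>[0-9]{2})?'
    r'(?P<M>[0-9]{2})?(?P<S>[0-9]{2})?(?P<tz>[Z+-])?(?P<tzh>[0-9]{2})?'
    r'(?:' + APOS + r'(?P<tzm>[0-9]{2}))?'
)

def decode_pdf_hex_string(hex_digits):
    # A leading FEFF byte-order mark marks UTF-16BE; anything else is treated
    # as PDFDocEncoding, which matches Latin-1 for the printable ASCII range.
    raw = bytes.fromhex(hex_digits)
    if raw.startswith(bytes.fromhex('FEFF')):
        return raw[2:].decode('utf-16-be')
    return raw.decode('latin-1')

def parse_pdf_date(value):
    # Returns an aware datetime; fields the PDF omits default as the spec says.
    m = PDF_DATE.match(value.strip())
    if not m:
        raise ValueError('not a PDF date: ' + value)
    field = lambda name, default: int(m.group(name)) if m.group(name) else default
    tz = timezone.utc
    if m.group('tz') in ('+', '-'):
        sign = 1 if m.group('tz') == '+' else -1
        tz = timezone(sign * timedelta(hours=field('tzh', 0), minutes=field('tzm', 0)))
    return datetime(field('Y', 1), field('m', 1), field('d', 1),
                    field('H', 0), field('M', 0), field('S', 0), tzinfo=tz)

def parse_info_dict(text):
    # Maps each /Key to its decoded string value.
    entries = {}
    for key, hex_digits, literal in INFO_ENTRY.findall(text):
        entries[key] = decode_pdf_hex_string(hex_digits) if hex_digits else literal
    return entries

def triage_pdf_info(text):
    # The fields an analyst wants side by side: the producing tool, and the
    # creation time both as written (local) and normalised to UTC.
    info = parse_info_dict(text)
    created = parse_pdf_date(info['CreationDate'])
    return {
        'creator': info.get('Creator'),
        'producer': info.get('Producer'),
        'created_local': created.isoformat(),
        'created_utc': created.astimezone(timezone.utc).isoformat(),
    }

if __name__ == '__main__':
    print(triage_pdf_info(SAMPLE_INFO))
```

The UTC offset in the date is the useful part: together with the ru-RU language tag and the LibreOffice producer string it is one of the few builder artefacts the lure leaves behind, and comparing it against the PE compile time and the workbook save time (Tables 3 and 4) gives the build timeline.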
The file name of the downloadable document roughly translates to “List of\r\nmilitary-liable personnel of organization 609528.”\r\nFigure 2: File name: Список оповіщених військовозобов’язаних організації 609528.xlsm\r\n(Translated to English: List of notified military-liable personnel of organization 609528.xlsm)\r\nSHA-256 f6b03fa3ea7fd2c4490af19b3331f7ad384640083757a3cede320ca54c7b0999\r\nFile Size 626,987 bytes\r\nTable 2: File information for the malicious .xlsm document.\r\nFigure 3: Downloaded OLE lure (fake) document, titled: “LIST of notified military-liable personnel by notification districts\r\nand assembly points of territorial communities as of May 30, 2025.”\r\nFigure 3b: Close-up of deliberately corrupted font shows unreadable list of “names.”\r\nTranslated to English, the text of the OLE lure document reads:\r\nLIST of notified military conscripts by notification districts and assembly points of territorial communities for May 30, 2025.\r\nIN CASE OF INCORRECT INFORMATION DISPLAY, IT IS NECESSARY TO ENABLE MACROS, WHICH WILL\r\nCONVERT THE DATA TO THE REQUIRED VERSION\r\n# | FULL NAME* | Address | Date of Birth | Date of Summons Delivery | Territorial Community\r\nThe table in the lure document displays unrecognizable names in a deliberately corrupted font, stating that the reader should\r\nmanually enable macros if the information displays incorrectly. 
This classic social engineering ploy directs the reader to take an action that will ultimately harm them, because the threat actor needs macros enabled to continue the attack chain.\r\nAnalysis of the core .XML file (docProps/core.xml, the package’s metadata part) indicates it was generated by openpyxl, a Python library for reading and writing Excel files.\r\nCreation Date: April 7, 2025 at 16:22:15 UTC (4:22 PM)\r\nLast Modified By: user\r\nLast Modified: May 20, 2025 at 14:27:25 UTC (2:27 PM) (43-day gap between creation and modification)\r\nLanguage: ru-RU (Russian – Russia)\r\nFile Format: Excel with macros (.xlsm)\r\nTable 3: File information from the core .XML file.\r\nIf the user goes ahead and manually enables macros, an executable PE file is extracted from the document, using the base64 text stored in sharedStrings.xml (the workbook’s shared-string table; an .xlsm is an Office Open XML zip package, so this part can be read without opening the file in Excel), and executed from %ProgramData%\\Infomaster\\Infomaster.\r\nFigure 4: Portable executable (PE) extraction from OLE file.\r\nFigure 5: VBA project to extract and run PE file.\r\nSHA-256: a6dd44c4b7a9785525e7f487c064995dc5f33522dad8252d8637f6a6deef3013\r\nFile Size: 806,912 bytes (788.0 KB)\r\nCompilation Date: 2025-05-20 14:18:25 UTC\r\nCompiler: Microsoft Visual C/C++\r\nFile type: PE x64\r\nTable 4: Dropped PE implant’s properties.\r\nThe compilation timestamp is nine minutes before the workbook’s last-modified time in Table 3, consistent with the freshly built payload being embedded and the document saved in one sitting.\r\nVersion 1.2 of GIFTEDCROOK is an executable designed to run invisibly on a victim’s system. 
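An added example (not the report's or the actor's code) of pulling that payload out without opening the workbook: because an .xlsm is a zip package, the shared-string table can be read directly, base64 runs decoded, and each candidate checked for a PE header (MZ magic plus the e_lfanew pointer landing on the PE signature) before hashing. The workbook scanned here is constructed in memory with a dummy PE image; the names are this example's own, and a real document may spread the base64 across several cells, which this version does not stitch together.

```python
import base64
import binascii
import hashlib
import io
import re
import zipfile

# Base64 runs long enough to hold an executable; ordinary cell text is shorter.
B64_RUN = re.compile(r'[A-Za-z0-9+/]{64,}={0,2}')
CELL_TEXT = re.compile(r'<t[^>]*>([^<]*)</t>')

def looks_like_pe(blob):
    # MZ magic, and the e_lfanew pointer at offset 0x3C must land on the PE signature.
    if len(blob) < 0x40 or blob[:2] != b'MZ':
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], 'little')
    return blob[e_lfanew:e_lfanew + 4] == b'PE' + bytes(2)

def carve_pe_from_shared_strings(xml_bytes):
    # Returns (sha256, bytes) for every shared string that decodes to a PE image.
    found = []
    for cell in CELL_TEXT.findall(xml_bytes.decode('utf-8', 'replace')):
        for run in B64_RUN.findall(cell):
            try:
                blob = base64.b64decode(run, validate=True)
            except (binascii.Error, ValueError):
                continue
            if looks_like_pe(blob):
                found.append((hashlib.sha256(blob).hexdigest(), blob))
    return found

def scan_xlsm(path_or_fileobj):
    # Triage summary: is there a VBA project, and does the shared-string
    # table hide an executable?
    with zipfile.ZipFile(path_or_fileobj) as z:
        names = set(z.namelist())
        report = {'has_vba': 'xl/vbaProject.bin' in names, 'embedded_pe': []}
        if 'xl/sharedStrings.xml' in names:
            for digest, blob in carve_pe_from_shared_strings(z.read('xl/sharedStrings.xml')):
                report['embedded_pe'].append({'sha256': digest, 'size': len(blob)})
    return report

def build_constructed_xlsm():
    # Constructed test document, not a real sample: a minimal package with a
    # placeholder VBA part and a dummy PE image (MZ header, e_lfanew = 0x40,
    # PE signature, zero padding) base64-encoded into one shared string.
    dummy_pe = b'MZ' + bytes(58) + (0x40).to_bytes(4, 'little') + b'PE' + bytes(2) + bytes(200)
    sst = ('<sst><si><t>Surname</t></si><si><t>'
           + base64.b64encode(dummy_pe).decode('ascii') + '</t></si></sst>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as z:
        z.writestr('[Content_Types].xml', '<Types/>')
        z.writestr('xl/workbook.xml', '<workbook/>')
        z.writestr('xl/vbaProject.bin', bytes(16))
        z.writestr('xl/sharedStrings.xml', sst)
    buf.seek(0)
    return buf

if __name__ == '__main__':
    print(scan_xlsm(build_constructed_xlsm()))
```

The hash of the carved blob is what to compare against the implant hashes in Appendix 2; on a real sample, a match on a6dd44c4... or b9d508d1... confirms the document without ever executing the macro.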
It targets specific file types for collection and exfiltration, identified by hardcoded extensions, and also filters files by modification time and size. The executable specifically seeks files up to 5 MB that were modified within the last 15 days.\r\nFigure 6: A list of file extensions GIFTEDCROOK searches for to exfiltrate.\r\nThe presence of various file types, including document and OpenVPN configuration files, alongside unfamiliar extensions like .bwet****** (extension redacted), suggests that the threat actor possesses intimate knowledge of the victim’s infrastructure. This familiarity likely extends to the internal file storage systems, even encompassing files with proprietary or undisclosed extensions.\r\nThe GIFTEDCROOK implant creates a dedicated staging directory for any files that match its search parameters, then copies those files into it, organized in subdirectories that mirror their original locations on the system:\r\nC:\\Users\\%Username%\\AppData\\Local\\Temp\\[a-zA-Z0-9]{13}\\[a-zA-Z0-9]{13}\r\n(two nested directories, each with a random 13-character alphanumeric name)\r\nAll files are then consolidated into a single zip archive, which is encrypted with the custom XOR algorithm, the key being derived at run time.\r\nIn the sample shown, the zip archive containing the exfiltrated data is encrypted with the following key:\r\nBPURYGBLPEWJIJJ\r\nNext, the encrypted archive is sent to a dedicated Telegram channel through the Bot API. Each GIFTEDCROOK implant is assigned a unique bot identifier. 
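The key quoted above is a 15-byte string, which suggests a repeating-key XOR over the archive. As an added example (not the implant's own routine, whose exact indexing is not on this page), the following Python shows the analyst-side workflow under that assumption: recover as much of the key as the ZIP local-file-header magic gives away (the first four bytes, since PK 03 04 is fixed plaintext at offset 0 of any zip), then decrypt with the full key from the report and list the archive. The archive is constructed in memory and the function names are this example's own.

```python
import io
import zipfile
from itertools import cycle

# Key quoted in the report for the analysed v1.2 sample.
REPORT_KEY = b'BPURYGBLPEWJIJJ'
ZIP_LOCAL_HEADER = b'PK' + bytes([3, 4])   # fixed plaintext at offset 0 of any zip

def xor_stream(data, key):
    # Repeating-key XOR (assumed scheme); symmetric, so one function encrypts
    # and decrypts.
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def recover_key_prefix(ciphertext, known_plaintext=ZIP_LOCAL_HEADER):
    # Known-plaintext attack: key[i] = ciphertext[i] XOR plaintext[i] for the
    # bytes whose plaintext is fixed. Only len(known_plaintext) key bytes fall
    # out; the rest must come from the binary, as the report did.
    return bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))

def decrypt_archive(ciphertext, key):
    # Decrypts and returns {member name: content}; a wrong key is caught at the magic.
    plain = xor_stream(ciphertext, key)
    if not plain.startswith(ZIP_LOCAL_HEADER):
        raise ValueError('decrypted data does not start with a zip local header')
    with zipfile.ZipFile(io.BytesIO(plain)) as z:
        return {name: z.read(name) for name in z.namelist()}

def build_constructed_archive():
    # Constructed stand-in for the staged-files archive, not a real sample.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as z:
        z.writestr('Users/victim/Documents/orders.docx', b'constructed document body')
        z.writestr('Users/victim/OpenVPN/config/hq.ovpn', b'remote vpn.example 1194 udp')
    return buf.getvalue()

def demo(key=REPORT_KEY):
    # Attacker side: zip then XOR. Analyst side: key prefix from the magic,
    # then full decryption with the known key.
    ciphertext = xor_stream(build_constructed_archive(), key)
    prefix = recover_key_prefix(ciphertext)
    members = decrypt_archive(ciphertext, key)
    return {
        'prefix_hex': prefix.hex(),
        'prefix_matches_key': prefix == key[:len(prefix)],
        'members': sorted(members),
    }

if __name__ == '__main__':
    print(demo())
```

The magic check is also the cheapest way to tell whether a captured upload was encrypted at all: a v1 archive starts with PK, a v1.2 or v1.3 one does not.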
The sample analyzed in this report uses a Telegram Bot API endpoint whose address is decrypted during the implant’s operation:\r\nhxxps://api[.]telegram[.]org/bot7806388607:AAFb6nCE21n6YmK6-bJA6IrcLTLfhlwQ254/sendDocument\r\nThe implant then writes and executes a self-deleting batch file, Infomaster_delete.bat (matching the %s_delete.bat format string in the YARA rule in Appendix 3), with the following contents:\r\n@echo off\r\n:loop\r\ndel \"%ProgramData%\\Infomaster\\Infomaster\" \u003enul 2\u003e\u00261\r\nif exist \"%ProgramData%\\Infomaster\\Infomaster\" goto loop\r\ndel \"%-r0\"\r\nThe loop retries the delete until the implant process has exited and its file can be removed; the last line then deletes the batch file itself (the extracted text reads %-r0; the standard batch idiom for a script’s own full path is %~f0). The script functions as an auto-eraser for the implant binary and for itself, but it does not undo the upload, so the exfiltrated archive and the network traffic to api.telegram.org remain the durable evidence.\r\nGIFTEDCROOK v1.3\r\nOn June 17, 2025, the Arctic Wolf Labs team discovered a third iteration of GIFTEDCROOK, version 1.3, also targeting Ukraine. This version integrates the capabilities of both v1 and v1.2, targeting browser secrets and files stored on the target’s device.\r\nInitial OLE File Name: Адміністративні штрафи співробiтників організації №20250612-371946.xlsm (Translated to English: Administrative fines of organization employees №20250612-371946)\r\nSHA-256: 891e4c3092435f7922fd342a991d681c545aa6cf94941fbcdde74a1ac580c35b\r\nFile Size: 655,014 bytes (639.7 KB)\r\nVBA Project Creation Time: 2025-06-16 14:07 UTC\r\nTable 5: OLE file information.\r\nFigure 7: New payload name: PhoneInfo.\r\nShould macros be manually enabled by the user, as with GIFTEDCROOK v1.2, a malicious portable executable file is dropped onto the system, this time at %ProgramData%\\PhoneInfo\\PhoneInfo.\r\nGIFTEDCROOK v1.3 PE File\r\nSHA-256: b9d508d12d2b758091fb596fa8b8b4a1c638b7b8c11e08a1058d49673f93147d\r\nFile Size: 811,008 bytes (792.0 KB)\r\nCompilation Time: 2025-06-16 13:59:19\r\nTable 6: Properties of GIFTEDCROOK v1.3’s PE file.\r\nAs with v1.2, the payload was compiled minutes before the VBA project that carries it was created.\r\nEmploying a sleep evasion technique to circumvent basic 
sandboxing, the implant gathers data from files on the victim’s device with the following extensions: .doc, .docx, .rtf, .pptx, .ppt, .csv, .xls, .xlsx, .jpeg, .jpg, .png, .pdf, .odt, .ods, .rar, .zip, .eml, .txt, .sqlite, and .ovpn.\r\nAdditionally, it extracts browser secrets, including cookies and login data from multiple browsers, as shown in the code snippet below:\r\nFigure 8: Code snippet showing browser data search.\r\nData is gathered from the following browsers:\r\nChrome: cookies, login data, local state\r\nEdge: cookies, login data, local state\r\nFirefox: key4.db, logins.json, places.sqlite, cookies.sqlite\r\nLocal State is taken because it holds the DPAPI-protected key that decrypts the entries in the Chromium Login Data and Cookies databases; key4.db plays the same role for Firefox’s logins.json. Stealing the databases without these key files would leave the attacker with ciphertext.\r\nThe following code demonstrates how additional browser-related data is organized and prepared for exfiltration:\r\nFigure 9: Browser “secrets” collection by GIFTEDCROOK.\r\nStolen browser data is organized as follows:\r\nGoogle Chrome Cookies: B_info/Go-C\r\nGoogle Chrome Logins: B_info/Go-L\r\nEdge Cookies: B_info/Ed-C\r\nEdge Logins: B_info/Ed-L\r\nFirefox Keys: B_info/Fi-ke.db\r\nUsername: B_info/us.txt\r\nTable 7: Stolen browser data information.\r\n(The YARA rule in Appendix 3 also matches on the string Fi-cook.sqlite, consistent with a Firefox cookies.sqlite copy alongside the entries above.)\r\nFiles are collected and exfiltrated by GIFTEDCROOK v1.3 if the following conditions are satisfied: the extension is on the target list, the individual file size is under 7 MB, and the modification time-stamp is within the last 45 days. 
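As an added example, not the report's or the implant's code, the following Python reproduces the v1.3 selection predicate (extension list, under 7 MB, modified within 45 days) over a directory tree and stages the matches under a mirror of their original paths, the way the staging directory is described above. Pointed at a real user profile it answers the incident-response question of what a compromise on that host would have handed over. The tree here is constructed in a temporary folder with back-dated modification times; names and thresholds are parameters of this example.

```python
import os
import shutil
import tempfile
import time
from pathlib import Path

# Extension list and thresholds as the report gives them for v1.3.
V13_EXTENSIONS = {'.doc', '.docx', '.rtf', '.pptx', '.ppt', '.csv', '.xls', '.xlsx',
                  '.jpeg', '.jpg', '.png', '.pdf', '.odt', '.ods', '.rar', '.zip',
                  '.eml', '.txt', '.sqlite', '.ovpn'}
V13_MAX_BYTES = 7 * 1024 * 1024
V13_WINDOW_DAYS = 45

def select_targets(root, now=None, extensions=V13_EXTENSIONS,
                   max_bytes=V13_MAX_BYTES, window_days=V13_WINDOW_DAYS):
    # Walks root and returns the relative paths a collector using these rules
    # would take: extension on the list (case-insensitive), size under the cap,
    # modification time inside the look-back window.
    now = time.time() if now is None else now
    cutoff = now - window_days * 86400
    root = Path(root)
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.suffix.lower() not in extensions:
                continue
            st = p.stat()
            if st.st_size >= max_bytes or st.st_mtime < cutoff:
                continue
            hits.append(p.relative_to(root).as_posix())
    return sorted(hits)

def stage_mirror(root, hits, staging):
    # Copies each hit under staging, preserving its path relative to root,
    # as the report describes the implant doing before zipping.
    for rel in hits:
        dest = Path(staging) / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(Path(root) / rel, dest)
    return sorted(p.relative_to(staging).as_posix()
                  for p in Path(staging).rglob('*') if p.is_file())

def build_constructed_tree():
    # Constructed fixture: a fake profile with recent, stale and oversized files.
    root = Path(tempfile.mkdtemp(prefix='giftedcrook_demo_'))
    now = time.time()
    samples = [
        ('Documents/orders.docx', 2048, 3),              # recent, small: taken
        ('Documents/archive/old.pdf', 2048, 120),        # older than 45 days: skipped
        ('Downloads/backup.zip', V13_MAX_BYTES + 1, 1),  # over the size cap: skipped
        ('OpenVPN/config/hq.OVPN', 512, 10),             # upper-case extension: taken
        ('Pictures/photo.heic', 512, 1),                 # extension not listed: skipped
    ]
    for rel, size, age_days in samples:
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        with open(p, 'wb') as f:
            f.truncate(size)
        mtime = now - age_days * 86400
        os.utime(p, (mtime, mtime))
    return root, now

def demo():
    root, now = build_constructed_tree()
    try:
        hits = select_targets(root, now)
        staged = stage_mirror(root, hits, root / '_staging')
        return hits, staged
    finally:
        shutil.rmtree(root, ignore_errors=True)

if __name__ == '__main__':
    print(demo())
```

Swap in the 5 MB and 15-day values to model v1.2; the size cap is an upper bound on what a single stolen file can be, which is why large archives and databases survive while the small .ovpn profiles do not.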
The files that meet these criteria are then compressed and encrypted, ready for exfiltration.\r\nFigure 10: Instructions in v1.3 to locate files modified within the last 45 days.\r\nFinally, Telegram is used to exfiltrate the gathered data, in this case via:\r\nhxxps://api[.]telegram[.]org/bot7726014631:AAFe9jhCMsSZ2bL7ck35PP30TwN6Gc3nzG8/sendDocument\r\nExfiltration Flow\r\nThe exfiltration process involves several key steps:\r\n1. File Preparation: Discovered target files are compressed into an archive, which is then encrypted. If the total archive size exceeds 20 MB, it is split into multiple parts.\r\n2. Upload to Telegram: Each part is uploaded with a sendDocument request, using sequential part suffixes (e.g., .01, .02).\r\n3. Metadata Preservation: File metadata is preserved in the Telegram message itself.\r\n4. Attacker Retrieval: The attacker retrieves the complete set of parts from the designated Telegram chat or channel and reassembles them.\r\nGIFTEDCROOK Attack Flow\r\nFigure 11: GIFTEDCROOK attack flow.\r\nRemediation\r\nGIFTEDCROOK’s use of social engineering, including lure documents on the themes of military mobilization and administrative records, points to a threat group tied strongly to the current geopolitical landscape and focused on very specific objectives.\r\nTheir targeting of OpenVPN configurations and administrative documents provides the threat actor with network access credentials and organizational intelligence that enables future malicious operations. 
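An added example of the network-side detection this exfiltration flow allows (the editor's illustration, not Arctic Wolf's detection content): it parses proxy log lines for Bot API requests, extracts the bot ID, matches it against the two bot IDs in Appendix 2, and otherwise flags any host that makes several sendDocument uploads to the same bot within a short window, which is the pattern a split multi-part archive leaves behind. The log lines are constructed; the field layout (timestamp, client IP, method, URL, status) is an assumption, and the URL syntax is the documented Bot API form, bot followed by a numeric ID, a colon and the token.

```python
import re
from collections import defaultdict
from datetime import datetime

# Bot IDs from the two Telegram IOCs in Appendix 2 of the report.
KNOWN_BAD_BOT_IDS = {'7806388607', '7726014631'}

# Bot API URL: https://api.telegram.org/bot<numeric id>:<token>/<method>
BOT_API = re.compile(r'api[.]telegram[.]org/bot([0-9]+):([A-Za-z0-9_-]+)/([A-Za-z]+)')

# Constructed proxy log lines (assumed layout: time, client, method, url, status).
# The first bot ID is the v1.3 IOC; the second is a made-up bot for the burst rule.
SAMPLE_LOG = [
    '2025-06-17T09:14:02Z 10.20.5.17 POST https://api.telegram.org/bot7726014631:AAFe9jhCMsSZ2bL7ck35PP30TwN6Gc3nzG8/sendDocument 200',
    '2025-06-17T09:14:09Z 10.20.5.17 POST https://api.telegram.org/bot7726014631:AAFe9jhCMsSZ2bL7ck35PP30TwN6Gc3nzG8/sendDocument 200',
    '2025-06-17T09:30:11Z 10.20.7.3 GET https://api.telegram.org/bot1234567890:AAHexampleTokenValueForDemoUseOnly1/getUpdates 200',
    '2025-06-17T09:41:40Z 10.20.9.8 POST https://api.telegram.org/bot1234567890:AAHexampleTokenValueForDemoUseOnly1/sendDocument 200',
    '2025-06-17T09:41:52Z 10.20.9.8 POST https://api.telegram.org/bot1234567890:AAHexampleTokenValueForDemoUseOnly1/sendDocument 200',
    '2025-06-17T09:42:05Z 10.20.9.8 POST https://api.telegram.org/bot1234567890:AAHexampleTokenValueForDemoUseOnly1/sendDocument 200',
    '2025-06-17T09:50:00Z 10.20.9.8 GET https://www.example.org/ 200',
]

def parse_line(line):
    # Returns the Bot API call in a log line, or None for any other traffic.
    ts, client, method, url, status = line.split()
    m = BOT_API.search(url)
    if not m:
        return None
    return {
        'time': datetime.strptime(ts, '%Y-%m-%dT%H:%M:%SZ'),
        'client': client,
        'bot_id': m.group(1),
        'method': m.group(3),
    }

def detect(lines, burst_count=3, burst_seconds=600):
    # Rule 1: any contact with a known-bad bot ID.
    # Rule 2: burst_count or more sendDocument uploads from one client to one
    # bot within burst_seconds, the shape a split archive upload leaves behind.
    alerts = []
    uploads = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev['bot_id'] in KNOWN_BAD_BOT_IDS:
            alerts.append(('known_bad_bot', ev['client'], ev['bot_id']))
        if ev['method'] == 'sendDocument':
            uploads[(ev['client'], ev['bot_id'])].append(ev['time'])
    for (client, bot_id), times in uploads.items():
        times.sort()
        for i in range(len(times) - burst_count + 1):
            if (times[i + burst_count - 1] - times[i]).total_seconds() <= burst_seconds:
                alerts.append(('upload_burst', client, bot_id))
                break
    return sorted(set(alerts))

if __name__ == '__main__':
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The bot ID, not the token, is the stable pivot: it survives token rotation and appears in clear in the URL path, so it works on proxy and TLS-inspection logs that do not retain request bodies. Where Telegram has no business use, a plain allow-list violation on api.telegram.org is simpler still.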
The systematic collection of browser credentials creates persistent access opportunities across cloud services and enterprise applications.\r\nDetection opportunities exist in monitoring for the installation paths and temporary directory pattern listed in Appendix 2, for outbound connections to api.telegram.org (in particular Bot API sendDocument uploads from hosts with no business need for Telegram), and for the distinctive file enumeration the malware performs: a sweep of recently modified document, image, archive, mail, database and .ovpn files across the device. The YARA rule in Appendix 3 covers the implant binary itself.\r\nSince the threat group uses spear-phishing as its initial attack vector, there are many common-sense protections organizations and individuals can use against this type of attack. Organizations should train employees to identify and report phishing, and consider conducting regular internal phishing tests to reinforce security training.\r\nIn addition, organizations can protect themselves by exercising the following measures:\r\nConsider the use of Secure Email Gateway solutions, to help proactively filter out malicious emails.\r\nEnforce the Office policy that blocks VBA macros in documents downloaded from the internet (files carrying the Mark of the Web), without a user override; every GIFTEDCROOK chain described here requires the user to enable macros before the PE is written to disk.\r\nImplement an Endpoint Detection and Response (EDR) solution such as Arctic Wolf® Aurora™ Endpoint Defense.\r\nEnsure all employees throughout the company are aware of good security hygiene practices, including awareness of social engineering.\r\nAdd or enable a phishing report button to your organization’s email solution to empower employees to immediately report suspected phishing emails to your security team.\r\nFoster a culture where employees feel safe reporting suspected phishing attempts, even those they may have inadvertently fallen for.\r\nThe Arctic Wolf Managed Security Awareness® training solution delivers easily digestible security lessons for employees, including regular phishing simulations and a “Report Phish” button, along with many other features.\r\nHow Arctic Wolf Protects Its Customers\r\nArctic Wolf is committed to ending cyber risk, and when active campaigns are identified, we move quickly 
to protect our\r\ncustomers.\r\nArctic Wolf Labs has leveraged threat intelligence around GIFTEDCROOK activity to implement new detections in the\r\nArctic Wolf® Aurora™ Platform to protect customers. As we discover new information, we will enhance our detections to\r\naccount for additional IOCs and techniques leveraged by this threat actor and the malware it employs.\r\nConclusions\r\nThe evolution of GIFTEDCROOK from a basic browser credential stealer to an intelligence collection tool represents an\r\nescalation in cyber operations targeting Ukraine. This transformation reveals insights that demand attention at strategic,\r\ntactical, and operational levels.\r\nThe timing of the campaigns discussed in this report demonstrates clear alignment with geopolitical events, particularly the\r\nrecent negotiations between Ukraine and Russia in Istanbul. The progression from simple credential theft in\r\nGIFTEDCROOK version 1, to comprehensive document and data exfiltration in versions 1.2 and 1.3, reflects coordinated\r\ndevelopment efforts where malware capabilities followed geopolitical objectives to enhance data collection from\r\ncompromised systems in Ukraine.\r\nThis level of operational capacity, combined with the threat actor’s focus on crafting lure documents using the themes of\r\nmilitary mobilization and administrative records – and sending out those lures prior to critical negotiation periods – points to\r\ncovert intelligence collection objectives that directly support diplomatic and military decision-making processes.\r\nThe progressive development demonstrated in GIFTEDCROOK’s evolution suggests this campaign will continue to adapt in\r\nthe future in response to defensive measures.\r\nAPPENDIX 1: Malicious PDF Document Lure\r\nFull Ukrainian to English Translation\r\nReserve+ Ministry of Defense of Ukraine Military-accounting document.\r\nUnified Municipal Territorial Center for Recruitment and Social Support.\r\nIn accordance with the Law of Ukraine 
“On Military Duty and Military Service,” conscripts, military reservists, and\r\nreservists who reached the age of 18 and by June 1, 2025, according to Resolution No. 147 dated May 30, 2025, must report\r\nto the territorial recruitment center. The reservation system has been developed and approved by the General Staff of the\r\nArmed Forces of Ukraine to increase the effectiveness of military accounting.\r\nOrganizations included in the reserve must report no later than 15 June to the nearest municipal territorial center regarding\r\nthe status of conscripts and military reservists for strict military service.\r\nFor your convenience and confidentiality, the document is posted on the MEGA portal. You can obtain access to the\r\ndocument at: hxxps://mega[.]nz/file/\r\nIf you have technical problems or need an alternative format, please contact us.\r\n* Please note that the military-accounting document is valid for the specified period under the conditions that the data\r\nindicated in it have not changed. In case of changes in the specified data, the document becomes invalid. Notify about\r\nchanges to military reservists and reservists. 
In case of data changes, the document loses validity.\r\nAPPENDIX 2: Indicators of Compromise (SHA-256)\r\nGIFTEDCROOK Version 1.2\r\na6dd44c4b7a9785525e7f487c064995dc5f33522dad8252d8637f6a6deef3013\r\nGIFTEDCROOK Version 1.3\r\nb9d508d12d2b758091fb596fa8b8b4a1c638b7b8c11e08a1058d49673f93147d\r\n4e61215d2f5323942ef2cf737d6cb7c2755820796325ceef4e4b5d7e7aef2208\r\nPDF file containing a link to a malicious file\r\n1974709f9af31380f055f86040ef90c71c68ceb2e14825509babf902b50a1a4b\r\nMalicious OLE documents\r\nca2585acb9e37f5f46705f8f00d69453bfce7dc9327af0325a7ad8a88bf549a7\r\n399c0881230f6309f1fead5dae33021a40ae2a4c37edac1c24c9b4e1a0e630f9\r\nc2e920944d994ba28bc9e159491a89d83e305e63fafc4a4e25433db63800d5fa\r\nf6b03fa3ea7fd2c4490af19b3331f7ad384640083757a3cede320ca54c7b0999\r\na7a2895e4c10866967eff3ec719a2f697c859888af6482f6697e90042cb5d5b2\r\nReferential api.telegram.org Indicators\r\nTelegram IOC (Bot Token) | Version | Associated Sample (SHA-256)\r\nhxxps://api[.]telegram[.]org/bot7806388607:AAFb6nCE21n6YmK6-bJA6IrcLTLfhlwQ254/sendDocument | v1.2 | a6dd44c4b7a9785525e7f487c064995dc5f33522dad8252d8637f6a6deef3013\r\nhxxps://api[.]telegram[.]org/bot7726014631:AAFe9jhCMsSZ2bL7ck35PP30TwN6Gc3nzG8/sendDocument | v1.3 | b9d508d12d2b758091fb596fa8b8b4a1c638b7b8c11e08a1058d49673f93147d\r\nFile Paths and Mutexes\r\nType | Indicator\r\nInstallation Path | %ProgramData%\\Infomaster\\Infomaster\r\nInstallation Path | %ProgramData%\\PhoneInfo\\PhoneInfo\r\nTemporary Directory | C:\\Users\\%Username%\\AppData\\Local\\Temp\\[a-zA-Z0-9]{13}\\[a-zA-Z0-9]{13}\r\nAPPENDIX 3: YARA Rule\r\nrule GIFTEDCROOK_FileStealer {\r\nmeta:\r\n description = \"Rule to detect GIFTEDCROOK_FileStealer\"\r\n last_modified = \"2025-06-18\"\r\n author = \"The Arctic Wolf Labs team\"\r\n version = \"1.4\"\r\n sha256 = \"a6dd44c4b7a9785525e7f487c064995dc5f33522dad8252d8637f6a6deef3013\"\r\n sha256 = \"ff1be55fb5bb3b37d2e54adfbe7f4fbba4caa049fad665c8619cf0666090748a\"\r\n sha256 = \"d7a66fd37e282d4722d53d31f7ba8ecdabc2e5f6910ba15290393d9a2f371997\"\r\n sha256 = \"b9d508d12d2b758091fb596fa8b8b4a1c638b7b8c11e08a1058d49673f93147d\"\r\n sha256 = \"2930ad9be3fec3ede8f49cecd33505132200d9c0ce67221d0b786739f42db18a\"\r\nstrings:\r\n $a1 = \"MEZXB4whdffiufw2\" ascii wide\r\n $a2 = \"QKDBFY43DCMIEDX\" ascii wide\r\n $a3 = \"%s_delete.bat\" ascii wide\r\n $a4 = \"ALPQX418BERX91D\" ascii wide\r\n $a5 = \"Fi-cook.sqlite\" ascii wide\r\n $code1 = {8B 4C 24 64 48 8B 44 24 38 89 4C 24 30 8B 4C 24 68 89\r\n 4C 24 34 48 B9 00 40 32 7C C9 0B 00 00} // Check file condition: mov rcx, 0x0BC97C324000 = 15 days in 100 ns FILETIME units (the v1.2 look-back window)\r\n $code2 = {41 2A C0 49 FF C0 32 04 3A 34 ?? 88 01 4D 3B C3 72 DF} // Decryption Algo: sub al, r8b; inc r8; xor al, [rdx+rdi]; xor al, imm8; mov [rcx], al; cmp r8, r11; jb loop\r\n $code3 = {40 53 48 83 EC 30 48 8B 05 0F B8 0B 00 48 33 C4 48 89\r\n 44 24 28 48 83 64 24 20 00 4C 8D 05 EA 08 0B 00 48 8B\r\n DA 48 8B D1 48 8D 4C 24 20 E8 E2 79 07 00 48 8B 4C 24\r\n 20 48 8D 15 D2 08 0B 00 4C 8B C3 E8 C6 EE FF FF 48 8B\r\n 4C 24 20 E8 C0 7B 07 00 48 8B 4C 24 28 48 33 CC E8 1F\r\n D6 06 00 48 83 C4 30 5B C3}\r\n $code4 = {48 89 5C 24 18 56 57 41 56 48 83 EC 40 48 8B 05 0C B5\r\n 0B 00 48 33 C4 48 89 44 24 38 0F 10 05 0D 06 0B 00 0F\r\n B7 05 16 06 0B 00 4C 8B F2 48 8D 54 24 20 66 89 44 24\r\n 30 0F 11 44 24 20 E8 57 E2 06 00 48 8B F0 48 83 C9 FF\r\n 48 8D 44 24 20 48 FF C1 80 3C 08 00 75 F7 48 03 F1 48\r\n 8D 15 E4 05 0B 00 48 8B CE E8 30 E2 06 00 48}\r\n $code5 = {48 8B C4 48 89 58 08 48 89 68 10 48 89 70 18 48 89 78\r\n 20 41 56 48 83 EC 30 33 ED 48 8B F9 48 85 C9 0F 84 60\r\n 01 00 00 66 39 29 0F 84 57 01 00 00 B9 90 04 00 00 E8\r\n C2 39 07 00 48 8B D8 48 85 C0 0F 84 4B 01 00 00 49 83\r\n CE FF 48 89 A8 88 04 00 00 45 33 C9 4C 89 B0 80 04 00\r\n 00 45 33 C0 48 89 A8 78 04 00 00 33 D2 48 8B CF FF 15\r\n 78 F1 08 00 8B C8 48 03 C9 8B F0 48 83 C1 10 49 0F 42\r\n CE E8 
78 39 07 00 48 89 83 88 04 00 00 48 85 C0 0F 84\r\n B7 00 00 00 45 33 C9 4C 8B C0 8B D6 48 8B CF FF 15 43\r\n F1 08 00 85 C0 0F 84 9E 00 00 00 8B C8 8D 7D 02 48 8B\r\n 83 88 04 00 00 48 8D 14 48 66 83 7A FE 2F 74 16 66 83\r\n 7A FE 3A 74 0F 8D 45 5C 66 39 42 FE 74 06 66 89 02 48\r\n 03 D7 C7 02 2A 00 00 00 48 8D B3 28 02 00 00 48 8B 8B\r\n 88 04 00 00 4C 8B C6 89 6C 24 28 45 33 C9 33 D2 48 89\r\n 6C 24 20 FF 15 FB EE 08 00 48 89 83 80 04 00 00 49 3B\r\n C6 75 62 89 AB 78 04 00 00 C7 83 7C 04 00 00 01 00 00\r\n 00 FF 15 19 EF 08 00 83 F8 03 74 18 83 F8 05 74 0E 3D\r\n 0B 01 00 00 75 0C BF 14 00 00 00 EB 05 BF 0D 00 00 00\r\n 8B CF E8 5D 2B 07 00 48 8B 8B 80 04 00 00 49 3B CE 74}\r\n $code6 = {0F 28 05 ?? C0 0A 00 0F 29 85 20 04 00 00 F2 0F 10 05\r\n ?? C0 0A 00 0F 29 8D 10 04 00 00 0F 28 0D ?? C0 0A 00}\r\ncondition:\r\nuint16(0) == 0x5A4D and filesize \u003c 1MB and ((3 of ($a*)) or (any of ($code*)))\r\n}\r\nAbout Arctic Wolf Labs\r\nArctic Wolf Labs is a group of elite security researchers, data scientists, and security development engineers who explore\r\nsecurity topics to deliver cutting-edge threat research on new and emerging adversaries, develop and refine advanced threat\r\ndetection models with artificial intelligence and machine learning, and drive continuous improvement in the speed, scale,\r\nand detection efficacy of Arctic Wolf’s solution offerings.\r\nArctic Wolf Labs brings world-class security innovations to not only Arctic Wolf’s customer base, but the security\r\ncommunity at large.\r\nSource: https://arcticwolf.com/resources/blog/giftedcrook-strategic-pivot-from-browser-stealer-to-data-exfiltration-platform/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://arcticwolf.com/resources/blog/giftedcrook-strategic-pivot-from-browser-stealer-to-data-exfiltration-platform/"
	],
	"report_names": [
		"giftedcrook-strategic-pivot-from-browser-stealer-to-data-exfiltration-platform"
	],
	"threat_actors": [
		{
			"id": "4ca9564c-9ccf-4d82-8721-5d57f6801d0d",
			"created_at": "2025-05-29T02:00:03.20861Z",
			"updated_at": "2026-04-10T02:00:03.863186Z",
			"deleted_at": null,
			"main_name": "UAC-0226",
			"aliases": [],
			"source_name": "MISPGALAXY:UAC-0226",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434958,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7500a287a4e7a91cd568c27c1b209f0f26c0bb10.pdf",
		"text": "https://archive.orkl.eu/7500a287a4e7a91cd568c27c1b209f0f26c0bb10.txt",
		"img": "https://archive.orkl.eu/7500a287a4e7a91cd568c27c1b209f0f26c0bb10.jpg"
	}
}