From Browser Stealer to Intelligence-Gathering Tool


Jun 28, 2025 | Ravie Lakshmanan | Malware / Cyber Warfare

The GIFTEDCROOK malware has evolved into a sophisticated intelligence-gathering tool, showcasing enhanced capabilities to extract sensitive documents from targeted devices.

Recent campaigns in June 2025 highlight GIFTEDCROOK's advanced exfiltration abilities, posing a significant threat to Ukrainian governmental and military entities, according to a report by Arctic Wolf Labs.

Originally identified by CERT-UA in April 2025, GIFTEDCROOK has been utilized in phishing campaigns targeting military and law enforcement organizations, leveraging macro-laced Excel documents to deploy the malware.

With versions 1.2 and 1.3, GIFTEDCROOK can now extract documents below 7 MB in size, targeting specific file extensions and focusing on recent files. The malware is adept at stealing cookies, browsing history, and authentication data from various web browsers.

Through military-themed PDF lures, the malware entices users to download malicious Excel workbooks, enabling the exfiltration of stolen data to an attacker-controlled Telegram channel in discreet chunks to evade detection.
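A defender-side hunting sketch for the exfiltration pattern described above, added here as an example and not taken from the Arctic Wolf or CERT-UA reporting: it scans proxy records for non-browser processes that send several large uploads to Telegram within a short window. The log schema, process allowlist, thresholds, the use of `api.telegram.org` as the destination, and all sample records are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions (not from the report): destination host, allowlist, thresholds, log schema.
TELEGRAM_HOSTS = {"api.telegram.org"}
EXPECTED_PROCS = {"chrome.exe", "msedge.exe", "firefox.exe"}
MIN_UPLOADS, MIN_BYTES = 3, 100_000   # uploads per burst; ignore small API chatter
WINDOW = timedelta(minutes=10)

# Constructed sample proxy records: time host process method dest bytes_out
SAMPLE_LOG = """\
2025-06-20T09:00:01 WS-014 chrome.exe POST api.telegram.org 2048
2025-06-20T09:01:10 WS-022 svc_update.exe POST api.telegram.org 5242880
2025-06-20T09:01:40 WS-022 svc_update.exe POST api.telegram.org 5242880
2025-06-20T09:02:15 WS-022 svc_update.exe POST api.telegram.org 3145728
2025-06-20T09:03:00 WS-030 backup.exe POST storage.example.net 9437184
2025-06-20T11:30:00 WS-031 notify.exe POST api.telegram.org 400000
malformed line
"""

def parse(line):
    """Return a record dict, or None for lines that do not match the schema."""
    parts = line.split()
    if len(parts) != 6:
        return None
    try:
        ts, size = datetime.fromisoformat(parts[0]), int(parts[5])
    except ValueError:
        return None
    return {"ts": ts, "host": parts[1], "proc": parts[2].lower(),
            "method": parts[3], "dest": parts[4].lower(), "bytes": size}

def find_upload_bursts(log_text):
    """Flag (host, process) pairs with >= MIN_UPLOADS large Telegram POSTs inside WINDOW."""
    events = defaultdict(list)
    for rec in filter(None, map(parse, log_text.splitlines())):
        if (rec["method"] == "POST" and rec["dest"] in TELEGRAM_HOSTS
                and rec["proc"] not in EXPECTED_PROCS and rec["bytes"] >= MIN_BYTES):
            events[(rec["host"], rec["proc"])].append(rec)
    alerts = []
    for key, recs in events.items():
        recs.sort(key=lambda r: r["ts"])
        for i in range(len(recs) - MIN_UPLOADS + 1):
            burst = recs[i:i + MIN_UPLOADS]
            if burst[-1]["ts"] - burst[0]["ts"] <= WINDOW:
                alerts.append({"host": key[0], "process": key[1], "uploads": len(recs),
                               "total_bytes": sum(r["bytes"] for r in recs)})
                break
    return alerts
```

On the constructed sample, only `WS-022` is flagged; the single upload from `WS-031` and the browser traffic from `WS-014` stay below the burst threshold or are excluded by the allowlist.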

This change underscores a move towards cyber espionage, emphasizing the importance of safeguarding sensitive information and recognizing the evolving tactics employed by threat actors.

Arctic Wolf's analysis highlights the correlation between GIFTEDCROOK's functionality upgrades and geopolitical events, signaling a strategic alignment with data collection initiatives in Ukraine.
