Ukraine's Cyber Emergency Response Team (CERT-UA) reported that it has been closely monitoring a series of targeted cyber espionage activities since February 2025. The primary focus of this campaign is espionage against Ukraine's innovation hubs in the military sector, as well as various government and law enforcement agencies, especially those operating along the country's eastern border.
The initial compromise occurs through phishing emails containing malicious attachments, specifically macro-enabled Excel spreadsheets (files with the ".xlsm" extension). The subject lines or titles of the emails may reference issues such as landmine clearance, administrative fines, drone manufacturing, compensation for destroyed property, and more. The documents contain base64-encoded payloads stored within Excel cells, with a macro designed to decode the strings into executable files. Once decoded, the files are saved to the victim's computer without an extension and are executed automatically.
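As an added illustration (not code from the CERT-UA report), the following Python check looks for the storage pattern described above in a suspicious workbook: it unzips the .xlsm, walks the shared-string table and worksheet XML, and flags any cell string that is base64 decoding to an "MZ" (PE) header. The test workbook and its fake payload are constructed inside the script; the length threshold is an assumed tuning value.

```python
import base64
import binascii
import io
import re
import zipfile
import xml.etree.ElementTree as ET

MIN_B64_LEN = 64  # assumed threshold: shorter strings are unlikely to hold an executable
B64_RE = re.compile(r"^[A-Za-z0-9+/=]+$")
NS = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"

def decodes_to_pe(text: str) -> bool:
    """True if the cell text is base64 that decodes to data starting with the 'MZ' PE header."""
    cleaned = "".join(text.split())  # macros often strip line breaks before decoding
    if len(cleaned) < MIN_B64_LEN or not B64_RE.match(cleaned):
        return False
    try:
        blob = base64.b64decode(cleaned, validate=True)
    except binascii.Error:
        return False
    return blob[:2] == b"MZ"

def scan_workbook(xlsm_bytes: bytes) -> list:
    """Return (xml_part, text_preview) for every workbook string that decodes to a PE."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(xlsm_bytes)) as zf:
        for name in zf.namelist():
            # Cell strings live in the shared-string table or inline in worksheet XML.
            if name != "xl/sharedStrings.xml" and not name.startswith("xl/worksheets/"):
                continue
            root = ET.fromstring(zf.read(name))
            for t in root.iter(NS + "t"):
                if t.text and decodes_to_pe(t.text):
                    hits.append((name, t.text[:24]))
    return hits

def build_sample_xlsm() -> bytes:
    """Constructed test workbook: one benign string and one cell holding a base64 fake MZ blob."""
    fake_pe = b"MZ" + b"\x90" * 100  # constructed stand-in, not a real executable
    payload = base64.b64encode(fake_pe).decode()
    shared = ('<sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
              "<si><t>Compensation form</t></si><si><t>" + payload + "</t></si></sst>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/sharedStrings.xml", shared)
    return buf.getvalue()

if __name__ == "__main__":
    for part, preview in scan_workbook(build_sample_xlsm()):
        print(f"suspicious base64 PE payload in {part}: {preview}...")
```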
As of April 2025, two types of malware have been observed as part of the espionage campaign. The first is a .NET-based tool that stores a PowerShell script functioning as a reverse shell, which was sourced from a public GitHub repository (PSSW100AVB). The second piece of malware is classified as GIFTEDCROOK, an info-stealer written in C/C++ that, among its various functions, retrieves and archives sensitive data from popular web browsers such as Chrome, Edge, and Firefox. This includes browser cookies, browsing history, and saved authentication credentials, which are then compressed using the PowerShell Compress-Archive cmdlet and exfiltrated via Telegram.
This targeted cyber espionage activity is being tracked under the identifier UAC-0226. The phishing emails are being sent from compromised email accounts, including through webmail interfaces, according to CERT-UA.