UAC-0226, a cyber-espionage group known for its targeting of Ukrainian military, law enforcement, and local government entities, has upgraded its info-stealing malware Giftedcrook with intelligence gathering capabilities, according to a new report from cybersecurity firm Arctic Wolf.
The Computer Emergency Response Team of Ukraine (CERT-UA) first flagged Giftedcrook on April 4, 2025, and subsequent findings now confirm that the malware is part of a broader, coordinated digital espionage campaign that may involve multiple threat actors.
Giftedcrook was first observed in early development as a demo in February 2025 but quickly matured and was put into production by March. Since then, it has undergone continuous updates, with three distinct versions identified between April and June 2025.
While the original version of Giftedcrook focused on browser data theft, the next variant, version 1.2, introduced file system access, encrypted communications, and archive encryption. Version 1.3, the most recent and sophisticated, includes a targeted search for files modified in the last 45 days, suggesting a clear focus on obtaining fresh intelligence.
V1.3 comes with an expanded ability to exfiltrate a wide range of sensitive files, including recent documents, browser secrets, and potentially classified data from the systems of high-value targets. The malware’s deployment aligns closely with major geopolitical events, including the June 2 Ukraine peace negotiations in Istanbul.
The campaign involves spear-phishing emails with military mobilization and administrative fine themes. The malware’s infection chain typically begins with emails from spoofed addresses based in Uzhhorod and other Ukrainian cities; the emails contain PDF attachments linked to malicious cloud services.
In some observed campaigns, victims were led to download JavaScript files that deployed NetSupport RAT, a stealthy remote access tool known for its evasion of antivirus software and data theft capabilities.
Further investigation shows that the phishing campaigns strategically exploited Ukraine’s ongoing mobilization period, using societal and military stress points to enhance the credibility and success rate of the lures.