Mallory
Malware | Used by 2 actors | Exploits 1 CVE

GIFTEDCROOK

GIFTEDCROOK is a C/C++ information stealer used in cyber-espionage operations attributed to the Russia-aligned cluster UAC-0226, also tracked as Shadow-Earth-066, against Ukrainian targets. Reported victim sectors include military innovation hubs, armed forces units, law enforcement entities, and regional/state government institutions, particularly near Ukraine’s eastern border.

Observed delivery includes phishing emails with macro-enabled Excel (.xlsm) attachments using topical lures such as landmine clearance, administrative fines, drone production, and compensation for damaged property. The malicious spreadsheets contained base64-encoded payloads in cells; embedded macros decoded the payload, wrote an executable without a file extension, and launched it. Separate reporting also states UAC-0226 deployed updated GIFTEDCROOK samples via weaponized email campaigns exploiting the WinRAR path traversal vulnerability CVE-2025-8088 using malicious archives and Startup-folder placement.

GIFTEDCROOK is described as stealing browser data from Chrome, Microsoft Edge, and Mozilla Firefox, including saved credentials, cookies, browsing history, browser passwords, and session cookies. Reporting also states it targets VPN credentials, Telegram data, and documents/files, including files matching 35 extensions. Stolen data is archived with the PowerShell cmdlet Compress-Archive and exfiltrated via Telegram, including to an attacker-controlled Telegram chat. One report states the malware deletes itself from the compromised system after collecting credentials and documents.

Associated campaign activity also included deployment alongside a reverse shell/.NET tool embedding a PowerShell reverse shell script sourced from the public GitHub repository PSSW100AVB. High-confidence ATT&CK-relevant behaviors mentioned in the source material include spearphishing attachment delivery, PowerShell use, archive collected data, and exfiltration over web services via Telegram.
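The behaviours above (Excel launching an extension-less executable, PowerShell Compress-Archive staging, a non-Telegram process reaching the Telegram API) can be turned into host-level hunting logic. The sketch below is an added example, not a Mallory or vendor rule; it assumes Sysmon-style field names (Image, ParentImage, CommandLine, DestinationHostname) plus normalised EventType and Computer fields, and runs over constructed sample events.

```python
# Added detection sketch (not Mallory's or any vendor's rule). Scores
# Sysmon-style events for the GIFTEDCROOK chain: Excel -> extension-less
# child, Compress-Archive staging, Telegram API from a non-client process.
# Field names assume Sysmon; EventType/Computer are assumed normalised fields.
import ntpath
from collections import defaultdict

OFFICE_APPS = {"excel.exe", "winword.exe"}  # assumed Office parents of interest
POWERSHELL = {"powershell.exe", "pwsh.exe"}
TELEGRAM_HOSTS = {"api.telegram.org"}

def _base(path):
    return ntpath.basename(path or "").lower()

def match_rules(ev):
    """Return the behavioural rule names a single event matches."""
    hits, image, parent = [], _base(ev.get("Image")), _base(ev.get("ParentImage"))
    if ev.get("EventType") == "process_create":
        if parent in OFFICE_APPS and image and "." not in image:
            hits.append("office_spawns_extensionless_exe")  # macro-dropped payload
        if image in POWERSHELL and "compress-archive" in ev.get("CommandLine", "").lower():
            hits.append("powershell_compress_archive")  # staging before exfil
    elif ev.get("EventType") == "network_connect":
        if ev.get("DestinationHostname", "").lower() in TELEGRAM_HOSTS and image != "telegram.exe":
            hits.append("telegram_api_from_non_client")  # Telegram used for exfil
    return hits

def correlate(events):
    """Hosts with two or more distinct rule hits, i.e. more than one chain stage."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["Computer"]].update(match_rules(ev))
    return {h: sorted(r) for h, r in per_host.items() if len(r) >= 2}

# Constructed sample telemetry; paths and names are not real IoCs.
SAMPLE_EVENTS = [
    {"EventType": "process_create", "Computer": "WS-01", "CommandLine": "report",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Users\u\AppData\Local\Temp\report"},
    {"EventType": "process_create", "Computer": "WS-01",
     "ParentImage": r"C:\Users\u\AppData\Local\Temp\report",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden Compress-Archive -Path out -DestinationPath out.zip"},
    {"EventType": "network_connect", "Computer": "WS-01",
     "Image": r"C:\Users\u\AppData\Local\Temp\report", "DestinationHostname": "api.telegram.org"},
    {"EventType": "process_create", "Computer": "WS-02", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell Compress-Archive -Path logs -DestinationPath logs.zip"},
    {"EventType": "network_connect", "Computer": "WS-03", "DestinationHostname": "api.telegram.org",
     "Image": r"C:\Program Files\Telegram Desktop\Telegram.exe"},
]
```

Only WS-01 is escalated: WS-02's lone Compress-Archive and WS-03's Telegram client traffic each match at most one stage, which keeps single-rule noise out of the alert.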


EXPLOITED CVES

Vulnerabilities exploited

1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

CVE-2025-8088: WinRAR for Windows Path Traversal via NTFS Alternate Data Streams (exploited in the wild)

At least two Russia-aligned threat clusters have exploited a high-severity WinRAR flaw ... tracked as CVE-2025-8088 ... patched in WinRAR 7.13 in July 2025. CVE-2025-8088 is a path traversal vulnerability affecting the Windows version of WinRAR that allows attackers to execute arbitrary code. | Shadow-Earth-066 — tracked as UAC-0226 by Ukraine's Computer Emergency Response Team (CERT-UA) — used the vulnerability to deploy an updated version of the GiftedCrook information stealer, which collects credentials and documents and then deletes itself from the compromised system.

via Dark Reading (darkreading.com)
THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

Shadow-Earth-066

Shadow-Earth-066 — tracked as UAC-0226 by Ukraine's Computer Emergency Response Team (CERT-UA) — used the vulnerability to deploy an updated version of the GiftedCrook information stealer, which collects credentials and documents and then deletes itself from the compromised system.

via Dark Reading (darkreading.com)

UAC-0226

Same evidence as for Shadow-Earth-066 above (the same cluster under CERT-UA's name), via Dark Reading (darkreading.com).
MITRE ATT&CK

Techniques & procedures

10 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

2 techniques
T1078 Valid Accounts (Evidence: 1)

In at least one case, attackers used stolen credentials purchased from access brokers on darknet forums to move directly into targeted environments. This approach cuts the time between initial access and active exploitation, bypassing traditional phishing entirely.

T1566.001 Spearphishing Attachment (Evidence: 1)

both begin with weaponized emails ... Shadow-Earth-066 ... emails targets with lures that use military or government-related topics relevant to Ukraine with a malicious RAR archive included. ... Earth Dahu ... sends a spear-phishing email from a compromised government account that includes a weaponized archive containing documents crafted to appear legitimate.

Execution

1 technique
T1203 Exploitation for Client Execution (Evidence: 1)

CVE-2025-8088 is a path traversal vulnerability affecting the Windows version of WinRAR that allows attackers to execute arbitrary code. ... both Shadow-Earth-066 and Earth Dahu use different approaches to exploit CVE-2025-8088.

Persistence

3 techniques
T1078 Valid Accounts (Evidence: 1)

Evidence: as quoted under Initial Access (T1078).

T1547.001 Registry Run Keys / Startup Folder (Evidence: 1)

The archive abuses the WinRAR path traversal flaw so attackers can place a malicious shortcut (LNK) or payload in a Windows Startup location ... attackers can craft malicious archive files that write files ... into Windows Startup locations that enable code execution after login.

T1547.009 Shortcut Modification (Evidence: 1)

The archive abuses the WinRAR path traversal flaw so attackers can place a malicious shortcut (LNK) or payload in a Windows Startup location using NTFS Alternate Data Streams.

Privilege Escalation

3 techniques
T1078 Valid Accounts (Evidence: 1)

Evidence: as quoted under Initial Access (T1078).

T1547.001 Registry Run Keys / Startup Folder (Evidence: 1)

Evidence: as quoted under Persistence (T1547.001).

T1547.009 Shortcut Modification (Evidence: 1)

Evidence: as quoted under Persistence (T1547.009).

Stealth

3 techniques
T1070.004 File Deletion (Evidence: 1)

Shadow-Earth-066 ... used the vulnerability to deploy an updated version of the GiftedCrook information stealer, which collects credentials and documents and then deletes itself from the compromised system.

T1078 Valid Accounts (Evidence: 1)

Evidence: as quoted under Initial Access (T1078).

T1564.004 NTFS File Attributes (Evidence: 1)

The archive abuses the WinRAR path traversal flaw so attackers can place a malicious shortcut (LNK) or payload in a Windows Startup location using NTFS Alternate Data Streams.

Credential Access

2 techniques
T1539 Steal Web Session Cookie (Evidence: 1)

GiftedCrook ... harvests browser passwords, session cookies, and files matching 35 extensions.

T1555 Credentials from Password Stores (Evidence: 1)

GiftedCrook, a stealer designed for rapid credential and document theft that harvests browser passwords, session cookies, and files matching 35 extensions.

Collection

1 technique
T1005 Data from Local System (Evidence: 1)

GiftedCrook information stealer, which collects credentials and documents ... harvests browser passwords, session cookies, and files matching 35 extensions.
