GIFTEDCROOK’s Strategic Pivot: UAC-0226’s Espionage Surge Amid Ukraine’s Geopolitical Flashpoints

UAC-0226, a threat cluster tracked by CERT-UA, has intensified cyber-espionage operations against Ukrainian military, law enforcement, and government institutions since early 2025.

When spreadsheets moonlight as spies.


Have questions like this:

  • GIFTEDCROOK?
  • What are the specific Indicators of Compromise (IoCs) associated with GIFTEDCROOK infections?
  • Are there any known overlaps or shared infrastructure between UAC-0226 and other threat groups targeting Ukraine?

Does it take a chunk out of your day? Would you like help with the research?

This baseline report was thoughtfully researched and took 10 minutes. It's meant to be a rough draft for you to enhance with the unique insights that make you an invaluable analyst.

We just did the initial grunt work.




TL;DR

Key Points

    • UAC-0226 is conducting targeted cyber-espionage against Ukrainian military, law enforcement, and government entities, leveraging spear-phishing with macro-enabled Excel and signed RDP files.
    • Defenders should prioritize advanced phishing detection, user training, and EDR solutions tuned for GIFTEDCROOK behaviors and Telegram-based exfiltration.
    • GIFTEDCROOK malware has rapidly evolved from a browser data stealer to a multi-functional intelligence platform, now exfiltrating a broad range of sensitive files via encrypted Telegram bot channels.
    • Network monitoring for Telegram API traffic and strict access controls are critical to detect and contain ongoing intrusions.
    • Campaigns are closely aligned with Ukrainian geopolitical events, such as peace negotiations and martial law extensions, indicating strategic timing and adaptive social engineering.
    • Security teams should anticipate lures themed around current military and administrative developments and prepare incident response plans accordingly.

Executive Summary

UAC-0226, a threat cluster tracked by CERT-UA, has intensified cyber-espionage operations against Ukrainian military, law enforcement, and government institutions since early 2025. The group’s campaigns are tightly coupled with key geopolitical events, exploiting periods of heightened tension and administrative change to maximize impact.

The primary infection vectors are spear-phishing emails containing macro-enabled Excel attachments and signed RDP files, often themed around military mobilization and administrative fines. These lures are contextually tailored to Ukraine’s ongoing conflict and political climate, increasing their effectiveness.

Central to UAC-0226’s toolkit is the GIFTEDCROOK malware, which has evolved from a basic browser data stealer to a sophisticated intelligence-gathering platform. The latest version (v1.3) features targeted file collection (including .docx, .pdf, .ovpn), sleep evasion, and encrypted exfiltration via Telegram bot APIs. This technical evolution, combined with stealthy exfiltration methods, poses significant detection and response challenges.

The group’s operations have resulted in the compromise of sensitive data, including administrative documents and VPN configurations, potentially enabling persistent access and further intrusions. While explicit nation-state attribution remains unconfirmed, UAC-0226’s TTPs and targeting patterns are consistent with state-sponsored espionage.

Defensive recommendations include advanced phishing detection, continuous user awareness training, EDR deployment with behavioral detection for GIFTEDCROOK, network segmentation, and monitoring for Telegram-based exfiltration. Incident response plans should be tailored to espionage scenarios, with rapid containment and forensic capabilities.

Looking ahead, UAC-0226 is expected to further enhance GIFTEDCROOK’s capabilities, expand targeting, and refine social engineering in alignment with Ukraine’s evolving geopolitical landscape. Security teams should remain vigilant for new malware variants, increased phishing activity, and signs of lateral movement facilitated by RDP access. Proactive threat hunting, cross-agency intelligence sharing, and adoption of robust cybersecurity frameworks are essential to counter this persistent and adaptive threat.


Research & Attribution

Historical Context

UAC-0226 is a cyber-espionage group identified by the Computer Emergency Response Team of Ukraine (CERT-UA) as active since early 2025. The group intensified operations during Ukraine's peace negotiations and martial law extensions in 2025, leveraging heightened tensions and administrative changes to conduct targeted espionage.

Timeline

  • Early 2025:
    • UAC-0226 begins campaigns targeting Ukrainian military, law enforcement, and government institutions.
    • Deployment of GIFTEDCROOK malware via spear-phishing with macro-enabled Excel files and malicious RDP files.
  • Mid-2025:
    • GIFTEDCROOK evolves from a browser data stealer to a comprehensive intelligence-gathering platform.
    • Campaigns align with Ukraine's peace negotiations and martial law extensions, increasing targeting intensity.

Origin

UAC-0226 is attributed by CERT-UA to a threat cluster focused on Ukrainian institutions. The group employs sophisticated social engineering and malware techniques consistent with state-sponsored cyber-espionage actors, though explicit nation-state attribution remains unconfirmed. CERT-UA states, "The activity is aimed at military formations, law enforcement agencies, and local self-government bodies, particularly those located near Ukraine's eastern border." Attribution is based on observed TTPs and targeting patterns, with no direct public confirmation of a sponsoring nation.

Countries Targeted

  1. Ukraine – Primary target, focusing on military, law enforcement, and government sectors amid geopolitical tensions. As of July 2025, other targets are not publicly documented.

Sectors Targeted

  1. Military – Targeted for intelligence on defense operations and mobilization.
  2. Law Enforcement – Targeted for insights into internal security and policing.
  3. Government – Targeted for administrative and policy-related intelligence.
  4. Local Government – Especially in eastern Ukraine, to monitor regional governance.

Motivation

UAC-0226 is motivated by cyber-espionage, aiming to gather intelligence to influence or gain advantage in Ukraine's ongoing conflict and political negotiations. The group seeks sensitive information from military and government entities to support strategic decision-making by their sponsors.

Attack Types

  • Spear-phishing with macro-enabled Excel attachments and PDF lures referencing military mobilization and administrative topics.
  • Use of signed Remote Desktop Protocol (RDP) files to establish stealthy remote access.
  • Deployment of GIFTEDCROOK malware, which evolved from a browser data stealer to a multi-functional intelligence-gathering tool.
  • Exfiltration of stolen data via Telegram bot channels.
  • Social engineering tailored to Ukrainian geopolitical and military contexts.

Technical Evolution of GIFTEDCROOK Malware

  • Version 1.0: Stole browser data such as cookies, login data, and browsing history from Chrome, Edge, and Firefox.
  • Version 1.2: Expanded to targeted file collection based on extensions and modification dates, with encrypted archives for exfiltration.
  • Version 1.3: Combined previous capabilities, increased file modification window to 45 days, added sleep evasion techniques, and enhanced exfiltration via Telegram bots.

The malware uses social engineering lures themed around military conscription and administrative fines, exploiting the heightened mobilization context in Ukraine. Exfiltration via Telegram bot channels is notable for stealth and operational security.

Impact on Ukrainian Institutions

The campaigns have compromised sensitive data from Ukrainian military, law enforcement, and government bodies, potentially undermining operational security and strategic decision-making. The theft of OpenVPN configurations and administrative documents suggests the threat actor aims to maintain persistent access and conduct further intrusions.

Known Overlaps or Coordination

No direct links to other APT groups have been publicly confirmed. However, CERT-UA tracks similar clusters such as UAC-0219 and UAC-0200 targeting Ukraine with comparable tactics, indicating a multi-group threat environment. Shared email infrastructure with other malware campaigns suggests possible operational overlaps or coordinated targeting efforts.

Recommendations for Strategic Defense and Policy Responses

  • Implement advanced phishing detection and user training focused on macro-enabled attachments and RDP file risks.
  • Deploy Endpoint Detection and Response (EDR) solutions capable of detecting GIFTEDCROOK behaviors and anomalous RDP activity.
  • Monitor network traffic for Telegram API communications indicative of data exfiltration.
  • Enforce network segmentation and strict access controls to limit lateral movement.
  • Foster collaboration between CERT-UA, allied cybersecurity agencies, and private sector partners for intelligence sharing.
  • Conduct regular internal phishing simulations and promote a culture of security awareness.
  • Adopt cybersecurity frameworks such as NIST Cybersecurity Framework and CIS Controls to guide defense measures.
  • Prepare incident response plans tailored to espionage campaigns with rapid containment and forensic capabilities.
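One way to act on the Telegram-monitoring recommendation above (and on the Telegram bot exfiltration channel described under the malware's technical evolution) is to flag proxy log entries for POSTs to Telegram Bot API upload methods. This is an added example, not CERT-UA's or the author's code; the proxy log format, IP addresses and bot tokens are constructed.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Telegram Bot API requests take the form https://api.telegram.org/bot<token>/<method>, where
# <token> is "<numeric bot id>:<secret>". Upload methods are what an exfiltration channel uses.
TELEGRAM_API_HOST = "api.telegram.org"
BOT_PATH = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>\w+)$")
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendMessage"}

@dataclass
class Alert:
    src: str
    bot_id: str   # the numeric id is a reusable IoC; the token secret is deliberately not stored
    method: str
    bytes_out: int

def parse_proxy_line(line):
    """Constructed proxy format: '<src_ip> <http_method> <url> <status> <bytes_out>'."""
    src, http_method, url, status, bytes_out = line.split()
    return src, http_method, url, int(status), int(bytes_out)

def detect_telegram_exfil(lines, min_bytes=0):
    """Return one Alert per POST to a Telegram bot upload method found in the proxy log."""
    alerts = []
    for line in lines:
        src, http_method, url, _status, bytes_out = parse_proxy_line(line)
        parts = urlsplit(url)
        if parts.hostname != TELEGRAM_API_HOST:
            continue  # web.telegram.org and unrelated hosts are not bot traffic
        m = BOT_PATH.match(parts.path)
        if not m or m.group("method") not in UPLOAD_METHODS or http_method != "POST":
            continue  # getUpdates/getMe polling is ordinary bot behaviour, not an upload
        if bytes_out < min_bytes:
            continue  # optional size threshold to suppress small status messages
        alerts.append(Alert(src, m.group("bot_id"), m.group("method"), bytes_out))
    return alerts

# Constructed sample log lines (IPs, hosts and bot tokens are made up).
SAMPLE_LOG = [
    "10.20.30.40 POST https://api.telegram.org/bot123456789:AAFakeSecret_constructed/sendDocument 200 5242880",
    "10.20.30.40 GET https://api.telegram.org/bot123456789:AAFakeSecret_constructed/getUpdates 200 512",
    "10.20.30.41 GET https://web.telegram.org/a/ 200 1200",
    "10.20.30.42 POST https://files.example.com/upload 200 9000000",
    "10.20.30.43 POST https://api.telegram.org/bot987654321:BBOtherFake-secret/sendMessage 200 300",
]
if __name__ == "__main__":
    for a in detect_telegram_exfil(SAMPLE_LOG):
        print(f"{a.src} -> bot {a.bot_id} {a.method} ({a.bytes_out} bytes out)")
```

In production the source list would be proxy or TLS-inspection logs; where only DNS or SNI is visible, the host match alone still gives a useful hunting lead.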

Similar Threat Actor Groups

  1. UAC-0219 – CERT-UA-tracked cluster targeting Ukrainian institutions with similar phishing and malware tactics.
  2. UAC-0200 – CERT-UA-tracked cluster conducting cyber-espionage operations against Ukrainian critical infrastructure and government.

Recommendations, Actions, Suggested Pivots, Forecasts and Next Steps

(Subscribers Only)
