GIFTEDCROOK’s Strategic Pivot From Browser Stealer to Data Exfiltration Platform During Critical Ukraine Negotiations
Analysis of early files from February 2025 suggests that the GIFTEDCROOK project began as a demo during that period. It subsequently matured and was put into production in March 2025, with new capabilities continuously being developed and added since then.
Recent campaigns in June 2025 demonstrate GIFTEDCROOK’s enhanced ability to exfiltrate a broad range of sensitive documents from the devices of targeted individuals, including potentially proprietary files and browser secrets. This shift in functionality, together with the content of its phishing lures and attack timings that coincide with critical geopolitical events such as June’s Ukraine peace negotiations hosted in Istanbul, suggests a strategic focus on intelligence gathering from Ukrainian governmental and military entities.
Of additional interest is the fact that we’ve observed shared email infrastructure with other malware campaigns, indicating a multi-pronged approach by different threat groups targeting Ukraine.
Key Findings:
- Versions: We found three evolutionary versions of GIFTEDCROOK between April and June 2025
- Primary delivery mechanism: Spear-phishing emails with military-themed PDF lures
- Targets: Ukrainian governmental and military institutions
- Data exfiltration: Telegram bot channels
- Infrastructure: Email delivery infrastructure overlaps with other groups’ operations
To read the complete article, see: GIFTEDCROOK Strategic Pivot.