Cybersecurity experts have uncovered an alarming escalation in cyber-espionage operations targeting Ukrainian critical sectors, as outlined in CERT-UA’s latest alert, CERT-UA#14303.
The campaign, attributed to the UAC-0226 hacking group, leverages a sophisticated C/C++-based stealer called GIFTEDCROOK to infiltrate systems, steal sensitive data, and exfiltrate it via covert channels.
The operation has been active since February 2025, with a primary focus on Ukrainian military innovation hubs, armed forces, law enforcement bodies, and regional government institutions, particularly those near the country’s eastern border.
.png
)
Stealthy Infection Chain Exploiting Phishing
The UAC-0226 group employs classic phishing tactics to initiate the infection process.
Malicious emails are distributed via compromised accounts, deploying macro-enabled Excel files (.xlsm) as weaponized attachments.
These documents use socially-engineered lure topics, such as landmine clearance, drone production, compensation for damaged property, and administrative fines, to entice targets into opening them.
These Excel files conceal base64-encoded payloads within seemingly harmless cells, which are executed when embedded macros are triggered.
The macros decode the payload into executable files that are saved without file extensions and executed on the victim’s system, bypassing basic security controls. Such tactics allow attackers to infiltrate systems with minimal detection.
GIFTEDCROOK: A Data-Stealing Threat
The CERT-UA#14303 alert identifies two distinct malware variants utilized in these espionage campaigns.
The first is a .NET-based tool embedding a PowerShell reverse shell script, sourced from the public GitHub repository PSSW100AVB.
The second, and more advanced, is GIFTEDCROOK, a C/C++-based stealer designed to harvest sensitive browser-related data such as cookies, browsing history, and saved credentials from browsers including Chrome, Edge, and Firefox.
Once collected, the data is compressed using PowerShell’s Compress-Archive cmdlet and exfiltrated using Telegram as a communication channel.
This mechanism ensures the stolen data is transmitted discreetly while bypassing conventional network monitoring defenses, often using DNS queries to abuse Telegram’s services as a command-and-control (C2) mechanism.
To counter these attacks, cybersecurity professionals are advised to strengthen their defenses by implementing detection and hunting solutions.
The SOC Prime Platform offers a collection of Sigma rules tailored to address the tactics and techniques employed by UAC-0226, aligning with the MITRE ATT&CK® framework.
These rules are compatible with various SIEM, EDR, and Data Lake solutions, providing actionable intelligence to detect adversarial activity.
According to the Report, Security teams can explore the SOC Prime Detection-as-Code platform using tags such as “CERT-UA#14303” and “UAC-0226” to locate relevant content.
Additionally, Uncoder AI, a private AI solution for detection engineering, can convert indicators of compromise (IOCs) from the CERT-UA alert into actionable queries, enabling defenders to proactively monitor SIEM or EDR systems for suspicious activity linked to UAC-0226.
The latest UAC-0226 campaign leverages multiple MITRE ATT&CK techniques to achieve persistent access and exfiltration.
These include spear-phishing attachments (T1566.001) for initial access, command and scripting interpreter abuse using PowerShell and Visual Basic (T1059.001 and T1059.005) for execution, and compressed data exfiltration over web services (T1567).
Sigma rules specifically address these techniques, enabling defenders to detect suspicious behavior across their environments.
Given that phishing emails often originate from compromised accounts, system administrators are urged to scrutinize email and web server logs for anomalies.
Reviewing and enhancing email security policies, such as strict attachment scanning, and implementing multi-factor authentication (MFA) for email accounts are critical steps.
Additionally, proactive employee awareness training can help mitigate the risk posed by malicious attachments.
With cyber-espionage activity escalating in the region, particularly targeting Ukraine, continuous vigilance and effective use of detection technologies are paramount in disrupting attackers’ operations.
As adversaries like UAC-0226 refine their tactics, technical defenses and collaboration within the global cybersecurity community will play an essential role in safeguarding critical sectors.
Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!
