CyberSecurity news
SC Staff@scmagazine.com
A new cyberespionage campaign, attributed to the hacking group UAC-0226, is actively targeting Ukrainian organizations. The campaign, ongoing since February 2025, focuses on stealing sensitive information from military formations, law enforcement agencies, and local government bodies, particularly those near the country's eastern border with Russia. The hackers are exploiting trust by impersonating Ukrainian state agencies and drone manufacturers in their attacks.
The UAC-0226 group employs spear-phishing tactics, using malicious macro-enabled Microsoft Excel files (.xlsm) as the primary attack vector. These files often reference sensitive topics such as landmine clearance, administrative fines, drone production, and compensation for destroyed property. When a file is opened and macros are enabled, it deploys malware, including a PowerShell script and a new stealer malware dubbed GIFTEDCROOK. GIFTEDCROOK is designed to steal browser data such as cookies, browsing history, and saved passwords from Chrome, Edge, and Firefox, and then exfiltrate it via Telegram.
CERT-UA (Computer Emergency Response Team of Ukraine) has issued warnings and recommendations to remain vigilant against these attacks. They advise system administrators and security teams to enhance email and web server log monitoring to identify and mitigate malicious activity, especially phishing attempts originating from compromised accounts. CERT-UA has been tracking this activity since February, but has not yet attributed the campaign to any known hacker group.
References:
- The Hacker News: UAC-0226 Deploys GIFTEDCROOK Stealer via Malicious Excel Files Targeting Ukraine
- www.scworld.com: Ukraine subjected to new cyberespionage campaign
- The Record: Hackers impersonating drone manufacturers have targeted Ukraine’s armed forces, law enforcement agencies and local government bodies — especially those near the country’s eastern border, close to Russia.
- cyberpress.org: GIFTEDCROOK: New Stealer Malware Hits Government Agencies to Steal Sensitive Data
Classification:
- HashTags: #CyberEspionage #Ukraine #Malware
- Company: CERT-UA
- Target: Ukrainian Organizations
- Attacker: UAC-0226
- Product: Excel
- Feature: Malware Deployment
- Malware: GIFTEDCROOK
- Type: Espionage
- Severity: Medium