GIFTEDCROOK’s Strategic Pivot: From Browser Stealer to Data Exfiltration Platform During Critical Ukraine Negotiations
ID: 3ab2ab52-d3d9-5c57-9ecc-f239089f5eb8
STIX ID: report--3ab2ab52-d3d9-5c57-9ecc-f239089f5eb8
Feed Name: Arctic Wolf Blog
Arctic Wolf Labs documents GIFTEDCROOK, an evolving infostealer attributed to UAC-0226, detailing its progression from browser credential theft to targeted document and browser-secret exfiltration (v1 → v1.2 → v1.3). The campaign uses spear-phishing PDFs that link to OLE/macro lures, drops PE implants that collect files (filtered by extension, size, and modification date), encrypts the resulting archives, and exfiltrates them to Telegram bots; the report includes hashes, Telegram bot tokens, file paths, a YARA rule, and recommended detections and mitigations.
