CERT-UA, the Ukrainian cybersecurity watchdog, has issued a warning about a highly sophisticated espionage campaign aimed at military innovation centers, law enforcement bodies, and local government offices across Ukraine.
The threat actor, tracked as UAC-0226, lures targets with fake government-themed documents. The goal is simple: deliver malware that exfiltrates data through Telegram and remote command-and-control (C2) servers.
According to CERT-UA, the campaign has been active since at least February of this year and uses social engineering and malicious Excel macros to deploy a stealer known as GIFTEDCROOK.
The attackers start by sending phishing emails that look like real messages from Ukrainian governmental institutions. The purported email topics include administrative fines, UAV (unmanned aerial vehicle) product catalogs, demining plans, and compensation reports for destroyed property.
The trick is that each email carries an .xlsm file (a macro-enabled Excel workbook) with embedded Visual Basic for Applications (VBA) macros. The lure text asks the recipient to enable macros, which is what allows the embedded code to run.
If the target does so, the macros decode base64 strings hidden in spreadsheet cells and write the result to disk as an executable with no file extension, a small trick that sidesteps controls keyed on the .exe extension and makes the file less conspicuous.
CERT-UA's advisory lists the filenames of the fake Excel documents observed in this campaign.
Once launched, the macro drops the file into a hidden directory such as %PROGRAMDATA%\Svchost\ (a name that mimics the legitimate Windows service host process, svchost.exe) and executes it. CERT-UA identified two distinct payload types:
1. PowerShell Reverse Shell
A .NET executable launches the PowerShell script kpbkewf32mm.ps1, which connects out to a C2 server and opens a reverse shell, giving the attackers remote command execution on the infected host.
2. GIFTEDCROOK Stealer
Written in C/C++, this stealer harvests browser data from Chrome, Firefox, and Edge, including cookies, saved passwords, and browsing history. The collected data is compressed into an archive and exfiltrated to the attackers via Telegram.
CERT-UA's advisory also lists the on-disk paths associated with the stealer.
CERT-UA has urged organizations and companies to apply the mitigation steps set out in its advisory.
Silviu is a seasoned writer who has followed the technology world for almost two decades, covering topics ranging from software to hardware and everything in between.