Hackers Are Using Macros and Telegram to Steal Data from Government Organizations in Ukraine

Silviu STAHIE

April 07, 2025


CERT-UA, the Ukrainian cybersecurity watchdog, has issued a warning about a highly sophisticated espionage campaign aimed at military innovation centers, law enforcement bodies, and local government offices across Ukraine.

The suspected threat actor, tracked as UAC-0226, has been distributing fake government-themed documents. The goal is simple: deliver malware that exfiltrates information through Telegram and remote command-and-control (C2) servers.

According to CERT-UA, the campaign has been active since at least February of this year and uses social engineering and malicious Excel macros to deploy a stealer known as GIFTEDCROOK.

Macros with a Mission

The attackers start by sending phishing emails that look like real messages from Ukrainian governmental institutions. The purported email topics include administrative fines, UAV (unmanned aerial vehicle) product catalogs, demining plans, and compensation reports for destroyed property.

The trick is that each email contains an .xlsm file (a macro-enabled Excel spreadsheet), which has embedded Visual Basic for Applications (VBA) macros. Users are asked to enable macros and run the file.

If the target does so, these macros decode base64-encoded strings hidden in spreadsheet cells. The decoded content is written to disk as an executable file without a visible extension, which helps the attackers avoid detection.

The fake Excel documents observed in this campaign include filenames such as:

  • Defender ARMY (2).xlsm
  • Administrative fines 31.03 of employees.xlsm
  • Compensation for destroyed property.xlsm
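The two traits described above (a VBA project embedded in the workbook, and spreadsheet cells carrying long base64 strings that decode to a Windows executable) can both be checked statically without opening the file in Excel. The following is an added example, not CERT-UA's or Bitdefender's code: it unpacks an .xlsm as the ZIP container it is, looks for `xl/vbaProject.bin`, and decodes any base64-looking shared or inline strings to see whether they start with an `MZ` header. The sample workbook is constructed in memory for the demonstration; the 200-character threshold and the `MZ` check are my choices.

```python
"""Static triage of a macro-enabled workbook (.xlsm).

Added example (not from the article, CERT-UA or Bitdefender). Flags a workbook
that both embeds a VBA project and stores a base64-encoded Windows executable
in a cell, the combination the campaign write-up describes.
"""
import base64
import io
import re
import zipfile
from dataclasses import dataclass, field
from xml.etree import ElementTree as ET

SS_NS = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"
# Assumption: a payload worth hiding is at least ~150 bytes, i.e. 200+ base64 chars.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{200,}={0,2}$")


@dataclass
class XlsmTriage:
    has_vba_project: bool = False
    # (index of the string in the workbook, decoded length in bytes)
    suspicious_cells: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.has_vba_project and bool(self.suspicious_cells)


def _cell_texts(zf: zipfile.ZipFile):
    """Yield text from the shared-string table and from inline-string cells."""
    names = zf.namelist()
    if "xl/sharedStrings.xml" in names:
        root = ET.fromstring(zf.read("xl/sharedStrings.xml"))
        for si in root.iter(f"{SS_NS}si"):
            yield "".join(t.text or "" for t in si.iter(f"{SS_NS}t"))
    for name in names:
        if name.startswith("xl/worksheets/") and name.endswith(".xml"):
            root = ET.fromstring(zf.read(name))
            for c in root.iter(f"{SS_NS}c"):
                if c.get("t") == "inlineStr":
                    yield "".join(t.text or "" for t in c.iter(f"{SS_NS}t"))


def triage_xlsm(data: bytes) -> XlsmTriage:
    """Inspect raw .xlsm bytes; never executes anything from the file."""
    result = XlsmTriage()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        result.has_vba_project = "xl/vbaProject.bin" in zf.namelist()
        for idx, text in enumerate(_cell_texts(zf)):
            compact = re.sub(r"\s+", "", text)
            if not B64_RE.match(compact):
                continue
            try:
                decoded = base64.b64decode(compact, validate=True)
            except ValueError:
                continue
            if decoded[:2] == b"MZ":  # DOS/PE header: a Windows executable
                result.suspicious_cells.append((idx, len(decoded)))
    return result


def build_sample_xlsm(with_macro: bool, payload: bytes) -> bytes:
    """Constructed minimal workbook: one shared string holding base64(payload)."""
    ns = SS_NS[1:-1]
    sst = (f'<sst xmlns="{ns}" count="1" uniqueCount="1">'
           f"<si><t>{base64.b64encode(payload).decode()}</t></si></sst>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/sharedStrings.xml", sst)
        zf.writestr("xl/worksheets/sheet1.xml", f'<worksheet xmlns="{ns}"/>')
        if with_macro:
            # Placeholder OLE header; a real vbaProject.bin is an OLE2 container.
            zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_xlsm(True, b"MZ" + b"\x00" * 300)
    print(triage_xlsm(sample))
```

A hit on both checks at once is a strong mail-gateway or sandbox signal; either alone (macros in a legitimate finance workbook, or a long base64 blob that is just an embedded image) is common enough that it should only raise the score, not block on its own.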

GIFTEDCROOK in Action

Once launched, the macro drops a file into a hidden directory like %PROGRAMDATA%\Svchost\ and executes it. CERT-UA identified two distinct payload types:

1. PowerShell Reverse Shell

A .NET-based executable runs the PowerShell script kpbkewf32mm.ps1 that immediately connects to a C2 server, opening a reverse shell. This permits attackers to execute commands on the infected computer remotely.

2. GIFTEDCROOK Stealer

Written in C/C++, this malware extracts browser data from Chrome, Firefox, and Edge—including cookies, saved passwords, and browsing history. Everything is compressed and sent to the attacker via Telegram or over the Internet.

Sample stealer storage locations include:

  • %PROGRAMDATA%\Windows Telemetry\
  • %PROGRAMDATA%\SysAnalyzer\
  • %TMP%\nmpoyqv5l0ig\status.zip

CERT-UA has urged organizations and companies to take the following steps:

  • Audit email and web server logs for unauthorized access or email activity
  • Disable macro execution by default
  • Isolate and inspect systems
  • Monitor outbound traffic for signs of unauthorized compression or upload behavior
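The last recommendation, watching outbound traffic for upload behaviour, is concrete enough to sketch as a hunt over endpoint network telemetry. The following is an added example, not CERT-UA's or Bitdefender's code: it scores each connection on three signals drawn from the article, a process running from one of the drop directories named above, an unusually large POST, and traffic to the Telegram Bot API host from something that is not a Telegram client or browser. The log format and sample lines are constructed; the assumption that the stealer reaches Telegram through `api.telegram.org` is mine, the article only says data leaves via Telegram.

```python
"""Hunt for stealer-style uploads in endpoint network telemetry.

Added example (not from the article, CERT-UA or Bitdefender). The CSV format
below is constructed; adapt the column names to your EDR or proxy export.
"""
import csv
import io
from pathlib import PureWindowsPath

# Assumption: exfiltration via Telegram means the Bot API host.
TELEGRAM_API_HOST = "api.telegram.org"
KNOWN_TELEGRAM_CLIENTS = {"telegram.exe", "chrome.exe", "firefox.exe", "msedge.exe"}
# Drop directories under %PROGRAMDATA% named in the CERT-UA advisory.
SUSPICIOUS_PARENT_DIRS = {"svchost", "windows telemetry", "sysanalyzer"}
LARGE_UPLOAD_BYTES = 512 * 1024  # tuning knob, not a value from the article

# Constructed sample telemetry: four connections from two workstations.
SAMPLE_LOG = """\
ts,host,process_path,dest_host,method,bytes_out
2025-04-01T09:12:03Z,WS-017,C:\\Program Files\\Telegram Desktop\\Telegram.exe,api.telegram.org,POST,4210
2025-04-01T09:14:55Z,WS-017,C:\\ProgramData\\Svchost\\update,api.telegram.org,POST,1843200
2025-04-01T09:15:10Z,WS-022,C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe,mail.example.gov.ua,POST,3120
2025-04-01T09:16:41Z,WS-022,C:\\ProgramData\\SysAnalyzer\\svc,203.0.113.45,POST,2621440
"""


def classify(row: dict) -> list:
    """Return the list of detection reasons for one connection record."""
    reasons = []
    path = PureWindowsPath(row["process_path"])
    proc = path.name.lower()
    parent = path.parent.name.lower()
    bytes_out = int(row["bytes_out"])
    if row["dest_host"] == TELEGRAM_API_HOST and proc not in KNOWN_TELEGRAM_CLIENTS:
        reasons.append("telegram-api-from-unexpected-process")
    if parent in SUSPICIOUS_PARENT_DIRS and "programdata" in str(path).lower():
        reasons.append("process-in-known-drop-dir")
    if row["method"] == "POST" and bytes_out >= LARGE_UPLOAD_BYTES:
        reasons.append("large-upload")
    return reasons


def hunt(log_text: str) -> list:
    """Return (ts, host, process_path, reasons) for every record that fires."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        reasons = classify(row)
        if reasons:
            hits.append((row["ts"], row["host"], row["process_path"], reasons))
    return hits


if __name__ == "__main__":
    for ts, host, proc, why in hunt(SAMPLE_LOG):
        print(f"{ts} {host} {proc}: {', '.join(why)}")
```

Run on the sample, the legitimate Telegram Desktop and Chrome connections produce no reasons, while the two processes running out of the ProgramData drop directories fire on every applicable signal. In production the three reasons are better summed into a score than used as independent alerts: a large upload by itself is normal for file shares and mail, and a single signal from a process in a known drop directory is the one worth paging on.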

Author


Silviu STAHIE

Silviu is a seasoned writer who followed the technology world for almost two decades, covering topics ranging from software to hardware and everything in between.