Obfuscation Without Effort: Breaking a GIFTEDCROOK Stealer
Essential information
- Published: 13/04/2026 17:03
- Modified: 13/04/2026 15:18
- Source / Author: AlienVault
- Confidence: 100/100
- Report type(s): threat-report
- Labels / Tags: cve-2025-6218, cve-2025-8088, data exfiltration, giftedcrook, phishing campaign, powershell payload, rc4 encryption, stealer, ukraine targeting, winrar exploitation
- Tags: 2026-04-13, CVE-2025-6218, CVE-2025-8088, data exfiltration, giftedcrook, phishing campaign, powershell payload, rc4 encryption, stealer, ukraine targeting, winrar exploitation
- Related entities: 2 vulnerabilities (cve), 4 indicators, 4 observables, 1 intrusion sets (apt), 20 techniques (mitre), 1 malware, 2 others
Description
A fresh GIFTEDCROOK stealer variant was identified as part of a UAC-0226 campaign targeting Ukraine. Initial access leverages CVE-2025-6218 and CVE-2025-8088 through a weaponized RAR archive containing a decoy PDF themed around military registry information. The attack chain uses an LNK file to execute obfuscated PowerShell code that decodes and deploys the payload. The stealer uses RC4 encryption to protect the stolen data, splits exfiltration into 133KB segments, and reconstructs its C2 communication at runtime. Despite heavy obfuscation, including useless function calls, random variables, and noise, the malware follows a straightforward execution flow: it generates seed cookies, dispatches functions, encrypts data with RC4 using the key 'JtyIQxPND8G', and exfiltrates the stolen information over HTTP to the command-and-control server. The architecture demonstrates effective simplicity rather than sophisticated complexity.
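As an added analyst-side example (not code from the report or from the malware), the following Python script strips the RC4 layer from captured exfiltration chunks and reassembles them. The key is the one named above; the byte value of "133KB", the absence of any framing around the ciphertext, and whether the keystream restarts for each chunk are assumptions, so both keystream modes are supported.

```python
"""Decrypt and reassemble RC4-encrypted exfiltration chunks (constructed example).

Assumptions: key b"JtyIQxPND8G" as reported, chunk size 133 * 1024 bytes (the
report only says "133KB"), no framing around the ciphertext, and an unknown
keystream mode (one stream for the whole upload, or a fresh stream per chunk).
"""
from typing import Iterator, List

RC4_KEY = b"JtyIQxPND8G"   # key named in the report
CHUNK_SIZE = 133 * 1024     # assumed byte value of "133KB"


def rc4_keystream(key: bytes) -> Iterator[int]:
    """Yield RC4 keystream bytes for `key` (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def split_chunks(data: bytes, size: int = CHUNK_SIZE) -> List[bytes]:
    """Split a byte string into fixed-size segments (the last may be shorter)."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def decrypt_chunks(chunks: List[bytes], key: bytes = RC4_KEY,
                   per_chunk: bool = False) -> bytes:
    """Reassemble captured chunks (in upload order) and remove the RC4 layer.

    per_chunk=False: one keystream spans the whole upload (encrypt, then split).
    per_chunk=True:  the keystream restarts for every chunk (split, then encrypt).
    """
    if per_chunk:
        return b"".join(rc4(key, c) for c in chunks)
    return rc4(key, b"".join(chunks))


if __name__ == "__main__":
    # Constructed sample: ~300 KB of fake stolen data, encrypted then chunked.
    sample = b"CONSTRUCTED-SAMPLE:" + bytes(range(256)) * 1200
    captured = split_chunks(rc4(RC4_KEY, sample))
    print(len(captured), "chunks; recovered:", decrypt_chunks(captured) == sample)
```

If the recovered data is garbage in one mode, try the other before concluding the key or chunk boundaries are wrong.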