{
  "Event": {
    "analysis": "1",
    "date": "2026-04-09",
    "extends_uuid": "",
    "info": "[Threat Intel] Obfuscation Without Effort: Breaking a GIFTEDCROOK Stealer",
    "protected": false,
    "publish_timestamp": "1776462983",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1776462983",
    "uuid": "cbc0930f-eecd-4554-ac35-ba4cf777699f",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#47d9d3",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#5539fe",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Attachment - T1566.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#7d7034",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"",
        "relationship_type": ""
      },
      {
        "colour": "#ff841f",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Application Layer Protocol - T1071\"",
        "relationship_type": ""
      },
      {
        "colour": "#68f2ff",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Data from Local System - T1005\"",
        "relationship_type": ""
      },
      {
        "colour": "#a92e1c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"",
        "relationship_type": ""
      },
      {
        "colour": "#43c8db",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Process Injection - T1055\"",
        "relationship_type": ""
      },
      {
        "colour": "#f4b62b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Time Based Checks - T1497.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Archive Collected Data - T1560\"",
        "relationship_type": ""
      },
      {
        "colour": "#bf01b7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Modify Registry - T1112\"",
        "relationship_type": ""
      },
      {
        "colour": "#adf1b0",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Proxy - T1090\"",
        "relationship_type": ""
      },
      {
        "colour": "#20f80d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Command and Scripting Interpreter - T1059\"",
        "relationship_type": ""
      },
      {
        "colour": "#1cbe6b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Virtualization/Sandbox Evasion - T1497\"",
        "relationship_type": ""
      },
      {
        "colour": "#3780c6",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"User Execution - T1204\"",
        "relationship_type": ""
      },
      {
        "colour": "#a9f8b1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over C2 Channel - T1041\"",
        "relationship_type": ""
      },
      {
        "colour": "#755c09",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#1b95cd",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#356c41",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Encrypted Channel - T1573\"",
        "relationship_type": ""
      },
      {
        "colour": "#92e858",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#e4d611",
        "local": false,
        "name": "misp-galaxy:target-information=\"Ukraine\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:threat-actor=\"UAC-0226\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#110041",
        "local": false,
        "name": "rectifyq:sub-category=\"malware-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#f1dfed",
        "local": false,
        "name": "rectifyq:TA-category=\"APT\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#31373d",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"not-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:region=\"150 - Europe\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"GIFTEDCROOK\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776135627",
        "to_ids": false,
        "type": "link",
        "uuid": "c51e89f9-40ba-45c7-9817-f4a6c21b90f8",
        "value": "https://blog.synapticsystems.de/obfuscation-without-effort-breaking-a-uac-0226-giftedcrook-stealer/"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776135627",
        "to_ids": false,
        "type": "text",
        "uuid": "a94535c3-53bc-453c-b5bf-494ac6876b33",
        "value": "A fresh GIFTEDCROOK stealer variant was identified as part of a UAC-0226 campaign targeting Ukraine. Initial access leverages the WinRAR vulnerabilities CVE-2025-6218 and CVE-2025-8088 via a weaponized RAR archive containing a decoy PDF themed around military registry information. The attack chain uses an LNK file to execute obfuscated PowerShell that decodes and deploys the payload. The stealer RC4-encrypts collected data before exfiltration, splits the upload into 133KB chunks, and reconstructs its C2 communication details at runtime. Despite heavy obfuscation (no-op function calls, randomly named variables, and junk code), the execution flow is straightforward: generate seed cookies, dispatch functions, RC4-encrypt the data with the hard-coded key 'JtyIQxPND8G', and exfiltrate it over HTTP(S) to the command-and-control server (the C2 URL recorded in this event uses HTTPS on port 8406). Because the RC4 key is static and known, captured exfiltration traffic can be decrypted offline. The architecture demonstrates effective simplicity rather than sophisticated complexity."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776135627",
        "to_ids": false,
        "type": "text",
        "uuid": "54fffaf9-0de6-46e9-b47c-e4b4dbcef02a",
        "value": "Name: Obfuscation Without Effort: Breaking a GIFTEDCROOK Stealer\nAuthor: AlienVault\nAdversary: UAC-0226\nTags: [\"cve-2025-8088\", \"data exfiltration\", \"cve-2025-6218\", \"stealer\", \"ukraine targeting\", \"winrar exploitation\", \"phishing campaign\", \"giftedcrook\", \"powershell payload\", \"rc4 encryption\"]\nTgtd countries: [\"Ukraine\"]\nMlwr families: [\"GIFTEDCROOK\"]\nAttack_ids: [\"T1204.002\", \"T1566.001\", \"T1082\", \"T1071\", \"T1005\", \"T1140\", \"T1055\", \"T1497.003\", \"T1560\", \"T1112\", \"T1090\", \"T1059\", \"T1497\", \"T1204\", \"T1041\", \"T1059.001\", \"T1566\", \"T1027\", \"T1573\", \"T1071.001\"]\nIndustries: [\"Government\"]"
      },
      {
        "category": "Attribution",
        "comment": "Adversary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776352516",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "e7023166-88a6-4e28-9456-2c5a363ca06b",
        "value": "UAC-0226",
        "Tag": [
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:threat-actor=\"UAC-0226\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776135627",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "f4502a20-7e4e-4a10-8e8e-34bd18b1f675",
        "value": "CVE-2025-6218"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776135627",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "912d24f8-dbf1-4b0a-9e77-b34763beb55b",
        "value": "CVE-2025-8088"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776401452",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "691fb7fd-1e8d-4adc-8ad7-94548f3fb2fc",
        "value": "136.0.141.138",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776401473",
        "to_ids": true,
        "type": "url",
        "uuid": "c36c27eb-91e5-49e4-97f6-fa118323c837",
        "value": "https://136.0.141.138:8406/rcv/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1776401494",
        "uuid": "b29a2181-211e-4da0-82f1-248d1e87745d",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1776401494",
            "to_ids": true,
            "type": "md5",
            "uuid": "0953b554-700e-4c31-b70b-abcc18ae9986",
            "value": "c0b73ff43312d442260328a8cefdf3b6",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1776399316",
            "to_ids": true,
            "type": "sha1",
            "uuid": "79084e0f-b3c1-481c-9899-368a298b5cb8",
            "value": "4528d5cf07bf0e1ac769b390236cab1bf34b938c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1776399316",
            "to_ids": true,
            "type": "sha256",
            "uuid": "c110a4dd-f54e-424b-8e4e-2d7280096e3a",
            "value": "2a8ea9f1ad8936fb302243faa64b91c5767df411923715cbdb1a869e3bfd7e6d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1776398257",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "0f734c87-41d3-41d2-8826-24156e63d13b",
            "value": "24576:bPAwUTHcrdwpcqHbCof0fAY1PDtTS1BJk+aVCK9o9y2rht5qJRX5DVgvJV6J:rJUTHcJwpovAY1PDZS1BJk+g8trZq7/m"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1776398257",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "4ee00615-88ee-4e81-a217-7b29dfca8538",
            "value": "1117696"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1776398257",
            "to_ids": true,
            "type": "vhash",
            "uuid": "e5987f99-f757-49d2-9309-df42e1f4e4be",
            "value": "116066655d755d0550a2z122z76uz226z1"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1776398257",
            "to_ids": true,
            "type": "filename",
            "uuid": "7f869175-07b4-4968-8d0f-a141ed22840e",
            "value": "2a8ea9f1ad8936fb302243faa64b91c5767df411923715cbdb1a869e3bfd7e6d.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 2026-04-17\nLast scan: 2026-04-13",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1776398257",
            "to_ids": false,
            "type": "text",
            "uuid": "e2e825f0-2bb2-41b7-b620-2e1585a392d0",
            "value": "Type Description: Win32 DLL\nMicrosoft: Trojan:Win32/Wacatac.B!ml\nVT Total Detection:37/72\nFirst Submission:2026-04-09T20:37:17.000000+00:00\nLast Submission:2026-04-11T03:18:37.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1776401515",
        "uuid": "efd7daf0-8c0d-46d2-a08a-2ba70fed96df",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1776401515",
            "to_ids": true,
            "type": "md5",
            "uuid": "4ae07c90-c092-4061-a954-f1efd53613d8",
            "value": "2af0a6135df3502a7f6de4d2de6db73b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1776399316",
            "to_ids": true,
            "type": "sha1",
            "uuid": "889b3118-787f-4b5b-8916-f773239427e3",
            "value": "b1c4a94df23638d70dae45f3193a64a6b036056d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1776399317",
            "to_ids": true,
            "type": "sha256",
            "uuid": "4d9e0e30-126c-4f31-8432-d8cf0c610bdf",
            "value": "7200a9f1e1ea51b66ab9c9274e9d8f805633179634e8ff4dcb8ef82bc02518df",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1776398278",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "277ad1d1-a077-4387-8821-c0c0cd94e691",
            "value": "12288:uLGfum7l/F2gOla3Wvej9xwyOiduNAgYwi7wGK/VpLTru+n08k/Iow4EmQeSary:u9m7j5mv1yzsi7wGK/VpLTa+nI/I/hma"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1776398278",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "67abbb00-04bc-4a8c-ad23-10e548646d3f",
            "value": "749270"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1776398278",
            "to_ids": true,
            "type": "filename",
            "uuid": "ed91b282-0447-4ea7-8920-12f8d74dcb8f",
            "value": "7200a9f1e1ea51b66ab9c9274e9d8f805633179634e8ff4dcb8ef82bc02518df.rar"
          },
          {
            "category": "Other",
            "comment": "Checked: 2026-04-17\nLast scan: 2026-04-17",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1776398278",
            "to_ids": false,
            "type": "text",
            "uuid": "e23e5972-521c-40ca-9205-440f19b6454c",
            "value": "Type Description: RAR\nMicrosoft: Trojan:Win32/Egairtigado!rfn\nVT Total Detection:29/65\nFirst Submission:2026-04-09T09:20:07.000000+00:00\nLast Submission:2026-04-10T06:13:02.000000+00:00"
          }
        ]
      }
    ]
  }
}