GIFTEDCROOK Attack Chain Uses WinRAR ADS and Reflective Loading to Target Browser Data


A newer GIFTEDCROOK attack chain tied to UAC-0226 uses weaponized WinRAR archives, NTFS Alternate Data Streams, a Startup-folder shortcut, and reflective loading to run an information stealer on Windows systems.

The campaign focuses on Ukrainian military-related targets and uses a Ukrainian reconnaissance-themed decoy PDF to make the archive look legitimate. A Synaptic Security analysis says the archive silently drops a PowerShell loader, an encoded payload, and a malicious shortcut that gives the malware persistence.

The updated chain shows how UAC-0226 has moved from simpler document-based delivery toward a more layered loader. Once active, GIFTEDCROOK can collect browser credentials, cookies, Firefox profile data, VPN files, KeePass databases, documents, and other sensitive files.

How the GIFTEDCROOK Chain Starts

The infection begins with a RAR archive that shows the victim a decoy PDF named in Ukrainian. The lure refers to reconnaissance and UAV-related content, which fits the campaign’s military-focused targeting.

Behind the visible PDF, the archive contains hidden paths that abuse NTFS Alternate Data Streams and traversal sequences. This lets the archive place files outside the expected extraction folder.

Trend Micro links this technique to CVE-2025-8088, a WinRAR vulnerability involving NTFS Alternate Data Streams. The issue lets a malicious archive write files to unintended locations when opened with a vulnerable WinRAR version.

Stage           | Component                               | Purpose
Initial access  | Weaponized RAR archive                  | Shows a decoy PDF while hiding malicious archive entries
Persistence     | Startup-folder LNK file                 | Runs the chain when the user logs in again
Execution       | PowerShell loader in C:\ProgramData\WC3 | Reads and decodes the staged payload
Payload staging | Encoded file in C:\ProgramData\wt1      | Hides the final in-memory loader and stealer
Final payload   | GIFTEDCROOK                             | Collects browser data, documents, and sensitive files

WinRAR ADS Abuse Places Malware in Startup

The key change in this chain is the use of WinRAR ADS-based path traversal. The victim sees a normal-looking PDF, but the archive also writes hidden components to C:\ProgramData and the Windows Startup folder.

The Startup shortcut launches cmd.exe, which in turn starts hidden PowerShell commands. Those commands read the WC3 file from C:\ProgramData and execute its contents through IEX (the Invoke-Expression cmdlet).

This means the victim does not need to manually launch a suspicious executable. The archive plants the shortcut in a location that Windows uses automatically at login.

Why CVE-2025-8088 Matters

CVE-2025-8088 matters because it turns an archive file into a delivery vehicle for persistence. Attackers can use a decoy document to distract the victim while the archive writes hidden files into sensitive locations.

Trend Micro’s report says WinRAR before version 7.13 did not properly sanitize traversal sequences in ADS names. That allowed crafted RAR5 archives to write files outside the intended extraction directory.

WinRAR has already patched the issue, but the campaign shows why old archiving tools remain a serious security risk. WinRAR does not update itself automatically in many environments, so vulnerable versions can stay installed for months.

  • Update WinRAR to version 7.13 or later.
  • Block unknown RAR archives from email where possible.
  • Monitor archive extraction followed by Startup folder writes.
  • Inspect unexpected files created under C:\ProgramData.
  • Restrict PowerShell execution on high-risk endpoints.

UAC-0226 Has Targeted Ukrainian Organizations Since 2025

UAC-0226 is not a new activity cluster. Ukraine’s computer emergency response team has tracked the group since February 2025, with targets including Ukrainian military formations, law enforcement agencies, military innovation hubs, and local government bodies.

The original CERT-UA advisory described phishing messages sent from compromised email accounts. Those earlier campaigns used malicious Excel files with payloads stored inside spreadsheet cells.

GIFTEDCROOK was one of the malware families used in that earlier activity. At the time, the stealer focused heavily on browser data from Chrome, Edge, and Firefox, then archived the stolen information and sent it out through attacker-controlled channels.

PowerShell Loader Decodes a Headerless Payload

The newer chain uses a PowerShell loader stored as C:\ProgramData\WC3. The file is heavily padded with junk code, random names, meaningless output calls, and unused functions to make analysis harder.

After cleanup, the relevant logic is more direct. The loader waits, reads C:\ProgramData\wt1, subtracts 72 from each byte, copies the decoded data into memory, changes memory permissions, and starts execution at a fixed offset.

The Synaptic Security report says the decoded payload is a headerless PE image. It does not begin with the normal MZ header that many tools expect when parsing Windows executables.
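As an added example (not code from Synaptic Security or from the campaign), the Python helper below reverses the byte transform described above on a constructed sample and reports whether the result carries a normal MZ/PE header or looks like the headerless image the report describes. The marker-string heuristic for "headerless" and the sample bytes are assumptions, not values from the real wt1 file.

```python
"""Triage helper for the staged file described above (C:\ProgramData\wt1).
Added example, not code from Synaptic Security or from the campaign: it reverses
the loader's byte transform on an in-memory copy and reports whether the result
is a normal PE image or the headerless image the report describes. The string
heuristic used for "headerless" is an assumption, not something the page states."""
import struct
from typing import List, Tuple

DECODE_SUB = 72  # per-byte subtraction taken from the decoded loader logic

# Assumption: a headerless image still carries plaintext import/export names
# once decoded; the page names the mapper export Main.dll!Func.
MARKERS = [b"Main.dll", b"kernel32.dll", b"LoadLibraryA", b"GetProcAddress", b"VirtualAlloc"]

def decode_staged(data: bytes) -> bytes:
    """Apply the loader's transform: each output byte is (b - 72) mod 256."""
    return bytes((b - DECODE_SUB) & 0xFF for b in data)

def classify_image(blob: bytes) -> Tuple[str, List[str]]:
    """'pe' for a well-formed MZ/PE header, 'headerless' when there is no MZ
    header but loader-like strings are present, otherwise 'unknown'."""
    if len(blob) >= 0x40 and blob[:2] == b"MZ":
        e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
        if blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "pe", []
    hits = [m.decode() for m in MARKERS if m in blob]
    if blob[:2] != b"MZ" and hits:
        return "headerless", hits
    return "unknown", hits

def triage(data: bytes) -> dict:
    """Decode a staged blob and summarise what the result looks like."""
    decoded = decode_staged(data)
    kind, hits = classify_image(decoded)
    return {"size": len(decoded), "has_mz": decoded[:2] == b"MZ", "kind": kind, "markers": hits}

# Constructed stand-in for a headerless image, stored the way the loader expects
# (each byte +72 mod 256). These are not bytes from the real wt1 file.
PLAIN_SAMPLE = b"\x55\x8b\xec" + b"kernel32.dll\x00LoadLibraryA\x00Main.dll\x00Func\x00" + b"\x90" * 16
SAMPLE_WT1 = bytes((b + DECODE_SUB) & 0xFF for b in PLAIN_SAMPLE)

if __name__ == "__main__":
    print(triage(SAMPLE_WT1))
```

Because the real payload has no MZ header, tools that stop at the DOS-header check report nothing; the decoded bytes still have to be examined as a raw image.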

Reflective Loading Makes File-Based Detection Harder

The decoded payload includes a custom reflective mapper exported as Main.dll!Func. Its job is to rebuild a working DLL in memory without writing a normal DLL back to disk.

The mapper validates the custom header, resolves Windows APIs, allocates memory, copies sections, resolves imports, applies relocations, sets permissions, and then calls the DLL entry point.

This approach reduces the value of simple file-based detection. Security tools that rely only on scanning normal executable files on disk may miss the important stage because the payload becomes valid only after it is reconstructed in memory.

Technique               | ATT&CK Area     | Defensive Focus
Phishing attachment     | Initial access  | Detect suspicious RAR files from email and webmail
Startup folder shortcut | Persistence     | Alert on new LNK files in Startup paths
PowerShell execution    | Execution       | Monitor IEX, hidden windows, and bypass flags
Obfuscated payload      | Defense evasion | Inspect unusual extensionless files in ProgramData
Reflective loading      | Defense evasion | Detect memory allocation followed by execution

What GIFTEDCROOK Steals

Once loaded, GIFTEDCROOK searches for browser and file data that can support espionage. It targets Chromium-based browsers such as Chrome, Edge, and Opera, along with Firefox profile files.

For Chromium-based browsers, the malware looks for Login Data, Cookies, Network\Cookies, Local State, and related profile files. The presence of CryptUnprotectData usage is consistent with attempts to decrypt DPAPI-protected browser secrets.

For Firefox, the malware searches for files such as logins.json, key3.db, key4.db, and cookies.sqlite. It also scans for documents, email files, archives, OpenVPN profiles, KeePass databases, Java KeyStores, and image files.

  • Chrome, Edge, and Opera login data
  • Chromium cookies and session files
  • Firefox login and cookie databases
  • Documents, spreadsheets, PDFs, and email files
  • OpenVPN profiles and KeePass databases
  • ZIP, RAR, 7Z, and other archive files

The New Chain Builds on Earlier GIFTEDCROOK Activity

Earlier research from Arctic Wolf Labs found that GIFTEDCROOK evolved from a basic browser data stealer into a broader intelligence-gathering tool. That shift included stronger document collection and targeting aligned with Ukrainian government and military interests.

The latest WinRAR-based chain continues that evolution. Instead of relying only on macro-enabled documents, the actor now uses archive exploitation, Startup persistence, staged PowerShell execution, and reflective in-memory loading.

[Figure: Decoded loader (Source: Synaptic Security)]

The result is a more complete intrusion path. The lure document still matters, but the delivery chain now focuses more heavily on stealth, persistence, and bypassing traditional file inspection.

The C2 Detail Needs Careful Interpretation

Some reports list 142.111.194[.]73:8640 and the /dj5FZEiLnA/ path as command-and-control infrastructure. That indicator is important, but the role described in the technical analysis is more specific.

Synaptic Security found that the PowerShell loader sends four 32-bit status values to that endpoint after the thread exits. The values appear to give the operator mapper telemetry, such as whether allocation, imports, relocations, or entry execution worked.

That means defenders should monitor the endpoint, but should not treat it as the only possible destination for stolen data. The loader telemetry and final data theft logic are separate parts of the chain.

Key Indicators of Compromise

Security teams should prioritize behavioral detection because filenames, hashes, and staging paths can change quickly. Still, the current chain includes useful indicators for immediate hunting.

The most important file paths include C:\ProgramData\WC3, C:\ProgramData\wt1, and the Startup shortcut ThJRq_6uEj.lnk. The chain also creates a staging directory and ZIP archive under the user profile.

[Figure: IIM Comparison View in Kraken (Source: Synaptic Security)]

Network monitoring should include the defanged 142.111.194[.]73:8640 indicator and the /dj5FZEiLnA/ path. Teams should also review PowerShell activity that reads from C:\ProgramData and executes content through IEX.

Type       | Indicator                                                               | Meaning
File path  | C:\ProgramData\WC3                                                      | Obfuscated PowerShell loader
File path  | C:\ProgramData\wt1                                                      | Encoded staged payload
File path  | %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\ThJRq_6uEj.lnk  | Startup persistence shortcut
File path  | %USERPROFILE%\qhGQKHaADCeIZe2UoRub.zip                                  | Likely local staging archive
Network    | 142.111.194[.]73:8640                                                   | Loader telemetry endpoint
Decoy file | взвод розвідки.pdf                                                      | Ukrainian reconnaissance-themed lure

How Defenders Can Reduce Exposure

The fastest defensive step is to remove vulnerable WinRAR versions. Endpoints should run WinRAR 7.13 or later, and organizations should verify this through software inventory rather than relying on users to update manually.

Security teams should also block or isolate suspicious archive attachments, especially RAR files sent from external or compromised accounts. The earlier CERT-UA alert noted that UAC-0226 used compromised accounts to make phishing messages look more legitimate.

Detection rules should look for hidden PowerShell execution, ExecutionPolicy Bypass, IEX reading local files, unexpected C:\ProgramData writes, and LNK creation in Startup folders. These behaviors are more durable than individual hashes.
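As an added example that is not a vendor rule, the Python below scores constructed Sysmon-style events against the behaviors listed in this paragraph and in the ATT&CK table above: hidden PowerShell with ExecutionPolicy Bypass, IEX reading a file under C:\ProgramData, LNK creation in a Startup folder, and extensionless files written directly under C:\ProgramData. The field names follow Sysmon, but the EventType field, the sample events, the command lines and the explorer.exe-parent assumption are all constructed here.

```python
"""Behavioral triage for the GIFTEDCROOK chain described on this page. Added example,
not a vendor rule: field names follow Sysmon, events and EventType are constructed."""
import re
from typing import Dict, List

# Loose on purpose: PowerShell accepts abbreviated switches (-w hidden, -ep bypass).
PS_PATTERNS = {
    "hidden_window": re.compile(r"-w\w*\s+hid", re.I),
    "execpolicy_bypass": re.compile(r"-e\w*\s+bypass", re.I),
    "iex_from_programdata": re.compile(
        r"(?:iex|invoke-expression)\b.*programdata|programdata.*\|\s*(?:iex|invoke-expression)\b", re.I),
}
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)
PROGRAMDATA_NOEXT = re.compile(r"^C:\\ProgramData\\[^\\.]+$", re.I)  # extensionless, top level

def score_event(ev: Dict[str, str]) -> List[str]:
    """Return the names of the chain behaviors a single event exhibits."""
    hits: List[str] = []
    if ev.get("EventType") == "ProcessCreate":
        image, cmd = ev.get("Image", "").lower(), ev.get("CommandLine", "")
        if image.endswith(("powershell.exe", "pwsh.exe")):
            hits += [name for name, rx in PS_PATTERNS.items() if rx.search(cmd)]
        # Assumption: Startup LNKs are launched by explorer.exe, so the chain's
        # cmd.exe -> PowerShell hop appears with explorer.exe as the parent.
        if (image.endswith("cmd.exe") and "powershell" in cmd.lower()
                and ev.get("ParentImage", "").lower().endswith("explorer.exe")):
            hits.append("startup_cmd_to_powershell")
    elif ev.get("EventType") == "FileCreate":
        target = ev.get("TargetFilename", "")
        if STARTUP_LNK.search(target):
            hits.append("startup_lnk_created")
        if PROGRAMDATA_NOEXT.match(target):
            hits.append("programdata_extensionless_file")
    return hits

def triage(events: List[Dict[str, str]]) -> List[List[str]]:
    """Score every event; a host with hits in more than one category deserves a look."""
    return [score_event(e) for e in events]

# Constructed sample events whose paths mirror the indicators listed on the page.
SAMPLE_EVENTS = [
    {"EventType": "FileCreate", "TargetFilename": r"C:\ProgramData\wt1"},
    {"EventType": "FileCreate", "TargetFilename": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ThJRq_6uEj.lnk"},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'cmd.exe /c powershell -w hidden -ep bypass -c "IEX (Get-Content C:\ProgramData\WC3 -Raw)"'},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": r'powershell -w hidden -ep bypass -c "IEX (Get-Content C:\ProgramData\WC3 -Raw)"'},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "CommandLine": r"powershell -File C:\Scripts\inventory.ps1"},
    {"EventType": "FileCreate", "TargetFilename": r"C:\ProgramData\Vendor\app.log"},
]
```

The last two sample events are benign controls: a scheduled inventory script and a vendor log under a ProgramData subfolder produce no hits, while the chain's own events each hit at least one category.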

Why This Campaign Matters

GIFTEDCROOK’s continued development shows how espionage-focused malware can evolve quickly when earlier tradecraft still works. The actor kept the same basic objective, but changed the delivery and execution chain to avoid easier detection.

Arctic Wolf Labs previously described GIFTEDCROOK’s shift toward broader intelligence collection. The WinRAR ADS chain adds another step in that progression by improving persistence and in-memory execution.

For organizations in Ukraine and allied environments, the lesson is clear. Patching archive tools, restricting PowerShell, and monitoring Startup folder changes should sit alongside email security and endpoint detection because this campaign uses all of those surfaces together.

FAQ

What is GIFTEDCROOK?

GIFTEDCROOK is an information-stealing malware family used in UAC-0226 campaigns. It targets browser credentials, cookies, Firefox profile files, documents, VPN profiles, KeePass databases, and other sensitive data.

How does the new GIFTEDCROOK chain use WinRAR?

The chain uses a malicious RAR archive that abuses NTFS Alternate Data Streams and path traversal to drop files into C:\ProgramData and place a shortcut in the Windows Startup folder.

Which WinRAR vulnerability is involved?

The technique maps to CVE-2025-8088, a WinRAR path traversal issue involving NTFS Alternate Data Streams. Users should update WinRAR to version 7.13 or later.

Why is reflective loading dangerous?

Reflective loading lets malware rebuild and run a payload directly in memory without writing a normal executable or DLL to disk. This can make simple file-based detection less effective.

How can organizations detect this attack chain?

Organizations should monitor Startup folder LNK creation, hidden PowerShell execution, IEX commands, unusual C:\ProgramData files, suspicious WinRAR extraction behavior, and connections to known telemetry or command infrastructure.
