TRENDING TOPICS JUNE 30, 2025

Update: GIFTEDCROOK Stealer Rapidly Evolves to Support Targeted Cyber Espionage in Ukraine 

GIFTEDCROOK, attributed to the threat group UAC-0226, has undergone a rapid transformation from a basic browser data stealer into a more advanced intelligence-gathering tool designed for targeted espionage. Early versions focused solely on stealing browser credentials and cookies, with stolen data exfiltrated through Telegram bot channels. By June 2025, newer versions (1.2 and 1.3) introduced expanded functionality, including the ability to harvest a broader set of sensitive documents and system files, specifically those created or modified within the last 45 days. The malware targets a wide range of file types, including office documents, emails, compressed archives, and VPN configuration files. These versions compress the stolen files into encrypted ZIP archives before exfiltration and have raised the per-file size limit to 7 MB.

The delivery method centers on highly tailored spear-phishing emails using military-themed lures, often referencing real Ukrainian locations or administrative actions to lend credibility. Victims are tricked into downloading a malicious Excel file from a hosted Mega link; once the file is opened and macros are enabled, it silently drops and executes the malware. The campaigns are carefully timed to coincide with critical geopolitical events, including the Istanbul peace negotiations and the extension of martial law in Ukraine, suggesting a deliberate effort to exploit national-level vulnerabilities during periods of strategic distraction.

Beyond stealing data, GIFTEDCROOK is engineered to maintain persistence and avoid detection. It splits large archive payloads into smaller parts to bypass network inspection and deletes itself from the host system after execution. Arctic Wolf’s analysis also identified shared infrastructure with campaigns using NetSupport RAT, suggesting broader coordination or tool reuse across operations. 
The malware’s focus on harvesting administrative documents, internal reports, and VPN credentials indicates a shift toward strategic reconnaissance, enabling future intrusions or broader compromise. For organizations handling sensitive internal information—especially within Ukraine’s public sector—the threat posed by GIFTEDCROOK extends well beyond individual compromise to national-level operational exposure. 
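The collection behaviour described above (recent documents and VPN configs, a 45-day window, a 7 MB per-file cap, archives split into parts) can be turned into a host-side behavioural rule. The following is an added example, not code from the report or from Arctic Wolf; the extension list, the split-archive naming, the event schema and the sample events are assumptions constructed for the demo.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed extension set: the report names the categories (office documents,
# emails, archives, VPN configs), not the exact extensions the stealer uses.
DOC_EXTS = {".docx", ".xlsx", ".pdf", ".pst", ".eml", ".zip", ".rar", ".ovpn", ".conf"}
ARCHIVE_PARTS = (".zip", ".z01", ".z02", ".001", ".002")  # split-archive naming, assumed
MAX_AGE = timedelta(days=45)    # collection window stated in the report
MAX_SIZE = 7 * 1024 * 1024      # 7 MB per-file limit stated in the report

def matches_collection_filter(path, mtime, size, now):
    """True if a file falls inside the stealer's collection window as described."""
    dot = path.rfind(".")
    ext = path[dot:].lower() if dot != -1 else ""
    return ext in DOC_EXTS and now - mtime <= MAX_AGE and size <= MAX_SIZE

def flag_collectors(events, now, min_reads=10):
    """PIDs that read >= min_reads in-window files and also wrote archive parts."""
    reads, wrote_parts = defaultdict(set), set()
    for ev in events:
        if ev["op"] == "read" and matches_collection_filter(ev["path"], ev["mtime"], ev["size"], now):
            reads[ev["pid"]].add(ev["path"])
        elif ev["op"] == "write" and ev["path"].lower().endswith(ARCHIVE_PARTS):
            wrote_parts.add(ev["pid"])
    return sorted(pid for pid, paths in reads.items()
                  if len(paths) >= min_reads and pid in wrote_parts)

# Constructed sample file-activity events (hypothetical host, hypothetical paths).
NOW = datetime(2025, 6, 30)

def _ev(pid, op, path, days_old=1, size=4096):
    return {"pid": pid, "op": op, "path": path,
            "mtime": NOW - timedelta(days=days_old), "size": size}

SAMPLE_EVENTS = (
    # pid 4242: 12 in-window reads, then two split-archive parts -> flagged
    [_ev(4242, "read", f"C:\\Users\\u\\Documents\\report{i}.docx") for i in range(8)]
    + [_ev(4242, "read", "C:\\Users\\u\\vpn\\office.ovpn"),
       _ev(4242, "read", "C:\\Users\\u\\Mail\\inbox.eml"),
       _ev(4242, "read", "C:\\Users\\u\\Documents\\old.xlsx", days_old=90),      # outside 45 days
       _ev(4242, "read", "C:\\Users\\u\\Documents\\big.pdf", size=9_000_000),   # above 7 MB
       _ev(4242, "read", "C:\\Users\\u\\Documents\\a.pdf"),
       _ev(4242, "read", "C:\\Users\\u\\Documents\\b.pst")]
    + [_ev(4242, "write", f"C:\\Users\\u\\AppData\\Local\\Temp\\out.z0{i}") for i in (1, 2)]
    # pid 100: a backup agent reading many files, all older than the window -> not flagged
    + [_ev(100, "read", f"D:\\archive\\old{i}.docx", days_old=200) for i in range(20)]
    # pid 7: one document and one zip, ordinary user activity -> not flagged
    + [_ev(7, "read", "C:\\Users\\u\\Documents\\x.docx"), _ev(7, "write", "C:\\Users\\u\\x.zip")]
)
```

`flag_collectors(SAMPLE_EVENTS, NOW)` returns `[4242]`; the threshold and window are the knobs to tune against a baseline of legitimate backup and sync agents.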

Update: DragonForce Evolves into a Sophisticated Ransomware-as-a-Service Threat 

DragonForce has emerged as a highly advanced ransomware operation, transitioning from a politically motivated hacktivist group into a full-fledged Ransomware-as-a-Service (RaaS) platform since late 2023. Initially known for targeting ideological adversaries, the group now focuses entirely on financial gain, leveraging a modular toolkit that lets affiliates tailor attacks to specific victim environments. Its infrastructure is built on a heavily customized version of the leaked LockBit 3.0 builder, enhanced with stealth-oriented encryption algorithms, customizable payload builders, and multilingual victim portals. DragonForce has successfully hit critical sectors, including manufacturing, finance, and retail, across North America, Europe, and Asia. Its RaaS model promotes aggressive tactics by offering revenue-sharing tiers, access to affiliate control panels, and integration with a proprietary leak site that pressures victims into paying.

Technically, DragonForce stands out for its use of advanced evasion and persistence mechanisms that complicate detection and response. The ransomware employs intermittent encryption, encrypting files at irregular intervals and so breaking traditional behavior-based detection models. It also uses the Bring Your Own Vulnerable Driver (BYOVD) method to disable EDR and XDR protections, allowing the malware to operate at the kernel level. To maintain long-term access, the group deploys SystemBC—a backdoor that encrypts command-and-control communications and supports stealthy reconnaissance. The malware is also equipped with anti-sandbox logic to avoid analysis, making reverse engineering and incident response more difficult. DragonForce’s shift into a mature, technically advanced RaaS model has made it a top-tier threat, especially for industries with distributed infrastructure and limited visibility into endpoint activity. 
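Why intermittent encryption defeats a whole-file entropy check, and what a per-chunk check sees instead, as an added example that is not DragonForce code or anyone's detection product. The partially "encrypted" sample is a constructed stand-in (alternate 4 KiB chunks overwritten with random bytes, nothing is actually encrypted); the chunk size and the entropy thresholds are assumptions.

```python
import math
import os
from collections import Counter

CHUNK = 4096  # chunk size for the per-chunk check (assumed; tune per environment)

def entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def simulate_intermittent(plain, every=2):
    """Constructed stand-in for intermittent encryption: every `every`-th chunk
    is replaced with random bytes, the rest is left intact. Not real encryption."""
    out = bytearray(plain)
    for i in range(0, len(out), CHUNK):
        if (i // CHUNK) % every == 0:
            out[i:i + CHUNK] = os.urandom(len(out[i:i + CHUNK]))
    return bytes(out)

def chunk_entropies(data):
    return [entropy(data[i:i + CHUNK]) for i in range(0, len(data), CHUNK)]

def whole_file_looks_encrypted(data, high=7.5):
    """The naive check: one entropy value over the whole file."""
    return entropy(data) >= high

def looks_intermittently_encrypted(data, high=7.5, low=5.5):
    """Per-chunk check: flag when a substantial share of chunks are near-random
    while other chunks still look like ordinary content."""
    ents = chunk_entropies(data)
    if not ents:
        return False
    hi = sum(e >= high for e in ents) / len(ents)
    lo = sum(e <= low for e in ents)
    return lo > 0 and 0.2 <= hi <= 0.8

# Constructed sample document: repetitive text, ~92 KB, i.e. 23 chunks.
PLAIN = b"Quarterly report: revenue steady, costs flat, headcount unchanged. " * 1400
PARTIAL = simulate_intermittent(PLAIN)   # alternate chunks overwritten

def demo():
    """(whole-file verdict, per-chunk verdict) for the partially encrypted sample."""
    return whole_file_looks_encrypted(PARTIAL), looks_intermittently_encrypted(PARTIAL)
```

`demo()` returns `(False, True)`: the whole-file entropy of the half-random sample stays well under 7.5 bits per byte, while the per-chunk view shows near-random chunks interleaved with plain ones.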

A campaign attributed with medium confidence to the China-based threat group Silver Fox is targeting Chinese-speaking users by impersonating trusted software brands, including WPS Office, DeepSeek, and Sogou. The attackers have built convincing phishing websites that mimic legitimate download pages to distribute malicious installers. These installers execute the real software alongside malware, creating a false sense of legitimacy while quietly delivering Sainbox RAT—a modified Gh0stRAT variant enhanced with rootkit functionality borrowed from the open-source Hidden project. The infection is triggered through MSI or PE files, depending on the impersonated software, using DLL sideloading and reflective injection to bypass detection. The initial loader (Shine[.]exe) runs a fake Chromium library (libcef[.]dll), which activates shellcode embedded in a hidden text file and loads the main malicious DLL, Install[.]dll, without alerting the user.

Once deployed, Sainbox RAT establishes persistence through Windows registry changes and drops a rootkit driver named “Sainbox” via the NtLoadDriver API. This driver conceals malware activity by hiding files, processes, and registry entries, and it actively defends itself against termination by security software. These techniques provide long-term access and stealth, enabling data exfiltration, additional malware staging, and full system control. The campaign stands out for its use of legitimate open-source tools to reduce development costs while delivering advanced capabilities. By abusing widely trusted Chinese software brands and leveraging social engineering through realistic spoofed installers, Silver Fox effectively combines low-cost tooling with high-impact outcomes, demonstrating how user trust remains one of the most exploitable security gaps.
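The three host behaviours described above (a sideloaded libcef.dll next to the loader, registry-based persistence, and a driver load named "Sainbox") map onto Sysmon ImageLoad (Event ID 7), RegistryEvent (Event ID 13) and DriverLoad (Event ID 6) records. The triage below is an added example, not the report's or any vendor's detection logic; the trusted-directory list, the Run-key fragments and the sample events are constructed assumptions, and the file names reuse the report's defanged indicators.

```python
# Assumed trust boundaries for this example: directories where a legitimate
# libcef.dll would normally live, and the Run/RunOnce key fragments to watch.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
RUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")

def triage(event):
    """Return finding strings for one Sysmon-style event; empty list if benign."""
    findings = []
    eid = event["EventID"]
    if eid == 7:  # ImageLoad: a DLL mapped into a process
        loaded = event["ImageLoaded"].lower()
        if loaded.endswith("\\libcef.dll"):
            if not loaded.startswith(TRUSTED_DIRS):
                findings.append(f"libcef.dll loaded from untrusted path by {event['Image']}")
            if event.get("Signed", "false").lower() != "true":
                findings.append("unsigned libcef.dll (a genuine Chromium library is signed)")
    elif eid == 13:  # RegistryEvent: value set
        if any(k in event["TargetObject"].lower() for k in RUN_KEYS):
            findings.append(f"Run-key persistence: {event['TargetObject']} -> {event['Details']}")
    elif eid == 6:  # DriverLoad
        driver = event["ImageLoaded"].lower()
        if "sainbox" in driver or event.get("Signed", "false").lower() != "true":
            findings.append(f"suspicious driver load: {event['ImageLoaded']}")
    return findings

def triage_all(events):
    """Map event index -> findings, keeping only events that produced findings."""
    result = {}
    for i, ev in enumerate(events):
        f = triage(ev)
        if f:
            result[i] = f
    return result

# Constructed sample events (hypothetical host and paths).
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": "C:\\Users\\u\\Downloads\\WPS_Setup\\Shine.exe",
     "ImageLoaded": "C:\\Users\\u\\Downloads\\WPS_Setup\\libcef.dll", "Signed": "false"},
    {"EventID": 7, "Image": "C:\\Program Files\\Vendor\\app.exe",
     "ImageLoaded": "C:\\Program Files\\Vendor\\libcef.dll", "Signed": "true"},
    {"EventID": 13, "Image": "C:\\Users\\u\\Downloads\\WPS_Setup\\Shine.exe",
     "TargetObject": "HKU\\S-1-5-21-EXAMPLE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "Details": "C:\\Users\\u\\AppData\\Roaming\\Shine.exe"},
    {"EventID": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\Sainbox.sys", "Signed": "false"},
    {"EventID": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys", "Signed": "true"},
]
```

`triage_all(SAMPLE_EVENTS)` reports events 0, 2 and 3 and stays silent on the signed libcef.dll under Program Files and the signed tcpip.sys, which is the false-positive behaviour to check before deploying a rule like this.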

💡
Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.