New GIFTEDCROOK Chain Abuses WinRAR ADS and Reflective Loading to Steal Browser Data

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer


A newly documented attack chain tied to threat actor group UAC-0226 is putting Windows users at serious risk.

The campaign uses booby-trapped WinRAR archives, hidden file streams, and a sophisticated memory-loading technique to deliver GIFTEDCROOK, a stealer malware designed to quietly drain browser credentials, cookies, and sensitive documents from infected machines.

The attack has shown a clear focus on Ukrainian military-related personnel, using convincing lure documents designed to appear as internal military records.

The infection begins with what looks like a normal WinRAR archive, but hidden inside is far more than a simple document.

Using a feature called Alternate Data Streams (ADS), the attackers conceal multiple files inside the archive, including a decoy PDF and a shortcut file (LNK) that quietly drops its contents into key system locations when opened.

The victim opens what appears to be a legitimate military document, never realizing the real attack has already begun silently running in the background.

Analysts at Synaptic Security, who shared their findings in a report with Cyber Security News (CSN), identified the full attack chain while tracking UAC-0226 tooling activity.

According to the report, the chain runs from the initial RAR archive through a decoy PDF, a shortcut file, obfuscated PowerShell scripts, an additively encoded payload, and finally the GIFTEDCROOK stealer.

Decoded loader (Source – Seynaptic Security)

The archive drops two files onto the system: a heavily obfuscated PowerShell loader into C:\ProgramData\WC3 and the encoded final payload into C:\ProgramData\wt1.

A startup shortcut placed in the Windows Startup folder ensures GIFTEDCROOK runs automatically every time the user logs back in, giving the attacker persistent access with no further effort required.

Once fully active, GIFTEDCROOK moves quietly across the infected machine. It targets browsers like Google Chrome, Microsoft Edge, Opera, and Firefox, pulling login data, cookies, and saved session files.

The malware also searches for VPN profiles, KeePass databases, and email files, collecting everything into a ZIP archive before sending it off to attacker-controlled infrastructure.

New GIFTEDCROOK Chain Abuses WinRAR ADS

The attack relies on a combination of WinRAR Alternate Data Streams and reflective PE loading to deliver GIFTEDCROOK while staying hidden from most security tools.

The ADS feature allows the archive to carry invisible extra files alongside the visible decoy PDF, so extracting the archive silently places multiple malicious components onto the victim’s machine without raising any obvious alarms.

The PowerShell loader inside WC3 is buried under thousands of lines of junk code, random function names, and irrelevant output calls designed to confuse analysis tools.

The actual execution logic reads the encoded payload from wt1, decodes it by subtracting 72 from each byte, and loads the result directly into memory using low-level Windows API calls, completely avoiding a recognizable executable file on disk.

IIM Comparison View in Kraken (Source – Seynaptic Security)

The decoded payload is a custom headless PE file, meaning it lacks the standard header that security scanners normally look for.

A dedicated reflective loader called Main.dll!Func rebuilds the DLL structure in memory, resolves all necessary functions, and passes execution off to GIFTEDCROOK without touching the file system again. This approach makes traditional file-based detection largely ineffective.

GIFTEDCROOK Browser Data Theft and Exfiltration

Once running, GIFTEDCROOK walks the process environment to locate browser profile directories without making obvious API calls that could trigger behavioral detection.

It decrypts sensitive browser material using the Windows CryptUnprotectData function, targeting Chrome, Edge, Opera, and Firefox credential stores in a thorough and systematic way.

Collected files are organized into a staging directory and packaged into a ZIP archive before being sent to the command-and-control server at hxxps://142.111.194[.]73:8640/dj5FZEiLnA/.

The malware also stores a stable per-infection identifier in a temporary file, allowing the attacker to track individual victims across sessions without relying on the Windows registry.

Security teams should monitor Startup folder modifications, unusual PowerShell execution involving Invoke-Expression (IEX), and outbound connections to non-standard ports.

Blocking archive-based LNK execution and enforcing stricter PowerShell execution policies can meaningfully reduce exposure to this type of attack chain.
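The three hunting leads above, turned into toy detection rules and run over constructed Sysmon-style events. This is an added example, not code from the report; the event field names are assumptions, the startup path and port 8640 mirror the report's IoCs, and the destination addresses are documentation-range placeholders rather than the real C2.

```python
"""Toy detections for Startup-folder LNK drops, PowerShell IEX use and
outbound connections to non-standard ports, over constructed events."""
import re
from typing import Dict, List, Optional

# Startup-folder .lnk drop in any user profile, case-insensitive.
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)
# Invoke-Expression or its IEX alias as a standalone token in a command line.
IEX_CALL = re.compile(r"(?<![\w-])(iex|invoke-expression)(?![\w-])", re.I)
# Destination ports this environment expects outbound (assumption; tune per site).
ALLOWED_PORTS = {53, 80, 123, 443, 587, 993}


def evaluate(event: Dict[str, str]) -> Optional[str]:
    """Return the name of the first rule the event matches, or None."""
    kind = event.get("type")
    if kind == "file_create" and STARTUP_LNK.search(event.get("path", "")):
        return "startup_lnk_drop"
    if kind == "process_create":
        is_ps = "powershell" in event.get("image", "").lower()
        if is_ps and IEX_CALL.search(event.get("cmdline", "")):
            return "powershell_iex"
    if kind == "network_connect":
        try:
            port = int(event.get("dst_port", ""))
        except ValueError:
            return None
        if port not in ALLOWED_PORTS:
            return "outbound_nonstandard_port"
    return None


def triage(events: List[Dict[str, str]]) -> List[str]:
    """Rule names for every matching event, in input order."""
    return [name for name in (evaluate(e) for e in events) if name]


# Constructed sample telemetry (not from the report). 203.0.113.x is a
# documentation range used here as a placeholder for the real C2 address.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "file_create", "image": r"C:\Windows\explorer.exe",
     "path": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ThJRq_6uEj.lnk"},
    {"type": "process_create", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell -w hidden -c "IEX (Get-Content C:\ProgramData\WC3 -Raw)"'},
    {"type": "process_create", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -ExecutionPolicy Bypass -File C:\scripts\nightly_backup.ps1"},
    {"type": "network_connect", "image": r"C:\Users\victim\AppData\Local\Temp\svc.exe",
     "dst_ip": "203.0.113.10", "dst_port": "8640"},
    {"type": "network_connect", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst_ip": "203.0.113.20", "dst_port": "443"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```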

Indicators of Compromise (IoCs):

| Type | Indicator | Description |
| --- | --- | --- |
| SHA-256 | 420f1931af9b3f7d02c5edfc78eb69abdad6e71d2c3e9b81f9cbc3823a503654 | Malicious Archive |
| SHA-256 | dc4c906e56ecb446cbb10b227e1fb470e428108584678314533d80e52a2b9b30 | Decoy PDF |
| SHA-256 | 05e131555faabae0960f0527cfb72d2b8e2381fd0fde22b0b4e2b365c7faf445 | Startup LNK |
| SHA-256 | 6b7e3dd5af5a56dd24e96c5b13282ad084c78d0a589d5e4c1b6ba58b4525d9a8 | WC3 PowerShell Loader |
| SHA-256 | 3006a6639eff677b08595927cf219a3bcd5fdd02bfd592606316bfd4623bb902 | Encoded wt1 Payload |
| SHA-256 | 78538f945a1d20aa392f3065f222223a4ed47284abfafa8c135bdfd9eacef222 | Decoded Custom-Header Image |
| SHA-256 | b268ecbc386d32ace546dd483707fd2c923de8f091741e544f52c7f872fe0d91 | Analysis-Only Reconstructed PE |
| IP:Port | 142.111.194[.]73:8640 | Command-and-Control Server |
| URL | hxxps://142.111.194[.]73:8640/dj5FZEiLnA/ | C2 Callback Endpoint |
| File Path | C:\ProgramData\WC3 | Obfuscated PowerShell Loader |
| File Path | C:\ProgramData\wt1 | Encoded Stage Payload |
| File Path | %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\ThJRq_6uEj.lnk | Persistence Startup Shortcut |
| File Path | %USERPROFILE%\RJ_8An6YWmhvYh9I8Me | Staging Directory |
| File Path | %USERPROFILE%\qhGQKHaADCeIZe2UoRub.zip | Final Exfiltration Archive |
| File Path | %TEMP%\oBKhrQLe1CKmO3RhHO | Per-Infection Identifier File |
| File Path | %TEMP%\logs.txt | Malware Log File |
| File Name | Main.dll | Reflective Loader DLL |
| File Name | взвод розвідки.pdf | Ukrainian-themed Decoy PDF Lure |

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
