New GIFTEDCROOK Chain Abuses WinRAR ADS and Reflective Loading to Steal Browser Data
Jun 26, 2026 · 5 min read
A newly documented attack chain tied to threat actor group UAC-0226 is putting Windows users at serious risk.

The campaign uses booby-trapped WinRAR archives, hidden file streams, and a sophisticated memory-loading technique to deliver GIFTEDCROOK, a stealer malware designed to quietly drain browser credentials, cookies, and sensitive documents from infected machines.

The attack has shown a clear focus on Ukrainian military-related personnel, using convincing lure documents designed to appear as internal military records.

The infection begins with what looks like a normal WinRAR archive, but hidden inside is far more than a simple document.

Using a feature called Alternate Data Streams (ADS), the attackers conceal multiple files inside the archive, including a decoy PDF and a shortcut file (LNK) that quietly drops its contents into key system locations when opened.

The victim opens what appears to be a legitimate military document, never realizing the real attack has already begun silently running in the background.

Analysts at Synaptic Security, who shared their findings in a report with Cyber Security News (CSN), identified the full attack chain while tracking UAC-0226 tooling activity.

According to the report, the chain runs from the initial RAR archive through a decoy PDF, a shortcut file, obfuscated PowerShell scripts, an additively encoded payload, and finally the GIFTEDCROOK stealer.

Decoded loader (Source – Synaptic Security)

The archive drops two files onto the system: a heavily obfuscated PowerShell loader into C:\ProgramData\WC3 and the encoded final payload into C:\ProgramData\wt1.

A startup shortcut placed in the Windows Startup folder ensures GIFTEDCROOK runs automatically every time the user logs back in, giving the attacker persistent access with no further effort required.

Once fully active, GIFTEDCROOK moves quietly across the infected machine. It targets browsers like Google Chrome, Microsoft Edge, Opera, and Firefox, pulling login data, cookies, and saved session files.

The malware also searches for VPN profiles, KeePass databases, and email files, collecting everything into a ZIP archive before sending it off to attacker-controlled infrastructure.

New GIFTEDCROOK Chain Abuses WinRAR ADS

The attack relies on a combination of WinRAR Alternate Data Streams and reflective PE loading to deliver GIFTEDCROOK while staying hidden from most security tools.

The ADS feature allows the archive to carry invisible extra files alongside the visible decoy PDF, so extracting the archive silently places multiple malicious components onto the victim’s machine without raising any obvious alarms.

The PowerShell loader inside WC3 is buried under thousands of lines of junk code, random function names, and irrelevant output calls designed to confuse analysis tools.

The actual execution logic reads the encoded payload from wt1, decodes it by subtracting 72 from each byte, and loads the result directly into memory using low-level Windows API calls, completely avoiding a recognizable executable file on disk.

IIM Comparison View in Kraken (Source – Synaptic Security)

The decoded payload is a custom headless PE file, meaning it lacks the standard header that security scanners normally look for.

A dedicated reflective loader called Main.dll!Func rebuilds the DLL structure in memory, resolves all necessary functions, and passes execution off to GIFTEDCROOK without touching the file system again. This approach makes traditional file-based detection largely ineffective.
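The decode step and the "headless" check, as an added analyst helper that is neither Synaptic Security's tooling nor the malware's own loader: it reverses the additive encoding the report describes (subtract 72 from every byte) and then reports whether the result carries the MZ/PE headers a file scanner keys on, which is what a headless PE lacks. The sample bytes are constructed here; the real wt1 is referenced only by its SHA-256 in the IoC table.

```python
"""Decode-and-triage helper for the wt1 stage (added example, not the page's
or Synaptic Security's code). Undoes the additive encoding and checks for the
headers a headless PE lacks. Sample bytes below are constructed for the demo."""
import re
import struct

KEY = 72  # per the report: the WC3 loader subtracts 72 from each byte of wt1


def decode_additive(data: bytes, key: int = KEY) -> bytes:
    # Reverse the additive encoding: (byte - key) mod 256, as the loader does.
    return bytes((b - key) & 0xFF for b in data)


def encode_additive(data: bytes, key: int = KEY) -> bytes:
    # Inverse of decode_additive; only used to build constructed samples.
    return bytes((b + key) & 0xFF for b in data)


def triage(decoded: bytes, min_len: int = 6) -> dict:
    """Check for a DOS header, an NT header at e_lfanew, and printable strings."""
    has_mz = decoded[:2] == b"MZ"
    has_pe = False
    if has_mz and len(decoded) >= 0x40:
        e_lfanew = struct.unpack_from("<I", decoded, 0x3C)[0]
        has_pe = decoded[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"
    pattern = rb"[ -~]{%d,}" % min_len  # runs of printable ASCII
    strings = [m.decode("ascii") for m in re.findall(pattern, decoded)]
    return {"has_mz": has_mz, "has_pe": has_pe, "strings": strings}


# Constructed "headless" stage: no DOS/NT header, only body bytes that happen to
# name the loader export and the API the report says the stealer calls.
HEADLESS_PLAINTEXT = b"\x00\x00\x00\x00Main.dll\x00Func\x00CryptUnprotectData\x00\xff\xfe"
SAMPLE_WT1 = encode_additive(HEADLESS_PLAINTEXT)


def triage_sample() -> dict:
    # What an analyst sees for the constructed stage: no MZ, no PE, two strings.
    return triage(decode_additive(SAMPLE_WT1))


if __name__ == "__main__":
    print(triage_sample())
```

To use it on a real capture, pass the file's bytes through decode_additive and then triage; a has_mz of False on a blob that still yields API-name strings is the headless pattern the report describes.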

GIFTEDCROOK Browser Data Theft and Exfiltration

Once running, GIFTEDCROOK walks the process environment to locate browser profile directories without making obvious API calls that could trigger behavioral detection.

It decrypts sensitive browser material using the Windows CryptUnprotectData function, targeting Chrome, Edge, Opera, and Firefox credential stores in a thorough and systematic way.

Collected files are organized into a staging directory and packaged into a ZIP archive before being sent to the command-and-control server at hxxps://142.111.194[.]73:8640/dj5FZEiLnA/.

The malware also stores a stable per-infection identifier in a temporary file, allowing the attacker to track individual victims across sessions without relying on the Windows registry.

Security teams should monitor startup folder modifications, unusual PowerShell execution involving IEX commands, and outbound connections to non-standard ports.

Blocking archive-based LNK execution and enforcing stricter PowerShell execution policies can meaningfully reduce exposure to this type of attack chain.
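The three monitoring points above turned into detection logic, as an added example that is not Synaptic Security's or any vendor's content: rules for PowerShell invoking IEX, a new .lnk in the Startup folder, and an outbound connection to a non-standard port, run over constructed Sysmon-style JSON events. The field names are an assumption chosen for the sample, not a real schema; the paths and port come from the IoC table.

```python
"""Detection sketch for the monitoring advice above (added example, not the
page's or any vendor's rules). Field names are assumed for the constructed
sample; map them to your own telemetry."""
import json
import re

IEX_RE = re.compile(r"\b(iex|invoke-expression)\b", re.I)
STARTUP_LNK_RE = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.lnk$", re.I)
STANDARD_PORTS = {80, 443}  # assumption: anything else counts as non-standard


def check(event):
    """Return the names of the rules this single event triggers."""
    hits = []
    kind = event.get("type")
    if kind == "process_create":
        image = event.get("image", "").lower()
        if image.endswith("powershell.exe") and IEX_RE.search(event.get("cmdline", "")):
            hits.append("powershell_iex")
    elif kind == "file_create" and STARTUP_LNK_RE.search(event.get("path", "")):
        hits.append("startup_lnk")
    elif kind == "network_connect":
        port = event.get("dst_port")
        if event.get("direction") == "outbound" and port is not None and port not in STANDARD_PORTS:
            hits.append("nonstandard_port")
    return hits


def scan(lines):
    """Run check() over JSON-lines telemetry; returns (rule, event) pairs in order."""
    alerts = []
    for line in lines:
        if line.strip():
            event = json.loads(line)
            alerts.extend((rule, event) for rule in check(event))
    return alerts


# Constructed sample telemetry: three events matching the chain's behaviour
# (Startup LNK path and C2 port from the IoC table) mixed with benign noise.
SAMPLE_EVENTS = r"""
{"type": "process_create", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -W Hidden -NoP -C \"iex $wc3\""}
{"type": "process_create", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -File C:\\Scripts\\backup.ps1"}
{"type": "file_create", "image": "powershell.exe", "path": "C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ThJRq_6uEj.lnk"}
{"type": "network_connect", "image": "chrome.exe", "direction": "outbound", "dst_ip": "203.0.113.10", "dst_port": 443}
{"type": "network_connect", "image": "powershell.exe", "direction": "outbound", "dst_ip": "142.111.194[.]73", "dst_port": 8640}
"""

if __name__ == "__main__":
    for rule, event in scan(SAMPLE_EVENTS.splitlines()):
        print(rule, event.get("image"))
```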

Indicators of Compromise (IoCs):

Type | Indicator | Description
SHA-256 | 420f1931af9b3f7d02c5edfc78eb69abdad6e71d2c3e9b81f9cbc3823a503654 | Malicious Archive
SHA-256 | dc4c906e56ecb446cbb10b227e1fb470e428108584678314533d80e52a2b9b30 | Decoy PDF
SHA-256 | 05e131555faabae0960f0527cfb72d2b8e2381fd0fde22b0b4e2b365c7faf445 | Startup LNK
SHA-256 | 6b7e3dd5af5a56dd24e96c5b13282ad084c78d0a589d5e4c1b6ba58b4525d9a8 | WC3 PowerShell Loader
SHA-256 | 3006a6639eff677b08595927cf219a3bcd5fdd02bfd592606316bfd4623bb902 | Encoded wt1 Payload
SHA-256 | 78538f945a1d20aa392f3065f222223a4ed47284abfafa8c135bdfd9eacef222 | Decoded Custom-Header Image
SHA-256 | b268ecbc386d32ace546dd483707fd2c923de8f091741e544f52c7f872fe0d91 | Analysis-Only Reconstructed PE
IP:Port | 142.111.194[.]73:8640 | Command-and-Control Server
URL | hxxps://142.111.194[.]73:8640/dj5FZEiLnA/ | C2 Callback Endpoint
File Path | C:\ProgramData\WC3 | Obfuscated PowerShell Loader
File Path | C:\ProgramData\wt1 | Encoded Stage Payload
File Path | %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\ThJRq_6uEj.lnk | Persistence Startup Shortcut
File Path | %USERPROFILE%\RJ_8An6YWmhvYh9I8Me | Staging Directory
File Path | %USERPROFILE%\qhGQKHaADCeIZe2UoRub.zip | Final Exfiltration Archive
File Path | %TEMP%\oBKhrQLe1CKmO3RhHO | Per-Infection Identifier File
File Path | %TEMP%\logs.txt | Malware Log File
File Name | Main.dll | Reflective Loader DLL
File Name | взвод розвідки.pdf | Ukrainian-themed Decoy PDF Lure

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Source: CybersecurityNews.com