
Advanced Russia-Linked Threat Campaigns Target Ukraine and European Organizations with Novel Tactics

Recent threat intelligence reports have uncovered two sophisticated malware campaigns targeting Ukrainian government institutions and European organizations. Ukrainian CERT (CERT-UA) has identified a campaign deploying the previously undocumented GIFTEDCROOK stealer against military and law enforcement entities, while Google Threat Intelligence Group has detailed a novel Remote Desktop Protocol (RDP) exploitation technique used against European government and military organizations. Both campaigns demonstrate advanced tactics aimed at credential theft, data exfiltration, and espionage.

GIFTEDCROOK Campaign Targets Ukrainian Organizations

The Computer Emergency Response Team of Ukraine (CERT-UA) has revealed a new set of cyber attacks targeting Ukrainian government institutions with an information-stealing malware dubbed GIFTEDCROOK. According to The Hacker News reporting on CERT-UA’s findings, the campaign specifically targets military formations, law enforcement agencies, and local government bodies near Ukraine’s eastern border.

The threat actor, tracked as UAC-0226, employs phishing emails containing macro-enabled Microsoft Excel spreadsheets (XLSM) that deploy the malware through a multi-stage infection chain. These emails are crafted to appear highly relevant to potential victims, with subject lines and file names referencing:

  • Demining operations
  • Administrative fines
  • UAV (drone) production
  • Compensation for destroyed property

Technical Analysis of GIFTEDCROOK

GIFTEDCROOK’s infection chain is sophisticated and involves multiple stages:

  1. Initial infection through macro-enabled Excel files
  2. Execution of a PowerShell script from the PSSW100AVB GitHub repository (PowerShell Scripts With 100% AV Bypass)
  3. Establishment of a reverse shell to attacker infrastructure
  4. Deployment of the GIFTEDCROOK stealer payload

The GIFTEDCROOK malware is written in C/C++ and specifically targets credentials stored in major web browsers. It can extract:

  • Browser cookies
  • Saved passwords
  • Browsing history
  • Authentication data

The malware targets Chrome, Edge, and Firefox browsers, making it a significant threat to organizational security. CERT-UA notes that the campaign leverages compromised legitimate email accounts to add credibility to the phishing attempts, often sending emails through web interfaces of email clients.

Novel “Rogue RDP” Campaign Targets European Organizations

In parallel to the Ukrainian attacks, Google’s Threat Intelligence Group has identified an innovative Remote Desktop Protocol (RDP) phishing campaign targeting European government and military organizations. The campaign, attributed to UNC5837 (a suspected Russia-nexus espionage actor), was detailed in a Google Cloud Blog post.

Unlike traditional RDP attacks that focus on gaining interactive control of victim machines, this campaign creatively abuses two lesser-known RDP features:

  • Resource Redirection: Mapping victim file systems to attacker-controlled servers
  • RemoteApps: Presenting attacker-controlled applications to victims

Technical Analysis of Rogue RDP Campaign

The campaign employed signed .rdp file attachments in phishing emails which, when opened, established Remote Desktop Protocol connections to attacker-controlled servers. The technical implementation included:

  1. Creation of signed RDP configuration files with legitimate-looking LetsEncrypt certificates
  2. Configuration of RDP to enable resource sharing (victim drives to attacker server)
  3. Use of RemoteApp functionality to present deceptive applications to victims
  4. Possible employment of an RDP proxy tool like PyRDP to automate data exfiltration

This technique, dubbed “Rogue RDP,” allowed attackers to:

  • Access and steal files from victim machines
  • Capture clipboard data (potentially including passwords)
  • Obtain victim environment variables
  • Present deceptive applications for further phishing

Google’s researchers noted that the campaign is remarkable for its effectiveness in using existing RDP functionality in unexpected ways, leaving minimal forensic evidence on victim systems.

Detection and Mitigation

Security professionals should implement the following defensive measures against these threats:

For GIFTEDCROOK:

  • Block macro execution in Office documents from external sources
  • Deploy email security solutions with attachment scanning capabilities
  • Implement browser credential protection measures
  • Utilize EDR solutions to detect PowerShell evasion techniques
  • Monitor for connections to new or unusual domains
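The last two items above, detecting PowerShell download activity and first-seen domains, can be checked from ordinary proxy logs without an EDR. The script below is an added example and is not CERT-UA's or Gridinsoft's code: it builds a baseline of registered domains seen during a quiet period, then flags later requests to domains outside that baseline or requests whose User-Agent carries the "WindowsPowerShell" product token that Windows PowerShell's web cmdlets send by default. The log format and every log line are constructed for the example; the two-label domain collapsing is deliberately crude (no public-suffix list).

```python
"""First-seen domain and PowerShell-client detection over proxy logs.

Added example, not code from CERT-UA or Gridinsoft. The log format and the
sample lines are constructed; "WindowsPowerShell" is the product token that
Windows PowerShell's Invoke-WebRequest/Invoke-RestMethod put in their default
User-Agent string.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional, Set

# Constructed log format: ISO timestamp, client IP, destination host, quoted user agent.
LOG_LINE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')


@dataclass
class Record:
    ts: datetime
    client: str
    host: str
    ua: str


def parse_line(line: str) -> Optional[Record]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
    return Record(ts=ts, client=m.group(2), host=m.group(3).lower(), ua=m.group(4))


def registered_domain(host: str) -> str:
    """Collapse a host name to its last two labels.

    Crude on purpose: without a public-suffix list, names such as
    example.co.uk would be over-collapsed. Good enough for a baseline.
    """
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def build_baseline(lines: Iterable[str], cutoff: datetime) -> Set[str]:
    """Registered domains seen strictly before `cutoff` form the known set."""
    seen: Set[str] = set()
    for line in lines:
        rec = parse_line(line)
        if rec and rec.ts < cutoff:
            seen.add(registered_domain(rec.host))
    return seen


def detect(lines: Iterable[str], baseline: Set[str], cutoff: datetime) -> List[Dict[str, str]]:
    """Flag requests at or after `cutoff` that hit a new domain or come from PowerShell."""
    alerts: List[Dict[str, str]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec.ts < cutoff:
            continue
        reasons = []
        if registered_domain(rec.host) not in baseline:
            reasons.append("first-seen domain")
        if "WindowsPowerShell" in rec.ua:
            reasons.append("PowerShell web client")
        if reasons:
            alerts.append({"client": rec.client, "host": rec.host, "reasons": ", ".join(reasons)})
    return alerts


# Constructed sample: one quiet baseline week, then a detection window.
CUTOFF = datetime(2025, 4, 8, tzinfo=timezone.utc)
SAMPLE_LOG = [
    '2025-04-01T08:00:00Z 10.0.0.5 portal.corp.example "Mozilla/5.0 (Windows NT 10.0) Chrome/124"',
    '2025-04-02T09:15:00Z 10.0.0.9 mail.corp.example "Mozilla/5.0 (Windows NT 10.0) Edge/124"',
    '2025-04-03T11:30:00Z 10.0.0.5 cdn.vendor.example "Mozilla/5.0 (Windows NT 10.0) Chrome/124"',
    '2025-04-08T10:01:02Z 10.0.0.23 portal.corp.example "Mozilla/5.0 (Windows NT 10.0) Chrome/124"',
    '2025-04-08T10:01:40Z 10.0.0.23 files.staging-drop.invalid '
    '"Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041"',
    '2025-04-08T10:02:05Z 10.0.0.23 static.cdn.vendor.example "Mozilla/5.0 (Windows NT 10.0) Chrome/124"',
]

if __name__ == "__main__":
    baseline = build_baseline(SAMPLE_LOG, CUTOFF)
    for alert in detect(SAMPLE_LOG, baseline, CUTOFF):
        print(f"{alert['client']} -> {alert['host']}: {alert['reasons']}")
```

A subdomain of an already-known domain (static.cdn.vendor.example) is not flagged, which keeps noise down; the one line that is flagged trips both indicators at once, and that combination, a PowerShell client reaching a never-before-seen domain, is the pattern worth paging on.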

For Rogue RDP:

  • Implement strict controls on RDP configuration files (.rdp)
  • Block or closely monitor RemoteApp functionality unless specifically required
  • Disable drive redirection in RDP settings where not needed
  • Deploy the YARA rules provided by Google for detection:
    /*
      Detect RDP config files with a base64 LetsEncrypt certificate
    */
    rule G_Hunting_RDP_File_LetsEncrypt_Signed_1
    {
      meta:
        author = "Google Threat Intelligence Group"
        description = "Detects signed RDP configuration files that contain a base64 encoded LetsEncrypt certificate"
      strings:
        $rdp_param1 = "full address" wide
        $rdp_param2 = "redirectclipboard" wide
        // Additional parameters omitted for brevity
        $lets_encrypt_1 = "Let's Encrypt" base64wide
        $lets_encrypt_2 = "lencr.org" base64wide
    
      condition:
        filesize < 20KB and (any of ($lets_encrypt_*)) and (2 of ($rdp_param*))
    }
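The YARA rule above hunts for the signed-file lure; the complementary check is to look at what an .rdp attachment actually asks the client to do, which is what the Rogue RDP steps (drive redirection plus RemoteApp) and the mitigations above are about. The script below is an added example, not Google's, CERT-UA's or Gridinsoft's code. It parses the `name:type:value` lines of an .rdp file (Windows clients commonly save these as UTF-16 with a BOM, which is why the YARA strings are matched `wide`), and reports the documented client properties that give the remote server reach into the client machine: `drivestoredirect`, `redirectclipboard` and `remoteapplicationmode`. The sample file, its host name and its signature value are constructed placeholders; the risk descriptions are this example's own.

```python
"""Static risk check for .rdp attachment files.

Added example, not Google's, CERT-UA's or Gridinsoft's code. Property names
are documented Remote Desktop client settings; the "risky when" rules and the
sample file are this example's own constructions.
"""
import codecs
from typing import Callable, Dict, List, Tuple

# Properties that hand the remote server reach into the client machine.
RISKY_PROPERTIES: Dict[str, Tuple[str, Callable[[str], bool]]] = {
    "drivestoredirect": (
        "drive redirection: client file systems are mapped into the remote session",
        lambda v: v != "",
    ),
    "redirectclipboard": (
        "clipboard redirection: clipboard contents (including pasted passwords) reach the server",
        lambda v: v == "1",
    ),
    "remoteapplicationmode": (
        "RemoteApp mode: the server chooses which application window the user sees",
        lambda v: v == "1",
    ),
}


def decode_rdp(data: bytes) -> str:
    """Decode an .rdp body; Windows clients usually write UTF-16 with a BOM."""
    if data.startswith(codecs.BOM_UTF16_LE) or data.startswith(codecs.BOM_UTF16_BE):
        return data.decode("utf-16")
    return data.decode("utf-8", errors="replace")


def parse_rdp(data: bytes) -> Dict[str, str]:
    """Parse `name:type:value` lines into a dict keyed by lower-cased name.

    Malformed lines are skipped rather than raising so a tampered file is still
    assessable; a repeated name keeps its last value so a later override is seen.
    """
    settings: Dict[str, str] = {}
    for raw in decode_rdp(data).splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":", 2)
        if len(parts) != 3 or parts[1] not in ("s", "i", "b"):
            continue
        name, _type, value = parts
        settings[name.strip().lower()] = value.strip()
    return settings


def assess_rdp(settings: Dict[str, str]) -> List[str]:
    """Return human-readable findings for a parsed .rdp file."""
    findings: List[str] = []
    for key, (description, risky_when) in RISKY_PROPERTIES.items():
        if key in settings and risky_when(settings[key]):
            findings.append(f"{key}={settings[key]}: {description}")
    # A signature only proves the file was not altered after signing. With a
    # certificate anyone can obtain, it says nothing about the signer's intent.
    if "signature" in settings and findings:
        findings.append("file is signed but still requests the redirections above; the signature is no assurance")
    if "full address" in settings:
        findings.append(f"connects to {settings['full address']}: confirm this host is an approved RDP endpoint")
    return findings


def is_rogue_rdp_candidate(data: bytes) -> bool:
    """True when the file requests both drive redirection and RemoteApp mode."""
    s = parse_rdp(data)
    return (
        RISKY_PROPERTIES["drivestoredirect"][1](s.get("drivestoredirect", ""))
        and RISKY_PROPERTIES["remoteapplicationmode"][1](s.get("remoteapplicationmode", ""))
    )


# Constructed sample attachment: host name and signature value are placeholders.
SAMPLE_RDP = (
    "full address:s:rdp-gateway.example.invalid\n"
    "drivestoredirect:s:*\n"
    "redirectclipboard:i:1\n"
    "remoteapplicationmode:i:1\n"
    "remoteapplicationprogram:s:||ConstructedApp\n"
    "signscope:s:Full Address,Drive Store Redirection,Remote Application Mode\n"
    "signature:s:PLACEHOLDER_BASE64_SIGNATURE\n"
).encode("utf-16")  # BOM + UTF-16, as Windows clients typically save .rdp files

# A benign file for contrast: no redirection, no RemoteApp, plain ASCII.
BENIGN_RDP = b"full address:s:jumphost.corp.example\nredirectclipboard:i:0\n"

if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE_RDP), ("benign", BENIGN_RDP)):
        print(f"[{label}] rogue-rdp candidate: {is_rogue_rdp_candidate(blob)}")
        for finding in assess_rdp(parse_rdp(blob)):
            print("  -", finding)
```

Run it at the mail gateway or in a sandbox on every .rdp attachment: a file that passes the YARA rule because it is unsigned, or is signed by some other CA, is still caught here if it asks for drive redirection or RemoteApp, and the `full address` finding gives the analyst the host to compare against the organisation's approved RDP endpoints.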

Attribution and Wider Context

While CERT-UA has not explicitly attributed the GIFTEDCROOK campaign to a specific country, the targeting of Ukrainian organizations near the eastern border suggests possible Russian involvement. The Google-observed Rogue RDP campaign has been more directly attributed to a suspected Russia-nexus espionage actor (UNC5837).

Several cybersecurity researchers, including those at Microsoft Security Intelligence, have previously linked UNC5837 to APT29, also known as Cozy Bear, which is associated with Russia's Foreign Intelligence Service (SVR).

These campaigns highlight Russia's continued focus on cyber espionage against Ukraine and European NATO countries, with an increasing sophistication in tactics designed to evade detection and defensive measures.

Conclusion

The GIFTEDCROOK and Rogue RDP campaigns demonstrate the evolution of nation-state cyber operations, with a particular emphasis on credential theft and covert data exfiltration. Security professionals should stay vigilant against these advanced threats by implementing the recommended mitigations, monitoring for suspicious RDP configurations, and maintaining a strong security posture against document-based phishing attempts.

These campaigns also highlight the growing trend of threat actors leveraging legitimate tools and protocols in unexpected ways to evade traditional security controls—a technique that requires security teams to focus on behavior-based detection rather than relying solely on signature-based defenses.

Gridinsoft Team

Founded in 2003, GridinSoft LLC is a Kyiv, Ukraine-based cybersecurity company committed to safeguarding users from the ever-growing threats in the digital landscape. With over two decades of experience, we have earned a reputation as a trusted provider of innovative security solutions, protecting millions of users worldwide.
