GIFTEDCROOK is a C/C++ data stealer targeting Windows systems, first documented by Ukraine's CERT-UA in connection with the threat actor UAC-0226. Unlike broad-spectrum malware families that cast a wide net, this threat was purpose-built to harvest credentials and session tokens from web browsers, then quietly exfiltrate everything to attacker-controlled Telegram channels. It's compact, effective, and increasingly observed in targeted campaigns beyond its original Eastern European theater. If your browser passwords suddenly stop working or you notice unexplained logins to your online accounts, GIFTEDCROOK may have already harvested your stored credentials.
This malware doesn't announce itself with ransom notes or system-locking screens—it works silently in the background, collecting every saved password, cookie, and autofill entry stored in Chrome, Edge, Firefox, and other browsers. By the time you realize something's wrong, your email, banking, and social media credentials may already be in an attacker's hands. Understanding how GIFTEDCROOK operates and how to remove it is critical for anyone who stores passwords in their browser or uses "remember me" features on sensitive sites.
Threat Profile
| Attribute | Value |
|---|---|
| Threat Name | GIFTEDCROOK |
| Threat Type | Information Stealer |
| Platform | Windows (32-bit and 64-bit) |
| File Type | Windows PE Executable |
| First Documented | 2025 (CERT-UA report on UAC-0226 activity) |
| Associated Actor | UAC-0226 |
| Primary Targets | Browser credential databases (Chrome, Edge, Firefox, Opera) |
| Programming Language | C/C++ |
| Exfiltration Method | Telegram Bot API |
| Detection Aliases | GIFTEDCROOK (primary); limited cross-vendor naming due to recent emergence |
| Persistence Mechanism | Not a core feature; the stealer is built for a single collect-and-send run. Some variants add a registry Run key or scheduled task to re-harvest later. |
| Severity | High (credential theft leads to account compromise, financial fraud, identity theft) |
How It Spreads
GIFTEDCROOK typically arrives through targeted phishing campaigns and trojanized software downloads. CERT-UA's reporting describes UAC-0226 delivering the stealer via spear-phishing emails carrying macro-enabled Excel spreadsheets whose VBA macro drops the stealer executable, as well as ZIP archives with embedded executables. The attackers invest effort in reconnaissance: emails often reference real business relationships, pending invoices, or HR documents to convince recipients that the attachment is legitimate. Once the victim opens the document and enables macros (or extracts and runs the executable), GIFTEDCROOK runs silently and begins harvesting browser data within minutes.
Beyond email, we've observed GIFTEDCROOK bundled with pirated software installers, fake browser updates, and compromised downloads from file-sharing sites. The malware may also arrive as a secondary payload dropped by an existing infection—loaders like SmokeLoader or PrivateLoader have been used in the past to distribute credential stealers to already-compromised machines. Because GIFTEDCROOK is lightweight and lacks the flashy behaviors of ransomware, many users never realize their system has been compromised until their accounts start getting hijacked.
Common distribution methods include:
- Phishing emails with weaponized Office documents (.xlsm, .docm, or legacy .xls/.doc files carrying VBA macros; plain .docx/.xlsx files cannot contain macros)
- Malicious ZIP or RAR archives disguised as invoices, contracts, or delivery notices
- Trojanized installers for popular software (media players, PDF readers, productivity tools)
- Fake browser or Flash Player update prompts on compromised or malicious websites
- Drive-by downloads from exploit kits targeting unpatched browser or plugin vulnerabilities
- Secondary infections delivered by existing malware loaders or botnets
What It Does On Your Machine
Once executed, GIFTEDCROOK moves quickly and quietly. It enumerates installed browsers by checking standard installation directories and AppData paths, then targets the files where browsers keep encrypted credentials. Chromium-based browsers (Chrome, Edge, Opera and others) store passwords in the "Login Data" SQLite database, cookies in "Network\Cookies" and autofill data in "Web Data"; the stored values are AES-encrypted with a key that sits in the browser's "Local State" file wrapped with Windows DPAPI, which means any program running as the logged-in user can unwrap it. (Chrome 127 and later add "App-Bound Encryption", which ties the key to a SYSTEM-level Chrome elevation service so that a plain user-mode copy of the files is no longer enough; stealers have to escalate or inject to get at it.) Firefox uses "logins.json" with the decryption key in "key4.db", protected by Mozilla's NSS library rather than DPAPI. The malware copies these files to a temporary location (so it can read them while the browser has them open), decrypts them, and extracts usernames, passwords, URLs, and session cookies. It doesn't need to keylog or intercept traffic; everything it wants is already sitting on disk, waiting to be harvested.
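To see which of these stores on a given machine actually held something worth rotating, here is an added PowerShell example (written for this page; not code from the page, from CERT-UA or from the malware). It inventories the Chromium and Firefox credential files named above and reports which key-wrapping scheme each Chromium install uses. It reads file metadata and the Local State JSON only and decrypts nothing. The Brave profile path and the handling of Opera's flat profile folder are additions beyond the browsers the page names.

```powershell
# Added example, not from the page or from CERT-UA. Read-only inventory of the
# browser credential stores a stealer like GIFTEDCROOK copies, so you know which
# profiles (and therefore which accounts) to treat as exposed.
function Get-BrowserCredentialStores {
    param(
        # Defaults to the current user; pass C:\Users\<other> to triage another account.
        [string]$UserProfile = $env:USERPROFILE
    )
    $local   = Join-Path $UserProfile 'AppData\Local'
    $roaming = Join-Path $UserProfile 'AppData\Roaming'
    $results = [System.Collections.Generic.List[object]]::new()

    # Chromium family. "Local State" holds the AES key under os_crypt; profiles
    # are Default / Profile N. Opera keeps Local State and the profile in one folder.
    $chromium = [ordered]@{
        'Chrome' = Join-Path $local   'Google\Chrome\User Data'
        'Edge'   = Join-Path $local   'Microsoft\Edge\User Data'
        'Brave'  = Join-Path $local   'BraveSoftware\Brave-Browser\User Data'
        'Opera'  = Join-Path $roaming 'Opera Software\Opera Stable'
    }
    $chromiumStores = 'Login Data', 'Web Data', 'Network\Cookies', 'Cookies'

    foreach ($name in $chromium.Keys) {
        $userData = $chromium[$name]
        if (-not (Test-Path -LiteralPath $userData)) { continue }

        # Which wrapping protects the AES key: DPAPI only (any process running as
        # the user can unwrap it) or DPAPI plus Chrome's App-Bound Encryption.
        $keyWrap = 'no Local State'
        $localState = Join-Path $userData 'Local State'
        if (Test-Path -LiteralPath $localState) {
            $osCrypt = (Get-Content -LiteralPath $localState -Raw | ConvertFrom-Json).os_crypt
            if ($osCrypt.PSObject.Properties['app_bound_encrypted_key']) { $keyWrap = 'DPAPI + app-bound' }
            elseif ($osCrypt.PSObject.Properties['encrypted_key'])       { $keyWrap = 'DPAPI only' }
            else                                                          { $keyWrap = 'no os_crypt key' }
        }

        # The user-data folder itself (Opera) plus Default / Profile N subfolders.
        $profiles = @(Get-Item -LiteralPath $userData) +
                    @(Get-ChildItem -LiteralPath $userData -Directory |
                      Where-Object { $_.Name -eq 'Default' -or $_.Name -like 'Profile *' })
        foreach ($profile in $profiles) {
            foreach ($store in $chromiumStores) {
                $path = Join-Path $profile.FullName $store
                if (-not (Test-Path -LiteralPath $path)) { continue }
                $f = Get-Item -LiteralPath $path
                $results.Add([pscustomobject]@{
                    Browser = $name; Profile = $profile.Name; Store = $store
                    SizeKB = [math]::Round($f.Length / 1KB, 1); LastWrite = $f.LastWriteTime
                    KeyWrap = $keyWrap
                })
            }
        }
    }

    # Firefox: logins.json is decrypted with the NSS key in key4.db, not DPAPI.
    $ffProfiles = Join-Path $roaming 'Mozilla\Firefox\Profiles'
    if (Test-Path -LiteralPath $ffProfiles) {
        foreach ($profile in Get-ChildItem -LiteralPath $ffProfiles -Directory) {
            foreach ($store in 'logins.json', 'key4.db', 'cookies.sqlite') {
                $path = Join-Path $profile.FullName $store
                if (-not (Test-Path -LiteralPath $path)) { continue }
                $f = Get-Item -LiteralPath $path
                $results.Add([pscustomobject]@{
                    Browser = 'Firefox'; Profile = $profile.Name; Store = $store
                    SizeKB = [math]::Round($f.Length / 1KB, 1); LastWrite = $f.LastWriteTime
                    KeyWrap = 'NSS key4.db'
                })
            }
        }
    }
    $results
}

# A Login Data file of more than a few KB means saved logins exist in that profile.
Get-BrowserCredentialStores | Sort-Object Browser, Profile, Store | Format-Table -AutoSize
```

Every profile that shows up with a non-trivial "Login Data" or "logins.json" is a list of accounts to rotate. A KeyWrap of "DPAPI only" tells you the stored passwords were readable by anything that ran as that user, including a stealer launched from an email attachment; "DPAPI + app-bound" means the attacker needed more than a file copy, which is worth knowing when you judge how far the compromise went.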
The stealer also collects system information to help attackers profile the compromised machine: operating system version, computer name, username, installed antivirus products, and a list of running processes. This reconnaissance data helps the threat actor decide whether the victim is a high-value target worth additional attention or manual follow-up. Once collection is complete, GIFTEDCROOK packages everything into a compressed archive or structured text file and sends it directly to a Telegram bot controlled by the attacker through Telegram's Bot API. That channel is attractive to attackers because it's TLS-encrypted, free, needs no attacker-owned server to maintain, and the traffic goes to api.telegram.org, a legitimate domain that most network monitoring won't flag the way it would an upload to an unknown host.
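Because the exfiltration goes to one well-known endpoint, the network side is the easiest place to catch it. The following is an added PowerShell example, not from the page, from CERT-UA or from the malware: it scans proxy log lines for Bot API calls, pulls out the numeric bot ID (which identifies the attacker's bot without copying the secret into your notes) and flags uploads from hosts that aren't on an allow-list of machines known to run bots. The "time client method url status bytes" log layout, the sample lines, the bot IDs and the tokens are all constructed for the example.

```powershell
# Added example, not from the page or from CERT-UA: find Telegram Bot API uploads
# in proxy logs and flag the clients that shouldn't be making them.
function Find-TelegramBotExfil {
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline)] [string[]] $Line,
        # Hosts that legitimately run Telegram bots (alerting, chatops). Anything
        # else talking to api.telegram.org is suspect; Telegram Desktop never does.
        [string[]] $AllowedClients = @()
    )
    begin {
        # A bot token is <numeric bot id>:<35 URL-safe characters>; the method
        # name follows. sendDocument is how a stealer ships its archive.
        $pattern = 'https?://api\.telegram\.org/bot(?<botid>\d{8,10}):(?<secret>[A-Za-z0-9_-]{35})/(?<method>[A-Za-z]+)'
        $uploadMethods = 'sendDocument', 'sendPhoto', 'sendMessage'
        $hits = [System.Collections.Generic.List[object]]::new()
    }
    process {
        foreach ($l in $Line) {
            $m = [regex]::Match($l, $pattern)
            if (-not $m.Success) { continue }
            # Constructed log layout assumed here: time client method url status bytes.
            $f = $l -split '\s+'
            $method = $m.Groups['method'].Value
            $hits.Add([pscustomobject]@{
                Time    = $f[0]
                Client  = $f[1]
                BotId   = $m.Groups['botid'].Value
                # Keep only a prefix of the secret; the full token never belongs in a ticket.
                Token   = $m.Groups['secret'].Value.Substring(0, 4) + '...'
                Method  = $method
                Bytes   = [int64]$f[5]
                Suspect = ($AllowedClients -notcontains $f[1]) -and ($uploadMethods -contains $method)
            })
        }
    }
    end { $hits }
}

# Constructed sample lines (not real telemetry). The 10.0.9.8 host is on the allow-list.
$sample = @'
2025-04-08T10:14:59Z 10.0.5.23 GET https://www.microsoft.com/ 200 5120
2025-04-08T10:15:02Z 10.0.5.23 POST https://api.telegram.org/bot7123456789:AAEx4mplet0k3nV4lu3F0rD3m0nstr4t10n/sendDocument 200 184320
2025-04-08T10:15:03Z 10.0.5.23 POST https://api.telegram.org/bot7123456789:AAEx4mplet0k3nV4lu3F0rD3m0nstr4t10n/sendMessage 200 612
2025-04-08T10:16:40Z 10.0.9.8 POST https://api.telegram.org/bot1000000001:AAmonit0ringb0tF0rTh3N0cTe4mXXXXXXX/sendMessage 200 240
'@ -split "`r?`n"

$hits = $sample | Find-TelegramBotExfil -AllowedClients '10.0.9.8'
$hits | Format-Table Time, Client, BotId, Token, Method, Bytes, Suspect -AutoSize

# One client, one bot, a large sendDocument followed by a sendMessage within
# seconds: that is the shape of a stealer's single-shot exfiltration.
$hits | Where-Object Suspect | Group-Object Client, BotId | ForEach-Object {
    [pscustomobject]@{ ClientBot = $_.Name; Uploads = $_.Count
                       Bytes = ($_.Group | Measure-Object -Property Bytes -Sum).Sum }
}
```

Feed it real data with `Get-Content proxy.log | Find-TelegramBotExfil -AllowedClients <your bot hosts>`. One caveat: you only see the URL path if your proxy decrypts TLS. With plain CONNECT or DNS logs you see just api.telegram.org, but on a workstation that runs no bots that alone is a useful signal, because the Telegram Desktop client speaks MTProto to Telegram's data-centre addresses and does not use api.telegram.org at all.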
The malware typically does not establish long-term persistence; it's designed to grab credentials and get out. However, some variants install a scheduled task or registry Run key to ensure a second harvest attempt if the initial exfiltration fails or if the attacker wants to collect fresh credentials after the user changes passwords. GIFTEDCROOK produces minimal disk activity and no visible windows, making it nearly invisible to casual users. Without endpoint or network telemetry, the first sign of infection is usually an unexpected account lockout, a password reset request you didn't initiate, or a financial transaction you didn't authorize.
Manual Removal — Step by Step
Disconnect from the Internet
Unplug your Ethernet cable or disable Wi-Fi immediately. This stops the malware from exfiltrating any additional data and prevents remote commands if a backdoor component is present. Work offline until removal is complete.
Boot into Safe Mode with Networking
Restart your computer. On Windows 10/11, hold Shift while clicking Restart, then choose Troubleshoot → Advanced options → Startup Settings → Restart and press 5 for "Safe Mode with Networking." (The F8 key only reaches the boot menu on older Windows versions or where the legacy boot menu has been re-enabled.) Safe Mode prevents most malware from auto-starting while still allowing you to download removal tools.
Run a Full Scan with Malwarebytes
Download and install Malwarebytes Free (reconnect briefly if needed, then disconnect again). Update definitions and run a full "Threat Scan." Malwarebytes detects most stealer families by behavior and signature. Quarantine everything it finds—do not skip any detections, even if they're flagged as low-severity PUPs.
Scan with Your Primary Antivirus (Updated Definitions)
If your existing AV didn't catch GIFTEDCROOK initially, it may after a definition update. Reconnect briefly, update signatures, disconnect, then run a full scan. Some vendors now detect GIFTEDCROOK by name; others flag it as generic trojan or infostealer variants.
Check Startup Programs and Scheduled Tasks
Open Task Manager (Ctrl+Shift+Esc) → Startup tab. Disable anything unfamiliar, especially items with random names or paths pointing to AppData\Roaming. Then open Task Scheduler (taskschd.msc) and review tasks created recently. Delete any that launch executables from temporary or user-writable directories.
Inspect Registry Run Keys
Press Win+R, type regedit, and navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_LOCAL_MACHINE\...\Run (check the RunOnce key next to each as well). Regedit shows no timestamps on individual values, so judge each entry by its command line: anything that launches an .exe from Temp, AppData, ProgramData, Downloads or another user-writable folder, or whose name you can't tie to software you installed, is a candidate. Write down the full path before deleting the value so you can find and quarantine the file in the next step.
Delete Temporary and AppData Remnants
Open File Explorer and navigate to C:\Users\[YourName]\AppData\Local\Temp and C:\Users\[YourName]\AppData\Roaming. Sort by date modified and look for folders or files created around the time of infection, especially .exe, .db, .zip or .txt files with random names (a stealer stages the copied browser databases and its output archive here before sending). Move anything you can't identify into a zip file in a quarantine folder rather than deleting it outright; you may want it analyzed later, and you can't undo a false positive. Delete what you've confirmed is malicious and empty the Recycle Bin afterward.
Change All Stored Passwords—From a Clean Device
Because GIFTEDCROOK harvests stored browser credentials, assume all saved passwords have been compromised. Use a different, known-clean device (smartphone, tablet, or another computer) to change passwords for email, banking, social media, and any other accounts that were saved in your browser. Changing a password does not always log out a session an attacker started with a stolen cookie, so also use each service's "sign out of all devices" or "revoke sessions" option where it exists (Google, Microsoft, Facebook and most banks offer one). Enable two-factor authentication wherever possible, and treat it as protection for the next login, not for the session that was already stolen.
Clear Browser Stored Credentials
Open each browser's settings and clear all saved passwords, cookies, and autofill data. For Chrome: Settings → Privacy and security → Clear browsing data → choose "All time" and check passwords, cookies, and cached files. Repeat for Edge, Firefox, and any other installed browsers. This forces you to re-enter credentials after you've changed them from a clean device.
Reboot Normally and Monitor
Restart your computer in normal mode. Reconnect to the internet and monitor for unusual activity: unexpected process spikes, unfamiliar outbound connections, or new files appearing in temporary directories. Run one final Malwarebytes scan 24 hours later to confirm the threat is gone. If any symptoms persist, bring the machine to our shop—residual components may require advanced forensic removal.
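The startup, scheduled-task and registry checks above are tedious to do by hand and easy to get wrong. Here is an added PowerShell example (written for this page; not code from the page, from CERT-UA or from the malware) that collects every autostart those steps cover, the Run/RunOnce keys, both Startup folders and enabled scheduled tasks, and marks the ones that launch something from a user-writable folder, which is where a phishing-dropped stealer usually ends up. It also checks the Authenticode signature of each launched executable. The folder list used for marking is this example's judgement call, not anything the page or CERT-UA specifies. Run it from an elevated PowerShell so HKLM and every task are visible.

```powershell
# Added example, not from the page or from CERT-UA: list every autostart the
# manual steps above cover and mark those that run from user-writable folders.
function Get-AutostartEntries {
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
        'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    )
    # Folders a dropped executable usually lands in. Legitimate software (OneDrive,
    # Teams, Discord) also starts from AppData\Local, so a mark means "look", not "malware".
    $userWritable = '\AppData\', '\Temp\', '\ProgramData\', '\Users\Public\', '\Downloads\'
    $entries = [System.Collections.Generic.List[object]]::new()

    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # PSPath, PSProvider and friends
            $entries.Add([pscustomobject]@{ Source = $key; Name = $p.Name
                                            Command = [string]$p.Value; Created = $null })
        }
    }
    foreach ($folder in [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')) {
        if (-not (Test-Path $folder)) { continue }
        foreach ($f in Get-ChildItem -Path $folder -File) {
            $entries.Add([pscustomobject]@{ Source = 'StartupFolder'; Name = $f.Name
                                            Command = $f.FullName; Created = $f.CreationTime })
        }
    }
    foreach ($task in Get-ScheduledTask | Where-Object State -ne 'Disabled') {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }      # skip COM-handler actions
            $entries.Add([pscustomobject]@{ Source = 'Task:' + $task.TaskPath + $task.TaskName
                                            Name = $task.TaskName
                                            Command = ($action.Execute + ' ' + $action.Arguments).Trim()
                                            Created = $task.Date })
        }
    }

    foreach ($e in $entries) {
        $cmd = [Environment]::ExpandEnvironmentVariables($e.Command)
        $suspect = [bool]($userWritable | Where-Object { $cmd -like "*$_*" })
        # Pull the executable out of the command line and check its Authenticode
        # signature: a real updater living in AppData is signed, a stealer rarely is.
        $exe = $null
        if ($cmd -match '^"([^"]+)"' -or $cmd -match '^(\S+)') { $exe = $Matches[1] }
        $signer = 'n/a'
        if ($exe -and (Test-Path -LiteralPath $exe)) {
            $sig = Get-AuthenticodeSignature -FilePath $exe
            $signer = if ($sig.Status -eq 'Valid') { $sig.SignerCertificate.Subject } else { [string]$sig.Status }
        }
        $e | Add-Member -NotePropertyName Expanded -NotePropertyValue $cmd
        $e | Add-Member -NotePropertyName Suspect  -NotePropertyValue $suspect
        $e | Add-Member -NotePropertyName Signer   -NotePropertyValue $signer
    }
    $entries
}

$auto = Get-AutostartEntries
$auto | Where-Object Suspect | Format-List Source, Name, Expanded, Created, Signer
```

Read the marked entries with the Signer column in hand: a valid Microsoft or vendor signature on a program in AppData\Local is normal, while "NotSigned" on a randomly named executable in Temp or Roaming is what you're looking for. Before removing anything, copy the file into a zip in your quarantine folder, then remove the autostart with `Unregister-ScheduledTask -TaskName <name> -Confirm:$false` or `Remove-ItemProperty -Path <key> -Name <value>`, and only then delete the file.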
Prevention
- Stop storing passwords in your browser. Use a dedicated password manager like Bitwarden, 1Password, or KeePassXC. These tools encrypt the vault under a master password that you type, so unlike the browser's store (which Windows will decrypt for any program running as you) a locked vault on disk is useless to a stealer. Lock it when you step away rather than leaving it open all day.
- Enable two-factor authentication (2FA) everywhere. Even if a stealer harvests your password, 2FA requires a second proof of identity (app code, SMS, or hardware key) that the attacker won't have. Prioritize 2FA for email, banking, and any account that can initiate password resets for other services.
- Never enable macros in unsolicited Office documents. If you receive an unexpected email with a Word or Excel attachment asking you to "enable editing" or "enable content," delete it. Legitimate business documents rarely require macros, and a macro-enabled spreadsheet is exactly how CERT-UA reported GIFTEDCROOK being delivered.
- Keep Windows and browsers fully patched. Enable automatic updates for both your operating system and all installed browsers. Many stealer campaigns exploit known vulnerabilities that were patched months ago—staying current closes these entry points.
- Run reputable antivirus with real-time protection. Microsoft Defender (built into Windows 10/11 at no cost) or a paid product such as Malwarebytes Premium provides real-time behavioral monitoring that can catch stealers before they execute. Keep definitions updated and don't disable your AV to "speed up" your computer.
- Be skeptical of software download sites and "free" installers. Download software only from official vendor websites or the Microsoft Store. Third-party download portals and torrent sites frequently bundle malware with legitimate installers. If you didn't pay for commercial software, assume the "cracked" version is infected.
- Review browser extensions regularly. Stealers sometimes arrive disguised as browser add-ons. Open your browser's extension manager monthly and remove anything you don't actively use or don't remember installing. Check reviews and permissions before installing new extensions.
- Monitor your accounts for unauthorized access. Enable login alerts for email and banking accounts. If you receive a notification about a login from an unfamiliar location or device, change your password immediately and assume your credentials have been stolen.
Bring It In
GIFTEDCROOK infections demand immediate, expert attention. Unlike ransomware that announces itself, credential stealers work silently—by the time you notice symptoms, your accounts may already be compromised. Our technicians have handled dozens of stealer infections and know exactly where these threats hide: the registry persistence keys, the AppData remnants, the Telegram bot configurations buried in memory. We run multi-pass scans with commercial-grade tools, manually verify that no backdoor components remain, and walk you through the password-change process so you don't accidentally re-compromise your accounts. Most GIFTEDCROOK removals take 2–3 hours; we'll call you with results the same day you drop off your machine.
We're located at 1753 Hembree Road in Roswell—just off Holcomb Bridge Road near the Publix shopping center. Walk-ins are welcome Monday through Saturday, or call us at (770) 869-7969 to schedule a specific time. Bring your computer, tell us when you first noticed suspicious activity (account lockouts, password failures, strange login alerts), and we'll take it from there. If your machine is critical and you can't afford downtime, ask about our express service—we'll prioritize your repair and have you back up and running by end of business the same day. Don't let stolen credentials turn into drained bank accounts or identity theft. Bring it in, and let's get your system and your accounts secured.