CTI Roundup: GIFTEDCROOK, ESET H1 2025 Threats, Jasper Sleet
GIFTEDCROOK evolves into an intelligence gathering tool, a new report reveals a rise in sophisticated threats during H1 2025, and Jasper Sleet uses remote IT workers to infiltrate organizations
In this week’s roundup, Tanium’s Cyber Threat Intelligence (CTI) team examines the recent evolution of GIFTEDCROOK malware. Next up, the team reviews the leading cyber threats from the first half of 2025 based on a new report from ESET. Finally, we investigate how the North Korean threat actor Jasper Sleet is using remote IT workers to infiltrate corporate environments.
GIFTEDCROOK malware evolves from browser stealer to intelligence-gathering tool
According to Arctic Wolf, the cyber espionage group UAC-0226 has significantly upgraded its GIFTEDCROOK malware, shifting its functionality from a basic browser infostealer to a tool capable of broader intelligence collection. This development coincides with recent geopolitical events, including the Ukraine-Russia peace negotiations in Istanbul.
Earlier this year, CERT-UA reported on GIFTEDCROOK v1, which was designed to steal browser data and was used in campaigns targeting Ukraine. In May 2025, shortly after the negotiations between Ukraine and Russia began, GIFTEDCROOK v1.2 was deployed.
How GIFTEDCROOK works
The malware is typically delivered through spear-phishing campaigns. These emails originate from a hosting provider whose sending domain publishes a Sender Policy Framework (SPF) record ending in “?all” (the neutral qualifier), which weakens the target’s ability to reject spoofed mail.
Arctic Wolf also observed a second campaign in which the phishing email included a PDF attachment with a link that ultimately dropped the NetSupport RAT malware.
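The “?all” qualifier mentioned above is SPF’s neutral result, so receiving servers get no basis to reject unlisted senders. The following added example (not code from Arctic Wolf or this roundup) parses an SPF TXT record and rates the spoofing protection its terminating qualifier gives; it takes the record as a string, so it runs offline, and the record contents used in it are constructed.

```python
"""Classify the terminating "all" qualifier of an SPF TXT record."""

# RFC 7208 qualifiers: "+" pass, "-" fail, "~" softfail, "?" neutral.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse_spf(record):
    """Split an SPF record into (qualifier, mechanism) pairs and modifiers."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    mechanisms, modifiers, all_result = [], {}, None
    for term in terms[1:]:
        if "=" in term:  # modifier such as redirect= or exp=
            name, value = term.split("=", 1)
            modifiers[name.lower()] = value
            continue
        qualifier = "+"  # an unqualified mechanism means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanisms.append((qualifier, term))
        # The first "all" always matches, so later terms are never evaluated.
        if term.lower() == "all" and all_result is None:
            all_result = QUALIFIERS[qualifier]
    return {"mechanisms": mechanisms, "modifiers": modifiers, "all": all_result}

def spoof_protection(record):
    """Rate how much protection the record gives receivers against spoofing."""
    info = parse_spf(record)
    if info["all"] is None and "redirect" in info["modifiers"]:
        return "depends-on-redirect"  # policy is set by the redirect target
    # Without an "all" term, RFC 7208 treats unmatched senders as neutral.
    result = info["all"] or "neutral"
    return {
        "fail": "strong",       # -all: unlisted senders are rejected
        "softfail": "moderate", # ~all: unlisted senders are marked suspicious
        "neutral": "weak",      # ?all: no opinion, as in the GIFTEDCROOK campaign
        "pass": "none",         # +all: every sender is authorised
    }[result]
```

A "weak" or "none" rating on a sender domain is a reason to tighten inbound filtering (for example, to rely on DMARC/DKIM alignment rather than SPF alone) for mail from that domain.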
GIFTEDCROOK version overviews
- v1.0: A basic infostealer designed to extract browser data.
- v1.2: Introduced string encryption and the ability to identify and steal files based on extension type. It targets files up to 5MB that were modified within the last 15 days.
- v1.3: Builds on previous GIFTEDCROOK malware versions by combining browser data theft with file targeting. It uses a sleep evasion technique to bypass sandboxing, targets files modified within the last 45 days, and exfiltrates data via Telegram. It supports browsers like Edge, Chrome, and Firefox, and targets files under 7MB.
Analyst comments from Tanium’s Cyber Threat Intelligence team
GIFTEDCROOK’s evolution from a basic infostealer to a broader intelligence collection tool points to a high level of sophistication and adaptability on the part of UAC-0226.
As Arctic Wolf repeatedly points out, this campaign aligns with recent geopolitical events. Threat actors often time their operations this way to maximize impact and advance their strategic intelligence gathering. Given this, it’s likely that UAC-0226 and GIFTEDCROOK will continue to evolve.
New report reveals sharp rise in advanced threats during H1 2025
ESET recently released a threat report for the first half of 2025 that highlights the significant increase in advanced cyber threats across desktop and mobile platforms. Here are the key takeaways that shed light on the evolving threat landscape:
ClickFix surges in popularity
Once “virtually nonexistent,” ClickFix has rapidly grown into the second most common attack vector after phishing.
It is now being used to deliver a range of infostealers and is being leveraged by both cybercriminals and nation-state threat actors. While Windows users remain the primary target, macOS and Linux users have also been affected.
Related CTI coverage on ClickFix
This isn’t the first time we’ve seen this threat. Check out how it’s evolved in past CTI roundups—because staying ahead means staying informed:
- Published June 25, 2025: Latest insights on ClickFix’s role in multi-vector phishing operations
- Published April 30, 2025: Details how actors from North Korea, Iran, and Russia have used ClickFix to deliver malware via social engineering
- Published March 12, 2025: Covers a phishing campaign using SharePoint and Microsoft Graph API to deploy a modified Havoc Demon agent
- Published June 26, 2024: Highlights early use of ClickFix in large-scale phishing campaigns delivering Vidar Stealer, including TA571’s activity
SnakeStealer becomes most detected infostealer
Based on ESET telemetry, SnakeStealer has become the top-detected infostealer. Its rise coincides with a 57% drop in detection of Agent Tesla, which has fallen to fourth place after previously holding a top-ranking position.
Disruption efforts target Lumma Stealer and Danabot
In addition to tracking infostealer trends, ESET also contributed to disruption operations targeting Lumma Stealer and Danabot.
Following the Lumma Stealer operation, activity declined, though ESET has observed attempts to rebuild the malware. Danabot detections also dropped, indicating a successful takedown.
Analyst comments from Tanium’s Cyber Threat Intelligence team
ClickFix has been in the news quite often over the past several weeks and months, and ESET’s report makes it clear just how popular it has become. Its 517% increase is significant, especially as it marks a shift in actor strategy to exploit human behavior over technology.
ESET’s comprehensive report also highlights how quickly the threat landscape can adapt and evolve, and how today’s multi-vector threats span everything from desktops to mobile devices.
Jasper Sleet uses remote IT workers to infiltrate organizations
Microsoft has identified a sustained campaign by the North Korean threat actor Jasper Sleet, which involves impersonating freelance IT workers to gain access to corporate environments. These operations support the Democratic People’s Republic of Korea (DPRK)’s espionage objectives and rely on social engineering to secure remote employment.
In this campaign, North Korean IT workers aim to secure remote employment, perform job duties, and collect earnings—often used to support the North Korean regime. Microsoft notes that these workers have applied for roles across a wide range of global industries.
Building and reusing fake identities
Jasper Sleet’s tactics include creating or stealing identities, complete with resumes, email addresses, and social media accounts. The associated documents and accounts are tailored to match specific job posting requirements.
These personas are sometimes reused across multiple applications. To enhance credibility, the IT workers will also build digital footprints—such as GitHub profiles—to showcase prior work.
Use of AI to enhance deception
Microsoft observed the use of AI to enhance these personas, including the creation of profile photos, resumes, and email addresses. One public repository contained examples of these AI-generated assets, which were believed to be linked to North Korean IT workers. In addition to visual deception, the workers used AI-powered voice-masking tools to conceal their identities during remote interviews and communications.
The role of facilitators
Jasper Sleet has begun recruiting “facilitators” to assist IT workers with job acquisition and onboarding. These facilitators help create bank accounts, purchase SIM cards, register on job platforms, and arrange shipping addresses for equipment.
Tools for persistence and evasion
To maintain access and avoid detection, Jasper Sleet uses virtual private networks (VPNs), virtual private servers (VPSs), proxy services, and remote monitoring and management (RMM) tools to blend into organizational activity and establish persistence. Microsoft identified the use of JumpConnect, TinyPilot, RustDesk, TeamViewer, AnyViewer, and AnyDesk.
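Because the tools listed above are also used legitimately, the practical detection question is whether a remote-access tool is running on a host where it is not sanctioned. The added example below (not Microsoft’s or this roundup’s own code) flags process-creation events that launch one of those tools outside an allowlist and groups the hits per host; the executable-name fragments, the allowlist and the sample events are all constructed assumptions.

```python
"""Flag remote-access tool executions that are not approved for a host."""
from collections import defaultdict

# Assumed lowercase fragments of the executable name for each tool named
# in the Microsoft findings; verify them against your own software inventory.
# TinyPilot is a hardware KVM and never appears as a process, so it is absent.
RMM_SIGNATURES = {"anydesk": "AnyDesk", "teamviewer": "TeamViewer", "rustdesk": "RustDesk",
                  "anyviewer": "AnyViewer", "jumpconnect": "JumpConnect"}

# Constructed allowlist: which tools are sanctioned on which hosts.
APPROVED = {"it-jumphost": {"TeamViewer"}}

def identify_rmm(image):
    """Map a process image path to an RMM tool name, or None."""
    basename = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    for fragment, tool in RMM_SIGNATURES.items():
        if fragment in basename:
            return tool
    return None

def find_unapproved_rmm(events):
    """One finding per process-creation event that runs an unapproved tool."""
    findings = []
    for ev in events:
        tool = identify_rmm(ev.get("image", ""))
        if tool and tool not in APPROVED.get(ev["host"], set()):
            findings.append({"host": ev["host"], "user": ev["user"], "tool": tool})
    return findings

def tools_per_host(findings):
    """Group unapproved tools by host; several on one host is a stronger signal."""
    grouped = defaultdict(set)
    for f in findings:
        grouped[f["host"]].add(f["tool"])
    return {host: sorted(tools) for host, tools in grouped.items()}

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "dev-laptop-17", "user": "contractor01",
     "image": r"C:\Users\contractor01\AppData\Local\AnyDesk\AnyDesk.exe"},
    {"host": "dev-laptop-17", "user": "contractor01",
     "image": r"C:\Program Files\RustDesk\rustdesk.exe"},
    {"host": "it-jumphost", "user": "helpdesk",
     "image": r"C:\Program Files\TeamViewer\TeamViewer.exe"},
    {"host": "build-01", "user": "svc_build", "image": r"C:\Windows\System32\notepad.exe"},
]
```

In practice the events would come from endpoint telemetry (Sysmon event 1, EDR process starts, or Tanium sensor data) and the allowlist from the organisation’s approved-software list.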
Unsurprisingly, these IT workers will try to avoid any kind of face-to-face contact and stick to remote conversations to avoid being identified.
Analyst comments from Tanium’s Cyber Threat Intelligence team
Microsoft uses the name Jasper Sleet to “represent activity associated with North Korea’s remote IT worker program.” It also tracks additional North Korean threat clusters that employ similar tactics, techniques, and procedures (TTPs) to obtain employment and conduct related operations.
North Korean IT workers have been a concern for several years, and the threat shows no signs of slowing down. Threat actors are increasingly realizing they don’t need to hack or recruit insiders—getting hired directly into an organization can be just as effective.
Microsoft notes that AI is advancing this threat by making it more difficult for organizations to detect malicious actors.
To help defenders identify and respond to related activity, Microsoft provides several tools and capabilities, including investigative and monitoring actions, Defender alerts, and hunting queries. Additionally, its machine learning workflow can flag suspicious accounts potentially linked to North Korean IT workers.
Do you have insight into these stories that you want to share? Head over to Tanium’s discussion forum to start a conversation.
For further reading, catch up on our recent cyber threat intelligence roundups.