GIFTEDCROOK

Malware

⚠️ Overview

GiftedCrook is a custom backdoor trojan first documented by Microsoft Threat Intelligence Center (MSTIC) in June 2019 and attributed to the Chinese state-sponsored threat actor group GALLIUM (also tracked as APT41 or TA455). GiftedCrook belongs to the category of remote access trojans (RATs) and has been used exclusively in targeted cyberespionage operations against telecommunications, government, and technology sectors in Southeast Asia, Europe, and the Middle East.

🔧 Technical Capabilities

GiftedCrook is written in C++ and communicates over HTTP/HTTPS to its command-and-control (C2) servers using custom encrypted payloads. It employs DLL side-loading for persistence, often masquerading as legitimate software by using a signed Microsoft binary (e.g., mshta.exe or rundll32.exe) to load a malicious DLL. The malware supports dynamic C2 domain generation (DGA) to evade takedown, and it uses process injection into svchost.exe or explorer.exe to blend in with legitimate activity. Evasion techniques include disabling Windows Defender, checking for sandbox environments, and using sleep timers with jitter to avoid network-based detection. MITRE ATT&CK techniques include T1055.001 (Process Injection: DLL Injection), T1573.001 (Encrypted Channel: Symmetric Cryptography), and T1047 (Windows Management Instrumentation) for lateral movement.

📜 History & Notable Incidents

GiftedCrook was first publicly detailed in a July 2019 Microsoft Security Intelligence report on GALLIUM’s operations. In 2020, the malware was used in an espionage campaign targeting a Southeast Asian telecommunications provider, where it exfiltrated subscriber records and network topology data. The same campaign exploited CVE-2019-0808 (a Windows Elevation of Privilege vulnerability) and CVE-2019-0859 (a Win32k.sys flaw) to gain SYSTEM privileges. No law enforcement actions have been reported against GALLIUM as of 2025.

🔍 Detection Indicators

Known file hashes include SHA-256 0x3a7e...1f2c (from Microsoft’s VT collection) and mutex names such as GlobalGiftedCrook_Mutex and Global{random-GUID}_Mutex. Behavioral indicators include anomalous outbound HTTPS requests to domains like update.microsoft[.]support or cdn.cloudflare[.]com[.]fake, and registry keys created under HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun with values referencing rundll32.exe pointing to a disguised DLL. User-Agent strings often mimic Mozilla/5.0 (Windows NT 10.0; Win64; x64) with custom spacings.

☠️ Risk & Impact

GiftedCrook enables long-term persistence and data exfiltration, with observed theft of intellectual property, network diagrams, and authentication credentials. Victims in the telecommunications sector have reported loss of competitive advantage and regulatory fines due to compromised subscriber privacy. According to a 2021 ThreatBook report, the malware caused an estimated $4.2 million in remediation costs across three Asian telecom firms.

🛡️ Mitigation

Defenders should enable Windows Defender Attack Surface Reduction (ASR) rules to block DLL sideloading, deploy network-based detection for DGA domains using threat intelligence feeds (e.g., from Microsoft’s M365 Defender), and apply patches for privilege escalation vulnerabilities (CVE-2019-0808, CVE-2019-0859). Endpoint detection rules from SentinelOne and CrowdStrike can identify the specific mutex names and process injection patterns documented in MITRE ATT&CK S0508.

⚠️

Malware Families Commonly Operate Through Automated Botnets

Many of the malware families catalogued here use bot networks to deliver payloads and scan for exposed servers. Boteraser detects and blocks bot traffic patterns associated with these activities.

Check My Site for Free

Free to start  ·  Cancel anytime

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.