Obfuscation Without Effort: Breaking a GIFTEDCROOK Stealer
TLP: WHITE | Adversary: UAC-0226 | Author: AlienVault | Created: 2026-04-13 | Modified: 2026-04-13
8 IOCs (low volume)
A fresh GIFTEDCROOK stealer variant was identified as part of a UAC-0226 campaign targeting Ukraine. Initial access leverages CVE-2025-6218 and CVE-2025-8088 through a weaponized RAR archive containing a decoy PDF themed around military registry information. The attack chain uses an LNK file to execute obfuscated PowerShell code that decodes and deploys the payload. The stealer employs RC4 encryption to protect collected data, splits exfiltration into 133KB chunks, and reconstructs its C2 communication details at runtime. Despite heavy obfuscation (useless function calls, randomly named variables, and filler noise), the malware follows a straightforward execution flow: generating seed cookies, dispatching functions, encrypting data with RC4 under the key 'JtyIQxPND8G', and exfiltrating the stolen information over HTTP to the command-and-control server. The architecture demonstrates effective simplicity rather than sophisticated complexity.
Indicators of Compromise (2 / 8 total)
TYPE | INDICATOR     | DESCRIPTION | CREATED
CVE  | CVE-2025-6218 |             | 2026-04-13
CVE  | CVE-2025-8088 |             | 2026-04-13