GBHackers

Gremlin Stealer Hides C2 and Exfiltration Paths in Encrypted Resources


A newly identified variant of the Gremlin stealer malware is leveraging advanced obfuscation techniques to conceal its command-and-control (C2) infrastructure and data exfiltration logic within encrypted .NET resource sections.

This evolution highlights a significant shift toward stealth, modularity, and anti-analysis sophistication in modern infostealer campaigns.

Its targets include browser-stored credentials, session tokens, cryptocurrency wallets, clipboard data, and VPN or FTP credentials. The stolen data is packaged and exfiltrated to attacker-controlled infrastructure, where it may be sold or publicly leaked.

Researchers identified a new exfiltration endpoint hosted at hxxp[:]194.87.92[.]109. At the time of discovery, the infrastructure showed zero detections on VirusTotal, with no blocklist entries or community reports.

New Gremlin site (Source: Palo Alto).

Palo Alto Networks Unit 42 said in a report shared with GBHackers that Gremlin Stealer is actively distributed via underground Telegram channels and is designed to harvest sensitive data from compromised systems.

After data collection, Gremlin Stealer compresses the stolen artifacts into ZIP archives named after the victim's public IP address.

These archives typically include browser cookies, session tokens, clipboard content, cryptocurrency wallet data, and stored credentials, enabling attackers to easily identify and monetize victims.

Gremlin Stealer Hides C2

A key advancement in this variant is the relocation of its malicious payload into the .NET resource section. The payload is XOR-encoded, appearing as opaque data during static analysis.

Gremlin site published data (Source: Palo Alto).

This technique evades traditional signature-based detection and obscures critical indicators such as API calls and hardcoded URLs.

By applying a simple single-byte XOR decryption routine, researchers recovered the hidden configuration, revealing embedded C2 URLs and exfiltration paths.

This approach mirrors tactics used by other malware families such as Agent Tesla, LokiBot, GuLoader, and Quasar RAT.

XOR decryption on resource section (Source: Palo Alto).

Unlike earlier versions, which exposed readable code and function names, the latest Gremlin variant uses staged loading.

Malicious components are decrypted and executed in memory only when needed, forcing analysts to rely on dynamic debugging to observe behavior.

This version also introduces several functional upgrades:

  • Discord token extraction, targeting modern identity platforms.
  • Clipboard hijacking (crypto clipper), replacing wallet addresses in real time.
  • WebSocket-based session hijacking, enabling theft of live browser sessions.
  • Expanded targeting of Chromium-based browsers and in-memory data.

One analyzed sample (SHA256: 2172dae9a5a695e00e0e4609e7db0207d8566d225f7e815fada246ae995c0f9b) was protected using a commercial packing utility that employs instruction virtualization.

Packed Gremlin variant (Source: Palo Alto).

This method converts original code into a custom bytecode executed by a private virtual machine, significantly complicating reverse engineering.

Anti-Analysis Techniques

The malware incorporates multiple layers of obfuscation:

  • Identifier renaming: Functions and variables are reduced to meaningless labels (e.g., a, b, hf), removing context and complicating analysis.
  • String encryption: All sensitive strings are stored encrypted and retrieved via a decoder function at runtime, preventing keyword-based detection.
  • Control-flow obfuscation: Execution paths are intentionally convoluted using redundant logic, jumps, and loops to confuse analysts.

For example, a simple API call is hidden behind a decoding routine that reconstructs the string only during execution, masking indicators such as external IP lookup services.
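To show how an analyst recovers a single-byte XOR-encoded resource like the one described above (and, by the same mechanism, a runtime string decoder of this kind), here is an added Python example; it is not Unit 42's tooling or the malware's own code. The resource blob, the key 0x5A and the 192.0.2.10 address are constructed placeholders, not indicators from the report.

```python
# Added example (not Unit 42's or Gremlin's code): recover a single-byte-XOR
# encoded configuration blob from a .NET resource by trying all 256 keys and
# scoring each result for printable text and URL-like indicators.
import re
from typing import Optional

# Constructed sample: a fake configuration blob XOR-encoded with key 0x5A.
# 192.0.2.10 is a documentation-range address, not a real C2.
_PLAINTEXT = b"c2=http://192.0.2.10/i.php;zip_name=%IP%.zip;clip=on\x00"
SAMPLE_RESOURCE = bytes(b ^ 0x5A for b in _PLAINTEXT)

URL_RE = re.compile(rb"https?://[\w.\-]+(?::\d+)?(?:/[\w./\-%]*)?")


def xor_decode(data: bytes, key: int) -> bytes:
    """Single-byte XOR; the operation is its own inverse, so this also encodes."""
    return bytes(b ^ key for b in data)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII, whitespace or NUL padding."""
    ok = sum(1 for b in data if 32 <= b < 127 or b in (0, 9, 10, 13))
    return ok / len(data) if data else 0.0


def recover_key(data: bytes) -> Optional[int]:
    """Return the key whose decoding looks like text and contains a URL, else None."""
    best_key, best_score = None, 0.0
    for key in range(256):
        candidate = xor_decode(data, key)
        score = printable_ratio(candidate)
        if URL_RE.search(candidate):
            score += 1.0  # a readable URL is the strongest signal of a correct key
        if score > best_score:
            best_key, best_score = key, score
    return best_key if best_score >= 0.9 else None


def extract_urls(data: bytes) -> list[str]:
    """Decode the blob with the recovered key and pull out embedded URLs."""
    key = recover_key(data)
    if key is None:
        return []
    return [m.decode() for m in URL_RE.findall(xor_decode(data, key))]


if __name__ == "__main__":
    k = recover_key(SAMPLE_RESOURCE)
    print(f"key=0x{k:02x}", extract_urls(SAMPLE_RESOURCE))
```

On a real sample, replace SAMPLE_RESOURCE with the raw bytes of the suspicious resource (for example, one extracted with a .NET resource dumper) and treat any URL that emerges as a candidate indicator to validate, not as confirmed infrastructure.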

Palo Alto Networks reports that its security ecosystem provides protection against Gremlin stealer, including Network Security, Cortex XDR, XSIAM, Advanced WildFire, Advanced Threat Prevention, Advanced URL Filtering, and DNS Security.

Organizations suspecting compromise are advised to contact the Unit 42 Incident Response team for investigation and remediation.

The continued evolution of Gremlin stealer underscores a broader trend in cybercrime: the transition from basic credential harvesting to highly modular, evasive malware capable of real-time financial fraud and session hijacking.

IOCs

SHA256 hashes


URLs

  • hxxp[:]194.87.92[.]109/i.php

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
