GBHackers

Gremlin Stealer Hides Payloads in .NET Resources to Evade Detection


A newly discovered variant of the Gremlin Stealer is raising concerns among security researchers by adopting stealth-focused techniques that significantly reduce its detection footprint.

Gremlin Stealer is an information-stealing malware actively sold on Telegram. It targets a wide range of sensitive data from infected systems, including payment card details, browser cookies, session tokens, cryptocurrency wallets, and stored FTP or VPN credentials.

Once collected, the data is packaged and exfiltrated to attacker-controlled infrastructure for resale or public leaks.

Researchers identified a newly deployed exfiltration server at hxxp[:]194.87.92[.]109, which initially showed zero detections on VirusTotal, highlighting its ability to bypass reputation-based defenses.

Palo Alto Networks said in a report shared with GBHackers that the malware now conceals its malicious payload inside .NET resource files, making it far harder for traditional security tools to identify suspicious behavior.


New Gremlin site (Source: Palo Alto).

After infection, the malware compresses stolen data into a ZIP archive labeled with the victim’s public IP address before uploading it to this server.

This stealthy rollout suggests attackers are prioritizing operational security, ensuring their infrastructure remains undetected during the early stages of the campaign.

Payloads in .NET Resources

One of the most notable advancements is the malware’s use of the .NET resource section to store its core payload. Instead of embedding readable code, the attackers encode the data using a simple XOR scheme, making it appear as random, opaque data.


Gremlin site published data (Source: Palo Alto).

When executed, the malware decrypts this hidden payload in memory, revealing command-and-control (C2) URLs and execution logic.

This technique mirrors methods used by well-known malware families like Agent Tesla and LokiBot, which also abuse resource sections to evade static analysis.

For example, instead of exposing a URL directly in the code, Gremlin stores encrypted bytes inside a resource file and decodes them only at runtime. This prevents analysts and antivirus engines from spotting known malicious strings during scanning.
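The runtime decoding described above can be inverted by an analyst who knows roughly what the decoded data should contain. The following is an added example, not code from the article or from Palo Alto's analysis: it recovers a short repeating XOR key from a resource-style blob by sliding a known-plaintext crib (here `http://`) across it. The sample key, blob and placeholder URL are constructed for the demonstration and are not taken from any real sample.

```python
from itertools import cycle

# Constructed sample, not taken from the real malware: a placeholder C2 URL as it
# might sit in a .NET resource, XOR-encoded with a two-byte repeating key.
SAMPLE_KEY = b"\x5a\x13"
SAMPLE_PLAINTEXT = b"http://c2.example.invalid/gate.php"
SAMPLE_BLOB = bytes(p ^ k for p, k in zip(SAMPLE_PLAINTEXT, cycle(SAMPLE_KEY)))


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call both encodes and decodes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def printable_ratio(data: bytes) -> float:
    """Fraction of printable-ASCII bytes, a cheap 'does this look like text' score."""
    return sum(32 <= b < 127 for b in data) / len(data) if data else 0.0


def minimal_period(key: bytes) -> bytes:
    """Collapse e.g. b'\\x5a\\x13\\x5a\\x13' to its shortest repeating unit."""
    for n in range(1, len(key) + 1):
        if len(key) % n == 0 and key[:n] * (len(key) // n) == key:
            return key[:n]
    return key


def recover_xor_keys(blob: bytes, crib: bytes = b"http://",
                     min_printable: float = 0.95) -> list[tuple[bytes, bytes]]:
    """Known-plaintext recovery of a short repeating XOR key.

    Slide the crib across the blob. For a guessed key length klen, the first
    klen crib bytes fix every key byte; the remaining crib bytes and a
    printable-text check on the whole decode then confirm or reject the guess.
    Key length is capped at half the crib so at least half of it is verified.
    Returns unique (key, plaintext) pairs.
    """
    hits = {}
    for klen in range(1, len(crib) // 2 + 1):
        for offset in range(len(blob) - len(crib) + 1):
            key = bytearray(klen)
            for i in range(klen):
                key[(offset + i) % klen] = blob[offset + i] ^ crib[i]
            plain = xor_bytes(blob, bytes(key))
            if plain[offset:offset + len(crib)] != crib:
                continue
            if printable_ratio(plain) < min_printable:
                continue
            hits.setdefault(minimal_period(bytes(key)), plain)
    return sorted(hits.items())


if __name__ == "__main__":
    for key, plain in recover_xor_keys(SAMPLE_BLOB):
        print(f"key={key.hex()} -> {plain.decode('ascii', 'replace')}")
```

On a real sample the blob would be the raw bytes pulled from the .NET resource, and the crib any string the analyst expects in the decoded data.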


XOR decryption on resource section (Source: Palo Alto).

Compared to earlier versions, the latest Gremlin variant introduces a staged execution model. Critical functions are only decrypted and loaded into memory when needed, forcing analysts to rely on dynamic analysis rather than static inspection.

The malware also employs multiple layers of obfuscation:

  • Identifier renaming replaces meaningful function and variable names with random characters, removing context.
  • String encryption hides all important data, including URLs and API endpoints, behind a custom decoding routine.
  • Control-flow obfuscation introduces complex, misleading execution paths that slow down reverse engineering.

Additionally, one sample analyzed by researchers was protected using a commercial packing utility that implements instruction virtualization. This converts the original code into a custom bytecode executed by a private virtual machine, further complicating analysis.

Gremlin Stealer has evolved beyond basic credential harvesting into a modular toolkit. New capabilities include Discord token theft, enabling attackers to hijack user identities and accounts, and WebSocket-based session hijacking, which extracts live session data directly from browser memory.

One iteration of Gremlin Stealer (SHA256 2172dae9a5a695e00e0e4609e7db0207d8566d225f7e815fada246ae995c0f9b) was packed using such a packing utility.

Packed Gremlin variant (Source: Palo Alto).

A particularly dangerous addition is its crypto clipper module. This feature monitors clipboard activity and replaces cryptocurrency wallet addresses with attacker-controlled ones in real time, enabling silent financial theft during transactions.

Palo Alto Networks reports that its security stack, including Cortex XDR, XSIAM, Advanced WildFire, and Advanced Threat Prevention, provides protection against Gremlin Stealer activity.

Organizations are advised to monitor unusual outbound traffic, inspect memory-resident behavior, and apply advanced endpoint detection tools to identify similar threats.

The rapid evolution of Gremlin Stealer underscores a broader trend: commodity malware is becoming increasingly sophisticated, borrowing techniques once reserved for advanced threat actors.
