New Gremlin Stealer Advertised on Hacker Forums Targets Credit Card Data and Login Credentials

A formidable new information-stealing malware dubbed Gremlin Stealer has surfaced in the cybercrime underground, actively promoted since mid-March 2025 on platforms like the Telegram channel CoderSharp.

Discovered by Unit 42 researchers at Palo Alto Networks, this malware, crafted in C#, poses a significant risk to individuals and organizations by targeting a wide array of sensitive data, including credit card information, browser cookies, and login credentials.

Its ongoing development and aggressive advertisement by its authors signal a persistent and evolving threat within the digital ecosystem.

Gremlin Stealer login page.

Sophisticated Data Exfiltration Techniques

Gremlin Stealer is engineered to pilfer data from multiple sources on compromised systems, employing advanced techniques to bypass security mechanisms such as Chrome’s cookie V20 protection.

The malware meticulously extracts data from popular browsers, both Chromium- and Gecko-based, along with cryptocurrency wallets, FTP and VPN credentials, and session data from applications like Telegram and Discord.

It also harvests system information, clipboard content, and screenshots, compiling this stolen data into ZIP archives stored in the LOCAL_APP_DATA folder before exfiltrating it to a configurable web server at IP address 207.244.199.46.

This server, bundled with the malware purchase, features a user-friendly portal displaying stolen data archives, underscoring the professional nature of this cybercriminal operation.

Technical analysis reveals specific functions like GetCookies and ChromiumBrowsers, which adeptly handle encrypted cookie data, while routines targeting cryptocurrency wallets duplicate critical files such as wallet.dat for later extraction.

Additionally, the malware uses a hard-coded Telegram bot API to facilitate data uploads, employing HTTP POST requests to transmit ZIP files containing victims’ sensitive information, highlighting its streamlined and automated exfiltration process.
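As an added defender-side example (not from the article or from Unit 42's report), the following Python scans constructed proxy log lines for the two exfiltration channels described above: HTTP POST uploads through the Telegram Bot API's sendDocument method, and traffic to the 207.244.199.46 server named in the article. The log format, sample lines and bot token are constructed; the /bot<token>/<method> path shape is the public Telegram Bot API's documented form.

```python
import re
from urllib.parse import urlparse

# Exfiltration server quoted in the article.
GREMLIN_C2_HOSTS = {"207.244.199.46"}
# Telegram Bot API file uploads go to /bot<token>/sendDocument.
TELEGRAM_SEND_DOC = re.compile(r"^/bot[0-9]+:[A-Za-z0-9_-]+/sendDocument$")
ZIP_TYPES = {"application/zip", "application/x-zip-compressed"}
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

# Constructed proxy log (not real traffic): ts src method url content-type bytes
SAMPLE_LOG = """\
2025-03-20T10:01:02Z 10.0.0.5 GET https://example.org/index.html text/html 0
2025-03-20T10:01:09Z 10.0.0.5 POST https://api.telegram.org/bot123456:ABC-def_ghi/sendDocument multipart/form-data 481203
2025-03-20T10:02:11Z 10.0.0.5 POST http://207.244.199.46/upload application/zip 512000
2025-03-20T10:03:00Z 10.0.0.7 POST https://api.telegram.org/bot987:xyz/sendMessage application/json 120
"""

def parse_line(line):
    """Split one constructed log line into a record with the URL host and path."""
    ts, src, method, url, ctype, nbytes = line.split()
    u = urlparse(url)
    return {"ts": ts, "src": src, "method": method, "host": u.hostname or "",
            "path": u.path, "ctype": ctype, "bytes": int(nbytes)}

def classify(rec):
    """Return the list of detection reasons that apply to one record."""
    reasons = []
    if rec["host"] in GREMLIN_C2_HOSTS:
        reasons.append("known-gremlin-exfil-server")
    # A file upload via the Telegram Bot API from a workstation is rarely legitimate.
    if (rec["method"] == "POST" and rec["host"] == "api.telegram.org"
            and TELEGRAM_SEND_DOC.match(rec["path"])):
        reasons.append("telegram-bot-file-upload")
    # A ZIP body POSTed straight to a bare IP matches the archive-to-web-server pattern.
    if rec["method"] == "POST" and rec["ctype"] in ZIP_TYPES and IPV4.match(rec["host"]):
        reasons.append("zip-post-to-bare-ip")
    return reasons

def scan(log_text):
    """Return (line_number, reasons) for every log line that triggers a rule."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        reasons = classify(parse_line(line))
        if reasons:
            hits.append((n, reasons))
    return hits

if __name__ == "__main__":
    for n, reasons in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(reasons)}")
```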

Widespread Implications and Protective Measures

The implications of Gremlin Stealer are profound, with its ability to steal vast datasets from victims’ machines, evidenced by the 14 ZIP archives currently hosted on its server as reported by Unit 42.

These archives, accessible for download or deletion via the malware’s web interface, represent a treasure trove of compromised data, ranging from financial details to personal credentials, posing severe risks of identity theft and financial loss.

The malware’s focus on bypassing modern browser protections and targeting niche applications like Steam and specific VPN clients demonstrates a calculated approach to maximizing data theft.

For protection, Palo Alto Networks offers robust defenses through its Network Security solutions and Cortex products, including Cortex XDR and XSIAM, alongside tools like Advanced WildFire and Advanced Threat Prevention.

Users suspecting compromise are urged to contact the Unit 42 Incident Response team for immediate assistance. As Gremlin Stealer continues to evolve, proactive monitoring and layered security strategies remain critical to mitigating this threat.

The broader cybersecurity community must remain vigilant, as stealers like Gremlin represent a growing segment of the threat landscape, necessitating continuous updates to detection and prevention mechanisms to safeguard digital assets against such sophisticated adversaries.
