Gremlin Stealer Evolves into Modular Toolkit with Advanced Evasion Tactics
The Gremlin stealer has evolved into a sophisticated, modular threat that uses advanced obfuscation and new financial-theft modules to evade detection and hijack user sessions.

The Gremlin stealer, an infostealer that first appeared in April 2025, has undergone a significant transformation into a modular, highly evasive threat. According to researchers at Palo Alto Networks' Unit 42, the malware has evolved from a basic credential harvester into a sophisticated toolkit designed to bypass modern security defenses and perform real-time financial theft (Infosecurity Magazine; Unit 42).
The latest iteration of Gremlin focuses heavily on stealth, employing advanced obfuscation to evade static analysis. Malware authors have shifted the primary malicious payload into the .NET Resource section, masking it with XOR encoding to circumvent signature-based detection and heuristic scanning (Unit 42). Furthermore, the malware utilizes a staged loading mechanism where critical functions are only decrypted and mapped into memory when required, forcing security analysts to rely on complex dynamic debugging to observe the malware's behavior (Unit 42).
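For analysts triaging a resource blob like the one described above, the following added example (not code from Unit 42 or the malware) shows two static checks: Shannon entropy as a signal that a resource is encoded, and recovery of a single-byte XOR key by testing whether the decoded bytes form a PE image. The single-byte key length and the embedded sample are assumptions; the sample is a constructed PE-shaped buffer, not a real executable.

```python
# Triage helper for XOR-masked payloads stored in .NET resources (added example).
# Assumes a single-byte XOR key; the article does not state the key length.
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; packed or encoded blobs usually score above ~7.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_pe(data: bytes) -> bool:
    """True if the buffer has an MZ stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_single_byte_xor(blob: bytes):
    """Return (key, decoded) for the first key that yields a PE image, else None."""
    for key in range(256):
        decoded = bytes(b ^ key for b in blob)
        if looks_like_pe(decoded):
            return key, decoded
    return None


def build_fake_pe() -> bytes:
    """Constructed minimal PE-shaped buffer for the demo (not a real executable)."""
    stub = bytearray(b"MZ" + b"\x00" * 0x3A)
    stub += (0x80).to_bytes(4, "little")           # e_lfanew -> offset 0x80
    stub += b"This program cannot be run in DOS mode.\r\n$"
    stub += b"\x00" * (0x80 - len(stub))
    stub += b"PE\x00\x00" + b"\x4c\x01"              # signature + i386 machine
    return bytes(stub) + bytes(range(256)) * 2      # filler to raise entropy


# Constructed sample: the fake image masked with key 0x5A, as it might sit in a resource.
SAMPLE_KEY = 0x5A
ENCODED_RESOURCE = bytes(b ^ SAMPLE_KEY for b in build_fake_pe())

if __name__ == "__main__":
    print(f"entropy: {shannon_entropy(ENCODED_RESOURCE):.2f} bits/byte")
    hit = recover_single_byte_xor(ENCODED_RESOURCE)
    print("no single-byte key found" if hit is None else f"key=0x{hit[0]:02x}")
```

In practice the input would come from a resource enumerated out of the .NET assembly; a multi-byte or rolling key would defeat this brute force, which is where the dynamic analysis the article describes takes over.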
Beyond its improved evasion, the malware has gained new functional modules. It now includes a dedicated capability to extract Discord tokens, which can be leveraged for social engineering attacks against digital identities (Infosecurity Magazine). Additionally, the stealer has introduced a "crypto clipper" module that monitors the victim's clipboard for cryptocurrency wallet addresses. When a match is found, the malware swaps the address with one controlled by the attacker, redirecting funds in real time (Infosecurity Magazine). The variant also features WebSocket-based session hijacking, allowing attackers to bypass standard cookie protections and gain immediate access to authenticated browser sessions (Infosecurity Magazine).
The malware targets a wide array of sensitive information, including browser cookies, session tokens, clipboard contents, cryptocurrency wallet data, and FTP or VPN credentials. Once harvested, this data is bundled into a ZIP archive, named after the victim's public IP address, and exfiltrated to an attacker-controlled server (Infosecurity Magazine; Unit 42). Researchers identified a new exfiltration site at `hxxp[:]194.87.92[.]109`, which, at the time of discovery, had zero detections on VirusTotal, indicating that the infrastructure was entirely unknown to security vendors (Unit 42).
While the core architecture for exfiltration via private web panels or the Telegram Bot API remains consistent with older versions, the shift toward modularity and aggressive financial interference marks a significant escalation in the threat's capabilities (Infosecurity Magazine). Palo Alto Networks notes that its customers are protected through various solutions, including Cortex XDR, XSIAM, and Advanced WildFire, and advises those potentially compromised to contact the Unit 42 Incident Response team (Unit 42).
The evolution of Gremlin reflects a broader trend in the malware landscape, where threat actors are increasingly adopting techniques, such as hiding payloads in resource sections, previously popularized by high-profile families like Agent Tesla, GuLoader, and LokiBot (Unit 42). As these tools become more modular and difficult to detect, the focus for defenders must shift toward robust dynamic analysis and behavioral monitoring to identify these threats before they successfully exfiltrate data.