Gremlin Stealer's Evolved Tactics: Hiding in Plain Sight With Resource Files Threat Research Center Threat Research Malware Malware min read Related Products Advanced DNS Security Advanced Threat Prevention Advanced URL Filtering Advanced WildFire Cloud-Delivered Security Services Cortex Cortex XDR Cortex XSIAM Unit 42 Incident Response By: Pranay Kumar Chhaparwal Mark Lim Published: May 15, 2026 Categories: Malware Threat Research Tags: API Cryptocurrency Gremlin stealer Obfuscation Payload Telegram VirusTotal Executive Summary This article examines new obfuscation techniques the Gremlin stealer malware uses to conceal malicious payloads within embedded resources.
We analyze a variant protected by a sophisticated commercial packing utility that employs instruction virtualization, transforming the original code into a custom, non-standard bytecode executed by a private virtual machine. Gremlin stealer siphons sensitive information from compromised systems and exfiltrates it to attacker‑controlled servers for potential publication or sale. It targets web browsers, system clipboard and local storage to exfiltrate sensitive information like: Payment card details Browser cookies Session tokens Cryptocurrency wallet data FTP and VPN credentials This threat has rapidly evolved, incorporating new anti-analysis safeguards into recent builds.
Palo Alto Networks customers are better protected from Gremlin Stealer through our Network Security solutions and Cortex line of products, including: Cortex XDR XSIAM Advanced WildFire Advanced Threat Prevention Advanced URL Filtering Advanced DNS Security If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team . Related Unit 42 Topics Infostealer , Telegram , Cryptocurrency New Gremlin Site for Publishing Data Using data from our internal threat intelligence, we identified a new Gremlin stealer variant.
This variant exfiltrates stolen data to a newly deployed site at hxxp[:]194.87.92[.]109 as shown in Figure 1. Figure 1. New Gremlin site. At the time of discovery, VirusTotal showed zero detection for this new Gremlin site hxxp[:]194.87.92[.]109 , its associated URLs or any retrieved artifacts. There were no block list entries, community reports or malicious categorizations as shown in Figure 2. Figure 2.
Gremlin Stealer’s new site detection on VirusTotal. After data theft, the malware bundles harvested artifacts into a ZIP archive, including: Clipboard contents The malware names the file using the victim’s public IP address to identify the source, and then uploads it to the attacker-controlled site, as shown in Figure 3. Figure 3. Gremlin site published data. Technical Analysis In this section, we present a comparative analysis of older and newer Gremlin stealer variants, highlighting the key changes and describing our process for extracting the final-stage payloads.
Hiding Payload in Resource The latest iteration of the Gremlin stealer has an increased focus on stealth, specifically designed to evade static analysis tools. In this version, the malware authors have shifted the malicious payload into the .NET Resource section, masking it with XOR encoding to bypass signature-based detection and heuristic scanning. Figure 4 shows how the resource section appears as an opaque block of data, hiding strings and API calls that would otherwise trigger alerts.
Figure 4. Resource section. By applying a single-byte XOR decryption routine, we recovered the plain-text configuration. Figure 5 shows that this reveals the hard-coded command-and-control (C2) URLs and exfiltration paths. Figure 5. XOR decryption on resource section. Gremlin stealer uses the resource section to mirror the tactics of several high-profile malware families that frequently use this area for payload obfuscation, including: Agent Tesla GuLoader LokiBot Quasar RAT Comparison with Older Version Comparing past and present versions reveals a clear evolution in Gremlin stealer’s anti-analysis techniques.
Legacy samples (shown in Figure 6) lacked obfuscation, leaving function exports and internal symbols intact. Figure 6. Gremlin older version vs. latest version. The current iteration implements a staged loading mechanism. Each critical function is decrypted and mapped into memory from the .NET resource section only when needed. This method forces analysts to perform dynamic debugging to observe any meaningful program behavior.
Key Enhancements in the Latest Variant Gremlin stealer’s evolution from a basic credential harvester to a modular toolkit is evident in several key architectural upgrades: Expanded target scope : Gremlin stealer includes a dedicated Discord token extraction module, which signifies a pivot toward targeting digital identity and social engineering. Active financial fraud : The latest variant shifts from passive data theft to active financial interference.
This crypto clipper functionality continuously monitors the system clipboard for strings matching cryptocurrency wallet patterns. When it detects a match, the malware replaces the victim's address with the attacker’s wallet in real time, diverting funds during transactions. Advanced persistence : The WebSocket-based session hijacking module represents its most significant technical upgrade. This allows Gremlin stealer to hijack active, live browser sessions and bypass modern cookie protections by requesting the data directly from the running browser process.
Sample Packed Using a Complex Commercial Packing Utility We uncovered an iteration of Gremlin stealer ( SHA256 2172dae9a5a695e00e0e4609e7db0207d8566d225f7e815fada246ae995c0f9b ) packed using a packing utility, as shown in Figure 7 below. Figure 7. Packed Gremlin variant. Let’s discuss the obfuscation and anti-analysis techniques this variant uses. Code Obfuscation and Anti Analysis Identifier Renaming (The “No-Labels” Technique) Imagine trying to cook in a kitchen where every can, box and spice jar has its label replaced with a random, short name like a, b, c, hf ze .
The malware authors applied this technique to the variant’s code. What it is: They replaced every meaningful name for a class, method or variable with a meaningless one. Why it's effective: It removes all context. A method originally named StealPasswordsFromChrome might become a() . A variable named decryptionKey might become b. This forces an analyst to manually trace every single function call to figure out its purpose, which is incredibly time-consuming.
Example: In the file hf.cs , the main orchestrator class is named hf , and its primary methods are a, b c . In bb.cs , the class for stealing browser data is BrowserCredentialStealer , but in the original obfuscated code, it was just bb . String Encryption (The “Secret Decoder Ring” Technique) In this technique, malware authors made readable strings appear as gibberish. Instead of writing a word like password or a URL like hxxps://api[.]telegram[.]org directly in the code, the malware stores them encrypted.
What it is: All important strings are hidden. The code only contains numbers that act as a key to a secret decoder function. When the program needs a string, it passes these numbers to the decoder, which then returns the real string. The decoder ring function: The secret decoder is the method _003CModule_003E.c(int, int, int) . It takes three integers as input It uses these numbers to calculate an offset and a length It opens an embedded resource file (named resource in the .csproj file) which contains all the encrypted strings It seeks the calculated offset, reads the specified number of encrypted bytes and uses the third integer as a key to decrypt them It returns the final, readable string Why it's effective: It completely hides the malware's intentions from static analysis.
Analysts cannot simply search the code for suspicious keywords like Telegram, wallet.dat api.ipify[.]org because they don't exist in plain text. Instead, analysts must either run the program in a debugger to see what strings are produced or reverse-engineer the decoder function. Example: A line like this from the original code: csharp // This is what the obfuscated code looks like string url = global::_003CModule_003E.c(18829, 2178, 23); When executed, the function would run its decoding operation, and the URL variable would then contain: csharp // This is the real value at runtime string url = "http://api.ipify.org/?format=json"; Control-Flow Obfuscation (The “Maze of Useless Roads” Technique) This technique makes the code's logic intentionally confusing, like turning a straight road into a maze of dead ends and pointless loops that all eventually lead to the same place.
What it is: The decompiler output is filled with complex and nonsensical if-else statements, goto jumps and mathematical operations that don't actually affect the outcome. These are designed to confuse both human analysts and automated analysis tools. Why it's effective: It breaks the logical flow that a person would expect to see. It makes it hard to determine which path the code will actually take, even though in many cases, there's only one real path.
This significantly increases the time and effort required for reverse engineering. Example: There are many switch statements and goto labels (e.g., IL_00c8, IL_0138 ) that create a tangled web of execution, even though the underlying logic is a simple sequence of await Task.Run(...) . Conclusion While the core architecture and exfiltration methods via private web panels or the Telegram Bot API remain consistent, this latest variant of Gremlin stealer represents an evolution into a more complex threat.
By transitioning from a simple data exfiltration tool to a more advanced modular stealer, Gremlin now targets Chromium-based browsers. It uses memory-resident techniques to hijack active session tokens and sensitive data directly from running processes, rather than relying solely on static database files. This threat’s scope has broadened, as evidenced by a dedicated Discord token stealer. This module scans multiple paths and uses regex validation to compromise modern communication platforms.
The malware’s author has also added a clipboard hijacker. This new monetization feature enables persistent financial fraud. It continuously monitors the clipboard, replacing cryptocurrency wallet addresses with attacker-controlled ones. Palo Alto Networks Protection and Mitigation Palo Alto Networks customers are better protected from the threats discussed above through the following products: machine-learning models and analysis techniques have been reviewed and updated in light of the IoCs shared in this research. identify known domains and URLs associated with this activity as malicious. has an inbuilt machine learning-based detection that can detect exploits in real time. are designed to: Prevent the execution of known malicious malware, and also prevent the execution of unknown malware using Behavioral Threat Protection and machine learning based on the Local Analysis module.
Protect against credential gathering tools and techniques using the new Credential Gathering Protection available from Cortex XDR 3.4. Detect post-exploit activity, including credential-based attacks, with behavioral analytics, through Cortex XDR Pro. If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call: North America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42) UK: +44.20.3743.3660 Europe and Middle East: +31.20.299.3130 Asia: +65.6983.8730 Japan: +81.50.1790.0200 Australia: +61.2.4062.7950 India: 00080005045107 Indicators of Compromise SHA256 hashes of the Gremlin stealer samples analyzed for this article: 2172dae9a5a695e00e0e4609e7db0207d8566d225f7e815fada246ae995c0f9b 9aab30a3190301016c79f8a7f8edf45ec088ceecad39926cfcf3418145f3d614 971198ff86aeb42739ba9381923d0bc6f847a91553ec57ea6bae5becf80f8759 ab0fa760bd037a95c4dee431e649e0db860f7cdad6428895b9a399b6991bf3cd f76ba1a4650d8cafb6d3ff071688c5db6fd37e165050f03cece693826f51d346 a9f529a5cbc1f3ee80f785b22e0c472953e6cb226952218aecc7ab07ca328abd 691896c7be87e47f3e9ae914d76caaf026aaad0a1034e9f396c2354245215dc3 281b970f281dbea3c0e8cfc68b2e9939b253e5d3de52265b454d8f0f578768a2 9fda1ddb1acf8dd3685ec31b0b07110855832e3bed28a0f3b81c57fe7fe3ac20 d11938f14499de03d6a02b5e158782afd903460576e9227e0a15d960a2e9c02c 1bd0a200528c82c6488b4f48dd6dbc818d48782a2e25ccd22781c5718c3f62f5 URLs hxxp[:]194.87.92[.]109/i.php Additional Resources Gremlin Stealer: New Stealer on Sale in Underground Forum — Unit 42, Palo Alto Networks Tags API Cryptocurrency Gremlin stealer Obfuscation Payload Telegram VirusTotal Threat Research Center Next: Inside AD CS Escalation: Unpacking Advanced Misuse Techniques and Tools The npm Threat Landscape: Attack Surface and Mitigations (Updated May 1) When an Attacker Meets a Group of Agents: Navigating Amazon Bedrock's Multi-Agent Applications Iranian Cyber Threat Evolution: From MBR Wipers to Identity Weaponization Related Malware Resources Threat Research May 11, 2026 Inside AD CS Escalation: Unpacking Advanced Misuse Techniques and Tools Active Directory AD CS attacks Certificate template Read now High Profile Threats May 1, 2026 Credential Harvesting GitHub Npm packages April 30, 2026 That AI Extension Helping You Write Emails?
It’s Reading Them First AI browser Browser extension GenAI April 22, 2026 When Wi-Fi Encryption Fails: Protecting Your Enterprise from AirSnitch Attacks AirSnitch MitM April 17, 2026 Threat Brief: Escalation of Cyber Risk Related to Iran (Updated April 17) DDoS attacks April 8, 2026 Cracks in the Bedrock: Agent God Mode Agentcore AI agents April 7, 2026 Cracks in the Bedrock: Escaping the AWS AgentCore Sandbox Agentcore runtime April 6, 2026 Understanding Current Threats to Kubernetes Environments Audit logs Cloud Containers April 3, 2026 Amazon Bedrock Get updates from Unit 42 Peace of mind comes from staying ahead of threats.
Subscribe today. Your Email Subscribe for email updates to all Unit 42 threat research. By submitting this form, you agree to our Terms of Use and acknowledge our Privacy Statement. This site is protected by reCAPTCHA and the Google Privacy Policy Terms of Service apply. Invalid captcha! Subscribe Get the latest news, invites to events, and threat alerts Enter your email now to subscribe! Sign up By submitting this form, I understand my personal data will be processed in accordance with Palo Alto Networks Privacy Statement Terms of Use.
Products and Services AI-Powered Network Security Platform Secure AI by Design Prisma AIRS AI Access Security Cloud Delivered Security Services Enterprise Data Loss Prevention Enterprise IoT Security Medical IoT Security Industrial OT Security SaaS Security Next-Generation Firewalls Hardware Firewalls Software Firewalls Strata Cloud Manager SD-WAN for NGFW PAN-OS Panorama Secure Access Service Edge Prisma SASE Application Acceleration Autonomous Digital Experience Management Enterprise DLP Prisma Access Prisma Browser Prisma SD-WAN Remote Browser Isolation AI-Driven Security Operations Platform Cloud Security Cortex Cloud Application Security Cloud Posture Security Cloud Runtime Security Prisma Cloud AI-Driven SOC Cortex XSIAM Cortex XSOAR Cortex Xpanse Unit 42 Managed Detection & Response Managed XSIAM Next-Generation Identity Security Privileged Access Management Identity and Access Management Endpoint Privilege Manager Identity Governance Workforce Password Management Agentic Identities Secrets Management Unified Secrets Governance Application Credentials Delivery Vendor Privileged Access Threat Intel and Incident Response Services Proactive Assessments Incident Response Transform Your Security Strategy Discover Threat Intelligence Company About Us Careers Contact Us Corporate Responsibility Customers Investor Relations Location Newsroom Popular Links Blog Communities Content Library Cyberpedia Event Center Manage Email Preferences Products A-Z Product Certifications Report a Vulnerability Sitemap Tech Docs Unit 42 Do Not Sell or Share My Personal Information Your browser does not support the video tag.
Default Heading Read the article Seekbar Volume