Gremlin Stealer Evolves into Modular Threat

By Team-CWD, May 15, 2026
A new version of the Gremlin stealer has evolved from a basic credential harvester into a modular toolkit, according to researchers at Palo Alto Networks’ Unit 42.

The infostealer first emerged in April 2025; just 12 months later, recent builds have added new obfuscation techniques and new anti-analysis safeguards.

Gremlin stealer siphons sensitive information from compromised systems and exfiltrates it to attacker-controlled servers for potential publication or sale. It targets web browsers, the system clipboard and local storage.

The new variant has an increased focus on stealth and is specifically designed to evade static analysis tools, according to the research.

This includes the malware authors shifting the malicious payload into the .NET Resource section, masking it with XOR encoding to bypass signature-based detection and heuristic scanning.
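A defender-side way to spot that kind of masking, as an added example that is not from Unit 42 or the original article: brute-force every single-byte XOR key over a blob carved from a resource section and report the keys at which a PE header appears. The single-byte key, the sample blob and all function names are my assumptions; the article only says the payload is XOR-encoded.

```python
import struct

# Constructed sample: a minimal PE-shaped header (not an executable) that stands in
# for a resource blob carved from a .NET assembly. Assumption: the mask is a single
# repeated XOR byte; the article only says the payload is XOR-encoded.
_PLAIN_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 56            # e_magic, then padding up to offset 0x3c
    + b"\x80\x00\x00\x00"                    # e_lfanew = 0x80 (little-endian)
    + b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
    + b"This program cannot be run in DOS mode.\r\r\n$"
)
_PLAIN_SAMPLE += b"\x00" * (0x80 - len(_PLAIN_SAMPLE)) + b"PE\x00\x00"
SAMPLE_KEY = 0x5A
XORED_SAMPLE = bytes(b ^ SAMPLE_KEY for b in _PLAIN_SAMPLE)


def xor_single(data: bytes, key: int) -> bytes:
    """Apply a one-byte repeating XOR key."""
    return bytes(b ^ key for b in data)


def looks_like_pe(data: bytes) -> bool:
    """Cheap PE sanity check: 'MZ' magic and an e_lfanew that points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_xor_pe(blob: bytes):
    """Try all 256 single-byte keys; return (key, offset) pairs where the decoded
    blob contains a PE header. Key 0 means the blob was not masked at all."""
    hits = []
    for key in range(256):
        decoded = xor_single(blob, key)
        start = 0
        while (off := decoded.find(b"MZ", start)) != -1:
            if looks_like_pe(decoded[off:]):
                hits.append((key, off))
            start = off + 1
    return hits
```

Scanning from every "MZ" occurrence rather than offset 0 handles resources that carry a length prefix or other header before the payload; a multi-byte rolling key would need a longer key search than this shows.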

The core architecture and exfiltration methods via private web panels or the Telegram Bot API remain consistent with older versions.

New Data Publication Site

The new variant exfiltrates stolen data to a newly deployed site (hxxp[:]194.87.92[.]109).

What is troubling, according to Unit 42's analysis, is that when the researchers discovered the new data publication site, VirusTotal showed zero detections for the site, its associated URLs or any retrieved artifacts: there were no block list entries, community reports or malicious categorizations.

After data theft, the malware bundles harvested artifacts into a ZIP archive, including:

  • Browser cookies
  • Session tokens
  • Clipboard contents
  • Cryptocurrency wallet data
  • FTP and VPN credentials

The malware names the file using the victim’s public IP address to identify the source and then uploads it to the attacker-controlled site.

Key Enhancements in Latest Gremlin Variant

Analysts at Palo Alto Networks’ Unit 42 say the latest variant now includes a dedicated module to extract Discord tokens, which can be used to target digital identities through social engineering attacks.

At the same time, the malware has taken a more aggressive turn financially. Researchers observed the addition of “crypto clipper” functionality, enabling Gremlin to actively interfere with cryptocurrency transactions.

By monitoring the victim’s clipboard for wallet addresses and swapping them with attacker-controlled addresses, the malware can redirect funds in real time without the user’s knowledge.
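Detection logic for the clipboard-swapping behaviour described above, as an added example that is not taken from the article or from Unit 42's research: it replays a constructed sequence of clipboard snapshots and flags an address being replaced by a different address of the same family within a short window. On a live host the snapshots would come from a clipboard poller; the address patterns, the 2-second window and the sample values are all assumptions.

```python
import re

# Address shapes recognised by the detector (assumption: the article names no
# specific coin; these cover common Ethereum and Bitcoin formats).
ADDRESS_PATTERNS = {
    "eth": re.compile(r"0x[0-9a-fA-F]{40}"),
    "btc": re.compile(r"bc1[02-9ac-hj-np-z]{25,62}|[13][1-9A-HJ-NP-Za-km-z]{25,34}"),
}

# Constructed, syntactically valid addresses; none belong to anyone.
ETH_INTENDED = "0x" + "ab" * 20
ETH_SWAPPED_IN = "0x" + "cd" * 20
BTC_INTENDED = "bc1q" + "qpzry9x8gf2tvdw0s3jn54khce6mua7lqpzry9x8"
BTC_SECOND = "1ABCDEFGHJKLMNPQRSTUVWXYZabcdefghi"

# Constructed clipboard timeline: (seconds, clipboard text). The 200 ms rewrite
# at t=1.2 mirrors what a clipper does right after the user copies an address.
SAMPLE_SNAPSHOTS = [
    (0.0, "meeting notes"),
    (1.0, ETH_INTENDED),      # user copies the payee address
    (1.2, ETH_SWAPPED_IN),    # replaced without any user action
    (10.0, "grocery list"),
    (20.0, BTC_INTENDED),
    (30.0, BTC_SECOND),       # a second address copied 10 s later: not flagged
]


def address_family(text: str):
    """Return 'eth', 'btc' or None for the given clipboard text."""
    s = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.fullmatch(s):
            return family
    return None


def detect_clipper_swaps(snapshots, max_gap=2.0):
    """Flag a clipboard change where one address is replaced by a different
    address of the same family within max_gap seconds of being copied."""
    alerts = []
    prev_t, prev_text = None, None
    for t, text in snapshots:
        if prev_text is not None and text != prev_text:
            before, after = address_family(prev_text), address_family(text)
            if before is not None and before == after and t - prev_t <= max_gap:
                alerts.append({"family": before, "copied": prev_text,
                               "replaced_with": text, "gap": t - prev_t})
        prev_t, prev_text = t, text
    return alerts
```

This is a heuristic: a user who deliberately copies two addresses back to back would also trip it, so the same replacement address recurring across several swaps is the stronger signal worth correlating on.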

The updated version also introduces a WebSocket-based session hijacking capability, which allows attackers to hijack active browser sessions directly from the running process, bypassing modern cookie protections and giving them immediate access to authenticated accounts.

“This latest variant of Gremlin stealer represents an evolution into a more complex threat. By transitioning from a simple data exfiltration tool to a more advanced modular stealer, Gremlin now targets Chromium-based browsers,” the researchers noted.
