The Evolution of Gremlin Stealer: Sophisticated Stealth and Evasive Payload Techniques

Security researchers are sounding the alarm over a significant evolution in the Gremlin Stealer lineage. A newly identified variant has emerged, trading simple execution for high-level operational security (OPSEC) designed to slip under the radar of modern endpoint detection and response (EDR) systems.

Gremlin Stealer is a specialized information-stealing malware frequently traded within underground Telegram-based cybercrime ecosystems. Its primary mission is high-value data exfiltration, specifically targeting:

  • Financial assets (payment card details and cryptocurrency wallet files).
  • Authentication tokens (browser cookies and session tokens).
  • Infrastructure credentials (FTP, VPN, and remote access details).

Once the target is compromised, the malware aggregates this data, compresses it, and transmits it to remote command-and-control (C2) infrastructure for monetization or public disclosure.

A critical indicator of this new campaign is a recently discovered exfiltration server located at hxxp[:]194.87.92[.]109. Notably, initial scans of this infrastructure on VirusTotal yielded zero detections, a clear sign that attackers are prioritizing fresh, low-reputation infrastructure to bypass signature-based defenses.

According to a technical report from Palo Alto Networks’ Unit 42, the malware has transitioned to a more complex delivery method by concealing its malicious core within .NET resource files.

New Gremlin site (Source : Palo Alto).
New Gremlin infrastructure (Source: Unit 42).

The exfiltration workflow follows a systematic pattern: the malware archives the harvested data into a ZIP container, uniquely labeled with the victim’s public IP address to facilitate easy organization for the attacker, before uploading it to the C2 server.

Advanced Obfuscation: Payload Injection via .NET Resources

The most technical leap in this variant is its abuse of the .NET resource section. Rather than embedding raw, recognizable code that might trigger heuristic alarms, the attackers utilize a custom encoding scheme—specifically a simple XOR operation—to transform the payload into a blob of opaque, seemingly random data.

Gremlin site published data (Source : Palo Alto).
Encrypted data structures within Gremlin (Source: Unit 42).

This “living-off-the-land” style of obfuscation mirrors the tactics used by established malware families such as Agent Tesla and LokiBot. By decrypting the payload only within the system’s memory during runtime, the malware ensures that static analysis tools—which scan files on the disk—never see the true malicious intent, such as hardcoded C2 URLs or execution logic.

XOR decryption on resource section (Source : Palo Alto).
XOR decryption process observed in memory (Source: Unit 42).

Beyond the resource-based hiding, the latest iteration employs a staged execution model. This means the malware does not load its entire capability at once; instead, it fetches and decrypts specific functions only when required. This approach is bolstered by several layers of defensive coding:

  • Identifier Renaming: Stripping all semantic meaning from variables and functions to frustrate reverse engineers.
  • String Encryption: Protecting API endpoints and URLs behind custom decoding routines.
  • Control-Flow Obfuscation: Creating “spaghetti code” or non-linear execution paths to break automated de-compilers.

Perhaps most concerning is the discovery of a sample protected by a commercial packer utilizing instruction virtualization. This technique translates the original machine code into a proprietary, custom bytecode that can only be executed by a private, embedded virtual machine, making traditional disassembly almost impossible.

Packed Gremlin variant (Source : Palo Alto).
A Gremlin variant exhibiting high-level packing (Source: Unit 42).

Expanding Capabilities: From Identity Theft to Financial Fraud

Gremlin has transitioned from a simple scraper into a modular, multi-purpose toolkit. Its new modules allow for highly targeted attacks:

  • Identity Hijacking: Through Discord token theft and WebSocket-based session hijacking, attackers can bypass MFA by assuming the victim’s active web sessions.
  • Crypto-Clipping: A specialized module monitors the system clipboard. When it detects a cryptocurrency address, it instantly swaps it with the attacker’s address, facilitating seamless financial theft during transactions.

Defense & Mitigation:
To combat this evolving threat, security teams should move away from a reliance on static signatures. We recommend implementing behavioral-based detection, monitoring for unusual outbound network connections, and utilizing advanced memory inspection tools to catch decrypted payloads during runtime. The rise of Gremlin Stealer is a clear indicator that the line between commodity malware and advanced persistent threats (APTs) is rapidly blurring.

Related Articles

Back to top button