A newly analyzed variant of the Gremlin stealer malware has raised alarms by hiding its command-and-control (C2) addresses and data exfiltration paths inside encrypted resource sections of a compiled program.
This approach makes the malware harder to detect through traditional scanning, allowing it to operate silently on infected systems before stealing sensitive data.
Gremlin stealer first appeared on underground forums, sold as a ready-to-use credential theft tool. It targets web browsers, clipboard contents, and local storage to pull out payment card details, browser cookies, session tokens, cryptocurrency wallet data, and FTP and VPN credentials.
Once it gathers this data, the malware bundles everything into a ZIP archive named after the victim’s public IP address and quietly uploads it to an attacker-controlled web panel for download or resale.
Analysts at Unit 42, the threat intelligence division of Palo Alto Networks, said in a report shared with Cyber Security News (CSN) that they identified a new Gremlin variant pushing stolen data to a freshly deployed server at hxxp[:]194.87.92[.]109.
At the time of discovery, no security vendor on VirusTotal had flagged the site as malicious, meaning the infrastructure was running completely under the radar.
What makes this variant particularly concerning is how quickly it has evolved. Legacy Gremlin samples had no obfuscation at all, with function names and class labels left exposed in plain sight.
The latest builds show a sharp turn toward stealth, layering multiple anti-analysis tricks to frustrate both automated tools and human researchers.
The malware has also broadened what it targets. Beyond browser credentials and crypto wallets, it now includes a dedicated module to steal Discord tokens, giving attackers access to the victim’s online accounts.
A clipboard hijacker has also been added, silently swapping any cryptocurrency wallet address a victim copies with one controlled by the attacker, diverting funds in real time.
Gremlin Stealer Stores C2 URLs and Exfiltration Paths
The most significant technical change is where the malware stores its core configuration. Rather than embedding C2 URLs as readable strings, the authors have moved that data into the .NET resource section, scrambled with XOR encoding.
The resource block appears as a meaningless wall of raw data to any static analysis tool. When researchers applied a single-byte XOR decryption routine, they recovered the plaintext configuration including hard-coded server addresses and upload paths.
This technique mirrors tactics used by malware families like Agent Tesla, GuLoader, LokiBot, and Quasar RAT, which rely on the resource section to bury their payloads.
The current variant also uses a staged loading approach, meaning each function is only decrypted and placed into memory when needed.
This forces analysts to use live debugging tools to observe the malware’s actual behavior, since nothing meaningful shows up in a static review.
Deep Code Obfuscation Blocks Reverse Engineering
Beyond hiding C2 data in resources, this variant uses three distinct obfuscation layers to slow down analysis.
The first is identifier renaming, where every class, method, and variable has been swapped with a meaningless short label like a, b, hf, or bb, removing any context that would help a researcher understand what a function does.
The second layer is string encryption. Rather than writing readable words like “password” or server addresses directly in the code, the malware stores all strings encrypted and decodes them at runtime using an internal function.
Analysts searching for keywords like “Telegram” or “wallet.dat” will find nothing. The third layer is control-flow obfuscation, which floods the decompiled output with fake branches, pointless loops, and goto jumps that lead nowhere meaningful.
Even though the actual logic is often a simple sequence of steps, the surrounding noise makes the code appear extraordinarily complex.
Organizations are strongly advised to rely on behavioral detection tools rather than signature-based scanning alone, as this malware is specifically engineered to defeat static analysis.
Indicators of Compromise (IoCs):-
| Type | Indicator | Description |
|---|---|---|
| IP / URL | hxxp[:]194.87.92[.]109/i.php | Gremlin stealer C2 exfiltration server |
| SHA256 | 2172dae9a5a695e00e0e4609e7db0207d8566d225f7e815fada246ae995c0f9b | Packed Gremlin stealer sample (217.exe) |
| SHA256 | 9aab30a3190301016c79f8a7f8edf45ec088ceecad39926cfcf3418145f3d614 | Gremlin stealer sample |
| SHA256 | 971198ff86aeb42739ba9381923d0bc6f847a91553ec57ea6bae5becf80f8759 | Gremlin stealer sample |
| SHA256 | ab0fa760bd037a95c4dee431e649e0db860f7cdad6428895b9a399b6991bf3cd | Gremlin stealer sample |
| SHA256 | f76ba1a4650d8cafb6d3ff071688c5db6fd37e165050f03cece693826f51d346 | Gremlin stealer sample |
| SHA256 | a9f529a5cbc1f3ee80f785b22e0c472953e6cb226952218aecc7ab07ca328abd | Gremlin stealer sample |
| SHA256 | 691896c7be87e47f3e9ae914d76caaf026aaad0a1034e9f396c2354245215dc3 | Gremlin stealer sample |
| SHA256 | 281b970f281dbea3c0e8cfc68b2e9939b253e5d3de52265b454d8f0f578768a2 | Gremlin stealer sample |
| SHA256 | 9fda1ddb1acf8dd3685ec31b0b07110855832e3bed28a0f3b81c57fe7fe3ac20 | Gremlin stealer sample |
| SHA256 | d11938f14499de03d6a02b5e158782afd903460576e9227e0a15d960a2e9c02c | Gremlin stealer sample |
| SHA256 | 1bd0a200528c82c6488b4f48dd6dbc818d48782a2e25ccd22781c5718c3f62f5 | Gremlin steal |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
