Gremlin Stealer Evolves: New Variant Hides C2 URLs in Encrypted Resources and Adds Discord Token Theft

dark6 21 May 2026

A newly analyzed variant of the Gremlin stealer malware is raising alarms across the threat intelligence community. Researchers at Palo Alto Networks’ Unit 42 have uncovered a significantly evolved version of this credential-theft tool that hides its command-and-control (C2) addresses and data exfiltration paths inside encrypted resource sections of a compiled .NET program — a technique that makes it nearly invisible to traditional static scanning methods.

What Is Gremlin Stealer?

Gremlin stealer first appeared on underground forums, sold as a ready-to-use credential theft tool. It targets web browsers, clipboard contents, and local storage to pull out payment card details, browser cookies, session tokens, cryptocurrency wallet data, and FTP and VPN credentials. Once it gathers this data, the malware bundles everything into a ZIP archive named after the victim’s public IP address and quietly uploads it to an attacker-controlled web panel for download or resale.

The latest builds show a sharp turn toward stealth, layering multiple anti-analysis tricks to frustrate both automated tools and human researchers. Legacy Gremlin samples had no obfuscation at all — function names and class labels were left exposed in plain sight. The new variant represents a fundamental architectural shift toward evasion.

Encrypted Resource Sections: The Key Innovation

The most significant technical change in this variant is where the malware stores its core configuration. Rather than embedding C2 URLs as readable strings in the code, the authors have moved that data into the .NET resource section, scrambled with XOR encoding. The resource block appears as a meaningless wall of raw data to any static analysis tool. When researchers applied a single-byte XOR decryption routine, they recovered the plaintext configuration including hard-coded server addresses and upload paths.
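To show what the single-byte XOR recovery described above looks like in practice, here is an added Python example (not Unit 42's tooling and not the malware's code) that brute-forces the key over a constructed resource blob and pulls the URLs back out; the plaintext config, the key 0x5A and the example.invalid URL are assumptions made up for the demonstration.

```python
import string

# Constructed plaintext stand-in for a stealer config (placeholder URL, not a real C2).
_CONSTRUCTED_PLAINTEXT = b"http://c2.example.invalid/i.php|upload=/i.php|tg=off"
_CONSTRUCTED_KEY = 0x5A  # assumed key; an analyst does not know this up front
# What an analyst actually sees: opaque bytes in the .NET resource section.
ENCRYPTED_RESOURCE = bytes(b ^ _CONSTRUCTED_KEY for b in _CONSTRUCTED_PLAINTEXT)

_PRINTABLE = set(string.printable.encode())

def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with one key; encoding and decoding are the same operation."""
    return bytes(b ^ key for b in data)

def score_candidate(plain: bytes) -> float:
    """Fraction of printable bytes, plus a bonus when the result looks like a
    stealer config (URL scheme, scheme separator or PHP endpoint present)."""
    printable = sum(1 for b in plain if b in _PRINTABLE) / max(len(plain), 1)
    bonus = sum(0.25 for marker in (b"http", b"://", b".php") if marker in plain)
    return printable + bonus

def recover_config(blob: bytes) -> tuple[int, bytes]:
    """Try all 256 single-byte keys; return (key, plaintext) of the best-scoring attempt."""
    best_key, best_plain, best_score = 0, b"", -1.0
    for key in range(256):
        plain = xor_single_byte(blob, key)
        s = score_candidate(plain)
        if s > best_score:
            best_key, best_plain, best_score = key, plain, s
    return best_key, best_plain

def extract_urls(config: bytes) -> list[str]:
    """Pull URL-like tokens (scheme://host/path) out of a recovered config."""
    text = config.decode("latin-1")
    return [tok for tok in text.replace("|", " ").split() if "://" in tok]

if __name__ == "__main__":
    key, plain = recover_config(ENCRYPTED_RESOURCE)
    print(f"key=0x{key:02x} config={plain!r}")
    print("urls:", extract_urls(plain))
```

The same scoring approach works on a real resource blob dumped from a sample; only the scoring markers need tuning to the config format you expect.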

Unit 42 identified a new Gremlin variant pushing stolen data to a freshly deployed server at hxxp[:]194.87.92[.]109. At the time of discovery, no security vendor on VirusTotal had flagged the site as malicious, meaning the infrastructure was running completely under the radar. This technique mirrors tactics used by established malware families like Agent Tesla, GuLoader, LokiBot, and Quasar RAT.

Three Layers of Obfuscation

Beyond hiding C2 data in resources, this variant uses three distinct obfuscation layers to slow down analysis:

  • Identifier renaming: Every class, method, and variable has been swapped with a meaningless short label like a, b, hf, or bb, removing any context that would help a researcher understand what a function does.
  • String encryption: Rather than writing readable words like “password” or server addresses directly in the code, the malware stores all strings encrypted and decodes them at runtime using an internal function. Analysts searching for keywords like “Telegram” or “wallet.dat” will find nothing.
  • Control-flow obfuscation: The decompiled output is flooded with fake branches, pointless loops, and goto jumps that lead nowhere meaningful. Even though the actual logic is often a simple sequence of steps, the surrounding noise makes the code appear extraordinarily complex.

Expanded Capabilities: Discord Tokens and Clipboard Hijacking

The malware has also broadened what it targets in this new variant. Beyond browser credentials and crypto wallets, it now includes a dedicated module to steal Discord tokens, giving attackers access to the victim’s online accounts and community memberships. A clipboard hijacker has also been added, silently swapping any cryptocurrency wallet address a victim copies with one controlled by the attacker, diverting funds in real time.

The current variant also uses a staged loading approach, meaning each function is only decrypted and placed into memory when needed. This forces analysts to use live debugging tools to observe the malware’s actual behavior, since nothing meaningful shows up in a static review.

Key Indicators of Compromise

Organizations and security teams should monitor for the following indicators:

  • C2 IP: hxxp[:]194.87.92[.]109/i.php (Gremlin stealer exfiltration server)
  • SHA256 (packed sample): 2172dae9a5a695e00e0e4609e7db0207d8566d225f7e815fada246ae995c0f9b
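As an added detection example (not part of the original article), the script below runs over constructed web-proxy log lines and flags both the published indicator above and the behaviour behind it that the article describes: an HTTP POST uploading a ZIP named after the victim's public IP address. The log format, the 10.0.0.x sources and the 198.51.100.x entries are assumptions; only the 194.87.92.109 / i.php pair comes from the article.

```python
import re

KNOWN_C2 = {("194.87.92.109", "/i.php")}  # from the article's IoC list

# Constructed proxy log format: <ts> <src_ip> <method> <host> <path> <upload_filename|->
SAMPLE_LOG = """\
2026-05-21T10:01:02Z 10.0.0.15 GET updates.example.com /check -
2026-05-21T10:02:17Z 10.0.0.15 POST 194.87.92.109 /i.php 203.0.113.77.zip
2026-05-21T10:03:40Z 10.0.0.22 POST files.example.com /upload report-q2.zip
2026-05-21T10:04:05Z 10.0.0.22 POST 198.51.100.9 /panel/up.php 198.51.100.250.zip
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+)$")
# A ZIP whose basename is a dotted-quad IPv4 address, as the stealer names its archive.
IPV4_ZIP_RE = re.compile(r"^(\d{1,3}\.){3}\d{1,3}\.zip$")

def analyze_log(text: str) -> list[dict]:
    """Return one alert dict per suspicious line, with every reason it matched."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts, src, method, host, path, fname = m.groups()
        reasons = []
        if (host, path) in KNOWN_C2:
            reasons.append("known Gremlin C2 indicator")
        if method == "POST" and IPV4_ZIP_RE.match(fname):
            reasons.append("zip upload named after an IPv4 address (Gremlin exfil pattern)")
        if reasons:
            alerts.append({"ts": ts, "src": src, "host": host, "path": path, "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for alert in analyze_log(SAMPLE_LOG):
        print(alert)
```

The behavioural rule is the one worth keeping: the C2 address will change with the next build, but the IP-named archive upload is how this family exfiltrates.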

Defensive Recommendations

Organizations are strongly advised to rely on behavioral detection tools rather than signature-based scanning alone, as this malware is specifically engineered to defeat static analysis. Key mitigations include deploying endpoint detection and response (EDR) solutions that monitor runtime behavior, blocking outbound connections to newly registered or unclassified infrastructure, and training users to recognize phishing delivery mechanisms commonly used to deploy stealers. Regular credential rotation and monitoring of dark web markets for leaked organizational data are also recommended.
