惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Microsoft Azure Blog
Microsoft Azure Blog
量子位
小众软件
小众软件
C
Cybersecurity and Infrastructure Security Agency CISA
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
T
Tenable Blog
V
Vulnerabilities – Threatpost
Know Your Adversary
Know Your Adversary
T
Threat Research - Cisco Blogs
Latest news
Latest news
Spread Privacy
Spread Privacy
C
Cyber Attacks, Cyber Crime and Cyber Security
NISL@THU
NISL@THU
T
Tor Project blog
Hacker News: Ask HN
Hacker News: Ask HN
V2EX - 技术
V2EX - 技术
T
The Exploit Database - CXSecurity.com
博客园 - 三生石上(FineUI控件)
K
Kaspersky official blog
Cyberwarzone
Cyberwarzone
博客园 - 叶小钗
博客园 - 聂微东
Last Week in AI
Last Week in AI
爱范儿
爱范儿
腾讯CDC
博客园 - Franky
美团技术团队
J
Java Code Geeks
O
OpenAI News
L
Lohrmann on Cybersecurity
Simon Willison's Weblog
Simon Willison's Weblog
有赞技术团队
有赞技术团队
T
Threatpost
G
GRAHAM CLULEY
Hugging Face - Blog
Hugging Face - Blog
博客园 - 【当耐特】
宝玉的分享
宝玉的分享
I
Intezer
N
News and Events Feed by Topic
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
T
The Blog of Author Tim Ferriss
S
Security @ Cisco Blogs
Forbes - Security
Forbes - Security
N
News | PayPal Newsroom
Stack Overflow Blog
Stack Overflow Blog
Scott Helme
Scott Helme
H
Hacker News: Front Page
Cloudbric
Cloudbric

Unit 42

AI, Automation and Attacks: Unpacking the Unit 42 2026 Global Incident Response Report TuxBot v3: Inside an IoT Botnet Framework With LLM-Assisted Development No Manners Here: The Ruthless Rise of The Gentlemen Ransomware Vidar Stealer Unmasked: Code Signing Abuse, Go Loaders and File Inflation How We Added WebAuthn to a Browser-Based RDP Client Phantom Squatting: AI-Hallucinated Domains as a Software Supply Chain Vector CL-STA-1062 Targets Southeast Asian Governments and Critical Infrastructure OpenClaw’s Skill Marketplace and the Emerging AI Supply Chain Threat The Global Namespace Risk: Universal Bucket Hijacking Technique for Cloud Data Exfiltration Threat Brief: Mitigating Large-Scale Credential Attacks Pickle in the Middle – Hijacking Vertex AI Model Uploads for Cross-Tenant RCE Inside the Modern SOC: The 72-Minute Race Tracing Digital Intent: New MacOS Tahoe 26 Artifact Discovered Trust No Skill: Integrity Verification for AI Agent Supply Chains Blinding the Watchmen: Abusing Cloud Logging Services for Defense Evasion and Visibility When “Hi, This Is IT” Comes Through Microsoft Teams Threat Brief: Active Exploitation of PAN-OS CVE-2026-0257 The npm Threat Landscape: Attack Surface and Mitigations (Updated June 2) Operation FlutterBridge: macOS Malvertising Campaign Spreads New FlutterShell Backdoor 2026 World Cup: Discussing The World’s Biggest Game’s Attack Surface Out of the Crypt: The Evolving Cyber Extortion Economy Tracking Iranian APT Screening Serpens’ 2026 Espionage Campaigns Paved With Intent: ROADtools and Nation-State Tactics in the Cloud Tracking TamperedChef Clusters via Certificate and Code Reuse Inside AD CS Escalation: Unpacking Advanced Misuse Techniques and Tools Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Execution Copy Fail: What You Need to Know About the Most Severe Linux Threat in Years Essential Data Sources for Detection Beyond the Endpoint That AI Extension Helping You Write Emails? It’s Reading Them First TGR-STA-1030: New Activity in Central and South America Frontier AI and the Future of Defense: Your Top Questions Answered Can AI Attack the Cloud? Lessons From Building an Autonomous Cloud Offensive Multi-Agent System
Gremlin Stealer's Evolved Tactics: Hiding in Plain Sight With Resource Files
Pranay Kumar Chhaparwal, Mark Lim · 2026-05-15 · via Unit 42

Executive Summary

This article examines new obfuscation techniques the Gremlin stealer malware uses to conceal malicious payloads within embedded resources. We analyze a variant protected by a sophisticated commercial packing utility that employs instruction virtualization, transforming the original code into a custom, non-standard bytecode executed by a private virtual machine.

Gremlin stealer siphons sensitive information from compromised systems and exfiltrates it to attacker‑controlled servers for potential publication or sale. It targets web browsers, system clipboard and local storage to exfiltrate sensitive information like:

  • Payment card details
  • Browser cookies
  • Session tokens
  • Cryptocurrency wallet data
  • FTP and VPN credentials

This threat has rapidly evolved, incorporating new anti-analysis safeguards into recent builds.

Palo Alto Networks customers are better protected from Gremlin Stealer through our Network Security solutions and Cortex line of products, including:

If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.

New Gremlin Site for Publishing Data

Using data from our internal threat intelligence, we identified a new Gremlin stealer variant. This variant exfiltrates stolen data to a newly deployed site at hxxp[:]194.87.92[.]109 as shown in Figure 1.

Screenshot of a computer screen displaying a login interface for "GREMLIN" on a dark background. It includes input fields for username and password, with a prominent green "Login" button.
Figure 1. New Gremlin site.

At the time of discovery, VirusTotal showed zero detection for this new Gremlin site hxxp[:]194.87.92[.]109, its associated URLs or any retrieved artifacts. There were no block list entries, community reports or malicious categorizations as shown in Figure 2.

Screenshot of a VirusTotal webpage analyzing a URL. The analysis shows 0 out of 71 security vendors flagged the URL as malicious. Status is 200 with the content type listed. Tabs for details, relations, content, telemetry, and community are visible.
Figure 2. Gremlin Stealer’s new site detection on VirusTotal.

After data theft, the malware bundles harvested artifacts into a ZIP archive, including:

  • Browser cookies
  • Session tokens
  • Clipboard contents
  • Cryptocurrency wallet data
  • FTP and VPN credentials

The malware names the file using the victim’s public IP address to identify the source, and then uploads it to the attacker-controlled site, as shown in Figure 3.

Screenshot of a dashboard interface of the "Gremlin" application displaying statistics such as the number of online devices (11), data usage (0.83 MB), and uptime (12:40:52). The interface includes sections with buttons labeled in Russian for each device, showing options to "Online" and "Delete.
Figure 3. Gremlin site published data.

Technical Analysis

In this section, we present a comparative analysis of older and newer Gremlin stealer variants, highlighting the key changes and describing our process for extracting the final-stage payloads.

Hiding Payload in Resource

The latest iteration of the Gremlin stealer has an increased focus on stealth, specifically designed to evade static analysis tools. In this version, the malware authors have shifted the malicious payload into the .NET Resource section, masking it with XOR encoding to bypass signature-based detection and heuristic scanning.

Figure 4 shows how the resource section appears as an opaque block of data, hiding strings and API calls that would otherwise trigger alerts.

Screenshot of a hex editor displaying hexadecimal code on the right pane and a directory tree on the left, including folders like "Version Info" and "Configuration Files." The displayed code includes both hexadecimal and ASCII representations.
Figure 4. Resource section.

By applying a single-byte XOR decryption routine, we recovered the plain-text configuration. Figure 5 shows that this reveals the hard-coded command-and-control (C2) URLs and exfiltration paths.

Screenshot of a text document showing a process for XOR decryption and URL extraction. The text notes successful URL findings with keys 20, 31, and 49. The process concludes with a message stating "Decryption and URL extraction complete".
Figure 5. XOR decryption on resource section.

Gremlin stealer uses the resource section to mirror the tactics of several high-profile malware families that frequently use this area for payload obfuscation, including:

Comparison with Older Version

Comparing past and present versions reveals a clear evolution in Gremlin stealer’s anti-analysis techniques. Legacy samples (shown in Figure 6) lacked obfuscation, leaving function exports and internal symbols intact.

Two side-by-side screenshots of code editors. The left screenshot displays an older version with a list of entities like "AesCrypto," "Armory," "Asset," and others under the namespace "SHAPP." The right screenshot shows the latest version, also under "SHAPP," with a longer list including additional entries or modified ones. Both have red outlines highlighting the lists.
Figure 6. Gremlin older version vs. latest version.

The current iteration implements a staged loading mechanism. Each critical function is decrypted and mapped into memory from the .NET resource section only when needed. This method forces analysts to perform dynamic debugging to observe any meaningful program behavior.

Key Enhancements in the Latest Variant

Gremlin stealer’s evolution from a basic credential harvester to a modular toolkit is evident in several key architectural upgrades:

  • Expanded target scope: Gremlin stealer includes a dedicated Discord token extraction module, which signifies a pivot toward targeting digital identity and social engineering.
  • Active financial fraud: The latest variant shifts from passive data theft to active financial interference. This crypto clipper functionality continuously monitors the system clipboard for strings matching cryptocurrency wallet patterns. When it detects a match, the malware replaces the victim's address with the attacker’s wallet in real time, diverting funds during transactions.
  • Advanced persistence: The WebSocket-based session hijacking module represents its most significant technical upgrade. This allows Gremlin stealer to hijack active, live browser sessions and bypass modern cookie protections by requesting the data directly from the running browser process.

Sample Packed Using a Complex Commercial Packing Utility

We uncovered an iteration of Gremlin stealer (SHA256 2172dae9a5a695e00e0e4609e7db0207d8566d225f7e815fada246ae995c0f9b) packed using a packing utility, as shown in Figure 7 below.

Screenshot of Exeinfo PE software window displaying file information. The header shows version 0.0.9.0 by A.S.L. The main section includes details about a file named '217.exe', such as entry point, file offset, and subsystem. A section below highlights "(PACKED mode)". Various buttons and icons are visible on the right
Figure 7. Packed Gremlin variant.

Let’s discuss the obfuscation and anti-analysis techniques this variant uses.

Code Obfuscation and Anti Analysis

Identifier Renaming (The “No-Labels” Technique)

Imagine trying to cook in a kitchen where every can, box and spice jar has its label replaced with a random, short name like a, b, c, hf or ze. The malware authors applied this technique to the variant’s code.

  • What it is: They replaced every meaningful name for a class, method or variable with a meaningless one.
  • Why it's effective: It removes all context. A method originally named StealPasswordsFromChrome might become a(). A variable named decryptionKey might become b. This forces an analyst to manually trace every single function call to figure out its purpose, which is incredibly time-consuming.
  • Example: In the file hf.cs, the main orchestrator class is named hf, and its primary methods are a, b and c. In bb.cs, the class for stealing browser data is BrowserCredentialStealer, but in the original obfuscated code, it was just bb.
String Encryption (The “Secret Decoder Ring” Technique)

In this technique, malware authors made readable strings appear as gibberish. Instead of writing a word like password or a URL like hxxps://api[.]telegram[.]org directly in the code, the malware stores them encrypted.

  • What it is: All important strings are hidden. The code only contains numbers that act as a key to a secret decoder function. When the program needs a string, it passes these numbers to the decoder, which then returns the real string.
  • The decoder ring function: The secret decoder is the method _003CModule_003E.c(int, int, int).
    • It takes three integers as input
    • It uses these numbers to calculate an offset and a length
    • It opens an embedded resource file (named resource in the .csproj file) which contains all the encrypted strings
    • It seeks the calculated offset, reads the specified number of encrypted bytes and uses the third integer as a key to decrypt them
    • It returns the final, readable string
  • Why it's effective: It completely hides the malware's intentions from static analysis. Analysts cannot simply search the code for suspicious keywords like Telegram, wallet.dat or api.ipify[.]org because they don't exist in plain text. Instead, analysts must either run the program in a debugger to see what strings are produced or reverse-engineer the decoder function.
  • Example: A line like this from the original code:

csharp

// This is what the obfuscated code looks like

string url = global::_003CModule_003E.c(18829, 2178, 23);

When executed, the c() function would run its decoding operation, and the URL variable would then contain: csharp

// This is the real value at runtime

string url = "http://api.ipify.org/?format=json";

Control-Flow Obfuscation (The “Maze of Useless Roads” Technique)

This technique makes the code's logic intentionally confusing, like turning a straight road into a maze of dead ends and pointless loops that all eventually lead to the same place.

  • What it is: The decompiler output is filled with complex and nonsensical if-else statements, goto jumps and mathematical operations that don't actually affect the outcome. These are designed to confuse both human analysts and automated analysis tools.
  • Why it's effective: It breaks the logical flow that a person would expect to see. It makes it hard to determine which path the code will actually take, even though in many cases, there's only one real path. This significantly increases the time and effort required for reverse engineering.
  • Example: There are many switch statements and goto labels (e.g., IL_00c8, IL_0138) that create a tangled web of execution, even though the underlying logic is a simple sequence of await Task.Run(...).

Conclusion

While the core architecture and exfiltration methods via private web panels or the Telegram Bot API remain consistent, this latest variant of Gremlin stealer represents an evolution into a more complex threat. By transitioning from a simple data exfiltration tool to a more advanced modular stealer, Gremlin now targets Chromium-based browsers. It uses memory-resident techniques to hijack active session tokens and sensitive data directly from running processes, rather than relying solely on static database files.

This threat’s scope has broadened, as evidenced by a dedicated Discord token stealer. This module scans multiple paths and uses regex validation to compromise modern communication platforms.

The malware’s author has also added a clipboard hijacker. This new monetization feature enables persistent financial fraud. It continuously monitors the clipboard, replacing cryptocurrency wallet addresses with attacker-controlled ones.

Palo Alto Networks Protection and Mitigation

Palo Alto Networks customers are better protected from the threats discussed above through the following products:

  • The Advanced WildFire machine-learning models and analysis techniques have been reviewed and updated in light of the IoCs shared in this research.
  • Advanced URL Filtering and Advanced DNS Security identify known domains and URLs associated with this activity as malicious.
  • Advanced Threat Prevention has an inbuilt machine learning-based detection that can detect exploits in real time.
  • Cortex XDR and XSIAM are designed to:
    • Prevent the execution of known malicious malware, and also prevent the execution of unknown malware using Behavioral Threat Protection and machine learning based on the Local Analysis module.
    • Protect against credential gathering tools and techniques using the new Credential Gathering Protection available from Cortex XDR 3.4.
    • Detect post-exploit activity, including credential-based attacks, with behavioral analytics, through Cortex XDR Pro.

If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:

  • North America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)
  • UK: +44.20.3743.3660
  • Europe and Middle East: +31.20.299.3130
  • Asia: +65.6983.8730
  • Japan: +81.50.1790.0200
  • Australia: +61.2.4062.7950
  • India: 00080005045107

Indicators of Compromise

SHA256 hashes of the Gremlin stealer samples analyzed for this article:

  • 2172dae9a5a695e00e0e4609e7db0207d8566d225f7e815fada246ae995c0f9b
  • 9aab30a3190301016c79f8a7f8edf45ec088ceecad39926cfcf3418145f3d614
  • 971198ff86aeb42739ba9381923d0bc6f847a91553ec57ea6bae5becf80f8759
  • ab0fa760bd037a95c4dee431e649e0db860f7cdad6428895b9a399b6991bf3cd
  • f76ba1a4650d8cafb6d3ff071688c5db6fd37e165050f03cece693826f51d346
  • a9f529a5cbc1f3ee80f785b22e0c472953e6cb226952218aecc7ab07ca328abd
  • 691896c7be87e47f3e9ae914d76caaf026aaad0a1034e9f396c2354245215dc3
  • 281b970f281dbea3c0e8cfc68b2e9939b253e5d3de52265b454d8f0f578768a2
  • 9fda1ddb1acf8dd3685ec31b0b07110855832e3bed28a0f3b81c57fe7fe3ac20
  • d11938f14499de03d6a02b5e158782afd903460576e9227e0a15d960a2e9c02c
  • 1bd0a200528c82c6488b4f48dd6dbc818d48782a2e25ccd22781c5718c3f62f5

URLs

  • hxxp[:]194.87.92[.]109/i.php

Additional Resources