Gremlin Stealer's Evolved Tactics: Hiding in Plain Sight With Resource Files

This analysis examines new obfuscation techniques employed by Gremlin stealer malware to conceal malicious payloads within embedded resources. A variant protected by sophisticated commercial packing utility uses instruction virtualization, transforming code into custom bytecode executed by a private virtual machine. The malware siphons sensitive information including payment card details, browser cookies, session tokens, cryptocurrency wallet data, and FTP/VPN credentials from compromised systems. It exfiltrates data to attacker-controlled servers at hxxp[:]194.87.92[.]109 for potential publication or sale. Recent iterations incorporate expanded Discord token extraction, active financial fraud through crypto clipper functionality that replaces cryptocurrency wallet addresses in real-time, and WebSocket-based session hijacking to bypass modern cookie protections. The malware employs advanced anti-analysis techniques including XOR-encoded payloads in .NET resource sections, identifier renaming, string encryp...

Pulse ID: 6a073a73501adf1f890b1a5e
Pulse Link: https://otx.alienvault.com/pulse/6a073a73501adf1f890b1a5e
Pulse Author: AlienVault
Created: 2026-05-15 15:23:31

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #Cookies #CyberSecurity #Discord #FinancialFraud #ICS #InfoSec #Mac #Malware #NET #OTX #OpenThreatExchange #RAT #RCE #Troll #VPN #bot #cryptocurrency #AlienVault