Gremlin Stealer hides C2 servers and exfiltration paths inside encrypted resources
Security researchers have analyzed a newer Gremlin Stealer variant that hides its command-and-control details and upload paths inside encrypted .NET resource sections. The change makes the malware harder to inspect with static analysis tools because key strings no longer appear plainly inside the executable.
Unit 42 said the variant exfiltrates stolen data to a newly deployed attacker-controlled site and uses multiple layers of obfuscation to slow analysis. The malware targets browser data, cookies, session tokens, cryptocurrency wallet data, clipboard contents, FTP credentials, and VPN credentials.
The bigger concern is the direction of travel. Gremlin started as a more visible credential stealer, but newer samples now use packing, resource-based payload hiding, string encryption, and staged loading to reduce detection opportunities.
What Gremlin Stealer targets
Gremlin Stealer is information-stealing malware sold to cybercriminals as a ready-to-use tool. It focuses on data that helps attackers take over accounts, steal money, or sell access to other criminals.
Unit 42’s earlier Gremlin analysis said the malware has been active since March 2025 and was advertised with modules for stealing browser data, cryptocurrency wallet files, FTP credentials, VPN data, Telegram sessions, Discord sessions, screenshots, and system information.
After collecting the data, Gremlin packages stolen files into a ZIP archive and uploads them to attacker-controlled infrastructure. Unit 42 said the archive naming can include the victim’s public IP address, helping operators track where stolen data came from.
| Target category | Examples of data Gremlin can seek |
|---|---|
| Browsers | Cookies, saved passwords, cards, forms, and session tokens |
| Crypto wallets | Wallet files and clipboard cryptocurrency addresses |
| Messaging apps | Discord tokens and Telegram session data |
| Remote access tools | FTP and VPN credentials |
| System data | Hardware details, screenshots, clipboard contents, and local files |
Encrypted resources hide the malware’s core settings
The most important change in the newer variant is where Gremlin stores operational data. Instead of leaving C2 URLs, paths, and useful strings in readable form, the malware places them inside the .NET resource section.
That resource data looks meaningless until it is decoded. According to Unit 42, analysts recovered the plain-text configuration by XORing the resource bytes with a single repeated key byte, which revealed hard-coded C2 URLs and exfiltration paths.
This technique weakens basic signature scanning. A security tool that only looks for known strings, plain URLs, or simple patterns may not see anything useful until the malware decrypts the data at runtime.
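Single-byte XOR is weak by design: there are only 256 possible keys, so an analyst does not need to find the routine in the decompiled code first. The following Python script is an added example for this article, not Unit 42's tooling and not code from the malware. It tries every key against a suspected configuration blob, scores each candidate for printable text and URL-shaped content, and pulls indicators out of the winner. The blob, the key 0x5A and the placeholder URL are constructed; in practice the input would be the raw bytes of the suspicious .NET resource.

```python
"""Brute-force a single-byte XOR key over a suspected configuration blob.

Added example for this article; not Unit 42's tooling and not Gremlin's code.
SAMPLE_CONFIG, SAMPLE_KEY and the placeholder URL are constructed.
"""
import re
import string

PRINTABLE = frozenset(string.printable.encode("ascii"))
# URLs and paths are what we hope to recover; stop at whitespace or quotes.
INDICATOR_RE = re.compile(rb"https?://[^\s\"']+")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with the same key byte. The operation is its own inverse."""
    return bytes(b ^ key for b in data)


def score_plaintext(candidate: bytes) -> int:
    """Higher is better: count printable bytes, and reward a URL-shaped hit."""
    score = sum(1 for b in candidate if b in PRINTABLE)
    if INDICATOR_RE.search(candidate):
        score += len(candidate)  # a URL appearing after decode is a strong signal
    return score


def brute_force_xor(blob: bytes) -> tuple[int, bytes]:
    """Try all 256 keys; return (key, plaintext) for the best-scoring candidate."""
    best = max(range(256), key=lambda k: score_plaintext(xor_bytes(blob, k)))
    return best, xor_bytes(blob, best)


def extract_indicators(plain: bytes) -> list[str]:
    """Pull URL-like strings out of the decoded configuration."""
    return [m.decode("ascii", "replace") for m in INDICATOR_RE.findall(plain)]


# Constructed sample: a fake two-line config encoded with key 0x5A.
SAMPLE_KEY = 0x5A
SAMPLE_CONFIG = b"c2=https://panel.example.invalid/api/upload\npath=/gate.php"
SAMPLE_BLOB = xor_bytes(SAMPLE_CONFIG, SAMPLE_KEY)

if __name__ == "__main__":
    key, plain = brute_force_xor(SAMPLE_BLOB)
    print(f"recovered key: 0x{key:02x}")
    print(plain.decode("ascii"))
    print("indicators:", extract_indicators(plain))
```

The scoring is deliberately simple. For a real sample, feed the script the bytes of each managed resource in turn and inspect any candidate whose score jumps; a wrong key produces mostly non-printable output, while the right one yields readable configuration that can go straight into a blocklist.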
Gremlin now uses multiple anti-analysis layers
The resource hiding is only one part of the newer Gremlin build. Unit 42 also found a packed sample built with a complex commercial packing utility that converts parts of the original program into custom bytecode run by a private virtual machine, a technique commonly called code virtualization. A decompiler then sees the interpreter loop rather than the original logic.

The malware also uses identifier renaming, string encryption, and control-flow obfuscation. These tricks remove meaningful function names, decrypt strings only when needed, and add confusing branches or jumps to make decompiled output harder to understand.
- Resource section hiding stores configuration data away from plain code.
- XOR encoding conceals C2 details and upload paths.
- String encryption hides keywords and operational strings until runtime.
- Identifier renaming removes useful labels from classes, methods, and variables.
- Control-flow obfuscation adds fake logic and confusing branches.
- Packing and staged loading force deeper dynamic analysis.
Newer modules expand the damage
Gremlin’s evolution is not limited to hiding better. Unit 42 said the newer variant added a dedicated Discord token stealer and a cryptocurrency clipboard hijacker.
The clipboard hijacker watches for cryptocurrency wallet address patterns. If a victim copies a wallet address, the malware can replace it with an attacker-controlled address before the victim completes a transaction.
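The hijacker's behavior also gives defenders something concrete to look for: a wallet address on the clipboard that changes to a different address of the same format within a fraction of a second, set by a process that is not the one the user was working in. The script below is an added example for this article, not Gremlin's code and not a vendor rule. It classifies clipboard contents against a few common address shapes and flags a same-type replacement inside a short window. The event fields, process names and sample events are constructed; the addresses are format-valid placeholders, not real wallets.

```python
"""Flag clipboard events that look like a cryptocurrency address swap.

Added example for this article; not Gremlin's code and not a vendor rule.
Event fields and the sample events are constructed; the addresses are
format-valid placeholders, not real wallets.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Address shapes a clipper typically targets. Patterns are anchored so that
# only a bare address on the clipboard counts.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{25,62}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


@dataclass
class ClipEvent:
    ts: float     # seconds since some epoch
    text: str     # clipboard contents after the change
    source: str   # process that set the clipboard, if telemetry provides it


def classify(text: str) -> Optional[str]:
    """Return the address type if the text is a bare wallet address."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None


def detect_swaps(events: list, window_s: float = 2.0) -> list:
    """Alert when one address is replaced by a different one of the same type
    within window_s seconds. A person rarely copies two wallet addresses back
    to back that fast; a clipper does it right after the user's copy."""
    alerts = []
    prev_ev, prev_kind = None, None
    for ev in sorted(events, key=lambda e: e.ts):
        kind = classify(ev.text)
        if (prev_ev is not None and kind is not None and kind == prev_kind
                and ev.text.strip() != prev_ev.text.strip()
                and ev.ts - prev_ev.ts <= window_s):
            alerts.append({
                "kind": kind,
                "original": prev_ev.text.strip(),
                "replacement": ev.text.strip(),
                "replaced_by": ev.source,
                "delay_s": round(ev.ts - prev_ev.ts, 3),
            })
        prev_ev, prev_kind = ev, kind
    return alerts


# Constructed telemetry: a user copies an address in the browser, and 300 ms
# later an unexpected process overwrites it with a different address.
SAMPLE_EVENTS = [
    ClipEvent(10.0, "1" + "VictimDest" + "A" * 23, "chrome.exe"),
    ClipEvent(10.3, "1" + "AttackerSwap" + "A" * 21, "update.exe"),
    # Benign: two ETH addresses copied 45 s apart by the user.
    ClipEvent(60.0, "0x" + "a" * 40, "chrome.exe"),
    ClipEvent(105.0, "0x" + "b" * 40, "chrome.exe"),
    # Benign: non-address text.
    ClipEvent(120.0, "meeting notes", "notepad.exe"),
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_EVENTS):
        print(alert)
```

The window is the tunable part. Clippers overwrite the clipboard almost instantly after the user's copy, so a sub-second delay between two different same-format addresses is a strong signal; the source process, where telemetry exposes it, turns the alert into a lead on the infected binary.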
The Discord token module creates a different risk. Stolen tokens can let attackers access accounts, impersonate users, spread malware, or collect more information from private communities and direct messages.
Why static detection is not enough
Static analysis remains useful, but this Gremlin variant shows why defenders need more than string matching. When malware authors encrypt resources, hide strings, and decrypt them only at the moment they are used, much of the malicious logic stays hidden until execution.
The newer sample also mirrors tactics used by other malware families that bury payloads or configuration data inside resource sections. That approach helps attackers hide network indicators and delay analysis long enough for campaigns to keep running.
Behavioral detection becomes more important in this situation. Security tools should watch what the program does after launch, including file collection, browser data access, archive creation, clipboard monitoring, and outbound uploads.
What defenders should monitor
Gremlin Stealer’s behavior leaves signals even when its strings are hidden. Defenders should watch for programs that access browser storage, credential stores, wallet files, messaging app sessions, and clipboard contents without a clear business reason.
- Unexpected access to browser cookie, password, and session storage.
- Creation of ZIP archives containing credential or browser data.
- Outbound uploads to newly registered or low-reputation web panels.
- Processes reading cryptocurrency wallet directories or wallet.dat files.
- Clipboard monitoring followed by cryptocurrency address replacement.
- Access to Discord, Telegram, FTP, and VPN credential locations.
- Suspicious .NET binaries with encrypted resources or packed sections.
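Each item on that list is noisy on its own: browsers read their own credential stores all day, and users zip files constantly. The signal is the sequence inside a single process. The script below is an added example for this article, not a vendor detection rule. It parses a constructed key="value" event log loosely modelled on process, file and network telemetry, groups events by process, and alerts when one process reads a credential or wallet store, creates an archive, and opens an outbound connection within a short window. The field names, process names, paths and the IP addresses (documentation ranges) are all assumptions.

```python
"""Correlate process, file and network telemetry into a stealer alert.

Added example for this article; not a vendor detection rule. The log format
(key="value" pairs) and every sample line are constructed; field names,
process names and the IPs (documentation ranges) are assumptions.
"""
import re
from collections import defaultdict

# Credential and wallet stores an infostealer reads. Patterns match the tail
# of a Windows path; the list is illustrative, not exhaustive.
SENSITIVE_RE = re.compile(
    r"\\User Data\\.*\\(Login Data|Cookies|Web Data)$"
    r"|\\Local State$"
    r"|\\wallet\.dat$"
    r"|\\discord\\Local Storage\\leveldb\\"
    r"|\\Telegram Desktop\\tdata\\",
    re.IGNORECASE,
)
ARCHIVE_RE = re.compile(r"\.(zip|7z|rar)$", re.IGNORECASE)
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line: str) -> dict:
    """Turn one key="value" log line into a dict."""
    return dict(FIELD_RE.findall(line))


def correlate(lines: list, window_s: float = 120.0) -> list:
    """Alert when one process, within window_s, reads a credential store,
    creates an archive, and opens an outbound connection, in that order."""
    by_proc = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_proc[(ev["host"], ev["pid"])].append(ev)

    alerts = []
    for (host, pid), evs in by_proc.items():
        evs.sort(key=lambda e: float(e["ts"]))
        reads = [e for e in evs if e["type"] == "file_read" and SENSITIVE_RE.search(e["path"])]
        archives = [e for e in evs if e["type"] == "file_create" and ARCHIVE_RE.search(e["path"])]
        uploads = [e for e in evs if e["type"] == "net_connect" and e.get("direction") == "outbound"]
        if not (reads and archives and uploads):
            continue
        first, last = float(reads[0]["ts"]), float(uploads[-1]["ts"])
        # Require the archive to sit between the first read and the last upload.
        staged = any(first <= float(a["ts"]) <= last for a in archives)
        if staged and last - first <= window_s:
            alerts.append({
                "host": host, "pid": pid, "image": evs[0]["image"],
                "stores_read": [e["path"] for e in reads],
                "archives": [e["path"] for e in archives],
                "destinations": [e["dest"] for e in uploads],
                "span_s": last - first,
            })
    return alerts


# Constructed sample log. One process does all three steps in five seconds;
# the browser and an archiver each do one step and must not alert.
SAMPLE_LOG = [
    r'ts="100.0" host="WS01" pid="4412" image="update.exe" type="file_read" path="C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Login Data"',
    r'ts="100.5" host="WS01" pid="4412" image="update.exe" type="file_read" path="C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Cookies"',
    r'ts="104.0" host="WS01" pid="4412" image="update.exe" type="file_create" path="C:\Users\bob\AppData\Local\Temp\203.0.113.7.zip"',
    r'ts="105.0" host="WS01" pid="4412" image="update.exe" type="net_connect" direction="outbound" dest="198.51.100.20:443"',
    r'ts="101.0" host="WS01" pid="2200" image="chrome.exe" type="file_read" path="C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Login Data"',
    r'ts="101.2" host="WS01" pid="2200" image="chrome.exe" type="net_connect" direction="outbound" dest="192.0.2.10:443"',
    r'ts="110.0" host="WS01" pid="3100" image="7zFM.exe" type="file_create" path="C:\Users\bob\Documents\report.zip"',
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

The constructed archive name mirrors the article's note that Gremlin can embed the victim's public IP in the ZIP filename; an archive named after an IP address in a temp directory is itself worth a low-severity hit even before the upload fires.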
Organizations should also treat stealer infections as credential exposure incidents. Removing the malware is not enough if the attacker already collected session cookies, tokens, passwords, wallet data, or VPN credentials.
How to respond to a Gremlin infection
Incident response should start with isolating the affected endpoint and preserving evidence. Teams should then identify which accounts, browsers, wallets, and tools existed on the compromised system.

The next step is credential rotation. Passwords, session tokens, browser cookies, Git credentials, VPN credentials, FTP credentials, cloud keys, messaging tokens, and cryptocurrency wallet access should be reviewed based on what the infected machine contained.
- Disconnect the host from the network before cleanup.
- Collect forensic data before wiping or reimaging the device.
- Reset passwords from a clean device.
- Revoke active browser sessions and authentication tokens.
- Rotate VPN, FTP, cloud, and developer credentials.
- Check cryptocurrency wallets for unauthorized transactions.
- Review email and messaging accounts for suspicious activity.
Why Gremlin’s evolution matters
Gremlin is part of a wider stealer trend where malware families move quickly from simple credential theft to modular data harvesting, session hijacking, and anti-analysis engineering. That makes even low-cost malware more dangerous over time.
The original Unit 42 report showed Gremlin as a stealer sold through underground channels with a broad feature list. The newer research shows the same malware line moving toward stronger stealth and better resistance to reverse engineering.
For defenders, the key lesson is simple: do not rely only on known IoCs or readable strings. Stealers increasingly hide configuration data, rotate infrastructure, and use runtime-only behavior that demands endpoint telemetry and network visibility.
Organizations should strengthen browser credential protections, reduce stored secrets on workstations, block suspicious outbound uploads, and treat unusual access to browser or wallet data as a high-priority alert.
FAQ
Gremlin Stealer is information-stealing malware that targets browser data, cookies, session tokens, cryptocurrency wallets, clipboard contents, FTP credentials, VPN credentials, and messaging app sessions.
The newer Gremlin variant hides C2 URLs and exfiltration paths inside encrypted .NET resource sections. It also uses packing, string encryption, identifier renaming, and control-flow obfuscation.
Encrypted resource sections hide useful indicators such as server URLs, upload paths, and strings from static analysis tools. The malware can decrypt the data only when it needs to use it.
Gremlin can collect browser credentials, cookies, session tokens, payment card data, cryptocurrency wallet information, clipboard contents, FTP credentials, VPN credentials, Discord tokens, Telegram sessions, and screenshots.
Organizations should use behavioral detection, monitor credential-store access, block suspicious outbound uploads, reduce stored secrets on endpoints, rotate credentials after infection, and investigate unusual clipboard or browser data access.