
Gremlin Stealer: New Stealer on Sale in Underground Forum

Medium
Published: Tue Apr 29 2025 (04/29/2025, 16:27:11 UTC)
Source: AlienVault OTX General

Description

A new information-stealing malware called Gremlin Stealer, written in C#, has been identified by researchers. Advertised on Telegram since March 2025, it targets a wide range of data including browser information, crypto wallets, FTP and VPN credentials. The malware exfiltrates stolen data to a web server for publication. It can bypass Chrome's cookie V20 protection and supports various Chromium and Gecko-based browsers. Gremlin Stealer also targets cryptocurrency wallets, Telegram and Discord sessions, and system information. The stolen data is compressed into a ZIP archive and sent to the attacker's server using a Telegram bot. This evolving threat highlights the need for robust cybersecurity measures to protect against such information stealers.

AI-Powered Analysis

Last updated: 06/30/2025, 08:10:38 UTC

Technical Analysis

Gremlin Stealer is a newly identified information-stealing malware written in C# and actively advertised on underground forums such as Telegram since March 2025. This malware targets a broad spectrum of sensitive data including browser information from Chromium and Gecko-based browsers, cryptocurrency wallets, FTP and VPN credentials, as well as Telegram and Discord session data. Notably, it can bypass Chrome's cookie V20 protection, a significant security feature designed to prevent unauthorized cookie access, increasing the stealth and effectiveness of the malware. Once the malware collects the targeted data, it compresses it into a ZIP archive and exfiltrates it to an attacker-controlled web server using a Telegram bot, leveraging Telegram's API for covert data transmission. The malware also collects system information, which can be used for further exploitation or victim profiling. Although no known exploits in the wild have been reported yet, the active marketing of Gremlin Stealer suggests potential for widespread deployment. The use of Telegram both as a distribution channel and as a command-and-control mechanism highlights evolving threat actor tactics to evade detection and leverage popular communication platforms. The malware’s capability to steal credentials from VPNs and FTP clients poses a risk to enterprise environments where such tools are commonly used for secure remote access and file transfers. Targeting cryptocurrency wallets indicates a focus on financially motivated attacks. Overall, Gremlin Stealer represents a sophisticated and evolving threat that combines multiple data theft techniques with stealthy exfiltration methods, emphasizing the need for enhanced endpoint security and monitoring.

Potential Impact

For European organizations, Gremlin Stealer poses significant risks, especially for sectors heavily reliant on VPNs, FTP services, and web browsers for daily operations. The theft of VPN and FTP credentials can enable unauthorized access to internal networks and sensitive data repositories, potentially leading to data breaches and lateral movement within corporate environments. Compromise of browser data, including cookies and session tokens, can facilitate account takeovers and deeper infiltration. The malware’s ability to bypass Chrome's cookie V20 protection increases the risk of stealthy credential theft from widely used browsers, affecting a large user base. Targeting cryptocurrency wallets may impact financial institutions, fintech companies, and individuals involved in crypto trading or asset management. Exfiltration of Telegram and Discord session data could expose internal communications and collaboration channels, leading to information leakage and operational disruption. The use of Telegram for data exfiltration complicates detection and blocking efforts, as Telegram is widely used for legitimate purposes. The overall impact includes potential financial losses, reputational damage, regulatory penalties under GDPR for data breaches, and operational disruptions. The threat is particularly concerning for organizations with remote workforces and those in critical infrastructure sectors where VPN and secure communication tools are essential.

Mitigation Recommendations

To mitigate the risks posed by Gremlin Stealer, European organizations should implement targeted and practical measures beyond generic advice:

1) Deploy advanced endpoint detection and response (EDR) solutions with behavioral analytics capable of identifying unusual data compression and exfiltration activities, especially those involving Telegram API usage.
2) Enforce strict application whitelisting and code execution policies to prevent unauthorized C# binaries from running.
3) Harden browser security by disabling or restricting vulnerable browser extensions and regularly updating browsers to the latest versions to minimize exploitation of cookie protections.
4) Implement multi-factor authentication (MFA) for VPN, FTP, and web services to reduce the impact of credential theft.
5) Monitor network traffic for anomalous connections to Telegram bot APIs or unusual outbound traffic patterns using network intrusion detection systems (NIDS) tuned to detect such behaviors.
6) Educate employees about phishing and social engineering tactics that may deliver such malware, emphasizing caution with unsolicited Telegram messages or links.
7) Regularly audit and rotate credentials for VPN, FTP, and critical services to limit attackers' window of opportunity.
8) Use hardware or software-based cryptocurrency wallet solutions with strong isolation to protect digital assets.
9) Employ data loss prevention (DLP) tools to detect and block unauthorized data exfiltration attempts.
10) Maintain up-to-date backups and incident response plans tailored to information-stealing malware scenarios.
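As an added example (not part of the original report or of the Unit 42 write-up), the following Python sketches the network check behind item 5: it scans proxy log lines for Telegram Bot API calls, which always take the form https://api.telegram.org/bot<token>/<method>, and raises the severity when the call is an upload method large enough to carry an archive like the ZIP the stealer produces. The log format, host names, allowlist and size threshold are constructed assumptions; adapt the regex to your proxy's format.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed proxy log format: "<timestamp> <src_host> <verb> <url> <bytes_sent>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")
# Every Telegram Bot API call is /bot<numeric_id>:<secret>/<method>
BOT_API_RE = re.compile(r"^/bot(\d+):[A-Za-z0-9_-]+/(\w+)")
# Methods that push a file out of the network; sendDocument is the natural fit for a ZIP
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio", "sendAnimation"}
UPLOAD_BYTES_MIN = 50_000  # assumed threshold: a harvested-data archive dwarfs a chat message

@dataclass
class Alert:
    src_host: str
    bot_id: str      # numeric half of the token only; the secret half is not recorded
    method: str
    bytes_sent: int
    severity: str

def check_line(line, allowed_hosts=frozenset()):
    # Return an Alert for a Bot API call from a non-allowlisted host, else None
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    _ts, src, _verb, url, size = m.groups()
    u = urlparse(url)
    if u.hostname != "api.telegram.org":
        return None  # web.telegram.org and friends are ordinary client traffic
    p = BOT_API_RE.match(u.path)
    if not p or src in allowed_hosts:
        return None
    bot_id, method = p.groups()
    size = int(size)
    high = method in UPLOAD_METHODS and size >= UPLOAD_BYTES_MIN
    return Alert(src, bot_id, method, size, "high" if high else "medium")

def scan(lines, allowed_hosts=frozenset()):
    return [a for a in (check_line(ln, allowed_hosts) for ln in lines) if a]

# Constructed sample traffic: one workstation talking to a bot, one sanctioned alerting host
SAMPLE_LOG = [
    "2025-04-29T10:01:02Z ws-0142 POST https://api.telegram.org/bot1234567890:AAEXAMPLE_token-xyz/sendDocument 734112",
    "2025-04-29T10:01:05Z ws-0142 POST https://api.telegram.org/bot1234567890:AAEXAMPLE_token-xyz/sendMessage 412",
    "2025-04-29T10:02:11Z alertbot-srv POST https://api.telegram.org/bot9876543210:BBops_alerts/sendMessage 380",
    "2025-04-29T10:03:00Z ws-0077 GET https://www.example.com/index.html 18220",
    "2025-04-29T10:03:30Z ws-0099 GET https://web.telegram.org/ 5120",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG, allowed_hosts=frozenset({"alertbot-srv"})):
        print(f"[{a.severity}] {a.src_host} -> bot {a.bot_id} {a.method} ({a.bytes_sent} bytes)")
```

Only hosts that are supposed to talk to a Telegram bot (monitoring or alerting systems) belong in the allowlist; everything else reaching the Bot API is worth a look, and a large sendDocument from a workstation is the pattern this report describes.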


Technical Details

Author: AlienVault
TLP: white
References: https://unit42.paloaltonetworks.com/new-malware-gremlin-stealer-for-sale-on-telegram
Adversary: null
Pulse Id: 6810fddff4691fd89f0a9aa7
Threat Score: null

Indicators of Compromise

Hash (SHA-256): d1ea7576611623c6a4ad1990ffed562e8981a3aa209717065eddc5be37a76132

Threat ID: 68388802182aa0cae2849385

Added to database: 5/29/2025, 4:14:58 PM

Last enriched: 6/30/2025, 8:10:38 AM

Last updated: 7/26/2025, 6:09:27 PM
