Gremlin Stealer's Evolved Tactics: Hiding in Plain Sight With Resource Files
Gremlin Stealer is a medium-severity malware that uses advanced obfuscation techniques to hide malicious payloads within embedded resource files. It employs instruction virtualization via a private virtual machine to execute custom bytecode, complicating analysis. The malware steals sensitive data such as payment card details, browser cookies, session tokens, cryptocurrency wallet information, and FTP/VPN credentials. It exfiltrates stolen data to an attacker-controlled server at IP 194.87.92.109. Recent variants have enhanced capabilities including expanded Discord token theft, real-time cryptocurrency wallet address replacement (crypto clipper), and WebSocket-based session hijacking to bypass cookie protections. It also uses anti-analysis methods like XOR-encoded payloads in .NET resources, identifier renaming, and string encryption.
AI Analysis
Technical Summary
Gremlin Stealer has evolved to use commercial packing and instruction virtualization to conceal its malicious payload within embedded resource files. The real code is translated into custom bytecode that only a private virtual machine inside the sample can execute, so a decompiler shows the interpreter rather than the stealer logic, and analysts must first understand the VM before they can recover what it runs. The malware targets a wide range of sensitive information including payment card data, browser cookies, session tokens, cryptocurrency wallets, and FTP/VPN credentials, and exfiltrates it to an attacker-controlled IP address (194.87.92.109). Newer versions add expanded Discord token extraction, active financial fraud via a crypto clipper that replaces cryptocurrency wallet addresses in real time, and session hijacking over WebSocket to evade modern browser cookie protections. Further anti-analysis measures include XOR encoding of the payload inside .NET resource sections, identifier renaming, and string encryption; the consequence for defenders is that the dropped file on disk contains only encoded bytes and the payload appears in clear only at runtime, so static signatures written for the decoded stealer will not match the container. Because this is malware rather than a flaw in a product, there is no CVE, vendor advisory or patch to apply; defence depends on detection and response (see Mitigation Recommendations below).
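The XOR-in-resource layer described above is usually the easiest one to strip once the resource is dumped, because whatever sits under the key is almost always a PE file with predictable bytes at fixed offsets. The block below is an added example written for this page, not code from Unit 42 or from the malware: it recovers a repeating XOR key of unknown length (assumed 1 to 16 bytes, a limit chosen for the demo) from the MZ signature and the standard DOS stub string, then checks that the decode really is a PE before trusting the key. It assumes the resource bytes have already been extracted, for instance with dnSpy or ILSpy. The demo blob, the key GREMLIN and all function names are constructed for the example; the Unit 42 write-up says nothing about the key scheme, so a sample using something other than a repeating XOR will return None and the decoding routine in the assembly has to be read instead.

```python
"""Recover a XOR-encoded PE payload from a dumped .NET resource blob.

Added example for this page, not code from Unit 42 or from Gremlin Stealer.
Assumptions: the payload under the XOR is a PE file, the key is a repeating
byte string of length 1..MAX_KEY_LEN, and the resource was already dumped to
bytes. DEMO_BLOB and DEMO_KEY are constructed, not taken from a real sample.
"""
import struct

DOS_STUB = b"This program cannot be run in DOS mode"
DOS_STUB_OFFSET = 0x4E      # where the stub string sits in a standard MZ header
MAX_KEY_LEN = 16            # assumption made for the demo: longer keys not tried

# Known plaintext present in virtually every PE file: (offset, bytes).
KNOWN_PLAINTEXT = [(0, b"MZ"), (DOS_STUB_OFFSET, DOS_STUB)]


def looks_like_pe(data: bytes) -> bool:
    """True if data has an MZ signature and e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same function encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_xor_key(blob: bytes, max_key_len: int = MAX_KEY_LEN):
    """Derive the repeating key from known PE plaintext, or None.

    For a candidate length k, each known plaintext byte at offset i fixes
    key[i % k] = blob[i] ^ plain[i]. A wrong k gives contradictory values for
    some key position and is rejected; the shortest consistent k whose
    decode carries a PE header is returned.
    """
    for k in range(1, max_key_len + 1):
        key = [None] * k
        consistent = True
        for offset, plain in KNOWN_PLAINTEXT:
            for i, p in enumerate(plain):
                pos = offset + i
                if pos >= len(blob):
                    consistent = False
                    break
                kb = blob[pos] ^ p
                if key[pos % k] is None:
                    key[pos % k] = kb
                elif key[pos % k] != kb:
                    consistent = False
                    break
            if not consistent:
                break
        if not consistent or any(b is None for b in key):
            continue
        candidate = bytes(key)
        if looks_like_pe(xor_bytes(blob, candidate)):
            return candidate
    return None


def decode_resource(blob: bytes):
    """Return (key, decoded_payload), or (None, None) if no key fits."""
    key = recover_xor_key(blob)
    if key is None:
        return None, None
    return key, xor_bytes(blob, key)


def build_fake_pe() -> bytes:
    """Constructed minimal PE-shaped blob for the demo (not a real executable)."""
    hdr = bytearray(0x100)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)                    # e_lfanew -> 0x80
    hdr[DOS_STUB_OFFSET:DOS_STUB_OFFSET + len(DOS_STUB)] = DOS_STUB
    hdr[0x80:0x84] = b"PE\x00\x00"
    return bytes(hdr) + b"\x00" * 64                           # some section bytes


DEMO_KEY = b"GREMLIN"                 # hypothetical key, chosen for the demo only
DEMO_BLOB = xor_bytes(build_fake_pe(), DEMO_KEY)

if __name__ == "__main__":
    key, payload = decode_resource(DEMO_BLOB)
    print("recovered key:", key, "| PE header valid:", looks_like_pe(payload))
```

On a real dump, `decode_resource(open(path, "rb").read())` returning a key together with a PE-shaped payload is good evidence of the staged-loader pattern the write-up describes; the decoded bytes can then be loaded into the decompiler for the next layer, which for this family is the virtualized bytecode and its interpreter.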
Potential Impact
The malware compromises confidentiality by stealing a broad spectrum of sensitive user data including financial information, authentication tokens, and credentials. The exfiltrated data can be used for financial fraud, identity theft, and unauthorized access to victim accounts and systems. The crypto clipper goes beyond data theft to an integrity attack on the victim's own transactions: the address the user pastes is silently replaced, so funds are sent to the attacker in real time without any credential being used. Stolen cookies, session tokens and Discord tokens let an attacker take over accounts without knowing or resetting the password, and the WebSocket-based session hijacking means browser cookie protections alone cannot be relied on to block this. The obfuscation and anti-analysis techniques hinder detection and response, increasing the likelihood of a prolonged undetected compromise.
Mitigation Recommendations
Gremlin Stealer is malware, not a vulnerability in a particular product, so there is no CVE, vendor patch or advisory to apply; defence rests on prevention, detection and post-compromise response. Block and alert on traffic to 194.87.92.109 at the perimeter and in proxy, DNS and firewall logs, and load the published SHA-256 hashes into EDR and threat-intelligence feeds, keeping in mind that each hash identifies exactly one build and that the packing and virtualization described above mean new builds will not share them; treat a hash match as confirmation of a known sample rather than as the primary control. Because the loader keeps the real payload XOR-encoded inside a .NET resource and runs it through a private virtual machine, static signatures on the container rarely fire, so favour behavioural EDR rules (a .NET process reading browser cookie and credential stores, enumerating cryptocurrency wallet, FTP and VPN client data, or repeatedly reading and rewriting the clipboard) and network monitoring for unexpected outbound sessions, including WebSocket connections, from user workstations. Reduce the chance of initial infection by restricting email attachments and unsigned downloads and by enforcing application control where possible. If a host is confirmed infected, assume every credential, cookie, session token, Discord token and wallet secret present on it is compromised: invalidate active sessions, rotate FTP/VPN and account passwords with MFA enforced, move funds out of exposed wallets, and tell users to verify a pasted wallet address character by character before sending, since the clipper substitutes it silently.
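Turning the page's indicators and the clipper behaviour into something a responder can run: the block below is an added example, not Unit 42's or the page's own code. It sweeps constructed connection-log lines for flows to the C2 address, hashes file contents against the published SHA-256 list, and applies a simple heuristic for the crypto clipper, flagging a wallet address the user copied that turns into a different address of the same coin within a short window with no new copy event. The log line format, the clipboard event shape, the 500 ms window, the address regexes and all sample data are assumptions made for the demo; only the IP and hashes come from the page.

```python
"""Sweep for Gremlin Stealer IoCs and flag clipper-style clipboard swaps.

Added example for this page, not code from Unit 42 or from the malware.
The C2 IP and SHA-256 hashes are the indicators the page publishes; the log
line format, clipboard event shape, regexes and sample data are assumptions.
"""
import hashlib
import re

C2_IPS = {"194.87.92.109"}
IOC_SHA256 = {
    "1bd0a200528c82c6488b4f48dd6dbc818d48782a2e25ccd22781c5718c3f62f5",
    "2172dae9a5a695e00e0e4609e7db0207d8566d225f7e815fada246ae995c0f9b",
    "281b970f281dbea3c0e8cfc68b2e9939b253e5d3de52265b454d8f0f578768a2",
    "691896c7be87e47f3e9ae914d76caaf026aaad0a1034e9f396c2354245215dc3",
    "971198ff86aeb42739ba9381923d0bc6f847a91553ec57ea6bae5becf80f8759",
    "9aab30a3190301016c79f8a7f8edf45ec088ceecad39926cfcf3418145f3d614",
    "9fda1ddb1acf8dd3685ec31b0b07110855832e3bed28a0f3b81c57fe7fe3ac20",
    "a9f529a5cbc1f3ee80f785b22e0c472953e6cb226952218aecc7ab07ca328abd",
    "ab0fa760bd037a95c4dee431e649e0db860f7cdad6428895b9a399b6991bf3cd",
    "d11938f14499de03d6a02b5e158782afd903460576e9227e0a15d960a2e9c02c",
    "f76ba1a4650d8cafb6d3ff071688c5db6fd37e165050f03cece693826f51d346",
}

# Assumed log shape: "<timestamp> <src_ip>:<port> <dst_ip>:<port> <proto>".
CONN_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):\d+\s+(?P<dst>[\d.]+):\d+\s+(?P<proto>\w+)"
)


def find_c2_connections(log_lines):
    """Return (timestamp, src, dst) for each flow whose destination is a C2 IP."""
    hits = []
    for line in log_lines:
        m = CONN_RE.match(line)
        if m and m.group("dst") in C2_IPS:
            hits.append((m.group("ts"), m.group("src"), m.group("dst")))
    return hits


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def match_file_hashes(files, iocs=IOC_SHA256):
    """files: {name: bytes}. Return the names whose SHA-256 is in the IoC set."""
    return sorted(name for name, data in files.items() if sha256_hex(data) in iocs)


# Clipper heuristic: the user copies address A, and shortly afterwards the
# clipboard holds a different address B of the same coin although the user
# copied nothing new. The regexes are loose demo patterns, not full validators.
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify_address(text):
    """Return the coin a string looks like, or None if it is not an address."""
    text = text.strip()
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return coin
    return None


def detect_clipboard_swaps(events, window_ms=500):
    """events: (ts_ms, source, text); source is 'user' for a copy the user made
    and 'poll' for a periodic clipboard read by a monitor.
    Returns (ts_ms, original, replacement) for each swap inside window_ms."""
    swaps = []
    last_user = None                  # (ts, text, coin) of the last copied address
    for ts, source, text in events:
        coin = classify_address(text)
        if source == "user":
            last_user = (ts, text.strip(), coin) if coin else None
            continue
        if last_user is None or coin is None:
            continue
        u_ts, u_text, u_coin = last_user
        if coin == u_coin and text.strip() != u_text and ts - u_ts <= window_ms:
            swaps.append((ts, u_text, text.strip()))
            last_user = None          # report each user copy at most once
    return swaps


# Constructed sample data, not real telemetry.
SAMPLE_LOG = [
    "2026-05-15T18:40:01Z 10.0.0.23:51422 194.87.92.109:443 tcp",
    "2026-05-15T18:40:02Z 10.0.0.23:51423 203.0.113.10:443 tcp",
    "this line is not a flow record",
    "2026-05-15T18:41:10Z 10.0.0.41:60111 194.87.92.109:80 tcp",
]
FAKE_ETH_A = "0x" + "a" * 40          # address the user copied (fake)
FAKE_ETH_B = "0x" + "b" * 40          # address the clipper substituted (fake)
FAKE_BTC = "bc1" + "q" * 39
SAMPLE_CLIPBOARD = [
    (1000, "user", FAKE_ETH_A),
    (1250, "poll", FAKE_ETH_B),       # same coin, different address, 250 ms later
    (5000, "user", FAKE_BTC),
    (5200, "poll", FAKE_BTC),         # unchanged: benign
    (9000, "user", "meeting notes"),
    (9100, "poll", FAKE_ETH_B),       # no address was copied: ignored
]

if __name__ == "__main__":
    print(find_c2_connections(SAMPLE_LOG))
    print(detect_clipboard_swaps(SAMPLE_CLIPBOARD))
```

The hash check is deliberately the weakest of the three: it only confirms one of the eleven known builds, which is why the clipboard heuristic and the C2 flow match are worth wiring into EDR and network telemetry first. To use the clipper check on a live host, feed it the output of whatever clipboard polling your EDR or a small agent provides, keeping the user-copy events separate from the polled reads.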
Indicators of Compromise
- ip: 194.87.92.109
- hash: 1bd0a200528c82c6488b4f48dd6dbc818d48782a2e25ccd22781c5718c3f62f5
- hash: 2172dae9a5a695e00e0e4609e7db0207d8566d225f7e815fada246ae995c0f9b
- hash: 281b970f281dbea3c0e8cfc68b2e9939b253e5d3de52265b454d8f0f578768a2
- hash: 691896c7be87e47f3e9ae914d76caaf026aaad0a1034e9f396c2354245215dc3
- hash: 971198ff86aeb42739ba9381923d0bc6f847a91553ec57ea6bae5becf80f8759
- hash: 9aab30a3190301016c79f8a7f8edf45ec088ceecad39926cfcf3418145f3d614
- hash: 9fda1ddb1acf8dd3685ec31b0b07110855832e3bed28a0f3b81c57fe7fe3ac20
- hash: a9f529a5cbc1f3ee80f785b22e0c472953e6cb226952218aecc7ab07ca328abd
- hash: ab0fa760bd037a95c4dee431e649e0db860f7cdad6428895b9a399b6991bf3cd
- hash: d11938f14499de03d6a02b5e158782afd903460576e9227e0a15d960a2e9c02c
- hash: f76ba1a4650d8cafb6d3ff071688c5db6fd37e165050f03cece693826f51d346
Technical Details
- Author: AlienVault
- TLP: WHITE
- References:
  - https://unit42.paloaltonetworks.com/gremlin-stealer-evolution/
  - https://unit42.paloaltonetworks.com/wp-content/uploads/2026/05/02_Malware_Category_1920x900.jpg
- Adversary: not specified
- Pulse Id: 6a073a73501adf1f890b1a5e
- Threat Score: not specified
Threat ID: 6a076b3aec166c07b0809087
Added to database: 5/15/2026, 6:51:38 PM
Last enriched: 5/15/2026, 7:06:55 PM
Last updated: 5/16/2026, 6:27:41 AM