Gremlin Stealer's Evolved Tactics: Hiding in Plain Sight With Resource Files
Essential information
- Published
- 15/05/2026 17:23
- Modified
- 15/05/2026 19:14
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- agent tesla credential harvesting cryptocurrency clipper discord token theft gremlin stealer guloader infostealer lokibot obfuscation techniques quasar rat session hijacking telegram exfiltration
- Tags
- 2026-05-15 agent-tesla credential harvesting cryptocurrency clipper discord token theft gremlin stealer guloader infostealer lokibot obfuscation techniques quasar rat session hijacking telegram exfiltration
- Related entities
- 12 indicators, 12 observables, 20 techniques (mitre), 5 malware
Description
This analysis examines new obfuscation techniques employed by the Gremlin stealer malware to conceal malicious payloads within embedded resources. A variant protected by a sophisticated commercial packing utility uses instruction virtualization, transforming code into custom bytecode executed by a private virtual machine. The malware siphons sensitive information, including payment card details, browser cookies, session tokens, cryptocurrency wallet data, and FTP/VPN credentials, from compromised systems. It exfiltrates data to attacker-controlled servers at hxxp[:]194.87.92[.]109 for potential publication or sale. Recent iterations incorporate expanded Discord token extraction, active financial fraud through crypto clipper functionality that replaces cryptocurrency wallet addresses in real time, and WebSocket-based session hijacking to bypass modern cookie protections. The malware employs advanced anti-analysis techniques, including XOR-encoded payloads in .NET resource sections, identifier renaming, string encryp...