{
  "name": "Gremlin Stealer's Evolved Tactics: Hiding in Plain Sight With Resource Files",
  "slug": "gremlin-stealers-evolved-tactics-hiding-in-plain-sight-with-resource-files",
  "description": "This analysis examines new obfuscation techniques employed by Gremlin stealer malware to conceal malicious payloads within embedded resources. A variant protected by a sophisticated commercial packing utility uses instruction virtualization, transforming code into custom bytecode executed by a private virtual machine. The malware siphons sensitive information including payment card details, browser cookies, session tokens, cryptocurrency wallet data, and FTP/VPN credentials from compromised systems. It exfiltrates data to an attacker-controlled server at hxxp[:]//194[.]87[.]92[.]109 for potential publication or sale. Recent iterations incorporate expanded Discord token extraction, active financial fraud through crypto clipper functionality that replaces cryptocurrency wallet addresses in real time, and WebSocket-based session hijacking to bypass modern cookie protections. The malware employs advanced anti-analysis techniques including XOR-encoded payloads in .NET resource sections, identifier renaming, string encryp...",
  "published": "2026-05-15T15:23:31.567000+00:00",
  "created_at": "2026-05-15T19:14:26.824000+00:00",
  "modified_at": "2026-05-15T17:14:26+00:00",
  "created_at_opencti": "2026-05-15T19:14:26.824000+00:00",
  "author": "AlienVault",
  "confidence": 100,
  "report_types": [
    "threat-report"
  ],
  "labels": [
    "agent tesla",
    "credential harvesting",
    "cryptocurrency clipper",
    "discord token theft",
    "gremlin stealer",
    "guloader",
    "infostealer",
    "lokibot",
    "obfuscation techniques",
    "quasar rat",
    "session hijacking",
    "telegram exfiltration"
  ],
  "tags": [
    "2026-05-15",
    "agent-tesla",
    "credential harvesting",
    "cryptocurrency clipper",
    "discord token theft",
    "gremlin stealer",
    "guloader",
    "infostealer",
    "lokibot",
    "obfuscation techniques",
    "quasar rat",
    "session hijacking",
    "telegram exfiltration"
  ],
  "related_entities": {
    "indicators": [
      {
        "id": "9b2ce044-2c84-41d8-8a46-96885ad5dae1",
        "name": "971198ff86aeb42739ba9381923d0bc6f847a91553ec57ea6bae5becf80f8759"
      },
      {
        "id": "5eef3b1b-5812-4f8f-af76-4310cd69e139",
        "name": "f76ba1a4650d8cafb6d3ff071688c5db6fd37e165050f03cece693826f51d346"
      },
      {
        "id": "08e07f4a-3335-4578-bed5-13a5d0d67824",
        "name": "194.87.92.109"
      },
      {
        "id": "d4951b76-e603-41a1-8c18-65f8ed72b4b3",
        "name": "9aab30a3190301016c79f8a7f8edf45ec088ceecad39926cfcf3418145f3d614"
      },
      {
        "id": "198a311f-8444-4eae-96d0-ff9a6cd19e94",
        "name": "2172dae9a5a695e00e0e4609e7db0207d8566d225f7e815fada246ae995c0f9b"
      },
      {
        "id": "4f1037f4-1075-4dd5-8ac6-3bd7bdb03bf6",
        "name": "a9f529a5cbc1f3ee80f785b22e0c472953e6cb226952218aecc7ab07ca328abd"
      },
      {
        "id": "7b1cc057-05ee-48d7-bea5-a5bc2cdecc5b",
        "name": "ab0fa760bd037a95c4dee431e649e0db860f7cdad6428895b9a399b6991bf3cd"
      },
      {
        "id": "66e99f1e-6e7e-417a-8bb1-ede9e0308046",
        "name": "691896c7be87e47f3e9ae914d76caaf026aaad0a1034e9f396c2354245215dc3"
      },
      {
        "id": "b7b270b4-99e4-4a07-b2b1-9aed583b68c7",
        "name": "281b970f281dbea3c0e8cfc68b2e9939b253e5d3de52265b454d8f0f578768a2"
      },
      {
        "id": "41748193-edcc-47ad-9d9f-8f7891b914a7",
        "name": "d11938f14499de03d6a02b5e158782afd903460576e9227e0a15d960a2e9c02c"
      },
      {
        "id": "840aa9a8-57a2-4ee8-a157-6c42a2f46abc",
        "name": "9fda1ddb1acf8dd3685ec31b0b07110855832e3bed28a0f3b81c57fe7fe3ac20"
      },
      {
        "id": "03f60365-0109-4a70-99d3-bf11fff2ef6e",
        "name": "1bd0a200528c82c6488b4f48dd6dbc818d48782a2e25ccd22781c5718c3f62f5"
      }
    ],
    "attack_patterns": [
      {
        "id": "785e04ec-d651-49c5-9271-d75c267624c9",
        "name": "T1032"
      },
      {
        "id": "8634c845-2e3a-4ea5-a9a3-6f694468408c",
        "name": "T1027.001"
      },
      {
        "id": "5c67e5d2-bc85-4ce0-822d-f2f5d3b0ae4e",
        "name": "T1185"
      },
      {
        "id": "7e3e3784-9547-42ca-b888-482972d14be3",
        "name": "T1528"
      },
      {
        "id": "b7ba0db0-7d4f-436f-8d5f-c431d690b048",
        "name": "T1555.003"
      },
      {
        "id": "667462db-9031-48eb-893a-05d35f9330a7",
        "name": "T1056.001"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "60972cf6-e90b-4600-af3c-13c468391d9c",
        "name": "T1106"
      },
      {
        "id": "97d377d8-89c7-48f8-a79f-0f48bd60df74",
        "name": "T1005"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "14e5fcd9-c0ff-44f0-8430-d8942ebb832e",
        "name": "T1567.002"
      },
      {
        "id": "b7c6c1ad-f183-4128-8427-3891029c73dc",
        "name": "T1539"
      },
      {
        "id": "3645c785-310f-40a0-8db8-cdb47f81389c",
        "name": "T1081"
      },
      {
        "id": "3245033a-53c4-454c-873a-fb653af0bf8a",
        "name": "T1552"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "e1b18ecf-d74e-4fe6-9bd4-ca6a62e7d818",
        "name": "T1027.002"
      },
      {
        "id": "232fbdfa-94c6-443d-b575-373e75b4f4c2",
        "name": "T1567"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "f4a450ef-8297-42e5-9e47-01162138baa2",
        "name": "T1115"
      },
      {
        "id": "fa3b8b48-d97c-4242-83a6-07d435a5a79e",
        "name": "T1041"
      }
    ],
    "malware": [
      {
        "id": "cafe3417-bbcf-4b6c-aa87-c8ed210f357a",
        "name": "GuLoader - S0561",
        "slug": "guloader-s0561"
      },
      {
        "id": "3e960285-cdf8-410a-a182-db021fb0b656",
        "name": "Lokibot - S0447",
        "slug": "lokibot-s0447"
      },
      {
        "id": "c3b62cc6-7592-43ed-8a07-c26d3b2fb2d8",
        "name": "Quasar RAT",
        "slug": "quasar-rat"
      },
      {
        "id": "fc2da99a-924e-4407-a4db-285db6512d86",
        "name": "Gremlin stealer",
        "slug": "gremlin-stealer"
      },
      {
        "id": "23c1ea77-7be5-4568-a033-3ebf582884b0",
        "name": "Agent Tesla - S0331",
        "slug": "agent-tesla-s0331"
      }
    ],
    "observables": [
      {
        "id": "425381f9-014b-45a9-b3fc-218f61a14337",
        "name": "194.87.92.109"
      },
      {
        "id": "",
        "name": "971198ff86aeb42739ba9381923d0bc6f847a91553ec57ea6bae5becf80f8759"
      },
      {
        "id": "",
        "name": "f76ba1a4650d8cafb6d3ff071688c5db6fd37e165050f03cece693826f51d346"
      },
      {
        "id": "",
        "name": "9aab30a3190301016c79f8a7f8edf45ec088ceecad39926cfcf3418145f3d614"
      },
      {
        "id": "",
        "name": "2172dae9a5a695e00e0e4609e7db0207d8566d225f7e815fada246ae995c0f9b"
      },
      {
        "id": "",
        "name": "a9f529a5cbc1f3ee80f785b22e0c472953e6cb226952218aecc7ab07ca328abd"
      },
      {
        "id": "",
        "name": "ab0fa760bd037a95c4dee431e649e0db860f7cdad6428895b9a399b6991bf3cd"
      },
      {
        "id": "",
        "name": "691896c7be87e47f3e9ae914d76caaf026aaad0a1034e9f396c2354245215dc3"
      },
      {
        "id": "",
        "name": "281b970f281dbea3c0e8cfc68b2e9939b253e5d3de52265b454d8f0f578768a2"
      },
      {
        "id": "",
        "name": "d11938f14499de03d6a02b5e158782afd903460576e9227e0a15d960a2e9c02c"
      },
      {
        "id": "",
        "name": "9fda1ddb1acf8dd3685ec31b0b07110855832e3bed28a0f3b81c57fe7fe3ac20"
      },
      {
        "id": "",
        "name": "1bd0a200528c82c6488b4f48dd6dbc818d48782a2e25ccd22781c5718c3f62f5"
      }
    ]
  },
  "external_refs": [
    {
      "id": "980a7854-26b0-4194-8b99-77488d9dbe74",
      "standard_id": "external-reference--aa7291d9-5609-5e25-ab0c-2c47b2ac92c6",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://unit42.paloaltonetworks.com/gremlin-stealer-evolution/",
      "hash": null,
      "external_id": null,
      "created": "2026-05-15T19:14:26.713Z",
      "modified": "2026-05-15T19:14:26.713Z",
      "createdById": null
    },
    {
      "id": "bd91a14c-4e13-46cc-b7da-4b14a0afd050",
      "standard_id": "external-reference--cab37e64-4c2b-5a9d-9e6e-1b7a63091960",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://unit42.paloaltonetworks.com/wp-content/uploads/2026/05/02_Malware_Category_1920x900.jpg",
      "hash": null,
      "external_id": null,
      "created": "2026-05-15T19:14:26.748Z",
      "modified": "2026-05-15T19:14:26.748Z",
      "createdById": null
    },
    {
      "id": "2b25cd62-29c6-4d61-86c5-6ca361e94199",
      "standard_id": "external-reference--eb60f631-9e36-55e1-8513-d4736ec6c869",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://otx.alienvault.com/pulse/6a073a73501adf1f890b1a5e",
      "hash": null,
      "external_id": "6a073a73501adf1f890b1a5e",
      "created": "2026-05-15T19:14:26.683Z",
      "modified": "2026-05-15T19:14:26.683Z",
      "createdById": null
    }
  ]
}