
Originally known as a basic credential harvester, this threat has rapidly transformed into a modular toolkit designed for active financial fraud and persistent identity theft.
Gremlin stealer now uses the resource section to mirror the evasion tactics of high-profile malware families like Agent Tesla and GuLoader.
By shifting its malicious code into obscure resource blocks and masking it with a single-byte XOR decryption routine, the malware successfully bypasses signature-based detection and heuristic scanning.
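Reversing that masking is the first step an analyst takes once the resource blob is extracted (with pefile, dnSpy or similar). The script below is an added example, not Gremlin's code and not from the report: it brute-forces all 256 single-byte XOR keys against a constructed stand-in blob and picks the key whose output looks like a PE file. The sample payload, the key 0x5A and the scoring weights are assumptions made for the example.

```python
# Added example (not Gremlin's code, not from the report): brute-force
# recovery of a single-byte XOR key from an extracted resource blob.
# In practice the blob comes from a resource extractor; here it is constructed.
import string

# Constructed stand-in for an XOR-masked .NET resource: a fake PE header
# and DOS stub, XORed with the (assumed) key 0x5A.
FAKE_PAYLOAD = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    + b"This program cannot be run in DOS mode.\r\n$"
    + b"\x00" * 32
)
SAMPLE_KEY = 0x5A
SAMPLE_BLOB = bytes(b ^ SAMPLE_KEY for b in FAKE_PAYLOAD)

PRINTABLE_BYTES = set(string.printable.encode())


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte (the masking routine described above)."""
    return bytes(b ^ key for b in data)


def score_candidate(decoded: bytes) -> int:
    """Heuristic score for a candidate decoding: a large bonus for the PE 'MZ'
    header and the standard DOS stub text, plus one point per printable byte."""
    score = 0
    if decoded[:2] == b"MZ":
        score += 1000
    if b"This program cannot be run" in decoded:
        score += 500
    score += sum(1 for b in decoded if b in PRINTABLE_BYTES)
    return score


def recover_xor_key(blob: bytes) -> tuple[int, bytes]:
    """Try all 256 keys and return (best_key, decoded_bytes)."""
    best_key = max(range(256), key=lambda k: score_candidate(xor_bytes(blob, k)))
    return best_key, xor_bytes(blob, best_key)


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check before handing decoded bytes to a real PE parser."""
    return len(data) >= 0x40 and data[:2] == b"MZ"


if __name__ == "__main__":
    key, decoded = recover_xor_key(SAMPLE_BLOB)
    print(f"recovered key: 0x{key:02x}, PE header present: {looks_like_pe(decoded)}")
```

A single-byte XOR preserves byte frequencies, so the 'MZ' header and the DOS stub string survive as fixed-offset markers; the same scoring idea extends to other embedded formats by swapping in their magic bytes.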
At the time of discovery, the server listed in the indicators below showed zero detections on scanning platforms like VirusTotal, with no block list entries or community reports.
Once a system is compromised, the malware bundles harvested artifacts into a ZIP archive named after the victim’s public IP address. It aggressively targets sensitive information, including:
- Payment card details and browser cookies.
- Active session tokens.
- System clipboard contents.
- Cryptocurrency wallet data.
- FTP and VPN credentials.
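The archive naming described above is a usable detection hook: an archive whose file name is nothing but a public IPv4 address is rare in normal use. The following is an added example, not from the report or the malware, that flags such file-creation events in constructed Sysmon-style records. The event field names, process paths and the exclusion list of non-public ranges are assumptions; documentation ranges (203.0.113.0/24, 198.51.100.0/24) are deliberately treated as public so the sample data works.

```python
# Added example (constructed; not from the report or the malware): flag
# archive creations whose file name is a bare IPv4 address, matching the
# exfiltration-bundle naming described in the article.
import ipaddress
import re

# Constructed Sysmon-style file-creation events. Paths and process names are
# invented; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_EVENTS = [
    {"event": "FileCreate", "image": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "target": r"C:\Users\alice\AppData\Local\Temp\203.0.113.42.zip"},
    {"event": "FileCreate", "image": r"C:\Program Files\7-Zip\7zG.exe",
     "target": r"C:\Users\alice\Documents\report-2024.zip"},
    {"event": "FileCreate", "image": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Temp\192.168.1.5.zip"},
    {"event": "ProcessCreate", "image": r"C:\Users\bob\tool.exe",
     "target": r"C:\Users\bob\10.0.0.9.zip"},
    {"event": "FileCreate", "image": r"C:\Users\bob\tool.exe",
     "target": r"C:\Users\bob\AppData\Local\Temp\198.51.100.7.ZIP"},
]

# File name consisting solely of a dotted quad followed by an archive extension.
ARCHIVE_NAME = re.compile(
    r"(?:^|[\\/])(\d{1,3}(?:\.\d{1,3}){3})\.(?:zip|7z|rar)$", re.IGNORECASE
)

# Ranges a victim's public IP would never fall in (assumed exclusion list).
# Documentation ranges are intentionally not excluded so the sample data works.
LOCAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
)]


def is_plausible_public_ipv4(text):
    """True if `text` parses as IPv4 and is outside the local/private ranges."""
    try:
        ip = ipaddress.IPv4Address(text)
    except ValueError:
        return False
    return not any(ip in net for net in LOCAL_RANGES)


def flag_ip_named_archives(events):
    """Return the FileCreate events whose target is '<public-ipv4>.<archive ext>'."""
    hits = []
    for ev in events:
        if ev.get("event") != "FileCreate":
            continue
        match = ARCHIVE_NAME.search(ev.get("target", ""))
        if match and is_plausible_public_ipv4(match.group(1)):
            hits.append({"target": ev["target"], "image": ev["image"], "ip": match.group(1)})
    return hits


if __name__ == "__main__":
    for hit in flag_ip_named_archives(SAMPLE_EVENTS):
        print(f"suspicious archive {hit['target']} written by {hit['image']}")
```

The creating process (`image`) is carried in each hit because the same rule is far more useful when joined with process lineage: an archive of this shape written by an unsigned binary from a temp directory deserves a different priority than one written by a known archiver.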
Gremlin Conceals Malware Payloads
Comparing legacy samples to the current iteration reveals a clear evolution in anti-analysis techniques.
Older versions lacked obfuscation, leaving internal symbols intact and easy to reverse-engineer.
The new Gremlin stealer implements a staged-loading mechanism that decrypts and maps critical functions into memory only when needed.
To further frustrate security researchers, the malware is packed using a complex commercial utility that relies on three primary evasion techniques.
First, it uses identifier renaming to replace meaningful names for classes and variables with random letters, stripping away all context from the code.
Second, the malware relies on string encryption to hide readable text, such as URLs, using an embedded decoder function that reveals the true strings only at runtime.
Finally, it uses control-flow obfuscation to create a maze of useless logic, filling the execution path with nonsensical jump commands that simply waste an analyst’s time.
According to a report that buaq shared with CyberPress, Gremlin stealer has significantly expanded its attack scope to target digital identities.
It now features a dedicated Discord token extraction module that scans multiple system paths to compromise modern communication platforms.
The threat has also shifted from passive data theft to active financial interference through the deployment of a crypto clipper.
This module continuously monitors the victim’s clipboard for patterns associated with cryptocurrency wallets.
It replaces them in real time with an attacker-controlled address, successfully diverting funds during live transactions. Additionally, the malware includes a WebSocket-based session-hijacking module that intercepts live browser sessions to bypass modern cookie protections.
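The clipper's signature from the user's side is a wallet address that changes in the clipboard without any copy action by the user. The script below is an added example, not from the report or the malware: given a recorded series of clipboard snapshots, it flags a wallet-looking value that was replaced by a different wallet-looking value within a short window. The address patterns, the sample snapshots and the 2-second threshold are assumptions for illustration; on a real host the snapshots would come from a clipboard monitor.

```python
# Added example (not from the report or the malware): offline detection of
# clipboard-clipper behaviour from a series of clipboard snapshots.
import re

# Rough address shapes for a few common chains (illustrative, not exhaustive).
WALLET_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{25,62}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

# Assumed threshold: two different wallet addresses this close together are
# unlikely to be a human re-copy.
SWAP_WINDOW_SECONDS = 2.0

# Constructed clipboard history: (seconds since start, clipboard text).
SAMPLE_SNAPSHOTS = [
    (0.0, "meeting notes for monday"),
    (10.0, "0x" + "ab" * 20),                                # user copies an ETH address
    (10.3, "0x" + "cd" * 20),                                # replaced 300 ms later
    (40.0, "bc1q" + "qpzry9x8gf2tvdw0s3jn54khce6mua7l"),     # user copies a BTC address
    (75.0, "bc1q" + "l7aum6echk45nj3s0wdvt2fg8x9yrzpq"),     # another BTC address, 35 s later
]


def classify_address(text):
    """Return the wallet family a string looks like, or None."""
    text = text.strip()
    for name, pattern in WALLET_PATTERNS.items():
        if pattern.match(text):
            return name
    return None


def detect_clipper_swaps(snapshots, window=SWAP_WINDOW_SECONDS):
    """Flag consecutive snapshots where one wallet address became a different
    wallet address within `window` seconds."""
    alerts = []
    for (t_prev, prev), (t_cur, cur) in zip(snapshots, snapshots[1:]):
        if prev == cur:
            continue
        if classify_address(prev) and classify_address(cur) and (t_cur - t_prev) <= window:
            alerts.append({
                "time": t_cur,
                "original": prev,
                "replacement": cur,
                "family": classify_address(cur),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_clipper_swaps(SAMPLE_SNAPSHOTS):
        print(f"t={alert['time']}s: {alert['family']} address swapped "
              f"{alert['original'][:10]}... -> {alert['replacement'][:10]}...")
```

Widening the window trades false positives for coverage: with the default 2 s only the 300 ms swap fires, while a 60 s window would also flag the user's own later copies.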
Indicators of Compromise
| Indicator Type | Value |
|---|---|
| URL | hxxp[:]194.87.92[.]109 |
| SHA256 Hash | 2172dae9a5a695e00e0e4609e7db0207d8566d225f7e815fada246ae995c0f9b |
| SHA256 Hash | 9aab30a3190301016c79f8a7f8edf45ec088ceecad39926cfcf3418145f3d614 |
| SHA256 Hash | 971198ff86aeb42739ba9381923d0bc6f847a91553ec57ea6bae5becf80f8759 |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
The post Gremlin Stealer Abuses .NET Resource Files To Conceal Malware Payloads appeared first on Cyber Security News.
