From April 2025 credential harvester to a modular toolkit
Gremlin first appeared in April 2025 as a relatively simple infostealer. Unit 42's analysis shows that, in roughly 12 months, the malware has been refactored into a modular toolkit with a pronounced emphasis on stealth and evasion. The fundamental purpose remains: siphoning sensitive information from compromised systems and sending it to attacker‑controlled servers for potential publication or sale. But the mechanics have become markedly more sophisticated.
New obfuscation and anti‑analysis techniques: .NET resources and XOR masking
Unit 42 identified a clear shift in how the malicious payload is delivered and hidden. Recent builds move the payload into the .NET Resource section and mask it with XOR encoding. According to the researchers, those changes are specifically intended to bypass signature‑based detection and heuristic scanning and to evade static analysis tools. The updated builds therefore aim to frustrate common detection pipelines used by defenders and automated scanners.
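The technique described above (a payload parked in a .NET resource and masked with XOR) defeats signature matching because the on-disk bytes never look like a PE. A useful analyst check is to pull the raw resource bytes out of the assembly (with a .NET decompiler or resource extractor; that step is assumed here and not shown) and try to undo the mask. The script below is an added illustration, not Unit 42's tooling or any code from the malware: it brute-forces all 256 single-byte XOR keys and reports the one under which a DOS header ("MZ" followed by the usual stub string) appears. The sample resource is a constructed fake header masked with key 0x5A, not a Gremlin artifact. Real builds may use longer repeating keys; the same known-plaintext idea (the PE header is predictable) extends to those, but this example deliberately stops at single-byte keys.

```python
import math
from typing import Optional, Tuple

DOS_STUB = b"This program cannot be run in DOS mode"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte (0..8). Useful as a triage signal, but note below why it
    does not help against a single-byte XOR mask."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR mask (the operation is its own inverse)."""
    return bytes(b ^ key for b in data)


def find_single_byte_xor_pe(blob: bytes) -> Optional[Tuple[int, int]]:
    """Try every single-byte key and return (key, offset_of_MZ) for the first
    key under which the blob decodes to a PE DOS header: an 'MZ' magic with the
    DOS stub string somewhere after it. Returns None if no key works.
    Key 0 means the resource was not masked at all."""
    for key in range(256):
        decoded = xor_bytes(blob, key)
        stub_off = decoded.find(DOS_STUB)
        if stub_off == -1:
            continue
        # require the MZ magic to sit before the stub string, as in a real header
        mz_off = decoded.rfind(b"MZ", 0, stub_off)
        if mz_off != -1:
            return key, mz_off
    return None


# Constructed stand-in for an extracted .NET resource: a minimal fake DOS
# header plus stub string, masked with key 0x5A. This is NOT a real sample.
FAKE_PE = b"MZ" + b"\x00" * 76 + DOS_STUB + b".\r\n$" + b"\x00" * 64
SAMPLE_RESOURCE = xor_bytes(FAKE_PE, 0x5A)

if __name__ == "__main__":
    print("entropy, unmasked:", round(shannon_entropy(FAKE_PE), 3))
    print("entropy, masked  :", round(shannon_entropy(SAMPLE_RESOURCE), 3))
    hit = find_single_byte_xor_pe(SAMPLE_RESOURCE)
    print("recovered key / MZ offset:", (hex(hit[0]), hit[1]) if hit else None)
```

Two things worth noticing when running it: the entropy of the masked and unmasked blobs is identical, because a constant XOR only permutes byte values, so an entropy-based scanner cannot tell a single-byte-masked PE from the plain one; and the recovered key comes out as 0x5A with the header at offset 0, which is the point at which ordinary PE signatures and YARA rules become applicable again.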
Exfiltration unchanged but a new publication destination
Despite the internal changes, Gremlin's core architecture and exfiltration methods remain consistent with earlier versions. The malware continues to send harvested data to attacker‑controlled destinations using private web panels or the Telegram Bot API. Unit 42 also observed a newly deployed data publication site at hxxp[:]194.87.92[.]109. Troublingly, when researchers discovered that site, VirusTotal showed zero detections for the site, its associated URLs, or any retrieved artifacts — no block list entries, community reports, or malicious categorizations.
After exfiltration, Gremlin bundles harvested artifacts into a ZIP archive — naming the file using the victim’s public IP address — and uploads it to the attacker‑controlled site. The archive routinely includes browser cookies, session tokens, clipboard contents, cryptocurrency wallet data, and FTP and VPN credentials.
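The two exfiltration traits above give defenders something concrete to hunt for in egress telemetry: an HTTP upload whose file name is exactly an IPv4 address with a .zip extension, and a POST to the Telegram Bot API sendDocument endpoint. The scanner below is an added example written for this article, not Unit 42's detection content; it runs over a handful of constructed proxy log lines in an assumed key=value format (ts, src, method, host, uri, bytes), and the 50 KB size floor and the Telegram token placeholder are likewise assumptions, not values from the page.

```python
import re
from dataclasses import dataclass
from typing import List

# Strict dotted-quad: each octet 0-255.
IPV4 = r"(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)"
# Basename of the uploaded object is exactly <IPv4>.zip, e.g. /upload/203.0.113.45.zip
IP_NAMED_ZIP = re.compile(rf"/(?P<ip>{IPV4})\.zip$", re.IGNORECASE)
# Telegram Bot API document upload; we match the endpoint shape, not any token value.
TELEGRAM_SEND_DOC = re.compile(r"^api\.telegram\.org/bot[^/]+/sendDocument", re.IGNORECASE)
# Assumed proxy log format (constructed for this example).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) method=(?P<method>\S+) host=(?P<host>\S+) "
    r"uri=(?P<uri>\S+) bytes=(?P<bytes>\d+)$"
)


@dataclass
class Alert:
    ts: str
    src: str
    reason: str
    detail: str


def scan_proxy_log(lines: List[str], min_bytes: int = 50_000) -> List[Alert]:
    """Return one Alert per suspicious upload. Only POST/PUT requests are
    considered; IP-named ZIPs below min_bytes are ignored to cut noise from
    tiny legitimate archives (threshold is an assumption, tune to your estate)."""
    alerts: List[Alert] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # lines in another format are skipped, not errors
        if m["method"].upper() not in ("POST", "PUT"):
            continue
        size = int(m["bytes"])
        target = f"{m['host']}{m['uri']}"
        zip_hit = IP_NAMED_ZIP.search(m["uri"])
        if zip_hit and size >= min_bytes:
            alerts.append(Alert(m["ts"], m["src"], "ip-named-zip-upload",
                                f"{target} ({size} bytes, name={zip_hit['ip']})"))
        if TELEGRAM_SEND_DOC.match(target):
            alerts.append(Alert(m["ts"], m["src"], "telegram-bot-sendDocument",
                                f"{target} ({size} bytes)"))
    return alerts


# Constructed log lines; hosts use documentation/reserved ranges, and the bot
# token is a placeholder. None of these are indicators from the article.
SAMPLE_LOG = [
    "2025-05-02T10:14:03Z src=10.0.5.21 method=POST host=198.51.100.7 uri=/upload/203.0.113.45.zip bytes=482311",
    "2025-05-02T10:14:09Z src=10.0.5.21 method=GET host=example.org uri=/index.html bytes=5120",
    "2025-05-02T10:15:40Z src=10.0.5.33 method=POST host=api.telegram.org uri=/botPLACEHOLDER_TOKEN/sendDocument bytes=120044",
    "2025-05-02T10:16:02Z src=10.0.5.21 method=POST host=files.example.net uri=/share/report-2025.zip bytes=900000",
    "2025-05-02T10:17:11Z src=10.0.5.40 method=PUT host=backup.example.net uri=/b/192.168.1.10.zip bytes=1200",
]

if __name__ == "__main__":
    for a in scan_proxy_log(SAMPLE_LOG):
        print(f"{a.ts} {a.src} {a.reason}: {a.detail}")
```

The fourth line (a ZIP with an ordinary name) and the fifth (an IP-named ZIP far below the size floor) are deliberately left unflagged; a practitioner would pair this with the destination-reputation caveat in the text, since a brand-new upload host will not be on any block list when the first archive goes out.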
New modules: Discord tokens, crypto clipping, and WebSocket session hijacking
Unit 42's technical findings list specific new capabilities. The updated Gremlin includes a dedicated module to extract Discord tokens, which can be leveraged to impersonate or target digital identities through social engineering. The malware also added "crypto clipper" functionality: it monitors the system clipboard for cryptocurrency wallet addresses and swaps them with attacker‑controlled addresses, enabling real‑time redirection of funds without the user's knowledge.
Further, the variant introduces a WebSocket‑based session hijacking capability. By operating directly from the running browser process, that functionality can hijack active browser sessions while bypassing modern cookie protections, giving attackers immediate access to authenticated accounts. Collectively, these modules demonstrate a move from passive collection toward active manipulation and account takeover.
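The crypto clipper behaviour described above (watch the clipboard for a wallet address, replace it with the attacker's) has a recognisable signature in clipboard telemetry: a valid address is overwritten almost immediately by a different valid address of the same kind, and the writer is not the application the user was copying from. The detector below is an added example, not code from Unit 42 or from the malware. It assumes a clipboard-audit source that reports the writing process for each clipboard change (such a feed is an assumption; not every EDR exposes it), uses a two-second window and two address syntaxes (Bitcoin and Ethereum) as illustrative choices, and runs over constructed events whose process names and addresses are made up for the demo.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Address syntaxes for two common chains (assumption: enough for this illustration).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(?:bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


@dataclass
class ClipEvent:
    ts: float       # seconds; constructed timestamps
    process: str    # process that wrote the clipboard (assumed sensor field)
    text: str


def address_kind(text: str) -> Optional[str]:
    """Return 'btc', 'eth', or None for a piece of clipboard text."""
    s = text.strip()
    for kind, pat in ADDRESS_PATTERNS.items():
        if pat.match(s):
            return kind
    return None


def detect_clip_swaps(events: List[ClipEvent], window_s: float = 2.0) -> List[dict]:
    """Heuristic: a wallet address on the clipboard is overwritten within
    window_s seconds by a DIFFERENT address of the same kind, written by a
    DIFFERENT process than the one that placed the original. A user re-copying
    the same address, or copying a second address much later, does not fire."""
    findings: List[dict] = []
    prev_ev: Optional[ClipEvent] = None
    prev_kind: Optional[str] = None
    for ev in sorted(events, key=lambda e: e.ts):
        kind = address_kind(ev.text)
        if (prev_ev is not None and kind is not None and kind == prev_kind
                and ev.text != prev_ev.text
                and ev.process != prev_ev.process
                and ev.ts - prev_ev.ts <= window_s):
            findings.append({
                "ts": ev.ts,
                "kind": kind,
                "original": prev_ev.text,
                "replacement": ev.text,
                "writer": ev.process,
                "delay_s": round(ev.ts - prev_ev.ts, 3),
            })
        # Only an address is worth remembering; any other text resets the state.
        prev_ev, prev_kind = (ev, kind) if kind else (None, None)
    return findings


# Constructed telemetry. Addresses are well-known documentation examples,
# process names are invented; nothing here comes from the article.
SAMPLE_EVENTS = [
    ClipEvent(100.0, "chrome.exe", "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),
    ClipEvent(100.4, "unknown_updater.exe", "bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh"),  # swap 0.4 s later
    ClipEvent(130.0, "chrome.exe", "meeting notes for Monday"),
    ClipEvent(140.0, "chrome.exe", "0x52908400098527886E0F7030069857D2E4169EE7"),
    ClipEvent(140.3, "chrome.exe", "0x52908400098527886E0F7030069857D2E4169EE7"),  # user re-copies
    ClipEvent(200.0, "notepad.exe", "0x8617E340B3D01FA5F11F306F4090FD50E238070D"),
    ClipEvent(210.0, "explorer.exe", "0x52908400098527886E0F7030069857D2E4169EE7"),  # 10 s later: normal
]

if __name__ == "__main__":
    for f in detect_clip_swaps(SAMPLE_EVENTS):
        print(f"{f['ts']}: {f['kind']} address replaced by {f['writer']} "
              f"after {f['delay_s']}s: {f['original']} -> {f['replacement']}")
```

Only the first pair of events produces a finding. The later Ethereum events show the two deliberate non-triggers: the same address re-copied by the same process, and a second address copied seconds later from another application, which is what ordinary user activity looks like.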
What this means for technologists, enterprises, and end users
- Technologists and security teams: Unit 42's description of payloads hidden in .NET resources and XOR masking signals the need to update detection strategies beyond simple signature matching and routine heuristic scans. Teams should be aware that exfiltration destinations may not appear on common threat‑intelligence portals at first; the discovery of hxxp[:]194.87.92[.]109 with zero VirusTotal hits underscores that lag.
- Enterprises and procurement leaders: Because Gremlin targets Chromium‑based browsers and harvests session tokens and cookies, organizations should review browser security controls, token lifetimes, and session management policies. The practice of bundling credentials and session artifacts into ZIPs labeled by public IP may aid incident investigators in correlating breaches to specific network endpoints.
- End users: The addition of a crypto clipper and clipboard monitoring means users handling cryptocurrency addresses should beware of undetected clipboard swaps. Extraction of clipboard contents, browser cookies, and session tokens creates multiple avenues for fraud and account takeover even when passwords are not directly captured.
Gremlin’s evolution illustrates a familiar but consequential pattern: functional modularization combined with incremental evasion. The malware keeps the same exfiltration plumbing while broadening what it steals and how it hides. The discovery that a newly used publication site registered no initial detections on VirusTotal highlights a capability gap between attacker agility and detection coverage.
Unit 42’s findings document a clear technical trajectory — more stealth, more modules, and more direct financial targeting — leaving defenders to close the detection and response gaps that modular stealers exploit.