Gremlin Stealer Evolves With Advanced Obfuscation Tactics

“At the time of discovery, VirusTotal showed zero detection for this new Gremlin site hxxp[:]194.87.92[.]109, its associated URLs or any retrieved artifacts.” That quotation from Unit 42 frames the discovery of a stealer that has quietly changed how it hides its work: rather than exposing its intent in readable code, this Gremlin variant buries its payloads and strings in .NET resource blobs and reveals them only at runtime.

XOR‑encoded .NET resource section and staged loading

The newest Gremlin stealer moves its malicious payloads into the .NET resource section and masks them with single‑byte XOR encoding, so signature and heuristic scanners see an opaque block instead of readable strings or API calls. Unit 42 analysts recovered the plain‑text configuration by applying the matching single‑byte XOR routine, which exposed hard‑coded command‑and‑control URLs and exfiltration paths. The scheme is concealment rather than cryptography: once the blob has been located, a 256‑key brute force, or a known‑plaintext check against an expected prefix such as http://, yields the key immediately.

Rather than loading everything at once, the sample implements a staged loading mechanism: critical functions are decoded and mapped into memory from the resource section only when they are needed. That design pushes analysts toward dynamic debugging, because the decompiled assembly contains little usable context until the decoding routines have run.

The decoder ring: _003CModule_003E.c(int, int, int)

String obfuscation is driven by a single decoder method named _003CModule_003E.c(int, int, int). The type name is the escaped form of <Module>, the global module type that every .NET assembly carries; decompilers render the angle brackets as their hex code points (003C and 003E) because they are not legal characters in C# identifiers. According to the analysis, the method:

  • accepts three integers as input;
  • calculates an offset and a length from those integers;
  • opens an embedded resource file (named "resource" in the .csproj file);
  • seeks the calculated offset, reads the specified number of encrypted bytes, and uses the third integer as a key to decrypt them;
  • returns the final, readable string at runtime.

Unit 42 gives a concrete example: one obfuscated call, global::_003CModule_003E.c(18829, 2178, 23), resolves at runtime to the URL string "http://api.ipify.org/?format=json". That endpoint is a public IP lookup service, which fits the stealer's habit of naming its exfiltration archive after the victim's public IP. The net effect is that readable indicators such as Telegram endpoints, wallet filenames or API hosts do not appear in the binary until the decoder runs, so string‑based YARA rules and static IoC extraction see nothing useful.
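As an added illustration (my example code, not from the Unit 42 report and not the malware's own code), the following Python models the decoder inside an analyst's own tooling: it packs a few constructed strings into a resource blob with single‑byte XOR, reproduces the seek/read/XOR resolution, and rewrites decompiler output that still contains _003CModule_003E.c(...) calls into plain string literals. The offsets, lengths and keys belong to the constructed blob, not to any sample, and the assumption that the three integers map directly to offset, length and key is mine; the report says only that the method derives an offset and a length from them.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample strings and per-string XOR keys (invented for this example).
SAMPLE_STRINGS: List[Tuple[str, int]] = [
    ("http://api.ipify.org/?format=json", 23),
    ("https://api.telegram.org/bot", 0x5A),
    ("wallet.dat", 7),
    ("Login Data", 0xC3),
]


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR. XOR is its own inverse, so one routine encodes and decodes."""
    k = key & 0xFF
    return bytes(b ^ k for b in data)


def build_resource(entries: List[Tuple[str, int]]) -> Tuple[bytes, Dict[str, Tuple[int, int, int]]]:
    """Pack plaintext strings into one blob and record (offset, length, key) per string.

    Mimics the layout the loader expects: an opaque blob with no delimiters or headers,
    so nothing in the bytes themselves reveals where one string ends and the next begins.
    """
    blob = bytearray()
    table: Dict[str, Tuple[int, int, int]] = {}
    for text, key in entries:
        raw = text.encode("utf-8")
        table[text] = (len(blob), len(raw), key)
        blob += xor_bytes(raw, key)
    return bytes(blob), table


RESOURCE, TABLE = build_resource(SAMPLE_STRINGS)


def decode_string(resource: bytes, offset: int, length: int, key: int) -> str:
    """Model of _003CModule_003E.c: seek to offset, read length bytes, XOR with key.

    Assumption: the three integers are used directly as offset, length and key.
    """
    if offset < 0 or length < 0 or offset + length > len(resource):
        raise ValueError("offset/length outside the resource blob")
    return xor_bytes(resource[offset:offset + length], key).decode("utf-8")


# Matches the call shape quoted in the report, with or without the global:: prefix.
CALL_RE = re.compile(r"(?:global::)?_003CModule_003E\.c\(\s*(\d+)\s*,\s*(\d+)\s*,\s*(\d+)\s*\)")


def resolve_calls(decompiled: str, resource: bytes) -> str:
    """Rewrite every decoder call in decompiler output as a C# string literal."""
    def repl(m) -> str:
        off, ln, key = (int(g) for g in m.groups())
        return '"' + decode_string(resource, off, ln, key) + '"'
    return CALL_RE.sub(repl, decompiled)


def call_for(text: str) -> str:
    """Render the obfuscated call for a known string (used only to build the sample)."""
    off, ln, key = TABLE[text]
    return f"global::_003CModule_003E.c({off}, {ln}, {key})"


# Constructed decompiler output in the style the report quotes; numbers come from our blob.
DECOMPILED_SNIPPET = (
    f"string url = {call_for('http://api.ipify.org/?format=json')};\n"
    f"string tg = {call_for('https://api.telegram.org/bot')};\n"
    f"string w = {call_for('wallet.dat')};\n"
)

if __name__ == "__main__":
    print(DECOMPILED_SNIPPET)
    print(resolve_calls(DECOMPILED_SNIPPET, RESOURCE))
```

Against a real sample the workflow is the same with two substitutions: dump the "resource" blob from the assembly with a .NET decompiler such as dnSpy or ILSpy, and feed that decompiler's C# output through resolve_calls. If the key argument is ever absent or transformed, the single‑byte design means a 256‑way brute force per call, filtered for printable UTF‑8, recovers it.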

Instruction virtualization, commercial packer, and obfuscation tactics

One analyzed sample (SHA256 2172dae9a5a695e00e0e4609e7db0207d8566d225f7e815fada246ae995c0f9b) was packed with a commercial utility that applies instruction virtualization: the original code is translated into a custom, non‑standard bytecode that is executed by an interpreter embedded in the binary, the packer's private virtual machine. This is a further layer intended to defeat decompilers and automated analysis, since what a decompiler recovers is the interpreter loop rather than the original logic.

Obfuscation extends to symbol and name mangling: classes, methods and variables are renamed to meaningless short identifiers (for example, a class named hf with methods a, b, c), and the decompiler output is deliberately cluttered with convoluted control flow—goto labels, switch statements and no‑op arithmetic—so that the apparent complexity masks a relatively straightforward runtime sequence.

Targets, capabilities, and monetization

Unit 42 documents Gremlin’s expanded target set and active fraud capabilities. The stealer siphons data from Chromium‑based browsers and other local stores, collecting payment card details, browser cookies, session tokens, cryptocurrency wallet data, FTP and VPN credentials, and system clipboard contents. Harvested artifacts are bundled into a ZIP archive named with the victim’s public IP address and uploaded to an attacker‑controlled host.

New modules observed include:

  • a dedicated Discord token extraction module that scans multiple paths and uses regex validation;
  • a clipboard hijacker (crypto clipper) that continuously monitors the clipboard for cryptocurrency wallet patterns and replaces a detected address with the attacker’s wallet in real time;
  • a WebSocket‑based session hijacking module that requests session data directly from running browser processes, enabling live session interception that bypasses protections aimed at static cookie files.
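The clipper's mechanics, watch the clipboard and overwrite a wallet address with the attacker's, are simple enough that the useful worked example is the defensive side. The following Python is added here and is not part of the report: it runs a swap heuristic over a constructed sequence of clipboard‑change events and flags an address that is replaced, within a short window, by a different address of the same family written by a different process than the one the user copied from. Addresses, process names and timings are invented; the regexes are loose shape checks without checksum validation; and the owner field stands in for the clipboard‑owning process, which on Windows is derived from the window handle returned by GetClipboardOwner.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Loose address shapes for three common families (assumption: sufficient to recognise a
# swap; a production detector would add Base58Check / bech32 / EIP-55 validation).
WALLET_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{25,62}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify_address(text: str) -> Optional[str]:
    """Return the wallet family a clipboard string looks like, or None."""
    s = text.strip()
    for family, pattern in WALLET_PATTERNS.items():
        if pattern.match(s):
            return family
    return None


@dataclass(frozen=True)
class ClipEvent:
    t_ms: int    # time the clipboard content changed
    text: str    # new clipboard text
    owner: str   # process that wrote it (Windows: GetClipboardOwner -> window -> PID -> image)


@dataclass(frozen=True)
class SwapAlert:
    t_ms: int
    family: str
    original: str
    replacement: str
    owner: str


def detect_swaps(events: List[ClipEvent], window_ms: int = 2000) -> List[SwapAlert]:
    """Flag a wallet address replaced by a different address of the same family within
    window_ms by a process other than the one that wrote the original.

    A user copying a second address by hand normally comes from the same application and
    well outside a two-second window, which is why both conditions are required.
    """
    alerts: List[SwapAlert] = []
    for prev, cur in zip(events, events[1:]):
        family = classify_address(prev.text)
        if family is None or classify_address(cur.text) != family:
            continue
        if prev.text.strip() == cur.text.strip():
            continue  # same address re-copied; not a swap
        if cur.t_ms - prev.t_ms <= window_ms and cur.owner != prev.owner:
            alerts.append(SwapAlert(cur.t_ms, family, prev.text, cur.text, cur.owner))
    return alerts


# Constructed addresses and events for the example (not from any real incident).
USER_BTC = "1BoatSLRHtKNngkdXEeobR76b53LETtpyT"
ATTACKER_BTC = "1CounterpartyXXXXXXXXXXXXXXXUWLpVr"
USER_ETH = "0xa1b2c3d4e5f6a7b8c9d0a1b2c3d4e5f6a7b8c9d0"
OTHER_ETH = "0x0123456789abcdef0123456789abcdef01234567"

SAMPLE_EVENTS = [
    ClipEvent(1000, USER_BTC, "chrome.exe"),
    ClipEvent(1120, ATTACKER_BTC, "updater.exe"),   # overwritten 120 ms later by another process
    ClipEvent(5000, "meeting at 3pm", "notepad.exe"),
    ClipEvent(6000, USER_ETH, "chrome.exe"),
    ClipEvent(9500, OTHER_ETH, "chrome.exe"),       # second address copied by the user: same owner, outside window
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_EVENTS):
        print(f"[{alert.t_ms} ms] {alert.family}: {alert.original} -> {alert.replacement} by {alert.owner}")
```

On a live endpoint the event stream comes from a clipboard listener (AddClipboardFormatListener and WM_CLIPBOARDUPDATE on Windows); the detector itself is stateless beyond the previous event, so it can run inside an EDR sensor or a lightweight agent with no persistence.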

C2, indicators, and response contacts

Unit 42 identified a newly deployed exfiltration site at hxxp[:]194.87.92[.]109 and a related path hxxp[:]194.87.92[.]109/i.php. At discovery these endpoints and any retrieved artifacts had no VirusTotal detections, block list entries, community reports or malicious categorizations.
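To make the indicators actionable, here is an added detection example (mine, not Unit 42's) that runs over constructed proxy log lines in an assumed one‑request‑per‑line format. It flags requests to the published host and path, and separately flags any POST whose uploaded filename is an IPv4 address with a .zip extension, the naming convention the report describes for the exfiltration archive. The second rule is the one that still fires when the operators move to a host the IoC list does not yet cover. The log format, client addresses and the non‑IoC destinations are constructed; the IoC host and path are the ones published in the report, written without defanging so they can be compared to log fields.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple
from urllib.parse import urlsplit

# Published indicators from the report (defanged in the article; plain here for matching).
KNOWN_C2_HOSTS = {"194.87.92.109"}
KNOWN_C2_PATHS = {"/i.php"}

# Behavioural rule: an upload named <IPv4>.zip, e.g. 203.0.113.7.zip
IP_ZIP_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}\.zip$", re.IGNORECASE)

# Constructed log format (an assumption made for this example):
# <ts> <client_ip> <method> <url> <content_type|-> <upload_filename|-> <status> <bytes>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<ctype>\S+) (?P<fname>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$"
)

# Constructed sample lines: an IP lookup, the real C2 upload, a re-hosted upload with the
# same naming convention, and a benign upload that must not fire.
SAMPLE_LOG = """\
2025-01-10T10:00:01Z 10.0.0.5 GET http://api.ipify.org/?format=json - - 200 31
2025-01-10T10:00:03Z 10.0.0.5 POST http://194.87.92.109/i.php multipart/form-data 203.0.113.7.zip 200 152344
2025-01-10T10:01:00Z 10.0.0.9 POST https://files.example.net/upload multipart/form-data 198.51.100.23.zip 200 98211
2025-01-10T10:02:00Z 10.0.0.9 POST https://files.example.net/upload multipart/form-data report.zip 200 4211
"""


@dataclass(frozen=True)
class Alert:
    ts: str
    client: str
    url: str
    reasons: Tuple[str, ...]


def evaluate(fields: dict) -> Tuple[str, ...]:
    """Return the reasons one parsed request is suspicious (empty tuple if none)."""
    u = urlsplit(fields["url"])
    reasons: List[str] = []
    if u.hostname in KNOWN_C2_HOSTS:
        reasons.append("destination host is a published Gremlin C2 IoC")
        if u.path in KNOWN_C2_PATHS:
            reasons.append(f"path {u.path} matches the published exfiltration endpoint")
    if fields["method"] == "POST" and IP_ZIP_RE.match(fields["fname"]):
        reasons.append("POST of a ZIP archive named after an IPv4 address")
    return tuple(reasons)


def scan_log(text: str) -> List[Alert]:
    """Parse each line and collect alerts; lines that do not match the format are skipped."""
    alerts: List[Alert] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        reasons = evaluate(m.groupdict())
        if reasons:
            alerts.append(Alert(m["ts"], m["client"], m["url"], reasons))
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(a.ts, a.client, a.url)
        for r in a.reasons:
            print("   -", r)
```

The api.ipify.org lookup on the first line is deliberately not alerted on: it is far too common in legitimate software to stand alone, but it is a useful correlation key, since the stealer performs it precisely to obtain the name of the archive it uploads moments later from the same client.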

The report publishes a list of sample hashes for analysts to reference. The SHA256 list includes (selection):

  • 2172dae9a5a695e00e0e4609e7db0207d8566d225f7e815fada246ae995c0f9b
  • 9aab30a3190301016c79f8a7f8edf45ec088ceecad39926cfcf3418145f3d614
  • 971198ff86aeb42739ba9381923d0bc6f847a91553ec57ea6bae5becf80f8759
  • ab0fa760bd037a95c4dee431e649e0db860f7cdad6428895b9a399b6991bf3cd
  • ...and others listed in the report.

For urgent incidents, Unit 42 invites contact via its Incident Response team and provides regional phone numbers, including North America toll free +1 (866) 486-4842 (866.4.UNIT42), plus UK, Europe, Asia, Japan, Australia and India contacts listed in the report.

What this means for Palo Alto Networks customers, Unit 42 Incident Response, and end users

  • Palo Alto Networks customers: the report states that Network Security solutions and the Cortex line—including Cortex XDR and XSIAM, Advanced WildFire, Advanced Threat Prevention, Advanced URL Filtering and Advanced DNS Security—have protections and updated models aimed at these IoCs and techniques. Cortex XDR 3.4 is cited as the release that provides Credential Gathering Protection.
  • Unit 42 Incident Response: the team positions itself as the contact point for suspected compromises and urgent matters tied to these samples and endpoints.
  • End users: the sample behavior described—clipboard replacement, browser token stealing and ZIP exfiltration named by public IP—highlights the concrete mechanisms by which credentials and crypto funds can be diverted from infected hosts.

Gremlin’s latest iteration shows a purposeful migration from simple credential harvesting toward a modular toolkit that hides its intentions behind resource blobs, runtime decoding, virtualized instruction streams and deliberate control‑flow noise. Those techniques extend the labor required for static analysis and raise the bar for detection until defensive signatures, behavioral models and incident responders catch up.

https://unit42.paloaltonetworks.com/gremlin-stealer-evolution/