Unit 42 researchers analyze the evolution of Gremlin Stealer, a .NET-based information stealer that has significantly upgraded its anti-analysis capabilities. The latest variant hides its payload in the .NET resource section using XOR encoding, employs identifier renaming, string encryption via a custom decoder function, and control-flow obfuscation. New capabilities include a Discord token extractor, a crypto clipper that replaces clipboard wallet addresses in real time, and a WebSocket-based session hijacking module that bypasses modern cookie protections. A separate sample was found packed with a commercial packing utility using instruction virtualization and a private virtual machine. IoCs including SHA256 hashes and C2 URLs are provided.