Gremlin infostealer evolves into modular stealer with anti-analysis and session hijacking capabilities
Summary
A previously identified infostealer, Gremlin, has evolved into a modular toolkit with advanced evasion and session hijacking features. The malware now exfiltrates sensitive data, including browser cookies, session tokens, clipboard contents, cryptocurrency wallet data, and FTP and VPN credentials, to a newly deployed server at 194.87.92.109. Key enhancements include anti-static-analysis obfuscation via .NET resource embedding and XOR encoding, Discord token extraction for social engineering, clipboard manipulation that redirects cryptocurrency transfers, and WebSocket-based active session hijacking that bypasses cookie protections.
Timeline
- 15.05.2026 17:19 (1 article)
  Gremlin infostealer evolves into modular toolkit with advanced evasion and session hijacking
  A new variant of the Gremlin infostealer has been identified with a modular architecture, enhanced obfuscation, and new attack capabilities. The malware now exfiltrates data to 194.87.92.109 and includes modules for extracting Discord tokens, performing cryptocurrency clipboard hijacking, and hijacking active browser sessions over WebSocket connections to bypass authentication protections.
  - Gremlin Stealer Evolves into Modular Threat with Advanced Evasion Capabilities — www.infosecurity-magazine.com — 15.05.2026 17:19
Information Snippets
- Gremlin infostealer originated in April 2025 as a credential harvesting tool.
  First reported: 15.05.2026 17:19 (1 source, 1 article)
  - Gremlin Stealer Evolves into Modular Threat with Advanced Evasion Capabilities — www.infosecurity-magazine.com — 15.05.2026 17:19
- The latest variant embeds XOR-encoded content in the .NET resource section to evade signature-based and heuristic static detection.
  First reported: 15.05.2026 17:19 (1 source, 1 article)
  - Gremlin Stealer Evolves into Modular Threat with Advanced Evasion Capabilities — www.infosecurity-magazine.com — 15.05.2026 17:19
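The page reports only that the variant hides material XOR-encoded in a .NET resource, not the key or its length. The block below is an added example (not Gremlin's code and not from the cited article) of the standard analyst response: once the resource blob has been pulled out of the assembly with a tool such as dnfile, recover a repeating XOR key from the known plaintext every PE carries in its DOS header and confirm the key by checking the decoded MZ/PE signatures. The fake PE header, the key "gremlin!" and the 32-byte key-length cap are constructed assumptions for the demonstration.

```python
import struct

# Known plaintext present in virtually every PE file's DOS header: the stub
# message at offset 0x4E, plus the "MZ" and "PE\0\0" signatures used to
# confirm a candidate key.
DOS_STUB = b"This program cannot be run in DOS mode"
STUB_OFFSET = 0x4E


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same function encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(data: bytes) -> bool:
    """Cheap structural check: MZ signature and PE\\0\\0 at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return len(data) >= e_lfanew + 4 and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def recover_xor_key(blob: bytes, max_key_len: int = 32):
    """Return the repeating XOR key that turns `blob` into a PE image, or None.

    For each candidate key length, derive key bytes from the known DOS stub
    text (38 consecutive bytes, so every key slot up to length 38 is covered),
    reject lengths whose derived key bytes contradict each other, and confirm
    the survivor by decoding and checking the PE signatures. Lengths are
    tried ascending, so the shortest period is returned.
    """
    if len(blob) < STUB_OFFSET + len(DOS_STUB):
        return None
    for klen in range(1, min(max_key_len, len(DOS_STUB)) + 1):
        key = bytearray(klen)
        seen = [False] * klen
        for i, plain in enumerate(DOS_STUB):
            pos = STUB_OFFSET + i
            k = blob[pos] ^ plain
            slot = pos % klen
            if seen[slot] and key[slot] != k:
                break  # this length contradicts itself; try the next
            key[slot], seen[slot] = k, True
        else:
            if all(seen) and looks_like_pe(xor_bytes(blob, bytes(key))):
                return bytes(key)
    return None


def build_fake_pe() -> bytes:
    """Constructed stand-in for an embedded PE: only the header fields we check."""
    hdr = bytearray(0x100)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)  # e_lfanew: PE header at 0x80
    hdr[STUB_OFFSET:STUB_OFFSET + len(DOS_STUB)] = DOS_STUB
    hdr[0x80:0x84] = b"PE\0\0"
    return bytes(hdr)


if __name__ == "__main__":
    # "gremlin!" is an arbitrary key chosen for this example, not one seen in the wild.
    encoded = xor_bytes(build_fake_pe(), b"gremlin!")
    print(recover_xor_key(encoded))  # b'gremlin!'
```

If the sample uses a key longer than the 38-byte stub string, extend the known plaintext with other fixed header bytes (the "PE\0\0" signature and the zeroed e_lfanew padding) before raising `max_key_len`; a plain single-byte brute force would also work, but stops being practical exactly where this known-plaintext approach still does.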
- The new exfiltration endpoint is 194.87.92.109, which had zero VirusTotal detections at the time of discovery.
  First reported: 15.05.2026 17:19 (1 source, 1 article)
  - Gremlin Stealer Evolves into Modular Threat with Advanced Evasion Capabilities — www.infosecurity-magazine.com — 15.05.2026 17:19
- The malware bundles harvested data into ZIP archives named after the victim's public IP address before uploading them to attacker-controlled infrastructure.
  First reported: 15.05.2026 17:19 (1 source, 1 article)
  - Gremlin Stealer Evolves into Modular Threat with Advanced Evasion Capabilities — www.infosecurity-magazine.com — 15.05.2026 17:19
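The two facts above give a detection engineer one brittle indicator (the server 194.87.92.109, which will rotate) and one durable behaviour (uploading a ZIP whose name is the victim's dotted-quad public IP). The following is an added example, not code from the article or from any vendor product, that runs both checks over a constructed proxy log; the log format, the client and destination addresses other than 194.87.92.109, and the `detect()` output shape are assumptions made for the demonstration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed proxy log: timestamp, client, destination IP, method, URL,
# status, bytes sent. 10.0.0.x, 198.51.100.x and 203.0.113.x are private or
# documentation ranges; only 194.87.92.109 is the endpoint reported on this page.
SAMPLE_LOG = """\
2026-05-15T17:20:01Z 10.0.0.5 203.0.113.7 GET http://www.example.org/index.html 200 512
2026-05-15T17:20:09Z 10.0.0.5 194.87.92.109 POST http://194.87.92.109/upload/203.0.113.45.zip 200 2489113
2026-05-15T17:21:00Z 10.0.0.8 198.51.100.22 POST https://files.example.net/api/upload/report.zip 200 84000
2026-05-15T17:22:13Z 10.0.0.9 198.51.100.23 POST http://198.51.100.23/gate/198.51.100.200.zip 200 912300
"""

KNOWN_EXFIL_IPS = {"194.87.92.109"}   # indicator from the report; expect it to rotate
UPLOAD_METHODS = {"POST", "PUT"}


def parse_line(line: str) -> dict:
    ts, client, dst, method, url, status, size = line.split()
    return {"ts": ts, "client": client, "dst": dst, "method": method,
            "url": url, "status": int(status), "bytes": int(size)}


def is_ipv4_literal(s: str) -> bool:
    try:
        return isinstance(ipaddress.ip_address(s), ipaddress.IPv4Address)
    except ValueError:
        return False


def ip_named_zip(url: str) -> bool:
    """True when the uploaded object is '<dotted-quad>.zip', the naming the page describes."""
    name = urlsplit(url).path.rsplit("/", 1)[-1]
    stem, _, ext = name.rpartition(".")
    return ext.lower() == "zip" and is_ipv4_literal(stem)


def detect(log_text: str) -> list:
    """Return one alert per matching line, tagged with every rule that fired."""
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        reasons = []
        if rec["dst"] in KNOWN_EXFIL_IPS:
            reasons.append("known_exfil_ip")
        if rec["method"] in UPLOAD_METHODS and ip_named_zip(rec["url"]):
            reasons.append("ip_named_zip_upload")
        if reasons:
            alerts.append({"ts": rec["ts"], "client": rec["client"],
                           "dst": rec["dst"], "bytes": rec["bytes"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The last sample line is the point of the behavioural rule: it goes to a server that is not in the indicator list, yet still trips on the IP-named ZIP upload. Where the proxy records the organisation's egress address, tightening the rule to "stem equals our public IP" cuts the false-positive rate further.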
- New modules include Discord token extraction, cryptocurrency clipboard clipping (swapping copied wallet addresses for attacker-controlled ones), and WebSocket-based session hijacking.
  First reported: 15.05.2026 17:19 (1 source, 1 article)
  - Gremlin Stealer Evolves into Modular Threat with Advanced Evasion Capabilities — www.infosecurity-magazine.com — 15.05.2026 17:19
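A clipper's tell is a cryptocurrency address being replaced on the clipboard by a different address of the same shape within milliseconds of the user copying it. The block below is an added example (not Gremlin's clipper and not from the article) of the host-side detection logic a sensor subscribed to clipboard-change notifications would run. The event list, the 2-second window, and the sample addresses (BIP173 example bech32 strings plus constructed hex and base58 values) are assumptions for the demonstration.

```python
import re

# Address shapes for the two coin families clippers most commonly target.
# Deliberately loose (no checksum validation): the goal is to notice a
# "same shape, different value" swap, not to validate addresses.
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(?:bc1[ac-hj-np-z02-9]{25,59}|[13][A-HJ-NP-Za-km-z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify(text: str):
    """Return the address family a clipboard string looks like, or None."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None


def detect_clipboard_swaps(events, window_s: float = 2.0) -> list:
    """Flag an address replaced by a different same-family address within window_s.

    `events` is a time-ordered list of (seconds, clipboard_text) as a
    clipboard-change sensor would emit. A human re-copying a second address
    takes seconds; a clipper rewrites the clipboard almost immediately.
    """
    alerts = []
    prev = None  # (t, text, kind) of the previous observation
    for t, text in events:
        kind = classify(text)
        if prev is not None:
            pt, ptext, pkind = prev
            if (kind is not None and pkind == kind
                    and text.strip() != ptext.strip() and t - pt <= window_s):
                alerts.append({"t": t, "kind": kind, "original": ptext.strip(),
                               "replacement": text.strip(), "delay_s": round(t - pt, 3)})
        prev = (t, text, kind)
    return alerts


# Constructed event stream. The two bc1 strings are the BIP173 example
# addresses; the hex and base58 values are placeholders, not real wallets.
EVENTS = [
    (0.00, "quarterly numbers"),
    (12.00, "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),   # user copies an address
    (12.04, "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"),   # rewritten 40 ms later
    (40.00, "0x" + "a" * 40),
    (95.00, "0x" + "b" * 40),                                  # second copy a minute later: user action
    (96.00, "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),            # different family: not a swap
]


if __name__ == "__main__":
    for alert in detect_clipboard_swaps(EVENTS):
        print(alert)
```

On Windows the events would come from a window registered with AddClipboardFormatListener; the logic is the same for any source. Keep the window short: the discriminator is the delay, since the replacement address is, by design, indistinguishable from a legitimate one.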
- Targets Chromium-based browsers, the system clipboard, local storage, and cryptocurrency wallet data.
  First reported: 15.05.2026 17:19 (1 source, 1 article)
  - Gremlin Stealer Evolves into Modular Threat with Advanced Evasion Capabilities — www.infosecurity-magazine.com — 15.05.2026 17:19