Gremlin stealer adds .NET Resource and XOR obfuscation to evade static analysis
Technical Analysis
Summary
The latest Gremlin stealer build hides its payload in a .NET resource and masks it with XOR encoding to evade static analysis, making detection and triage harder. The malware also expands beyond credential theft to Discord token theft, crypto clipper activity, and WebSocket-based session hijacking. A newly deployed site at hxxp[:]194.87.92[.]109, to which the stolen data is exfiltrated, had zero VirusTotal detections when discovered.
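The evasion described above (a PE image parked in a .NET resource and XOR-masked so that YARA and hash-based scanning of the on-disk assembly see nothing) is usually cheap to undo during triage, because a PE carries known plaintext: the MZ magic at offset 0 and the default DOS stub message. The script below is an added example written for this page; it is not Unit 42's tooling and not code from the stealer. It assumes the resource blob has already been dumped from the assembly (for instance with a .NET resource extractor), then recovers a repeating XOR key by known-plaintext matching and validates the result structurally. The stand-in PE image, the blob and the key "gremlin-k3y" are all constructed here for illustration and are not indicators from the report.

```python
"""Triage helper: find and unwrap an XOR-encoded PE payload hidden in an opaque
blob such as a .NET managed resource.

Added example written for this page; it is not Unit 42's tooling and not code
from the Gremlin stealer. The stand-in PE image, the sample blob and the key
"gremlin-k3y" are all constructed here for illustration.
"""

# Known plaintext present in virtually every PE file: the MZ magic at offset 0
# and the default DOS stub message. With the standard linker stub the message
# sits at offset 0x4E, but the search below does not rely on that offset.
MZ_MAGIC = b"MZ"
DOS_STUB_TEXT = b"This program cannot be run in DOS mode"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR where the key index is the absolute offset into data."""
    n = len(key)
    return bytes(b ^ key[i % n] for i, b in enumerate(data))


def looks_like_pe(data: bytes) -> bool:
    """Structural check: MZ magic and e_lfanew pointing at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != MZ_MAGIC:
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    if e_lfanew < 0x40 or e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def recover_xor_key(blob: bytes, max_key_len: int = 32, search_window: int = 0x200):
    """Return the repeating XOR key that turns blob into a PE image, or None.

    Known-plaintext recovery: for each candidate key length n and each
    candidate offset o of the DOS stub text, derive
        key[(o + j) % n] = blob[o + j] ^ DOS_STUB_TEXT[j]
    plus key[0] and key[1 % n] from the MZ magic. The 38-byte stub covers every
    residue mod n for n <= 38, so a correct guess fixes the whole key, while a
    wrong guess almost always yields two different values for one key byte and
    is discarded before any full decode. Survivors are decoded and checked.
    """
    known = list(enumerate(MZ_MAGIC))
    last_offset = min(len(blob) - len(DOS_STUB_TEXT), search_window)
    for n in range(1, max_key_len + 1):
        for o in range(0, last_offset + 1):
            key = [None] * n
            consistent = True
            for pos, plain in known + [(o + j, p) for j, p in enumerate(DOS_STUB_TEXT)]:
                derived = blob[pos] ^ plain
                r = pos % n
                if key[r] is None:
                    key[r] = derived
                elif key[r] != derived:
                    consistent = False
                    break
            if not consistent or None in key:
                continue
            candidate = bytes(key)
            if looks_like_pe(xor_bytes(blob, candidate)):
                return candidate
    return None


def unwrap_payload(blob: bytes):
    """Return (key, decoded_pe) for an XOR-wrapped PE blob, or None.

    A key of b"\\x00" means the blob already is a PE image (no encoding);
    report that separately during triage rather than counting it as a hit.
    """
    key = recover_xor_key(blob)
    if key is None:
        return None
    return key, xor_bytes(blob, key)


def build_stand_in_pe() -> bytes:
    """Constructed stand-in for a PE image: DOS header, stub text, PE signature
    and filler. It is not an executable; it only carries the structure the
    checks above look at."""
    hdr = bytearray(0x100)
    hdr[0:2] = MZ_MAGIC
    hdr[0x3C:0x40] = (0x80).to_bytes(4, "little")          # e_lfanew -> 0x80
    hdr[0x4E:0x4E + len(DOS_STUB_TEXT)] = DOS_STUB_TEXT
    hdr[0x80:0x84] = b"PE\0\0"
    return bytes(hdr) + bytes(range(256)) * 4               # filler for "sections"


if __name__ == "__main__":
    # Hypothetical key chosen for the demo; not an indicator from the report.
    wrapped = xor_bytes(build_stand_in_pe(), b"gremlin-k3y")
    print("wrapped blob starts with MZ?", wrapped[:2] == MZ_MAGIC)   # False
    result = unwrap_payload(wrapped)
    print("recovered key:", result[0] if result else None)        # b'gremlin-k3y'
    print("decoded looks like PE?", result is not None and looks_like_pe(result[1]))
```

Two caveats for use on real samples. The approach only works when the resource is a plain repeating-key XOR over an uncompressed PE image; if the payload is compressed or otherwise transformed before the XOR, or the key stream does not repeat, the known plaintext is gone and the remaining option is to let the loader decode it (breakpoint on the resource read or the XOR loop, then dump). Second, a recovered key of a single zero byte means the resource was never encoded, which is a different finding from a masked payload and should be logged as such.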
Related Happenings
Secret Blizzard Kazuar modular P2P botnet
Malware Activity
First: 16.05.2026 17:15
Last: 16.05.2026 17:15
Sources 1
About this happening:
**Kazuar** is being used in a **multi-stage campaign in Ukraine** that ESET says likely involves **Gamaredon** providing access and **Turla/Secret Blizzard** delivering the backdo...
Gremlin stealer modular toolkit evolution
Malware Activity
First: 15.05.2026 17:19
Last: 15.05.2026 17:19
Sources 1
How related:
A new version of the Gremlin stealer has evolved from a basic credential harvester into a modular toolkit, according to researchers at Palo Alto Networks’ Unit 42.
About this happening:
The **Gremlin stealer** malware has expanded into a **modular toolkit** with **session-hijacking** and **crypto clipping** capabilities, raising the risk of credential theft and a...
LofyGang Minecraft LofyStealer campaign
Campaign
First: 28.04.2026 20:39
Last: 28.04.2026 20:39
Sources 1
About this happening:
The **LofyGang** crew has re-emerged with a **Minecraft-player targeting** operation that uses **LofyStealer (GrabBot)**, increasing the risk of **credential and payment-data thef...
Fast16 analysis reveals a sabotage worm that corrupts high-precision computations
Technical Analysis
First: 27.04.2026 16:09
Last: 27.04.2026 16:09
Sources 1
About this happening:
Researchers identified **fast16**, a previously undocumented malware framework that can silently corrupt **high-precision computations**, exposing a sabotage method that can under...
Storm infostealer server-side decryption activity
Malware Activity
First: 02.04.2026 17:15
Last: 02.04.2026 17:15
Sources 1
About this happening:
The **Storm** infostealer now steals **browser credentials**, **session cookies**, and **crypto wallets** and forwards them to attacker infrastructure for **server-side decryption...
Timeline
15.05.2026 17:19 · 2 articles
Gremlin stealer gains .NET Resource hiding and XOR encoding
Technical Analysis Update
Researchers describe the latest Gremlin stealer build, which has evolved from a basic credential harvester into a modular toolkit targeting Chromium-based browsers; the malicious payload is moved into the .NET Resource section and masked with XOR encoding to bypass signature-based detection and heuristic scanning. The same analysis says the variant now adds Discord token extraction, crypto clipper behavior, WebSocket-based session hijacking, ZIP bundling of stolen browser, clipboard, wallet, FTP, and VPN data, and exfiltration to hxxp[:]194.87.92[.]109, which showed zero VirusTotal detections when discovered.
Sources
- Gremlin Stealer Evolves into Modular Threat with Advanced Evasion Capabilities — www.infosecurity-magazine.com — 15.05.2026 17:19