Find notable cyber news and cases, enriched with sources, timelines, and signals.

Gremlin stealer modular toolkit evolution

Malware Activity
First reported
Last updated
Happening score
H score 21
1 unique sources, 1 articles

Summary

Hide ▲

The Gremlin stealer malware has expanded into a modular toolkit with session-hijacking and crypto clipping capabilities, raising the risk of credential theft and account takeover on compromised systems. The latest build adds stronger evasion and anti-analysis features that make detection harder. It targets Chromium-based browsers, clipboard data, local storage, and other sensitive artifacts, including FTP and VPN credentials. A newly deployed publication site also increases the chance that stolen data will be exfiltrated and reused.

Related Happenings

Rust-based clipboard hijacker spreading via fake crypto tools

Malware Activity
H score13 First: 18.06.2026 18:00 Last: 18.06.2026 18:00 Sources 1

About this happening: A **Rust-based clipboard hijacker** is spreading through fake crypto tools and silently replacing copied wallet addresses, putting **Windows** and **macOS** users at risk of theft...

Rust-based clipboard hijacker that swaps wallet addresses

Malware Activity
H score10 First: 17.06.2026 21:14 Last: 17.06.2026 21:14 Sources 1

About this happening: The **Rust-based clipper** is a **Windows and macOS** malware activity that **replaces copied cryptocurrency wallet addresses** with attacker-controlled destinations. It continuou...

Ghost Networks crypto-clipper promotion campaign

Campaign
H score15 First: 17.06.2026 21:14 Last: 17.06.2026 21:14 Sources 1

About this happening: **Unknown threat actor** is running an **active June 2026** campaign that fakes legitimacy to distribute a **Rust-based clipboard hijacker**. The operation uses **bogus GitHub sta...

OnyxC2 stealer remote-access and credential-theft activity

Malware Activity
H score23 First: 11.06.2026 16:00 Last: 11.06.2026 16:00 Sources 1

About this happening: The **OnyxC2 stealer** has expanded into **remote-access and persistence-enabled credential theft**, giving buyers a way to harvest browser, extension, wallet, and business-app da...

Browser-layer visibility guidance for browser-native threats

Defensive Guidance
H score22 First: 05.06.2026 17:00 Last: 05.06.2026 17:00 Sources 1

About this happening: **Security teams** are being pushed to treat **browser sessions** as the primary detection surface for **phishing**, **credential theft**, and **ClickFix**. **Browser-native attac...

Timeline

  1. 15.05.2026 17:19 2 articles · 1mo ago

    Gremlin stealer evolves into a modular toolkit with evasion features

    Technical Analysis Update

    Gremlin stealer has evolved from a basic credential harvester into a modular malware toolkit with stronger evasion and anti-analysis safeguards, including payload hiding in the .NET Resource section, XOR encoding to bypass signature-based detection and heuristic scanning, a dedicated module for Discord token theft, crypto clipper behavior that swaps clipboard wallet addresses, and WebSocket-based session hijacking for authenticated browser accounts. The malware continues to exfiltrate browser cookies, session tokens, clipboard contents, cryptocurrency wallet data, FTP and VPN credentials, and other sensitive information to attacker-controlled infrastructure including hxxp[:]194.87.92[.]109.

    Show sources