Gremlin stealer modular toolkit evolution
Malware Activity
Summary
The Gremlin stealer malware has expanded into a modular toolkit with session-hijacking and crypto clipping capabilities, raising the risk of credential theft and account takeover on compromised systems. The latest build adds stronger evasion and anti-analysis features that make detection harder. It targets Chromium-based browsers, clipboard data, local storage, and other sensitive artifacts, including FTP and VPN credentials. A newly deployed publication site also increases the chance that stolen data will be exfiltrated and reused.
Related Happenings
Secret Blizzard Kazuar modular P2P botnet
Malware Activity
First: 16.05.2026 17:15
Last: 16.05.2026 17:15
Sources 1
About this happening:
**Kazuar** is being used in a **multi-stage campaign in Ukraine** that ESET says likely involves **Gamaredon** providing access and **Turla/Secret Blizzard** delivering the backdo...
Gremlin stealer adds .NET Resource and XOR obfuscation to evade static analysis
Technical Analysis
First: 15.05.2026 17:19
Last: 15.05.2026 17:19
Sources 1
How related:
This includes the malware authors moving the malicious payload into the .NET Resource section and masking it with XOR encoding to bypass signature-based detection and heuristic scanning.
About this happening:
The latest **Gremlin stealer** build adds **.NET Resource** payload hiding and **XOR encoding** to evade static analysis, making detection and triage harder. The malware also expa...
REMUS infostealer browser-session and password-manager collection expansion
Malware Activity
First: 15.05.2026 17:02
Last: 15.05.2026 17:02
Sources 1
About this happening:
**REMUS** expanded its **session-theft** and **password-manager** collection capabilities, increasing the malware’s ability to capture authenticated access and browser-side data....
Filemanager backdoor delivered on compromised cPanel environments
Malware Activity
First: 11.05.2026 20:54
Last: 11.05.2026 20:54
Sources 1
About this happening:
The **Filemanager** backdoor is being deployed on **compromised cPanel/WHM systems**, giving attackers **remote command execution** and shell access. It is delivered through a **s...
Open-OSS/privacy-filter Hugging Face infostealer activity
Malware Activity
First: 11.05.2026 10:05
Last: 11.05.2026 10:05
Sources 1
About this happening:
A malicious **Hugging Face repository** called **Open-OSS/privacy-filter** impersonated **OpenAI's Privacy Filter** and delivered a **Rust-based information stealer** to **Windows...
Timeline
15.05.2026 17:19 · 2 articles · 12d ago
Gremlin stealer evolves into a modular toolkit with evasion features
Technical Analysis Update
Gremlin stealer has evolved from a basic credential harvester into a modular malware toolkit with stronger evasion and anti-analysis safeguards, including payload hiding in the .NET Resource section, XOR encoding to bypass signature-based detection and heuristic scanning, a dedicated module for Discord token theft, crypto clipper behavior that swaps clipboard wallet addresses, and WebSocket-based session hijacking for authenticated browser accounts. The malware continues to exfiltrate browser cookies, session tokens, clipboard contents, cryptocurrency wallet data, FTP and VPN credentials, and other sensitive information to attacker-controlled infrastructure, including hxxp[:]194.87.92[.]109.
- Gremlin Stealer Evolves into Modular Threat with Advanced Evasion Capabilities — www.infosecurity-magazine.com — 15.05.2026 17:19