Gremlin stealer modular toolkit evolution
Malware Activity
Summary
Hide ▲
Show ▼
The Gremlin stealer malware has expanded into a modular toolkit with session-hijacking and crypto clipping capabilities, raising the risk of credential theft and account takeover on compromised systems. The latest build adds stronger evasion and anti-analysis features that make detection harder. It targets Chromium-based browsers, clipboard data, local storage, and other sensitive artifacts, including FTP and VPN credentials. A newly deployed publication site also increases the chance that stolen data will be exfiltrated and reused.
Related Happenings
Rust-based clipboard hijacker spreading via fake crypto tools
Malware Activity
H score13
First: 18.06.2026 18:00
Last: 18.06.2026 18:00
Sources 1
About this happening:
A **Rust-based clipboard hijacker** is spreading through fake crypto tools and silently replacing copied wallet addresses, putting **Windows** and **macOS** users at risk of theft...
Rust-based clipboard hijacker spreading via fake crypto tools
Malware ActivityAbout this happening: A **Rust-based clipboard hijacker** is spreading through fake crypto tools and silently replacing copied wallet addresses, putting **Windows** and **macOS** users at risk of theft...
Rust-based clipboard hijacker that swaps wallet addresses
Malware Activity
H score10
First: 17.06.2026 21:14
Last: 17.06.2026 21:14
Sources 1
About this happening:
The **Rust-based clipper** is a **Windows and macOS** malware activity that **replaces copied cryptocurrency wallet addresses** with attacker-controlled destinations. It continuou...
Rust-based clipboard hijacker that swaps wallet addresses
Malware ActivityAbout this happening: The **Rust-based clipper** is a **Windows and macOS** malware activity that **replaces copied cryptocurrency wallet addresses** with attacker-controlled destinations. It continuou...
Ghost Networks crypto-clipper promotion campaign
Campaign
H score15
First: 17.06.2026 21:14
Last: 17.06.2026 21:14
Sources 1
About this happening:
**Unknown threat actor** is running an **active June 2026** campaign that fakes legitimacy to distribute a **Rust-based clipboard hijacker**. The operation uses **bogus GitHub sta...
Ghost Networks crypto-clipper promotion campaign
CampaignAbout this happening: **Unknown threat actor** is running an **active June 2026** campaign that fakes legitimacy to distribute a **Rust-based clipboard hijacker**. The operation uses **bogus GitHub sta...
OnyxC2 stealer remote-access and credential-theft activity
Malware Activity
H score23
First: 11.06.2026 16:00
Last: 11.06.2026 16:00
Sources 1
About this happening:
The **OnyxC2 stealer** has expanded into **remote-access and persistence-enabled credential theft**, giving buyers a way to harvest browser, extension, wallet, and business-app da...
OnyxC2 stealer remote-access and credential-theft activity
Malware ActivityAbout this happening: The **OnyxC2 stealer** has expanded into **remote-access and persistence-enabled credential theft**, giving buyers a way to harvest browser, extension, wallet, and business-app da...
Browser-layer visibility guidance for browser-native threats
Defensive Guidance
H score22
First: 05.06.2026 17:00
Last: 05.06.2026 17:00
Sources 1
About this happening:
**Security teams** are being pushed to treat **browser sessions** as the primary detection surface for **phishing**, **credential theft**, and **ClickFix**. **Browser-native attac...
Browser-layer visibility guidance for browser-native threats
Defensive GuidanceAbout this happening: **Security teams** are being pushed to treat **browser sessions** as the primary detection surface for **phishing**, **credential theft**, and **ClickFix**. **Browser-native attac...
Timeline
-
15.05.2026 17:19 2 articles · 1mo ago
Gremlin stealer evolves into a modular toolkit with evasion features
Technical Analysis UpdateGremlin stealer has evolved from a basic credential harvester into a modular malware toolkit with stronger evasion and anti-analysis safeguards, including payload hiding in the .NET Resource section, XOR encoding to bypass signature-based detection and heuristic scanning, a dedicated module for Discord token theft, crypto clipper behavior that swaps clipboard wallet addresses, and WebSocket-based session hijacking for authenticated browser accounts. The malware continues to exfiltrate browser cookies, session tokens, clipboard contents, cryptocurrency wallet data, FTP and VPN credentials, and other sensitive information to attacker-controlled infrastructure including hxxp[:]194.87.92[.]109.
Show sources
- Gremlin Stealer Evolves into Modular Threat with Advanced Evasion Capabilities — www.infosecurity-magazine.com — 15.05.2026 17:19
- Gremlin Stealer Evolves into Modular Threat with Advanced Evasion Capabilities — www.infosecurity-magazine.com — 15.05.2026 17:19