www.infosecurity-magazine.com 5/15/2026, 2:30:28 PM

Gremlin Stealer Upgraded with Modular Discord and Crypto Features

A new version of the Gremlin stealer has evolved from a basic credential harvester into a modular toolkit, according to researchers at Palo Alto Networks’ Unit 42. The threat, which first emerged in April 2025, has evolved rapidly over the past 12 months, with recent builds adding new obfuscation techniques and anti-analysis safeguards.

It siphons sensitive information from compromised systems and exfiltrates it to attacker‑controlled servers for potential publication or sale, targeting web browsers, the system clipboard and local storage. The latest variant exfiltrates data to a newly deployed data publication site and, according to Unit 42’s analysis, VirusTotal showed zero detections for the site or its artifacts at the time of discovery.

Key enhancements include a dedicated module to extract Discord tokens, crypto clipper functionality to swap cryptocurrency wallet addresses in real time, and a WebSocket‑based session hijacking capability that allows attackers to access authenticated accounts directly from the running process, bypassing modern cookie protections.

The updated version also shifts the payload into the .NET Resource section and uses XOR encoding to evade signature‑based detection and heuristic scanning, while still maintaining core exfiltration methods via private web panels or the Telegram Bot API.


Article by CyberSIXT
