unit42.paloaltonetworks.com 5/15/2026, 10:15:59 AM · via preferred

Gremlin Stealer Hides .NET Payloads to Bypass Security Checks

The article examines Gremlin Stealer’s evolution as the malware moves to hiding its payloads inside embedded resources, with the latest variant prioritising stealth to evade static analysis. According to Unit 42, the malicious payload is now stored in the .NET resource section and is XOR-encoded; a single-byte XOR decryption routine reveals the plain-text configuration, including the hard-coded C2 URLs and exfiltration paths.
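Because the resource is protected only by a single-byte XOR, an analyst does not need the key in advance. The following added example (not Unit 42's, CyberSIXT's or the malware's own code) tries all 256 keys against a dumped resource blob and selects the one that yields URL-like C2 strings, then pulls printable runs for triage; the resource bytes, the config layout and the placeholder address are constructed for the demo.

```python
"""Single-byte XOR key recovery for an extracted .NET resource blob.
Added example, not Unit 42's, CyberSIXT's or the malware's own code.
Assumes the encoded resource has already been dumped to bytes (for
example with a .NET resource reader); the sample blob is constructed.
"""
import string
from typing import List, Optional

PRINTABLE = set(string.printable.encode())

def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with one key; the routine is its own inverse."""
    return bytes(b ^ key for b in data)

def recover_key(blob: bytes, markers=(b"http", b"://")) -> Optional[int]:
    """Try all 256 keys. Return the first key whose output contains a
    known marker (URL fragments typical of C2 and exfil paths); otherwise
    fall back to the most printable output if it is convincingly text."""
    best_key, best_score = None, 0.0
    for key in range(256):
        out = xor_single_byte(blob, key)
        if any(m in out for m in markers):
            return key
        score = sum(b in PRINTABLE for b in out) / max(len(out), 1)
        if score > best_score:
            best_key, best_score = key, score
    return best_key if best_score >= 0.95 else None

def extract_strings(data: bytes, min_len: int = 6) -> List[str]:
    """Collect printable ASCII runs, as `strings` would, for triage."""
    runs, cur = [], bytearray()
    for b in list(data) + [0]:  # trailing 0 flushes the final run
        if 32 <= b < 127:
            cur.append(b)
            continue
        if len(cur) >= min_len:
            runs.append(cur.decode())
        cur = bytearray()
    return runs

# Constructed sample: placeholder config (TEST-NET address) encoded with key 0x5A.
SAMPLE_CONFIG = b"c2=http://203.0.113.10/upload.php\x00token_path=/api/token\x00"
SAMPLE_BLOB = xor_single_byte(SAMPLE_CONFIG, 0x5A)

if __name__ == "__main__":
    key = recover_key(SAMPLE_BLOB)
    print(f"key=0x{key:02x}", extract_strings(xor_single_byte(SAMPLE_BLOB, key)))
```

On a real sample, point the script at the resource bytes dumped from the assembly; a multi-byte or rolling key would defeat the marker search and needs a different approach.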

The article also notes a staged loading mechanism: each critical function is decrypted and mapped into memory from the resource section only when it is needed, so meaningful observation requires dynamic analysis. New features include a dedicated Discord token extraction module, a crypto clipper that monitors the clipboard and replaces cryptocurrency wallet addresses in real time, and a WebSocket-based session hijacking module that exfiltrates data directly from running browsers.

A packed variant with SHA256 2172dae9a5a695e00e0e4609e7db0207d8566d225f7e815fada246ae995c0f9b is described, alongside anti-analysis techniques such as identifier renaming and string obfuscation. VirusTotal showed zero detections for the new site used for data publishing at hxxp[:]\194.87.92[.]109.

Article by CyberSIXT