Gremlin Stealer Evolves into Modular Threat
https://www.infosecurity-magazine.com/news/gremlin-stealer-evolves-into/
Publish Date: 2026-05-15 09:20:43
Source Domain: www.infosecurity-magazine.com
Summary:
Researchers at Palo Alto Networks’ Unit 42 have detailed the evolution of the Gremlin stealer malware from a simple credential harvester into a more sophisticated, modular toolkit. Since it first emerged in April 2025, Gremlin has rapidly changed, gaining advanced obfuscation techniques and anti-analysis measures to evade static analysis tools. The malware continues to target web browsers, the system clipboard, and local storage to siphon sensitive information, which it then exfiltrates to newly discovered attacker-controlled servers that VirusTotal showed with zero detections at the time of the analysis. Beyond these, the newest version adds modules for extracting Discord tokens and for monitoring clipboard activity for cryptocurrency wallets, aiming to reroute transactions. Additionally, it now offers WebSocket-based session hijacking, providing direct access to authenticated accounts. These enhancements mark Gremlin’s transition into a more complex and dangerous threat capable of affecting Chromium-based browsers.
Key Points:
- The Gremlin stealer has evolved into a more advanced modular toolkit, with new obfuscation and anti-analysis techniques.
- Targets include web browsers, system clipboard contents, local storage information, and now, cryptocurrency wallet data.
- It uses a new data exfiltration site that had zero detections on VirusTotal at the time of analysis.
- Recent enhancements include dedicated modules –