News and Analysis

A newly analyzed variant of the Gremlin stealer malware has raised alarms by hiding its command-and-control (C2) addresses and data exfiltration paths inside encrypted resource sections of a compiled program.

This approach makes the malware harder to detect through traditional scanning, allowing it to operate silently on infected systems before stealing sensitive data.

Gremlin stealer first appeared on underground forums, sold as a ready-to-use credential theft tool. It targets web browsers, clipboard contents, and local storage to pull out payment card details, browser cookies, session tokens, cryptocurrency wallet data, and FTP and VPN credentials.

Once it gathers this data, the malware bundles everything into a ZIP archive named after the victim’s public IP address and quietly uploads it to an attacker-controlled web panel for download or resale.

Analysts at Unit 42, the threat intelligence division of Palo Alto Networks, said in a report shared with Cyber Security News (CSN) that they identified a new Gremlin variant pushing stolen data to a freshly deployed server at hxxp[:]194.87.92[.]109.

At the time of discovery, no security vendor on VirusTotal had flagged the site as malicious, meaning the infrastructure was running completely under the radar.

What makes this variant particularly concerning is how quickly it has evolved. Legacy Gremlin samples had no obfuscation at all, with function names and class labels left exposed in plain sight.

The latest builds show a sharp turn toward stealth, layering multiple anti-analysis tricks to frustrate both automated tools and human researchers.

The malware has also broadened what it targets. Beyond browser credentials and crypto wallets, it now includes a dedicated module to steal Discord tokens, giving attackers access to the victim’s online accounts.

A clipboard hijacker has also been added, silently swapping any cryptocurrency wallet address a victim copies with one controlled by the attacker, diverting funds in real time.

Gremlin Stealer Stores C2 URLs and Exfiltration Paths

The most significant technical change is where the malware stores its core configuration. Rather than embedding C2 URLs as readable strings, the authors have moved that data into the .NET resource section, scrambled with XOR encoding.

Resource section (Source – Unit42)

The resource block appears as a meaningless wall of raw data to any static analysis tool. When researchers applied a single-byte XOR decryption routine, they recovered the plaintext configuration including hard-coded server addresses and upload paths.

XOR decryption on resource section (Source – Unit42)

This technique mirrors tactics used by malware families like Agent Tesla, GuLoader, LokiBot, and Quasar RAT, which rely on the resource section to bury their payloads.

The current variant also uses a staged loading approach, meaning each function is only decrypted and placed into memory when needed.

This forces analysts to use live debugging tools to observe the malware’s actual behavior, since nothing meaningful shows up in a static review.

Deep Code Obfuscation Blocks Reverse Engineering

Beyond hiding C2 data in resources, this variant uses three distinct obfuscation layers to slow down analysis.

The first is identifier renaming, where every class, method, and variable has been swapped with a meaningless short label like a, b, hf, or bb, removing any context that would help a researcher understand what a function does.

The second layer is string encryption. Rather than writing readable words like “password” or server addresses directly in the code, the malware stores all strings encrypted and decodes them at runtime using an internal function.

Packed Gremlin variant (Source – Unit42)

Analysts searching for keywords like “Telegram” or “wallet.dat” will find nothing. The third layer is control-flow obfuscation, which floods the decompiled output with fake branches, pointless loops, and goto jumps that lead nowhere meaningful.

Even though the actual logic is often a simple sequence of steps, the surrounding noise makes the code appear extraordinarily complex.

Organizations are strongly advised to rely on behavioral detection tools rather than signature-based scanning alone, as this malware is specifically engineered to defeat static analysis.

Indicators of Compromise (IoCs):-

TypeIndicatorDescriptionIP / URLhxxp[:]194.87.92[.]109/i.phpGremlin stealer C2 exfiltration serverSHA2562172dae9a5a695e00e0e4609e7db0207d8566d225f7e815fada246ae995c0f9bPacked Gremlin stealer sample (217.exe)SHA2569aab30a3190301016c79f8a7f8edf45ec088ceecad39926cfcf3418145f3d614Gremlin stealer sampleSHA256971198ff86aeb42739ba9381923d0bc6f847a91553ec57ea6bae5becf80f8759Gremlin stealer sampleSHA256ab0fa760bd037a95c4dee431e649e0db860f7cdad6428895b9a399b6991bf3cdGremlin stealer sampleSHA256f76ba1a4650d8cafb6d3ff071688c5db6fd37e165050f03cece693826f51d346Gremlin stealer sampleSHA256a9f529a5cbc1f3ee80f785b22e0c472953e6cb226952218aecc7ab07ca328abdGremlin stealer sampleSHA256691896c7be87e47f3e9ae914d76caaf026aaad0a1034e9f396c2354245215dc3Gremlin stealer sampleSHA256281b970f281dbea3c0e8cfc68b2e9939b253e5d3de52265b454d8f0f578768a2Gremlin stealer sampleSHA2569fda1ddb1acf8dd3685ec31b0b07110855832e3bed28a0f3b81c57fe7fe3ac20Gremlin stealer sampleSHA256d11938f14499de03d6a02b5e158782afd903460576e9227e0a15d960a2e9c02cGremlin stealer sampleSHA2561bd0a200528c82c6488b4f48dd6dbc818d48782a2e25ccd22781c5718c3f62f5Gremlin steal

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
The post Gremlin Stealer Stores C2 URLs and Exfiltration Paths in Encrypted Resource Sections appeared first on Cyber Security News.