
Gremlin Stealer Evolves into Modular Threat with Advanced Evasion Capabilities

ID: 4ff4b070-9fec-571a-8fa9-bf06a28d0ca5

STIX ID: report--4ff4b070-9fec-571a-8fa9-bf06a28d0ca5

Feed Name: Infosecurity Magazine (News)

Threat Score: 72/100

Date Published: 2026-05-15

Date Updated: 2026-05-15

...
...

Gremlin stealer has rapidly evolved into a modular infostealer targeting Chromium-based browsers, the system clipboard and local storage. New builds use XOR-encoded payloads placed in the .NET resource section to evade detection, and add modules for Discord token theft, a crypto-clipper that replaces wallet addresses on the clipboard, and WebSocket-based session hijacking. Stolen artifacts (cookies, session tokens, clipboard contents, crypto wallet data, FTP/VPN credentials) are bundled into ZIP archives named after the victim's public IP and exfiltrated to an attacker-controlled site (http://194.87.92.109); Unit 42 observed that the site and the artifacts initially had no VirusTotal detections.
