Gremlin Stealer's Evolved Tactics: Hiding in Plain Sight With Resource Files
ID: e8c4d697-2d6a-5833-87c6-1eb63c546847
STIX ID: report--e8c4d697-2d6a-5833-87c6-1eb63c546847
Feed Name: Palo Alto Networks Unit 42
Date Published: 2026-05-15
Date Updated: 2026-06-04
Author: Pranay Kumar Chhaparwal and Mark Lim
This report analyzes a new Gremlin stealer variant that hides payloads in .NET resources using XOR and sophisticated commercial packing, employs identifier renaming, string encryption and control-flow obfuscation, and includes modules for browser cookie/session/token theft, Discord token extraction, a clipboard crypto-clipper, and WebSocket-based session hijacking; the report also provides multiple SHA256 sample hashes and a C2/exfiltration URL and recommends mitigations via Palo Alto Networks products.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
