logo

Gremlin Stealer's Evolved Tactics: Hiding in Plain Sight With Resource Files

ID: e8c4d697-2d6a-5833-87c6-1eb63c546847

STIX ID: report--e8c4d697-2d6a-5833-87c6-1eb63c546847

Feed Name: Palo Alto Networks Unit 42

Threat Score
70/100

Date Published: 2026-05-15

Date Updated: 2026-06-04

Author: Pranay Kumar Chhaparwal and Mark Lim

...
...

This report analyzes a new Gremlin stealer variant that hides payloads in .NET resources using XOR and sophisticated commercial packing, employs identifier renaming, string encryption and control-flow obfuscation, and includes modules for browser cookie/session/token theft, Discord token extraction, a clipboard crypto-clipper, and WebSocket-based session hijacking; the report also provides multiple SHA256 sample hashes and a C2/exfiltration URL and recommends mitigations via Palo Alto Networks products.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.