{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/advanced-threat-prevention/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Advanced WildFire","Advanced Threat Prevention","Advanced URL Filtering","Advanced DNS Security","Cortex XDR","Cortex XSIAM"],"_cs_severities":["high"],"_cs_tags":["infostealer","credential-theft","session-hijacking","crypto-clipping","dotnet"],"_cs_type":"advisory","_cs_vendors":["Palo Alto Networks"],"content_html":"\u003cp\u003eThe Gremlin stealer malware has undergone significant evolution, incorporating advanced obfuscation and anti-analysis techniques. The latest variant conceals malicious payloads within embedded resources, employing XOR encoding and a complex commercial packing utility to evade detection. This version targets web browsers, system clipboards, and local storage to exfiltrate sensitive information such as payment card details, browser cookies, session tokens, cryptocurrency wallet data, FTP, and VPN credentials. A notable feature is the WebSocket-based session hijacking module that allows the malware to bypass modern cookie protections by directly requesting data from the running browser process. The malware also includes a crypto clipper functionality, which monitors the system clipboard for cryptocurrency wallet patterns and replaces the victim\u0026rsquo;s address with the attacker\u0026rsquo;s wallet in real time.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker deploys a Gremlin stealer variant packed with a commercial packing utility.\u003c/li\u003e\n\u003cli\u003eThe malware loads the main payload from a .NET resource section, which is XOR encoded to evade signature-based detection.\u003c/li\u003e\n\u003cli\u003eThe malware decrypts strings at runtime using a custom decoder ring function \u003ccode\u003e_003CModule_003E.c(int, int, int)\u003c/code\u003e which reads encrypted strings from an embedded resource file.\u003c/li\u003e\n\u003cli\u003eThe stealer targets web browsers to steal payment card details, browser cookies, and session tokens using a class, BrowserCredentialStealer.\u003c/li\u003e\n\u003cli\u003eIt monitors the system clipboard for cryptocurrency wallet addresses and replaces the victim\u0026rsquo;s address with the attacker\u0026rsquo;s address in real time.\u003c/li\u003e\n\u003cli\u003eThe malware uses a WebSocket-based session hijacking module to steal session data from running browser processes.\u003c/li\u003e\n\u003cli\u003eThe stealer exfiltrates the stolen data, bundled into a ZIP archive named using the victim\u0026rsquo;s public IP address, to the C2 server at hxxp[:]194.87.92[.]109/i.php.\u003c/li\u003e\n\u003cli\u003eThe C2 server receives and stores the stolen data, potentially for sale or publication.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful Gremlin stealer infections can lead to significant financial losses due to the theft of payment card details and cryptocurrency wallet data. Stolen session tokens and credentials can provide attackers with unauthorized access to sensitive accounts, potentially leading to further compromise and data breaches. The exfiltration of FTP and VPN credentials can allow attackers to pivot to other systems within the victim\u0026rsquo;s network. This malware represents a significant threat to individuals and organizations alike, potentially impacting thousands of users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eBlock the C2 IP address \u003ccode\u003e194.87.92[.]109\u003c/code\u003e at the firewall or DNS resolver to prevent data exfiltration.\u003c/li\u003e\n\u003cli\u003eImplement endpoint detection and response (EDR) solutions capable of detecting and blocking the execution of packed .NET executables similar to the one with SHA256 hash \u003ccode\u003e2172dae9a5a695e00e0e4609e7db0207d8566d225f7e815fada246ae995c0f9b\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Gremlin Stealer String Decoding Routine\u0026rdquo; to identify the malware\u0026rsquo;s string decryption function.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to improve visibility into process execution and identify suspicious parent-child process relationships associated with the stealer.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-15T10:02:31Z","date_published":"2026-05-15T10:02:31Z","id":"https://feed.craftedsignal.io/briefs/2026-05-gremlin-stealer-evolution/","summary":"The Gremlin stealer malware has evolved with advanced obfuscation techniques, crypto clipping, and session hijacking capabilities to steal sensitive information from compromised systems.","title":"Gremlin Stealer Evolves with Advanced Obfuscation and Session Hijacking","url":"https://feed.craftedsignal.io/briefs/2026-05-gremlin-stealer-evolution/"}],"language":"en","title":"CraftedSignal Threat Feed — Advanced Threat Prevention","version":"https://jsonfeed.org/version/1.1"}