Gremlin Stealer Stores C2 URLs and Exfiltration Paths in Encrypted Resource Sections

A newly analyzed variant of the Gremlin stealer malware has raised alarms by hiding its command-and-control (C2) addresses and data exfiltration paths inside encrypted resource sections of a compiled program.

This approach makes the malware harder to detect through traditional scanning, allowing it to operate silently on infected systems before stealing sensitive data.

Gremlin stealer first appeared on underground forums, sold as a ready-to-use credential theft tool. It targets web browsers, clipboard contents, and local storage to pull out payment card details, browser cookies, session tokens, cryptocurrency wallet data, and FTP and VPN credentials.

Once it gathers this data, the malware bundles everything into a ZIP archive named after the victim’s public IP address and quietly uploads it to an attacker-controlled web panel for download or resale.

Analysts at Unit 42, the threat intelligence division of Palo Alto Networks, said in a report shared with Cyber Security News (CSN) that they identified a new Gremlin variant pushing stolen data to a freshly deployed server at hxxp[:]194.87.92[.]109.

At the time of discovery, no security vendor on VirusTotal had flagged the site as malicious, meaning the infrastructure was running completely under the radar.

What makes this variant particularly concerning is how quickly it has evolved. Legacy Gremlin samples had no obfuscation at all, with function names and class labels left exposed in plain sight.

The latest builds show a sharp turn toward stealth, layering multiple anti-analysis tricks to frustrate both automated tools and human researchers.

The malware has also broadened what it targets. Beyond browser credentials and crypto wallets, it now includes a dedicated module to steal Discord tokens, giving attackers access to the victim’s online accounts.

A clipboard hijacker has also been added, silently swapping any cryptocurrency wallet address a victim copies with one controlled by the attacker, diverting funds in real time.

The most significant technical change is where the malware stores its core configuration. Rather than embedding C2 URLs as readable strings, the authors have moved that data into the .NET resource section, scrambled with XOR encoding.

The resource block appears as a meaningless wall of raw data to any static analysis tool.

This technique mirrors tactics used by malware families like Agent Tesla, GuLoader, LokiBot, and Quasar RAT, which rely on the resource section to bury their payloads.

The current variant also uses a staged loading approach, meaning each function is only decrypted and placed into memory when needed.

This forces analysts to use live debugging tools to observe the malware’s actual behavior, since nothing meaningful shows up in a static review.

Deep Code Obfuscation Blocks Reverse Engineering

Beyond hiding C2 data in resources, this variant uses three distinct obfuscation layers to slow down analysis.

The first is identifier renaming, where every class, method, and variable has been swapped with a meaningless short label like a, b, hf, or bb, removing any context that would help a researcher understand what a function does.

The second layer is string encryption. Rather than writing readable words like “password” or server addresses directly in the code, the malware stores all strings encrypted and decodes them at runtime using an internal function.

Analysts searching for keywords like “Telegram” or “wallet.dat” will find nothing.

Even though the actual logic is often a simple sequence of steps, the surrounding noise makes the code appear extraordinarily complex.

Organizations are strongly advised to rely on behavioral detection tools rather than signature-based scanning alone, as this malware is specifically engineered to defeat static analysis.

Indicators of Compromise (IoCs):-

Type	Indicator	Description
IP / URL	hxxp[:]194.87.92[.]109/i.php	Gremlin stealer C2 exfiltration server
SHA256	2172dae9a5a695e00e0e4609e7db0207d8566d225f7e815fada246ae995c0f9b	Packed Gremlin stealer sample (217.exe)
SHA256	9aab30a3190301016c79f8a7f8edf45ec088ceecad39926cfcf3418145f3d614	Gremlin stealer sample
SHA256	971198ff86aeb42739ba9381923d0bc6f847a91553ec57ea6bae5becf80f8759	Gremlin stealer sample
SHA256	ab0fa760bd037a95c4dee431e649e0db860f7cdad6428895b9a399b6991bf3cd	Gremlin stealer sample
SHA256	f76ba1a4650d8cafb6d3ff071688c5db6fd37e165050f03cece693826f51d346	Gremlin stealer sample
SHA256	a9f529a5cbc1f3ee80f785b22e0c472953e6cb226952218aecc7ab07ca328abd	Gremlin stealer sample
SHA256	691896c7be87e47f3e9ae914d76caaf026aaad0a1034e9f396c2354245215dc3	Gremlin stealer sample
SHA256	281b970f281dbea3c0e8cfc68b2e9939b253e5d3de52265b454d8f0f578768a2	Gremlin stealer sample
SHA256	9fda1ddb1acf8dd3685ec31b0b07110855832e3bed28a0f3b81c57fe7fe3ac20	Gremlin stealer sample
SHA256	d11938f14499de03d6a02b5e158782afd903460576e9227e0a15d960a2e9c02c	Gremlin stealer sample
SHA256	1bd0a200528c82c6488b4f48dd6dbc818d48782a2e25ccd22781c5718c3f62f5	Gremlin steal

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.