
Gremlin Stealer Reemerges With Stealthy Obfuscation and Crypto-Clip Capabilities

Last updated: 2026-05-20 20:11:22 · Finance & Crypto


Unit 42 researchers have uncovered a new variant of the Gremlin infostealer that leverages advanced obfuscation, cryptocurrency address clipping, and session hijacking techniques. This variant hides malicious payloads inside legitimate-looking resource files to evade traditional detection.

[Image: Gremlin Stealer Reemerges With Stealthy Obfuscation and Crypto-Clip Capabilities. Source: unit42.paloaltonetworks.com]

“The Gremlin stealer has evolved significantly,” said a senior threat analyst at Unit 42. “By embedding its code in resource files and using multi-layered obfuscation, it now operates almost invisibly on compromised systems.”

Background

Gremlin first emerged as a credential and cryptocurrency wallet stealer in early 2023. Earlier versions relied on basic obfuscation and were often detected quickly by antivirus engines.

This new variant marks a substantial escalation. It uses advanced packers, string encryption, and control-flow obfuscation to avoid signature-based detection.

How the Attack Works

The malware arrives through phishing emails or malicious downloads. Once executed, it extracts its payload from resource sections (.rsrc) of portable executable files.

Three primary capabilities define this variant:

  • Advanced obfuscation: Multiple layers of encryption and junk code prevent static analysis.
  • Crypto clipping: The malware monitors clipboard activity and replaces cryptocurrency wallet addresses with attacker-controlled addresses.
  • Session hijacking: It steals browser cookies and authentication tokens to gain persistent access to online accounts.

“The combination of crypto clipping with session hijacking is particularly dangerous,” explained the Unit 42 analyst. “Attackers can steal funds while also maintaining a foothold in the victim’s accounts.”


What This Means

End users and enterprises must adopt stricter security measures. For individuals, manually verifying cryptocurrency addresses before sending transactions is critical.

Organizations should deploy behavior-based detection tools and restrict the execution of resource-packed executables. “Traditional antivirus alone will not catch this variant,” the analyst noted. “Security teams need to monitor for unusual clipboard activity and session anomalies.”
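The clipboard monitoring the analyst describes can be expressed as a simple detection rule: a wallet address of one asset type being overwritten by a different address of the same type within a couple of seconds, typically by a process other than the one the user copied from. The following is an added example, not code from Unit 42 or from the report; it assumes a hypothetical endpoint agent that records every clipboard write as one log line (`<unix_ms> pid=<pid> proc=<image> clip=<text>`), and the log lines, process names and addresses in it are constructed for illustration.

```python
"""Detect clipboard 'crypto clipping' from a clipboard-monitor event log.

Added example (not Unit 42's code). Assumes a hypothetical endpoint agent
that logs every clipboard write as one line:
    <unix_ms> pid=<pid> proc=<image name> clip=<clipboard text>
The sample log, process names and addresses below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Simplified address shapes (assumption): legacy/bech32 Bitcoin and 0x-prefixed
# EVM addresses. Production tooling would also validate checksums.
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(?:bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "evm": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

LOG_RE = re.compile(r"^(?P<ts>\d+)\s+pid=(?P<pid>\d+)\s+proc=(?P<proc>\S+)\s+clip=(?P<clip>.+)$")


@dataclass
class ClipEvent:
    ts_ms: int
    pid: int
    process: str
    content: str


def parse_events(lines: Iterable[str]) -> List[ClipEvent]:
    """Parse agent log lines; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append(ClipEvent(int(m["ts"]), int(m["pid"]), m["proc"], m["clip"].strip()))
    return events


def classify(content: str) -> Optional[str]:
    """Return the asset kind if the clipboard text looks like a wallet address."""
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(content):
            return kind
    return None


def detect_clipping(events: List[ClipEvent], window_ms: int = 2000) -> List[Dict]:
    """Flag an address being overwritten by a *different* address of the same
    asset kind within `window_ms`. A person rarely copies two distinct addresses
    of the same asset within two seconds; a clipper does exactly that."""
    alerts = []
    prev: Optional[ClipEvent] = None
    prev_kind: Optional[str] = None
    for ev in sorted(events, key=lambda e: e.ts_ms):
        kind = classify(ev.content)
        if kind is None:
            prev, prev_kind = None, None  # non-address text breaks the chain
            continue
        if (prev is not None and kind == prev_kind and ev.content != prev.content
                and ev.ts_ms - prev.ts_ms <= window_ms):
            alerts.append({
                "asset": kind,
                "original": prev.content,
                "replacement": ev.content,
                "writer": ev.process,
                "writer_pid": ev.pid,
                "delta_ms": ev.ts_ms - prev.ts_ms,
                # A writer that differs from the source process is the strongest signal.
                "cross_process": ev.pid != prev.pid,
            })
        prev, prev_kind = ev, kind
    return alerts


# Constructed sample: the user copies a BTC address in the browser, and 350 ms
# later an unrelated process rewrites the clipboard with another BTC address.
# The two EVM addresses 15 s apart are a legitimate sequence and must not alert.
SAMPLE_LOG = """
1700000000000 pid=4120 proc=chrome.exe clip=bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq
1700000000350 pid=7788 proc=svchost.exe clip=bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4
1700000020000 pid=4120 proc=chrome.exe clip=hello world
1700000025000 pid=4120 proc=chrome.exe clip=0xde0B295669a9FD93d5F28D9Ec85E40f4cb697BAE
1700000040000 pid=4120 proc=chrome.exe clip=0x52908400098527886E0F7030069857D2E4169EE7
"""

if __name__ == "__main__":
    for a in detect_clipping(parse_events(SAMPLE_LOG.splitlines())):
        print(f"[ALERT] {a['asset']} address swapped by {a['writer']} (pid {a['writer_pid']}) "
              f"after {a['delta_ms']} ms: {a['original']} -> {a['replacement']}")
```

The `cross_process` field is what an analyst would pivot on: a clipboard rewrite from a process that is not the foreground application the user copied from is the behavioural signature of clipping, and it is the kind of signal that signature-based antivirus, which looks at the binary rather than at clipboard activity, does not see.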

The threat is real and already in the wild. Unit 42 expects this variant to spread rapidly given its stealth and effectiveness. Recommended steps:

  1. Update antivirus definitions and enable real-time protection.
  2. Implement endpoint detection and response (EDR) solutions.
  3. Educate users about phishing lures that lead to resource-packed payloads.

“We recommend immediate action,” urged the Unit 42 researcher. “The time to harden defenses is now, before Gremlin becomes widespread.”

This article is based on findings from Unit 42’s latest threat intelligence report.