A newly discovered version of the Gremlin stealer malware has raised concerns by concealing its command-and-control (C2) addresses and data exfiltration paths within encrypted sections of a compiled program. This sophisticated technique complicates detection through traditional scanning methods, allowing the malware to operate covertly on compromised systems before exfiltrating sensitive information.
The Evolution of Gremlin Stealer
Initially surfacing on underground forums as a plug-and-play credential theft tool, Gremlin stealer targets a variety of data sources. These include web browsers, clipboard contents, and local storage, from which it extracts payment card details, browser cookies, session tokens, cryptocurrency wallet data, and FTP and VPN credentials. After collecting this information, the malware compresses it into a ZIP file named after the victim’s public IP address and discreetly uploads it to an attacker-controlled web panel for further exploitation or resale.
According to a report from Unit 42, the threat intelligence arm of Palo Alto Networks, a new Gremlin variant has been identified transmitting stolen data to a recently established server at hxxp[:]194.87.92[.]109. At the time of its discovery, none of the security vendors on VirusTotal had flagged the server as malicious, indicating the infrastructure remained undetected.
Advanced Tactics and Broadened Targets
This variant marks a significant advancement in stealth tactics. Previous iterations of Gremlin lacked obfuscation, with function names and class labels plainly visible. The latest versions employ sophisticated anti-analysis techniques to thwart both automated tools and human researchers. The malware’s targeting scope has also expanded. Beyond its traditional focus on browser credentials and cryptocurrency wallets, it now includes a module specifically designed to capture Discord tokens, granting attackers access to victims’ online accounts.
Additionally, a clipboard hijacker has been integrated: it silently replaces any cryptocurrency wallet address the victim copies with one belonging to the attacker, redirecting funds in real time.
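The clipboard-swap behaviour described above can be caught from the defender's side by watching for a wallet-like string being replaced, almost immediately, by a different wallet-like string. The following is an added detection example, not code from the article or from Unit 42; the event list is constructed (placeholder addresses), and the two-second window and the address patterns are assumptions a deployment would tune.

```python
"""
Heuristic detector for clipboard wallet-address swapping.

Input: a sequence of (timestamp_seconds, clipboard_text) snapshots as a
clipboard monitor would record them. Output: alerts where one wallet-like
address was replaced by a different wallet-like address within a short
window, which is the signature of a clipper rather than of a user copying
two addresses in a row. Addresses and timings below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Assumed address shapes; extend for other chains as needed.
WALLET_PATTERNS = [
    re.compile(r"^0x[0-9a-fA-F]{40}$"),                # Ethereum-style
    re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),  # Bitcoin legacy (base58)
    re.compile(r"^bc1[a-z0-9]{25,59}$"),               # Bitcoin bech32
]


def looks_like_wallet(text: str) -> bool:
    """True if the clipboard content matches one of the known address shapes."""
    candidate = text.strip()
    return any(p.match(candidate) for p in WALLET_PATTERNS)


@dataclass
class SwapAlert:
    time: float        # timestamp of the suspicious replacement
    original: str      # address the user copied
    replacement: str   # address that appeared in its place


def detect_clipboard_swaps(events: Iterable[Tuple[float, str]],
                           window_seconds: float = 2.0) -> List[SwapAlert]:
    """Flag address-to-address replacements that happen within window_seconds.

    A human copying a second address typically takes far longer than a couple
    of seconds; a clipper rewrites the clipboard almost instantly after the copy.
    """
    alerts: List[SwapAlert] = []
    prev_time, prev_text = None, None
    for t, text in events:
        if (
            prev_text is not None
            and looks_like_wallet(prev_text)
            and looks_like_wallet(text)
            and text.strip() != prev_text.strip()
            and (t - prev_time) <= window_seconds
        ):
            alerts.append(SwapAlert(t, prev_text.strip(), text.strip()))
        prev_time, prev_text = t, text
    return alerts


# Constructed clipboard history: the user copies their own address at t=5.0 and
# 200 ms later the clipboard holds a different address (the clipper's swap).
# The copy at t=30.0 is an unrelated, user-initiated copy and must not alert.
SAMPLE_EVENTS = [
    (0.0, "meeting notes for tuesday"),
    (5.0, "0x" + "a" * 40),
    (5.2, "0x" + "b" * 40),
    (30.0, "0x" + "c" * 40),
]

if __name__ == "__main__":
    for alert in detect_clipboard_swaps(SAMPLE_EVENTS):
        print(f"t={alert.time}: {alert.original} -> {alert.replacement}")
```

In a real monitor the events would come from a clipboard-change hook, and an alert would be correlated with the process that last wrote to the clipboard, which is the strongest signal of which binary is doing the swapping.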
Technical Innovations in Data Concealment
A pivotal technical modification involves the storage of the malware’s core configuration. Rather than embedding C2 URLs as easily readable strings, the creators have relocated this data into the .NET resource section, obscured with XOR encoding. This resource block appears as an indecipherable mass of raw data to static analysis tools. However, when researchers employed a single-byte XOR decryption method, they uncovered the plaintext configuration, including hard-coded server addresses and upload paths.
This strategy mirrors those used by malware families such as Agent Tesla, GuLoader, LokiBot, and Quasar RAT, which utilize the resource section to conceal their payloads. The current variant also adopts a staged loading approach, decrypting and loading each function into memory only when necessary. This necessitates the use of live debugging tools to observe the malware’s true behavior, as static analysis reveals nothing of value.
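Recovering a configuration hidden this way is a routine analyst task once the resource bytes are in hand: with a single-byte XOR, all 256 keys can be tried and the decode that looks most like text (and contains URL markers) is almost certainly the right one. The script below is an added example, not code from the article or from Unit 42's analysis; the resource blob, the key 0x5A, the `key=value;` layout and the placeholder host `c2.example.invalid` are all constructed for the demonstration and are not indicators from the sample.

```python
"""
Brute-force recovery of a single-byte-XOR-encoded configuration blob, as an
analyst would do after dumping an opaque resource from a .NET binary.

Everything below is constructed: the plaintext, the key and the blob are
built here so the example runs offline. No real indicators are included.
"""
import string

PRINTABLE = set(bytes(string.printable, "ascii"))

# Constructed plaintext mimicking the kind of settings a stealer stores
# (C2 URL, upload path, archive naming). The host is a placeholder.
_SAMPLE_PLAINTEXT = (
    b"c2=http://c2.example.invalid/panel;"
    b"upload=/api/upload.php;"
    b"archive=%IP%.zip"
)
_SAMPLE_KEY = 0x5A  # constructed key, chosen for the demo only


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; the same call encodes and decodes."""
    return bytes(b ^ key for b in data)


# What an analyst would extract from the resource section (constructed here).
SAMPLE_RESOURCE = xor_bytes(_SAMPLE_PLAINTEXT, _SAMPLE_KEY)


def score_candidate(candidate: bytes) -> int:
    """Plausibility score: printable density plus bonuses for URL markers."""
    score = sum(1 for b in candidate if b in PRINTABLE)
    if b"http" in candidate:
        score += 50
    if b"://" in candidate:
        score += 20
    return score


def brute_force_single_byte_xor(blob: bytes):
    """Try all 256 keys and return (key, plaintext) for the best-scoring decode."""
    best_key, best_plain, best_score = None, None, -1
    for key in range(256):
        candidate = xor_bytes(blob, key)
        s = score_candidate(candidate)
        if s > best_score:
            best_key, best_plain, best_score = key, candidate, s
    return best_key, best_plain


def parse_config(plaintext: bytes) -> dict:
    """Parse the assumed 'key=value;key=value' layout into a dict."""
    config = {}
    for field in plaintext.decode("ascii", errors="replace").split(";"):
        if "=" in field:
            k, v = field.split("=", 1)
            config[k.strip()] = v.strip()
    return config


def recover_config(blob: bytes):
    """Full pipeline: find the key, decode the blob, parse the settings."""
    key, plaintext = brute_force_single_byte_xor(blob)
    return key, parse_config(plaintext)


if __name__ == "__main__":
    key, cfg = recover_config(SAMPLE_RESOURCE)
    print(f"recovered key: 0x{key:02x}")
    for name, value in cfg.items():
        print(f"  {name} = {value}")
```

The scoring deliberately rewards URL markers rather than relying on printable density alone: a key that differs from the real one by a single low bit can still yield mostly printable output (it only case-flips letters or shifts punctuation), so the `http` and `://` bonuses are what make the correct key stand out unambiguously. Once the plaintext C2 and upload path are recovered, they become the indicators to feed into proxy and DNS blocking.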
Implications for Cybersecurity Strategies
Beyond hiding C2 data within resources, this variant employs three distinct obfuscation layers to impede analysis. The first involves renaming identifiers, replacing every class, method, and variable with an arbitrary short label, effectively stripping away any contextual clues. The second layer encrypts strings, ensuring that readable words like “password” or server addresses do not appear in the code. These strings are decrypted at runtime using an internal function, thwarting keyword searches.
The third obfuscation layer introduces control-flow complexity, cluttering the decompiled output with fake branches, unnecessary loops, and goto jumps that lead nowhere meaningful. Despite the underlying logic often being a straightforward series of steps, the surrounding noise makes the code appear deceptively complex.
Organizations are strongly advised to adopt behavioral detection tools instead of relying solely on signature-based scanning, as this malware is specifically engineered to circumvent static analysis.
