A new information-stealing malware, dubbed Gremlin Stealer, has surfaced on prominent hacker forums and dedicated Telegram channels, posing a significant threat to sensitive user data such as credit card information and login credentials.
First identified by Unit 42 researchers in March 2025, Gremlin Stealer is developed in C# and actively promoted via the Telegram group “CoderSharp,” where its authors provide regular feature updates and facilitate sales.
Gremlin Stealer is engineered to exfiltrate a broad array of data from compromised Windows machines.

The malware specifically harvests information from popular browsers, including cookies, saved passwords, autofill data, and credit card details, by bypassing Chrome’s cookie v20 protection.
It also targets the clipboard, local disks, and system information, extracting cryptowallet files, File Transfer Protocol (FTP) credentials, and virtual private network (VPN) configurations.
Communication platforms are not immune, as the malware includes modules to capture Telegram and Discord session tokens, as well as Steam authentication data.
The backend infrastructure supporting Gremlin Stealer is both robust and user-friendly, featuring a web portal hosted at 207.244.199[.]46.
This portal serves as a repository for stolen data, which is organized into downloadable ZIP archives, and offers attackers granular controls, such as deleting or managing exfiltrated information.
The dashboard interface displays real-time metrics, including data volume and activity logs, highlighting the ongoing development and operational sophistication of the malware’s ecosystem.
Telegram for Distribution and Backend Operations
Technical analysis of Gremlin Stealer reveals its modular design adapted for maximum stealth and efficiency.
The malware operates autonomously without requiring further downloads post-deployment, reducing its network footprint and limiting opportunities for detection.
The codebase includes specialized routines for extracting sensitive data: for instance, it leverages the GetCookies function within the V20Collect class to circumvent enhanced cookie encryption in Chromium browsers, as well as corresponding modules for Gecko-based browsers.
In the context of cryptocurrency theft, Gremlin Stealer searches for wallet files pertinent to Bitcoin, Ethereum, Litecoin, and other major assets, copying sensitive data such as wallet.dat files for subsequent exfiltration.
To transmit the pilfered information, Gremlin Stealer aggregates data into ZIP archives stored temporarily in the LOCAL_APP_DATA directory before uploading them to its command-and-control server via HTTP POST requests.
Additionally, the malware utilizes a Telegram bot, equipped with a hard-coded API key, to send stolen data in real time to attackers, further complicating efforts at network-level interception.
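The two exfiltration channels described above (ZIP archives uploaded by HTTP POST to the C2 host, and real-time pushes through a Telegram bot) are both visible in outbound proxy or firewall logs, which makes them a practical detection point. The following Python script is an added example written for this article, not code from Unit 42 or from the malware; it runs a simple rule set over constructed proxy-log lines. The C2 address is the one quoted in the article (refanged for matching); the log format, the byte-size threshold, and the bot tokens in the sample lines are assumptions made up for illustration, and the `/bot<token>/<method>` path shape is the documented Telegram Bot API layout.

```python
"""
Detection sketch for the Gremlin Stealer exfiltration pattern:
  1. HTTP POST to the C2 host named in the article,
  2. uploads through the Telegram Bot API (/bot<token>/sendDocument etc.),
  3. large POSTs of application/zip bodies to any other host.
Input is a constructed, simplified proxy log, one request per line.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# IOC from the article, refanged for matching. Extend from your own intel feed.
KNOWN_C2_HOSTS = {"207.244.199.46"}

# Telegram Bot API paths look like /bot<token>/<method>; the token is
# "<numeric id>:<alphanumeric secret>". Methods listed are the ones a
# stealer would use to push files or text.
TELEGRAM_BOT_RE = re.compile(
    r"^/bot\d+:[A-Za-z0-9_-]+/(sendDocument|sendMessage|sendPhoto)"
)

# Assumed threshold for "suspiciously large" ZIP upload; tune per environment.
ZIP_POST_THRESHOLD = 500_000  # bytes

# Constructed sample log lines (not real traffic). Field order:
# timestamp client_ip method host path status bytes_out content_type
SAMPLE_LOG = """\
2025-03-12T09:14:02Z 10.0.5.21 GET www.example.com / 200 512 text/html
2025-03-12T09:14:40Z 10.0.5.21 POST 207.244.199.46 /upload 200 1843200 application/zip
2025-03-12T09:15:01Z 10.0.5.21 POST api.telegram.org /bot123456789:AAFakeTokenForIllustration/sendDocument 200 921600 multipart/form-data
2025-03-12T09:16:10Z 10.0.5.44 POST api.telegram.org /bot987654321:AAAnotherFakeToken/sendMessage 200 300 application/json
2025-03-12T09:17:30Z 10.0.5.21 POST updates.example.com /api/ping 200 128 application/json
"""


@dataclass
class Finding:
    timestamp: str
    client_ip: str
    host: str
    bytes_out: int
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Split one constructed log line into fields; return None if malformed."""
    parts = line.split()
    if len(parts) != 8:
        return None
    ts, client, method, host, path, status, bytes_out, ctype = parts
    return {
        "timestamp": ts,
        "client_ip": client,
        "method": method,
        "host": host,
        "path": path,
        "status": status,
        "bytes_out": int(bytes_out),
        "content_type": ctype,
    }


def analyse(log_text: str) -> List[Finding]:
    """Apply the three rules to every POST in the log and collect findings."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["method"] != "POST":
            continue

        reason = None
        if rec["host"] in KNOWN_C2_HOSTS:
            reason = "POST to known Gremlin Stealer C2 host"
        elif rec["host"] == "api.telegram.org" and TELEGRAM_BOT_RE.match(rec["path"]):
            reason = "Telegram Bot API send from endpoint"
        elif rec["content_type"] == "application/zip" and rec["bytes_out"] >= ZIP_POST_THRESHOLD:
            reason = "large ZIP upload to unlisted host"

        if reason:
            findings.append(Finding(rec["timestamp"], rec["client_ip"],
                                    rec["host"], rec["bytes_out"], reason))
    return findings


def hosts_by_reason(findings: List[Finding]) -> dict:
    """Group offending client IPs by rule, for a quick triage summary."""
    summary: dict = {}
    for f in findings:
        summary.setdefault(f.reason, set()).add(f.client_ip)
    return summary


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f.timestamp} {f.client_ip} -> {f.host} ({f.bytes_out} B): {f.reason}")
```

In the sample, the first rule catches the ZIP upload to the C2 address, and the Telegram rule fires twice, once for each client. The Telegram rule is deliberately broad: many organisations have legitimate Bot API traffic from servers or chat integrations, so in practice it should be scoped to endpoints where no such baseline exists, and the C2 set should be fed from a current threat-intelligence source rather than a hard-coded literal.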
The continued advertisement and sale of Gremlin Stealer on Telegram, coupled with the operational backend for managing stolen data, underscore a growing trend among cybercriminals to package sophisticated infostealers with accessible management tools.
Palo Alto Networks and affiliated researchers emphasize the importance of employing advanced detection and prevention technologies, including behavioral analytics and dynamic threat intelligence, to mitigate risks associated with such rapidly evolving threats.
As Gremlin Stealer continues its active campaign, organizations and individuals are urged to strengthen endpoint protection, monitor for unusual exfiltration attempts, and remain vigilant against the proliferation of malware distributed through social media and underground channels.