Gremlin Stealer, a new infostealer variant, has emerged, gaining attention for its advanced capabilities. According to Palo Alto Networks’ Unit 42, the malware is primarily promoted through a Telegram channel called CoderSharp. Although still under development, it is already capable of stealing data from various software on Windows devices, including browsers, clipboard data, and local disks. The malware’s capabilities allow it to target a broad range of sensitive information, making it a serious security threat.
The malware is written in C# and exfiltrates data to a web server for publication. Gremlin Stealer is designed to bypass protections like Chrome’s cookie V20 and does not rely on downloading additional content from the internet. It collects data such as clipboard content, screenshots, device metadata (like IP address and system specs), and various credentials from browsers, crypto wallets, FTP services, and VPNs. This extensive data collection gives the malware the ability to steal a wide range of personal and sensitive information.
Once the data is collected, Gremlin Stealer stores it in plain text files in a folder under LOCAL_APP_DATA. The files are then compressed into a ZIP archive and transmitted to a server through a hard-coded Telegram API key. The server, hosted at 207.244.199[.]46, facilitates the uploading of stolen data. The data is accessible via a web portal that hosts ZIP archives containing the stolen files. Victims’ data can be deleted or downloaded by those behind the malware.
Researchers note that the malware’s growing reach is alarming, as its use of Telegram for data exfiltration provides a reliable communication channel for the attackers. With the ability to steal diverse types of sensitive information, Gremlin Stealer poses significant risks to individuals and organizations. The ongoing development of the malware suggests that it could evolve into an even more dangerous threat if not swiftly addressed.
