10 Evolving Tactics of the Gremlin Stealer: How It Conceals Itself in Resource Files

In the ever-shifting landscape of cyber threats, the Gremlin stealer has emerged as a particularly cunning adversary. Originally documented by Unit 42, this information-stealing malware has evolved dramatically, employing advanced obfuscation, crypto clipping, and session hijacking to compromise sensitive data. But that's just the beginning. As researchers peel back the layers, they've uncovered a host of sophisticated techniques designed to hide in plain sight—often by leveraging seemingly benign resource files. In this article, we break down the ten key tactics that define the modern Gremlin stealer, offering a comprehensive look at how it operates and how defenders can stay one step ahead.

1. Hiding in Plain Sight Using Resource Files

Gremlin's most distinctive tactic involves embedding malicious code within legitimate resource files—such as icons, images, or version information—that are part of standard Windows executables. By concealing payloads in these unsuspecting areas, the stealer bypasses many traditional signature-based detection systems. Security tools often overlook resource sections, assuming they contain harmless metadata. This allows Gremlin to execute its malicious routines without raising immediate red flags. Defenders must now scrutinize resource sections with the same rigor as code segments.

2. Advanced Obfuscation to Evade Detection

The latest Gremlin variants employ multi-layered obfuscation techniques, including string encryption, control-flow flattening, and dead-code insertion. These methods make static analysis extremely difficult, as the true intent of the code is hidden beneath layers of noise. Dynamic analysis is also challenged by runtime decryption routines that only reveal malicious behavior under specific conditions. This evolution forces security teams to deploy advanced behavioral detection and sandboxing technologies that can emulate execution environments.

3. Crypto Clipping for Cryptocurrency Theft

One of Gremlin's most lucrative features is its crypto-clipping capability. The stealer monitors clipboard activity for cryptocurrency wallet addresses and replaces them with attacker-controlled addresses during transactions. This real-time swap happens silently, often without the user noticing until funds are lost. Gremlin targets multiple currencies, including Bitcoin, Ethereum, and Litecoin, and updates its list of target addresses via remote configuration, making it a persistent threat to digital asset holders.

4. Session Hijacking to Steal Authentication Tokens

Beyond stealing passwords, Gremlin focuses on session tokens and cookies—the keys to maintaining authenticated sessions. By extracting OAuth tokens and session cookies from browsers, the malware can bypass multi-factor authentication and gain persistent access to web services. This technique allows attackers to impersonate victims across platforms like email, social media, and cloud storage without needing credentials. It is particularly effective against organizations that rely solely on MFA at the initial login.

5. Persistent Data Exfiltration via Encrypted Channels

Once data is collected, Gremlin exfiltrates it using encrypted communication channels that mimic legitimate HTTPS traffic. It often leverages custom encryption or TLS to blend in with normal web traffic, making it difficult for network monitors to spot anomalies. The malware can also throttle data transfers to avoid triggering bandwidth alerts. This persistence ensures that stolen information—from credentials to personal financial data—leaks out slowly over time, reducing the chance of detection.

6. Privilege Escalation for Greater Access

Gremlin frequently includes privilege escalation exploits to move from user-level to system-level access on compromised machines. By using techniques like UAC bypass or leveraging known vulnerabilities (e.g., CVE-2021-1732), the stealer gains higher permissions. This allows it to disable security software, access protected system areas, and extract data from all user accounts on the same device. Elevation is typically achieved via a small payload that runs immediately after initial infection.

7. Stealthy Command-and-Control Communication

The command-and-control (C2) infrastructure of modern Gremlin variants uses domain generation algorithms (DGAs) and fast-flux hosting to avoid takedowns. The malware communicates using HTTP/HTTPS with randomized headers and payload lengths to evade pattern-based detection. Additionally, it employs low-and-slow communication, sending small packets at irregular intervals to stay under the radar. C2 responses are often padded with junk data to further obscure the real commands.

8. Targeting Browser Credentials and Cookies

Gremlin systematically harvests stored credentials, autofill data, and cookies from major browsers like Chrome, Firefox, Edge, and Brave. It decrypts the local storage—often using built-in browser APIs or direct memory reading—and exports the data into structured files. The malware prioritizes passwords for banking, email, and social media sites, as these provide the highest return for identity theft and account takeover. It also captures saved credit card details.

9. Use of Legitimate Tools for Lateral Movement

To spread within a network, Gremlin often repurposes legitimate system tools such as PowerShell, PsExec, and Windows Management Instrumentation (WMI). It uses these tools to copy itself to other machines, schedule tasks, or execute remote commands—all under the guise of normal administrative activity. This living-off-the-land approach reduces the need for custom malware and minimizes forensic footprints, making attribution more challenging.

10. Evolving Evasion Techniques: Anti-Debug and Anti-VM

Gremlin's developers continuously update evasion mechanisms to outpace security tools. The stealer checks for sandboxed environments by looking for virtual machine artifacts (e.g., VMWare, VirtualBox) and debugging tools. It also detects uncommonly low CPU cores or small screen resolutions, which are typical of automated analysis. If such conditions are found, the malware may display benign behavior or crash intentionally, waiting for a more favorable real-world environment before activating its malicious payload.

The evolution of the Gremlin stealer underscores a crucial lesson: cyber threats are not static. By embedding itself in resource files and adopting a multifaceted toolkit—from obfuscation and crypto clipping to session hijacking and lateral movement—Gremlin represents a formidable challenge. Understanding these ten tactics is the first step toward building effective defenses. Organizations should invest in endpoint detection that inspects resource sections, implement robust session management practices, and maintain up-to-date threat intelligence. As attackers grow stealthier, so must our vigilance.