CyberSecurity news
@unit42.paloaltonetworks.com
Researchers at Palo Alto Networks’ Unit 42 have discovered a new malware strain called Gremlin Stealer, actively being developed and sold on Telegram. The malware, written in C#, has been active since March 2025 and is designed to steal sensitive information from compromised systems. It is advertised on a Telegram channel named CoderSharp, where its authors actively promote its features and capabilities.
Gremlin Stealer targets a wide range of software to extract data from browsers, the clipboard, and the local disk. This includes sensitive data such as credit card details, browser cookies, crypto wallet information, and FTP and VPN credentials. The malware has the ability to bypass Chrome cookie V20 protection, the App-Bound Encryption scheme Chrome uses on Windows to encrypt cookie values with a key that only a Chrome process can obtain from an elevated service, so that the cookie database can no longer be decrypted with user-context DPAPI alone, as it could under the older v10 format. It also scours the local file system and Windows Registry for crypto wallet data, targeting wallets for Litecoin, Bitcoin, Monero, and others.
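The V20 claim matters because it decides which cookies a stealer running in the user's context can still read. The following triage script is an added example, not code from Unit 42 or from the Gremlin Stealer authors: it classifies each cookie in a Chrome `Cookies` database by the prefix of its encrypted value (`v10` for the DPAPI-unwrappable key, `v20` for the app-bound key) and checks whether the profile's `Local State` carries the DPAPI-wrapped key (`os_crypt.encrypted_key`, prefixed `DPAPI`) and the app-bound key (`os_crypt.app_bound_encrypted_key`, prefixed `APPB`). The cookie rows and the `Local State` fragment below are constructed for the demo; the function names are this example's own.

```python
import base64
import json
import os
import sqlite3
import tempfile
from collections import Counter

# Constructed "Local State" fragment (real files carry many more keys).
# Chrome base64-encodes both wrapped keys; the DPAPI-wrapped key is prefixed
# "DPAPI", the app-bound key (App-Bound Encryption, Chrome 127+) is prefixed "APPB".
DEMO_LOCAL_STATE = json.dumps({
    "os_crypt": {
        "encrypted_key": base64.b64encode(b"DPAPI" + b"\x11" * 32).decode(),
        "app_bound_encrypted_key": base64.b64encode(b"APPB" + b"\x22" * 48).decode(),
    }
})

# Constructed cookie rows: (host_key, name, encrypted_value). Real blobs are
# prefix + 12-byte nonce + AES-GCM ciphertext + 16-byte tag; only the prefix matters here.
DEMO_COOKIES = [
    ("login.example.com", "session", b"v20" + b"\xaa" * 44),
    ("mail.example.com", "auth", b"v20" + b"\xbb" * 44),
    ("shop.example.com", "cart", b"v10" + b"\xcc" * 44),
    ("bank.example.com", "sid", b"v20" + b"\xdd" * 44),
    ("old.example.com", "legacy", b"v10" + b"\xee" * 44),
]


def classify_cookie_blob(blob: bytes) -> str:
    """Return the encryption generation of one encrypted_value blob."""
    if blob.startswith(b"v20"):
        return "v20"   # app-bound: key released only to Chrome by an elevated service
    if blob.startswith(b"v10"):
        return "v10"   # AES-GCM with a key any process in the user's context can unwrap via DPAPI
    return "other"     # empty, plaintext, or a pre-v10 raw DPAPI blob


def build_demo_cookie_db(path: str) -> None:
    """Write a minimal Cookies database with the columns a stealer queries."""
    con = sqlite3.connect(path)
    with con:
        con.execute("CREATE TABLE cookies (host_key TEXT, name TEXT, encrypted_value BLOB)")
        con.executemany("INSERT INTO cookies VALUES (?, ?, ?)", DEMO_COOKIES)
    con.close()


def cookie_encryption_summary(db_path: str) -> dict:
    """Count cookies per encryption generation and list those still readable off-browser."""
    con = sqlite3.connect(db_path)
    try:
        counts = Counter()
        exposed = []
        for host, name, blob in con.execute("SELECT host_key, name, encrypted_value FROM cookies"):
            tag = classify_cookie_blob(bytes(blob or b""))
            counts[tag] += 1
            if tag != "v20":
                exposed.append((host, name))
    finally:
        con.close()
    return {"counts": dict(counts), "exposed": exposed}


def local_state_keys(local_state_json: str) -> dict:
    """Report which wrapped keys Local State carries, checking Chrome's prefixes."""
    os_crypt = json.loads(local_state_json).get("os_crypt", {})
    expected = {"encrypted_key": b"DPAPI", "app_bound_encrypted_key": b"APPB"}
    result = {}
    for field, prefix in expected.items():
        raw = os_crypt.get(field)
        if raw is None:
            result[field] = "absent"
        elif base64.b64decode(raw).startswith(prefix):
            result[field] = "present"
        else:
            result[field] = "unexpected-prefix"
    return result


def demo() -> dict:
    """Run the triage against the constructed profile and return the findings."""
    db_path = os.path.join(tempfile.mkdtemp(), "Cookies")
    build_demo_cookie_db(db_path)
    summary = cookie_encryption_summary(db_path)
    summary["local_state"] = local_state_keys(DEMO_LOCAL_STATE)
    return summary


if __name__ == "__main__":
    findings = demo()
    print("cookies by encryption generation:", findings["counts"])
    print("still readable by user-context malware:", findings["exposed"])
    print("Local State keys:", findings["local_state"])
```

To run it against a real profile, point `cookie_encryption_summary` at a copy of `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Network\Cookies` (Chrome holds a lock on the live file) and `local_state_keys` at the contents of `...\User Data\Local State`. Any cookie still tagged `v10` is readable by a stealer that does nothing more than call DPAPI in the user's context; `v20` cookies require the elevated-service or in-process tricks that Gremlin Stealer advertises, which is a very different detection surface.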
Once the data is stolen, Gremlin Stealer uploads the information to a web server for publication. The group behind the malware claims to have uploaded vast amounts of data from victims' machines to their server at 207.244.199[.]46. This server is a configurable portal that comes with the sale of the malware. The Gremlin Stealer website currently displays 14 files, described as ZIP archives of stolen data from victims' machines, with options to delete or download the archives.
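The published panel address gives a defender one exact indicator, but the upload pattern itself (an HTTP POST carrying an archive to a bare-IP host) is worth hunting for too, since a rebuilt panel will sit on a different address. The script below is an added example, not part of the Unit 42 report: it refangs the published IP, parses a web-proxy log, and flags both the known panel and large POSTs to external IP-addressed hosts. The log lines, the field layout (`ts client method url status bytes_sent`), the internal address list and the 1 MB threshold are all constructed assumptions to adapt to your own proxy.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Defanged as published in the report; refang only inside the matcher.
GREMLIN_PANEL = "207.244.199[.]46"

# Ranges treated as internal so uploads to in-house IP-addressed services are
# not flagged by the generic rule (assumption: adjust for your network).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed log format: ts client method url status bytes_sent_by_client
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<bytes>\d+)$"
)

SAMPLE_LOG = [  # constructed for the demo
    "2025-05-01T10:00:01Z 10.0.0.12 GET https://www.example.com/ 200 512",
    "2025-05-01T10:00:07Z 10.0.0.12 POST http://207.244.199.46/upload 200 2457600",
    "2025-05-01T10:01:03Z 10.0.0.33 POST http://198.51.100.7/api/upload 200 1843200",
    "2025-05-01T10:02:00Z 10.0.0.33 POST https://files.example.com/upload 200 2000000",
    "2025-05-01T10:02:15Z 10.0.0.41 POST http://192.168.5.20/backup 200 9000000",
    "2025-05-01T10:02:30Z 10.0.0.12 GET http://207.244.199.46/ 200 300",
    "garbage line that does not parse",
]


def refang(ioc: str) -> str:
    """Turn the report's defanged notation back into a matchable address."""
    return ioc.replace("[.]", ".")


def parse_line(line: str):
    """Parse one log line into a dict, or None if it does not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    return rec


def is_external_bare_ip(host: str) -> bool:
    """True when the host is a literal IP address outside INTERNAL_NETS."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name, not a bare IP
    return not any(addr in net for net in INTERNAL_NETS)


def hunt(lines, panel_ip: str = refang(GREMLIN_PANEL), min_upload: int = 1_000_000) -> list:
    """Return one hit per suspicious line, each with the reasons it was flagged."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        host = urlsplit(rec["url"]).hostname or ""
        reasons = []
        if host == panel_ip:
            reasons.append("known Gremlin Stealer panel IP")
        if rec["method"] == "POST" and is_external_bare_ip(host) and rec["bytes"] >= min_upload:
            reasons.append(f"large POST ({rec['bytes']} bytes) to bare-IP host")
        if reasons:
            hits.append({"ts": rec["ts"], "client": rec["client"], "host": host, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit["ts"], hit["client"], "->", hit["host"], ";", "; ".join(hit["reasons"]))
```

The exact-IP rule is high confidence but short-lived; the bare-IP POST rule is the durable one and will need tuning (legitimate update agents and some CDNs also POST to literal addresses), so treat its hits as leads for checking the client for the browser-data and wallet access described above rather than as alerts on their own.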
References:
- Virus Bulletin: Unit 42 researchers analyse Gremlin, an infostealer that can capture data from browsers, clipboard and local disk to steal sensitive data such as credit card details, browser cookies, crypto wallet information, and FTP and VPN credentials.
- securityonline.info: Researchers at Palo Alto Networks’ Unit 42 have unveiled a new, actively developed malware strain dubbed Gremlin Stealer.
- unit42.paloaltonetworks.com: Advertised on Telegram, Gremlin Stealer is new malware, active since March 2025 and written in C#. Stolen data is uploaded to a server for publication.
Classification:
- HashTags: #GremlinStealer #Malware #DataTheft
- Target: Users of browsers, crypto wallets, and VPNs
- Attacker: Gremlin Stealer operators (sold through the CoderSharp Telegram channel)
- Feature: Data theft
- Malware: Gremlin Stealer
- Type: Malware
- Severity: Major