Gremlin Stealer
Gremlin Stealer is a C#/.NET information-stealing malware family active since at least March 2025 and sold via Telegram, including through the CoderSharp channel, as a ready-to-use tool with associated backend infrastructure. Reporting describes it as an evolving infostealer, likely a variant of Sharp Stealer, with a code base strikingly similar to Hannibal Stealer, and undergoing active development.
It targets Windows systems and steals a broad range of data: browser cookies, passwords, payment card data, form/autofill data, session tokens, cryptocurrency wallet data, clipboard contents, FTP credentials, VPN credentials, Telegram session data, Discord tokens or session data, screenshots, and host information such as username, processor, hardware ID, RAM, CPU, GPU, and IP address. It supports theft from Chromium-based and Gecko-based browsers and includes functionality to bypass Chrome's v20 cookie protection (the App-Bound Encryption scheme behind cookie values prefixed "v20"); newer reporting also describes WebSocket-based browser session hijacking that requests the data from the running browser process rather than decrypting it from disk. Additional capabilities include checking wallet directories and registry entries such as Litecoin-related keys, copying wallet files like wallet.dat, and a clipboard hijacker that replaces copied cryptocurrency wallet addresses with attacker-controlled addresses.
Operationally, Gremlin Stealer stages stolen data as plain-text files under LOCAL_APP_DATA, compresses them into a ZIP archive, and uploads the archive to attacker-controlled infrastructure via HTTP POST. Observed infrastructure includes 207.244.199[.]46 (uploads to /index.php, backed by a configurable web panel that displayed the stolen ZIP archives) and 194.87.92[.]109 (exfiltration to /i.php). Reporting also notes use of the Telegram Bot API with a hard-coded bot token, and sandbox runs showed connections to api.telegram.org/bot endpoints. In newer variants, the ZIP archive may be named after the victim's public IP address.
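The exfiltration pattern above (ZIP archive POSTed to a bare IP, Telegram Bot API uploads, archive named after the victim's public IP) is narrow enough to hunt for in proxy or EDR HTTP telemetry. The following is an added example of that hunt logic, written for this page and not code from any vendor report or from the malware. It assumes each request is available with its method, host, path, Content-Type and the first bytes of the body; the sample events are constructed (documentation IP ranges, placeholder bot token), and only the two reported C2 host/path pairs come from the page.

```python
import ipaddress
import re
from dataclasses import dataclass

# Exfiltration endpoints reported for Gremlin Stealer (from the summary above).
KNOWN_EXFIL = {("207.244.199.46", "/index.php"), ("194.87.92.109", "/i.php")}
# Telegram Bot API requests look like /bot<token>/<method>; the token is the
# operator's bot credential and is worth extracting as a pivot.
TELEGRAM_BOT_RE = re.compile(r"^/bot(?P<token>\d+:[\w-]+)/(?P<method>\w+)")
# ZIP local-file-header magic, and the "<public-ip>.zip" naming of newer variants.
ZIP_MAGIC = b"PK\x03\x04"
IP_NAMED_ZIP_RE = re.compile(rb'filename="(\d{1,3}(?:\.\d{1,3}){3})\.zip"')


@dataclass
class HttpEvent:
    """One outbound HTTP request as a proxy or EDR sensor would record it.
    body_prefix holds the first few hundred bytes of the request body."""
    src: str
    method: str
    host: str
    path: str
    content_type: str
    body_prefix: bytes


def is_bare_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify(ev: HttpEvent) -> list[str]:
    """Return the detection tags that apply to one request, most specific first."""
    hits = []
    if ev.method.upper() != "POST":
        return hits
    if (ev.host, ev.path) in KNOWN_EXFIL:
        hits.append("known_gremlin_c2")
    if ev.host == "api.telegram.org":
        m = TELEGRAM_BOT_RE.match(ev.path)
        if m:
            hits.append(f"telegram_bot:{m.group('method')}")
    carries_zip = ZIP_MAGIC in ev.body_prefix or "zip" in ev.content_type.lower()
    if carries_zip and is_bare_ip(ev.host):
        hits.append("zip_post_to_bare_ip")
    if IP_NAMED_ZIP_RE.search(ev.body_prefix):
        hits.append("ip_named_zip")
    return hits


def scan(events):
    """Map (src, host, path) to tags for every request that triggered something."""
    out = {}
    for ev in events:
        tags = classify(ev)
        if tags:
            out[(ev.src, ev.host, ev.path)] = tags
    return out


# Constructed sample traffic (documentation IP ranges, placeholder bot token).
SAMPLE_EVENTS = [
    HttpEvent("10.0.0.5", "POST", "207.244.199.46", "/index.php",
              "multipart/form-data; boundary=----x",
              b'------x\r\nContent-Disposition: form-data; name="file"; '
              b'filename="198.51.100.23.zip"\r\nContent-Type: application/octet-stream'
              b'\r\n\r\nPK\x03\x04\x14\x00'),
    HttpEvent("10.0.0.5", "POST", "api.telegram.org",
              "/bot123456789:AAExampleBotToken_xyz/sendDocument",
              "multipart/form-data; boundary=----y", b"------y\r\n"),
    HttpEvent("10.0.0.9", "POST", "203.0.113.7", "/upload", "application/zip",
              b"PK\x03\x04"),
    HttpEvent("10.0.0.9", "GET", "194.87.92.109", "/i.php", "", b""),
    HttpEvent("10.0.0.11", "POST", "files.example.com", "/api/upload",
              "application/json", b'{"name": "report.zip"}'),
]

if __name__ == "__main__":
    for key, tags in scan(SAMPLE_EVENTS).items():
        print(key, tags)
```

The generic rule (ZIP body POSTed to a bare IP) will catch legitimate uploaders in some estates; treat it as a hunting lead and let the known-C2 and IP-named-archive tags drive alerts. A Telegram hit is worth escalating regardless of the payload, since the bot token in the path identifies the operator's bot and can be blocked or reported.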
Recent variants use stronger anti-analysis and evasion techniques. These include hiding C2 addresses and exfiltration paths in XOR-encoded .NET resource sections, staged loading where functions are decrypted and mapped into memory only when needed, identifier renaming, string encryption, control-flow obfuscation, embedded resource concealment, and in some samples commercial packers with instruction virtualization. Older samples reportedly lacked these protections and exposed symbols and function names in plain text.
High-confidence indicators mentioned in the content:
URLs: hxxp[:]//207.244.199[.]46/index.php and hxxp[:]//194.87.92[.]109/i.php
Server IPs: 207.244.199[.]46 and 194.87.92[.]109
SHA-256 hashes:
d1ea7576611623c6a4ad1990ffed562e8981a3aa209717065eddc5be37a76132
2172dae9a5a695e00e0e4609e7db0207d8566d225f7e815fada246ae995c0f9b
9aab30a3190301016c79f8a7f8edf45ec088ceecad39926cfcf3418145f3d614
971198ff86aeb42739ba9381923d0bc6f847a91553ec57ea6bae5becf80f8759
ab0fa760bd037a95c4dee431e649e0db860f7cdad6428895b9a399b6991bf3cd
f76ba1a4650d8cafb6d3ff071688c5db6fd37e165050f03cece693826f51d346
a9f529a5cbc1f3ee80f785b22e0c472953e6cb226952218aecc7ab07ca328abd
691896c7be87e47f3e9ae914d76caaf026aaad0a1034e9f396c2354245215dc3
281b970f281dbea3c0e8cfc68b2e9939b253e5d3de52265b454d8f0f578768a2
9fda1ddb1acf8dd3685ec31b0b07110855832e3bed28a0f3b81c57fe7fe3ac20
d11938f14499de03d6a02b5e158782afd903460576e9227e0a15d960a2e9c02c
1bd0a200528c82c6488b4f48dd6dbc818d48782a2e25ccd22781c5718c3f62f5
Groups observed using it
1 distinct threat actor attributed by public researchers.
A newly analyzed variant of the Gremlin stealer malware has raised alarms by hiding its command-and-control (C2) addresses and data exfiltration paths inside encrypted resource sections of a compiled program.
Techniques & procedures
23 distinct techniques documented for this family, organized by ATT&CK tactic.
Stealth (6 techniques)
Beyond hiding C2 data in resources, this variant uses three distinct obfuscation layers to slow down analysis. The first is identifier renaming... The second layer is string encryption... The third layer is control-flow obfuscation...
We uncovered an iteration of Gremlin stealer ( SHA256 2172dae9a5a695e00e0e4609e7db0207d8566d225f7e815fada246ae995c0f9b ) packed using a packing utility.
The file’s reported creation date — 2041-06-29 19:48:00 UTC — is set in the future. This is a common anti-analysis technique used by malware authors to bypass certain detection mechanisms or confuse automated analysis pipelines.
When researchers applied a single-byte XOR decryption routine, they recovered the plaintext configuration including hard-coded server addresses and upload paths.
Credential Access (5 techniques)
This crypto clipper functionality continuously monitors the system clipboard for strings matching cryptocurrency wallet patterns. When it detects a match, the malware replaces the victim's address with the attacker's wallet in real time.
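The mechanism described in that excerpt is small enough to show end to end. Below is an added example of a clipper's matching and replacement logic together with the check an analyst runs in a sandbox to detect it; it is written for this page and is not Gremlin's code. The address regexes are my own approximation of the common BTC, ETH and LTC formats, and the attacker addresses are constructed placeholders, not indicators.

```python
import re

# Address shapes the clipper needs to recognise. Approximations of the common
# formats (assumption, not the malware's patterns): bech32 and legacy base58 for
# BTC/LTC, 0x-prefixed 40-hex for ETH.
WALLET_PATTERNS = {
    "BTC": re.compile(r"^(?:bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "LTC": re.compile(r"^(?:ltc1[ac-hj-np-z02-9]{25,62}|[LM][a-km-zA-HJ-NP-Z1-9]{26,33})$"),
}

# Hypothetical attacker-controlled addresses; constructed, not real IOCs.
ATTACKER_WALLETS = {
    "BTC": "bc1q" + "z" * 38,
    "ETH": "0x" + "dead" * 10,
    "LTC": "ltc1q" + "z" * 38,
}


def classify_wallet(text: str):
    """Return the coin whose address format the text matches, else None."""
    text = text.strip()
    for coin, pattern in WALLET_PATTERNS.items():
        if pattern.match(text):
            return coin
    return None


def clipper_swap(clipboard_text: str):
    """What the clipper does on every clipboard change: if the content is a
    wallet address, hand back the attacker's address for the same coin.
    Returns (new_clipboard_text, coin_or_None)."""
    coin = classify_wallet(clipboard_text)
    if coin is None:
        return clipboard_text, None
    return ATTACKER_WALLETS[coin], coin


def clipboard_was_tampered(copied: str, read_back: str) -> bool:
    """Sandbox-side check: place a known wallet address on the clipboard, wait,
    read it back. Any change to a wallet-shaped string is a clipper hit."""
    return classify_wallet(copied) is not None and copied.strip() != read_back.strip()


# Constructed victim address used for the demonstration below.
VICTIM_ETH = "0x" + "ab" * 20

if __name__ == "__main__":
    swapped, coin = clipper_swap(VICTIM_ETH)
    print(coin, swapped, clipboard_was_tampered(VICTIM_ETH, swapped))
```

In a real detonation the read-back step is a clipboard read a few seconds after the write; the clipper replaces the content on the clipboard-update event, so the comparison above is the whole detection. Because the swap happens in memory on the victim host, it is invisible to network telemetry, which is why the check belongs in the sandbox or EDR rather than at the proxy.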
Gremlin stealer includes a dedicated Discord token extraction module
The first feature advertised for Gremlin Stealer is that it bypasses Chrome’s cookie v20 protection... demonstrates how it bypasses Chrome's cookie V20 protection and obtains cookie-related information.
Discovery (2 techniques)
Collection (6 techniques)
This information-stealing malware exfiltrates data from its victims and uploads this information to its web server for publication.
It can capture data from browsers, the clipboard and the local disk to steal sensitive data.
The WebSocket-based session hijacking module represents its most significant technical upgrade. This allows Gremlin stealer to hijack active, live browser sessions and bypass modern cookie protections by requesting the data directly from the running browser process.
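The reporting summarised here does not name the interface the session-hijacking module talks to. The usual WebSocket route into a running Chromium browser is its DevTools remote-debugging endpoint, which the browser only exposes when launched with a remote-debugging flag, so a practical detection is to watch for a browser being started with those flags by something other than the user. The following is an added example of that process-creation check, written for this page and not taken from any vendor rule; the DevTools assumption, the parent-process baseline, the weights and the threshold are all mine, and the events are constructed in Sysmon Event ID 1 field names.

```python
import re

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe"}
# Parents that normally start a browser; an assumed baseline to tune per estate.
EXPECTED_PARENTS = BROWSERS | {"explorer.exe"}
# Flags that open the DevTools endpoint or relax its origin check (assumption:
# this is the WebSocket interface the module uses).
DEBUG_FLAG_RE = re.compile(
    r"--remote-(?:debugging-port|debugging-pipe|allow-origins)(?:=\S*)?", re.I)
HEADLESS_RE = re.compile(r"--headless(?:=\S*)?", re.I)
# A stealer wants the user's real profile, so it points --user-data-dir at it.
REAL_PROFILE_RE = re.compile(r"--user-data-dir=.*User Data", re.I)
ALERT_THRESHOLD = 50


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: dict):
    """Score one process-creation event. Returns (score, reasons); anything at
    or above ALERT_THRESHOLD deserves a look."""
    if basename(ev["Image"]) not in BROWSERS:
        return 0, []
    cmd = ev["CommandLine"]
    flags = sorted({m.group(0).split("=")[0].lower() for m in DEBUG_FLAG_RE.finditer(cmd)})
    if not flags:
        return 0, []
    score, reasons = 30 * len(flags), list(flags)
    if HEADLESS_RE.search(cmd):
        score, reasons = score + 15, reasons + ["headless"]
    if REAL_PROFILE_RE.search(cmd):
        score, reasons = score + 15, reasons + ["real_profile_dir"]
    parent = basename(ev["ParentImage"])
    if parent not in EXPECTED_PARENTS:
        score, reasons = score + 10, reasons + [f"unexpected_parent:{parent}"]
    return score, reasons


def alerts(events):
    """Indices and scores of the events that cross the threshold."""
    return [(i, *score_event(e)) for i, e in enumerate(events)
            if score_event(e)[0] >= ALERT_THRESHOLD]


# Constructed sample events (Sysmon Event ID 1 field names).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
                    r'--remote-debugging-port=9222 --headless --remote-allow-origins=* '
                    r'--user-data-dir="C:\Users\victim\AppData\Local\Google\Chrome\User Data"',
     "ParentImage": r"C:\Users\victim\AppData\Local\Temp\updater.exe"},
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-pipe',
     "ParentImage": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe"},
]

if __name__ == "__main__":
    for idx, score, reasons in alerts(SAMPLE_EVENTS):
        print(idx, score, reasons)
```

The third sample (an editor launching Edge with a debugging pipe) scores below the threshold on purpose: developer tooling such as browser automation frameworks legitimately uses these flags, so the combination of a debugging flag, headless mode, the real profile directory and an unusual parent is what separates a stealer from a test harness. Expect to raise the parent baseline with whatever automation your estate runs.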
Command and Control (4 techniques)
The most significant technical change is where the malware stores its core configuration. Rather than embedding C2 URLs as readable strings, the authors have moved that data into the .NET resource section, scrambled with XOR encoding.
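The XOR-encoded resource described here, and the single-byte XOR recovery mentioned in the Stealth section above, can be reproduced with a few lines once the resource bytes are in hand. The following is an added example of that recovery, written for this page and not the researchers' tooling: it assumes the analyst has already extracted the .NET resource blob (for instance with dnSpy or ILSpy) and brute-forces the 256 single-byte keys, scoring each candidate by printable-ASCII ratio and the presence of a URL. The sample resource is constructed (a config string XOR'd with 0x5A so the script runs offline, using a documentation-range IP and a placeholder bot token), not a real Gremlin resource.

```python
import re
import string

PRINTABLE = set(string.printable.encode("ascii"))
# URL shape used to score candidate plaintexts; ':' is allowed in the path so a
# Telegram /bot<id>:<secret>/ path survives intact.
URL_RE = re.compile(rb"https?://[\w.\-]+(?::\d+)?/[\w./:\-]*")


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def score_candidate(plain: bytes) -> float:
    """Printable-ASCII ratio (0..1) plus a flat bonus when a URL appears."""
    ratio = sum(b in PRINTABLE for b in plain) / max(len(plain), 1)
    return ratio + (1.0 if URL_RE.search(plain) else 0.0)


def brute_force_single_byte_xor(blob: bytes):
    """Try all 256 keys and keep the best-scoring plaintext. Returns (key, plaintext)."""
    key = max(range(256), key=lambda k: score_candidate(xor_bytes(blob, k)))
    return key, xor_bytes(blob, key)


def extract_config(blob: bytes) -> dict:
    """Recover the key and pull every URL (C2, upload path, bot endpoint) out."""
    key, plain = brute_force_single_byte_xor(blob)
    return {
        "key": key,
        "plaintext": plain,
        "urls": [u.decode("ascii", "replace") for u in URL_RE.findall(plain)],
    }


# Constructed stand-in for an extracted resource. Not a real Gremlin resource:
# the IP is from the 203.0.113.0/24 documentation range and the token is a placeholder.
SAMPLE_PLAINTEXT = (b"c2=http://203.0.113.10/index.php;"
                    b"tg=https://api.telegram.org/bot000000000:EXAMPLETOKEN/sendDocument;")
SAMPLE_RESOURCE = xor_bytes(SAMPLE_PLAINTEXT, 0x5A)

if __name__ == "__main__":
    cfg = extract_config(SAMPLE_RESOURCE)
    print(f"key=0x{cfg['key']:02x}")
    for url in cfg["urls"]:
        print(url)
```

The printable-ratio score is what makes this work without knowing the key: the wrong keys turn the config into mostly non-ASCII bytes, and the right one is the only candidate that also contains a URL. For the staged-loading variants, the same routine applies to each decrypted stage, and the recovered URLs feed straight into the exfiltration hunt described earlier on this page.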
Figure 19 shows a TCP stream of an HTTP POST request that Gremlin Stealer makes when sending stolen information to its server.
Recent activity
Credential-stealing malware sold on underground forums that targets web browsers, clipboard contents, local storage, payment card details, browser cookies, session tokens, cryptocurrency wallet data, FTP and VPN credentials, and Discord tokens. It exfiltrates stolen data in a ZIP archive to an attacker-controlled web panel and includes a clipboard hijacker to swap cryptocurrency wallet addresses.
Infostealer malware focused on stealing sensitive data including browser cookies, payment details, cryptocurrency wallets, and VPN credentials, then packaging the stolen information into archives for exfiltration to attacker-controlled infrastructure. It uses advanced obfuscation and anti-analysis techniques to evade detection.
Gremlin Stealer is an information-stealing malware family that harvests browser cookies, session tokens, clipboard contents, cryptocurrency wallet data, and FTP/VPN credentials, then exfiltrates the data to attacker-controlled infrastructure. The latest variants add Discord token theft, WebSocket-based browser session hijacking, clipboard wallet replacement for cryptocurrency theft, staged loading from .NET resources, XOR-obfuscated payloads, and heavy anti-analysis protections including packing, identifier renaming, string encryption, and control-flow obfuscation.