{
	"id": "23876668-548b-4059-aa08-5423f9e6b313",
	"created_at": "2026-04-06T00:11:16.594153Z",
	"updated_at": "2026-04-10T03:36:47.65234Z",
	"deleted_at": null,
	"sha1_hash": "19d3073e1c841388417a4d8f73c88075508df484",
	"title": "Gremlin Stealer: New Stealer on Sale in Underground Forum",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2487699,
	"plain_text": "Gremlin Stealer: New Stealer on Sale in Underground Forum\r\nBy Pranay Kumar Chhaparwal, Benjamin Chang\r\nPublished: 2025-04-29 · Archived: 2026-04-05 16:21:57 UTC\r\nExecutive Summary\r\nUnit 42 researchers have identified information-stealing malware written in C#, called Gremlin Stealer. This\r\nmalware appears to be a variant of Sharp Stealer, displaying a code base strikingly similar to Hannibal Stealer.\r\nThis stealer’s seller has actively advertised it on a Telegram group since mid-March 2025.\r\nThis information-stealing malware exfiltrates data from its victims and uploads this information to its web server\r\nfor publication. It can capture data from browsers, the clipboard and the local disk to steal sensitive data such as\r\ncredit card details, browser cookies, crypto wallet information, File Transfer Protocol (FTP) and virtual private\r\nnetwork (VPN) credentials.\r\nPalo Alto Networks customers are better protected from Gremlin Stealer through our Network Security solutions\r\nand Cortex line of products, including Cortex XDR and XSIAM, Advanced WildFire, Advanced Threat\r\nPrevention, Advanced URL Filtering and Advanced DNS Security.\r\nIf you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response\r\nteam.\r\nMalware Advertisement\r\nGremlin Stealer’s authors predominantly distribute it through a Telegram channel named CoderSharp. Gremlin\r\nStealer has a code layout comparable to Hannibal Stealer, which is reportedly a variant of Sharp Stealer. This\r\nmalware is undergoing active development.\r\nSales and Feature Advertisement on Telegram\r\nThe description of Gremlin Stealer asserts that the malware can steal data from a wide range of software. Figure 1\r\nshows a Telegram post advertising Gremlin Stealer.\r\nhttps://unit42.paloaltonetworks.com/new-malware-gremlin-stealer-for-sale-on-telegram/\r\nPage 1 of 12\n\nFigure 1. 
Telegram post advertising Gremlin Stealer.\r\nPublished Stolen Data\r\nThe group behind Gremlin Stealer claims to have uploaded vast amounts of data from its victims' machines to its\r\nserver at 207.244.199[.]46. We assess this server is a configurable portal that comes with the sale of the malware.\r\nFigure 2 shows a screenshot of Gremlin Stealer’s website login page.\r\nFigure 2. Gremlin Stealer login page.\r\nThe Gremlin Stealer website currently displays 14 files. The authors of the website describe these files as ZIP\r\narchives of stolen data from victims' machines, with options to delete or download the archives.\r\nAs indicated by the timestamps in Figure 3, Gremlin Stealer has been active since March 2025.\r\nFigure 3. Gremlin Stealer site showing entries for stolen victim data.\r\nThe web interface shown in Figure 3 also demonstrates the user interface of the backend infrastructure that comes\r\nwith the purchase of this malware.\r\nTechnical Analysis\r\nWe have monitored Gremlin Stealer since we initially discovered it in March 2025. 
The functions of this stealer\r\nfrom Figure 1 are listed below.\r\nStealer functions\r\nBasic features include:\r\nBypassing Chrome cookie V20 protection\r\nIts build process does not download anything from the internet\r\nStealing functionality targets the following:\r\nPopular browsers (e.g., cookies, passwords, cards, forms)\r\nPopular cryptocurrencies\r\nClipboard data\r\nFTP services\r\nSteam (token and session data)\r\nPopular VPN services\r\nTelegram session data\r\nDiscord tokens (spot search by browsers)\r\nScreenshots\r\nSpecified information from victim PC (e.g., BSID, HVID, RAM, CPU, GPU and IP address)\r\nBypass Chrome Cookie V20 Protection\r\nThe first feature advertised for Gremlin Stealer is that it bypasses Chrome’s cookie v20 protection. Figure 4 shows\r\ncode snippets from a Gremlin Stealer sample viewed in dnSpy.\r\nFigure 4. GetCookies function from a Gremlin Stealer sample shown in dnSpy.\r\nThis view shows the GetCookies function under a V20Collect class, which demonstrates how it bypasses\r\nChrome's cookie V20 protection and obtains cookie-related information. This is a common technique that has\r\nbeen used by many information stealers. Google made changes to prevent the use of this technique, as detailed in\r\nthe post, “Changes to remote debugging switches to improve security.”\r\nBelow, Figure 5 shows the writteCookieToFile function that writes stolen information into a text file under the\r\nLOCAL_APP_DATA folder for uploading to Gremlin's server. The text file contains the associated domain, name,\r\nvalue, path and expiration date for each of the cookies.\r\nFigure 5. 
GetCookies function from a Gremlin Stealer sample in dnSpy.\r\nSupport for Chromium and Gecko Browsers\r\nGremlin Stealer checks for cookies and saved passwords from an extensive list of Chromium- and Gecko-based\r\nbrowsers and writes them into a file to be exfiltrated later.\r\nBelow, Figure 6 shows a code snippet from the ChromiumBrowsers function with a list of Chromium-based\r\nbrowsers it steals from. A RunBrowserv20 function is also called to handle newer cookie encryption called \"v20\"\r\nin Chromium-based browsers. There is also an equivalent function built to handle a list of Gecko-based browsers.\r\nFigure 6. ChromiumBrowsers function.\r\nCryptocurrency Wallet Stealer\r\nFigure 7 shows that Gremlin Stealer checks for various cryptocurrency wallets and steals files from each directory.\r\nFigure 7. List of cryptocurrency wallets targeted by Gremlin Stealer.\r\nTaking Litecoin as an example, Gremlin Stealer checks for a related registry entry. If found, it copies the\r\nwallet.dat file to a temporary directory, as illustrated in Figure 8 below.\r\nFigure 8. Gremlin Stealer's Litecoin wallet stealing function.\r\nAs Figure 9 shows, Gremlin Stealer searches for files containing a list of domains associated with each\r\ncryptocurrency in specific folders and then duplicates these files for later exfiltration. It also creates a hash list\r\nrepresenting the data to be exported.\r\nFigure 9. Cryptocurrency-related domains that Gremlin Stealer searches for.\r\nFTP Credentials\r\nGremlin Stealer attempts to steal FTP usernames and passwords. Figure 10 shows a decompiled code snippet for\r\nthe TotalCommander FTP credential-stealing function.\r\nFigure 10. 
Gremlin Stealer code snippet for copying TotalCommander files.\r\nVPN Credentials\r\nGremlin Stealer also obtains username, password and configuration files from popular VPN clients. Figure 11\r\nshows a code snippet of the VPN stealing function.\r\nFigure 11. Gremlin Stealer code snippet for stealing VPN data.\r\nTelegram and Discord Sessions\r\nGremlin Stealer also targets data and session information from Telegram and Discord to upload to its configured\r\nserver.\r\nFigures 12 and 13 show code snippets for stealing information from Telegram and Discord.\r\nFigure 12. Gremlin Stealer code snippet for Telegram data stealing function.\r\nFigure 13. Gremlin Stealer code snippet for Discord sessions stealing function.\r\nSystem Information\r\nGremlin Stealer creates a text file that contains system information (e.g., PC username, clipboard data, processor\r\ninformation and hardware ID), as shown below in Figure 14.\r\nFigure 14. Gremlin Stealer code snippet for system information stealing function.\r\nCredit Card Information Stealing\r\nThis malware also steals credit card information and sends the data to its server. Figure 15 shows a code snippet of\r\nGremlin Stealer's function to steal credit card information.\r\nFigure 15. 
Gremlin Stealer code snippet for the function to steal credit card information.\r\nUploading the Victim’s Files to Gremlin Stealer's Server\r\nFigure 16 shows that Gremlin Stealer creates a folder under LOCAL_APP_DATA to store the following in plain\r\ntext files:\r\nSaved passwords\r\nCookies\r\nAutofill data\r\nScreenshots\r\nSystem information\r\nDiscord sessions\r\nTelegram sessions\r\nFTP and VPN credentials\r\nCryptocurrency wallets data\r\nFigure 16. Gremlin Stealer sends all stolen data to a private server.\r\nThese texts are gathered into a ZIP archive, which is sent to its server through the URL\r\nhxxp[:]//207.244.199[.]46/index.php, shown in Figure 17.\r\nFigure 17. Code snippet with URL for Gremlin Stealer server.\r\nGremlin Stealer sends this data using the Telegram bot shown in Figure 18. It uploads the stolen data to the server\r\nusing a hard-coded Telegram API key.\r\nFigure 18. Gremlin Stealer code snippet with URL for Telegram bot.\r\nFigure 19 shows a TCP stream of an HTTP POST request that Gremlin Stealer makes when sending stolen\r\ninformation to its server. It sends the information as a ZIP archive that contains all the data stolen from the\r\nvictim's Windows host.\r\nFigure 19. TCP stream of an HTTP POST request for a ZIP archive being uploaded to the Gremlin\r\nStealer server.\r\nConclusion\r\nGremlin Stealer is new malware that has been active since March 2025. This malware searches for a variety of\r\napplications on a victim's Windows computer, and our code analysis confirms the specific applications targeted.\r\nStealers of this type are well-known entities in the threat landscape, and there are many approaches to protecting\r\ncustomers from these evolving attacks. 
Palo Alto Networks diligently monitors these campaigns, utilizing a range\r\nof static and dynamic techniques to detect and prevent them.\r\nThese methods include dynamic and behavioral detections, as well as more reactive signature or pattern-based\r\nsolutions.\r\nPalo Alto Networks Protection and Mitigation\r\nPalo Alto Networks customers are better protected from the threats discussed above through the following\r\nproducts:\r\nThe Advanced WildFire machine-learning models and analysis techniques have been reviewed and updated\r\nin light of the IoCs shared in this research.\r\nAdvanced URL Filtering and Advanced DNS Security identify known domains and URLs associated with\r\nthis activity as malicious.\r\nAdvanced Threat Prevention has an inbuilt machine learning-based detection that can detect exploits in real\r\ntime.\r\nCortex XDR and XSIAM are designed to:\r\nPrevent the execution of known malicious malware, and also prevent the execution of unknown\r\nmalware using Behavioral Threat Protection and machine learning based on the Local Analysis\r\nmodule.\r\nProtect against credential gathering tools and techniques using the new Credential Gathering\r\nProtection available from Cortex XDR 3.4.\r\nDetect post-exploit activity, including credential-based attacks, with behavioral analytics, through\r\nCortex XDR Pro.\r\nIf you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident\r\nResponse team or call:\r\nNorth America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)\r\nUK: +44.20.3743.3660\r\nEurope and Middle East: +31.20.299.3130\r\nAsia: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nAustralia: +61.2.4062.7950\r\nIndia: 00080005045107\r\nPalo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. 
CTA\r\nmembers use this intelligence to rapidly deploy protections to their customers and to systematically disrupt\r\nmalicious cyber actors. Learn more about the Cyber Threat Alliance.\r\nIndicators of Compromise\r\nSHA256 hash of the Gremlin Stealer sample analyzed for this article:\r\nd1ea7576611623c6a4ad1990ffed562e8981a3aa209717065eddc5be37a76132\r\nURLs:\r\nhxxp[:]//207.244.199[.]46/index.php\r\nUpdated May 9, 2025, at 10:05 a.m. PT to note Gremlin Stealer's similarities to other stealers.\r\nSource: https://unit42.paloaltonetworks.com/new-malware-gremlin-stealer-for-sale-on-telegram/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/new-malware-gremlin-stealer-for-sale-on-telegram/"
	],
	"report_names": [
		"new-malware-gremlin-stealer-for-sale-on-telegram"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434276,
	"ts_updated_at": 1775792207,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/19d3073e1c841388417a4d8f73c88075508df484.pdf",
		"text": "https://archive.orkl.eu/19d3073e1c841388417a4d8f73c88075508df484.txt",
		"img": "https://archive.orkl.eu/19d3073e1c841388417a4d8f73c88075508df484.jpg"
	}
}