Gremlin Stealer Malware Evolves with Resource‑File Obfuscation, Targeting Payment Data and Credentials
What Happened – Gremlin Stealer’s latest variant embeds its malicious payload inside benign‑looking resource files and runs it on a custom virtual machine created by a commercial packer. The technique defeats static analysis and evades many traditional AV detections.
Why It Matters for TPRM –
- The malware harvests payment‑card numbers, browser cookies, session tokens, cryptocurrency wallets, and VPN/FTP credentials – data that third‑party vendors often process on behalf of clients.
- Its new anti‑analysis layer reduces the effectiveness of existing endpoint‑security controls, increasing the risk of undetected compromise across supply‑chain environments.
- Exfiltration to a previously unknown command‑and‑control site (194.87.92.109) shows the threat actor’s ability to quickly spin up fresh infrastructure, complicating block‑list defenses.
Who Is Affected – Financial services, payment processors, cryptocurrency platforms, SaaS providers handling browser‑based authentication, and any organization that stores or transmits payment‑card or credential data on employee workstations.
Recommended Actions –
- Review endpoint‑security controls for anti‑VM and anti‑packer capabilities; consider solutions that inspect embedded resources.
- Validate that third‑party vendors employ up‑to‑date malware‑blocking stacks (e.g., advanced WildFire, Cortex XDR).
- Enforce least‑privilege access to browsers, clipboard, and credential stores; monitor outbound traffic to unknown IPs.
Technical Notes – The variant uses instruction virtualization: original code is transformed into a proprietary bytecode executed by a private VM, making signature‑based detection difficult. Payloads are hidden in PE resource sections and are unpacked at runtime. Exfiltration occurs via HTTPS to a new site (hxxp://194.87.92.109) with zero detections on VirusTotal at time of writing.
Source: Palo Alto Unit 42 – Gremlin Stealer Evolution
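One way to act on the "inspect embedded resources" recommendation and the resource-section note above is an entropy triage check over the PE section table. The Python below is an added example, not Unit 42's or Palo Alto's code: it parses the section table with the standard library, flags a `.rsrc` section that is both near-random and most of the file, and exercises the check on two constructed, non-loadable test images (a string-table-like resource vs. a pseudo-random blob standing in for a packed payload); the thresholds (7.2 bits/byte, 50% of file bytes) are assumed starting points, not values from the report.

```python
import hashlib
import math
import struct
from collections import Counter
SECTION_HDR_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER layout (stdlib only; no pefile needed)
SECTION_HDR_SIZE = struct.calcsize(SECTION_HDR_FMT)  # 40 bytes

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4-5 for strings/icons, close to 8.0 for encrypted or compressed blobs."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def parse_sections(pe: bytes):
    """Walk the PE section table and yield (name, raw_bytes) for each section."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    num_sections, _, _, _, opt_size = struct.unpack_from("<HIIIH", pe, coff + 2)
    table = coff + 20 + opt_size  # section headers follow the COFF + optional headers
    for i in range(num_sections):
        f = struct.unpack_from(SECTION_HDR_FMT, pe, table + i * SECTION_HDR_SIZE)
        name = f[0].rstrip(b"\0").decode("ascii", "replace")
        yield name, pe[f[4]:f[4] + f[3]]  # f[4] = PointerToRawData, f[3] = SizeOfRawData

def suspicious_resource_sections(pe: bytes, min_entropy=7.2, min_share=0.5):
    """Triage heuristic: .rsrc that is near-random AND dominates the file (compressed icons can trip it)."""
    sections = list(parse_sections(pe))
    total = sum(len(raw) for _, raw in sections) or 1
    hits = []
    for name, raw in sections:
        ent, share = shannon_entropy(raw), len(raw) / total
        if name.lower() == ".rsrc" and ent >= min_entropy and share >= min_share:
            hits.append({"section": name, "entropy": round(ent, 2), "share": round(share, 2)})
    return hits

def build_test_pe(rsrc: bytes, text: bytes = b"\xc3" * 512) -> bytes:
    """Constructed minimal two-section PE (zeroed optional header) for offline tests only."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                       # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)
    data_start = 64 + 24 + 224 + 2 * SECTION_HDR_SIZE                       # = 392
    def hdr(name, raw, ptr, chars):
        return struct.pack(SECTION_HDR_FMT, name, len(raw), ptr, len(raw), ptr, 0, 0, 0, 0, chars)
    text_hdr = hdr(b".text", text, data_start, 0x60000020)
    rsrc_hdr = hdr(b".rsrc", rsrc, data_start + len(text), 0x40000040)
    return dos + coff + b"\0" * 224 + text_hdr + rsrc_hdr + text + rsrc

# Constructed samples: a string-table-like resource vs. a deterministic pseudo-random blob (packed payload stand-in).
BENIGN_PE = build_test_pe(b"Copyright (c) Example Corp. All rights reserved.\0" * 80)
PACKED_PE = build_test_pe(b"".join(hashlib.sha256(bytes([i])).digest() for i in range(256)))
```

Run `suspicious_resource_sections()` over both images: the benign one returns no findings, the packed one returns the `.rsrc` section with entropy near 8 bits/byte carrying about 94% of the file.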