New Gremlin Stealer Advertised on Hacker Forums Steals Credit Card Data & Login Credentials

Cybersecurity researchers have identified a new information-stealing malware called Gremlin Stealer that has been active in the wild since March 2025.

This sophisticated malware targets sensitive information including browser data, cryptocurrency wallets, and various login credentials.

First spotted being advertised on underground forums and Telegram channels, Gremlin Stealer represents a concerning development in the information theft landscape as it combines multiple stealing capabilities in a single package.


The malware operates by harvesting data from multiple sources on infected Windows machines, including popular web browsers, cryptocurrency wallets, messaging applications, and VPN services.

What makes Gremlin Stealer particularly dangerous is its ability to bypass Chrome’s cookie V20 protection – a security feature specifically designed to prevent credential theft.

The malware extracts cookies, saved passwords, autofill data, and perhaps most concerning, stored credit card information from victim machines.

Palo Alto Networks researchers identified the malware through monitoring of underground forums where it was being advertised for sale.

Unit 42, the company’s threat intelligence team, has been tracking Gremlin Stealer since March 2025 and has conducted a comprehensive technical analysis of its functions and capabilities.

Their research confirms the extensive data-stealing capabilities claimed in the advertisements.

Gremlin Stealer login page (Source – Palo Alto Networks)

After infecting a system, Gremlin Stealer creates dedicated storage locations within the LOCAL_APP_DATA folder to temporarily store stolen information as plain text files before compressing everything into a ZIP archive.

This archive is then transmitted to a command-and-control server located at 207.244.199[.]46, where attackers can access victim data through a web interface.

The Gremlin Stealer login page shows how conveniently attackers can manage and download the stolen information.

The impact of this malware could be severe for victims, as compromised credentials can lead to account takeovers, financial fraud, and identity theft.

The targeted theft of cryptocurrency wallet data also points to financial motivation behind the malware’s distribution, potentially leading to direct monetary losses for affected users.

Technical Analysis of Credential and Credit Card Theft Mechanism

The most concerning aspect of Gremlin Stealer is its sophisticated method for extracting sensitive financial information.

GetCookies function from a Gremlin Stealer sample shown in dnSpy (Source – Palo Alto Networks)

The malware’s code reveals how it bypasses Chrome’s cookie V20 protection through a GetCookies function that leverages WebSocket connections.

This function opens a WebSocket connection and sends the Chrome DevTools Protocol message {"id": 1, "method": "Network.getAllCookies"}, which returns every stored cookie; the results are then written to a text file containing each cookie's domain, name, value, path, and expiration.

For credit card data theft, Gremlin Stealer employs specialized functions that target stored payment information across multiple browsers.

Gremlin Stealer code snippet for the function to steal credit card information (Source – Palo Alto Networks)

The malware includes specific code for decrypting and extracting credit card details.

Once collected, this financial information is packaged with the other stolen data and transmitted to the attacker's server via an HTTP POST request; the network traffic capture shows the stolen data being uploaded.
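As an added detection example (not code from the article or from Unit 42), the following Python hunt correlates the three stages described above across constructed endpoint telemetry: the DevTools cookie-dump message, a ZIP staged under the local AppData folder, and an HTTP POST to the C2 address reported in the article. The event format, process names and the second destination address are assumptions.

```python
import json
import re

# Indicators taken from the report summarised above.
C2_IP = "207.244.199.46"                    # exfiltration server (defanged in the article)
CDP_COOKIE_DUMP = "Network.getAllCookies"   # DevTools command sent by GetCookies
# ZIP written anywhere below the user's local AppData folder (the LOCAL_APP_DATA staging area).
STAGING_ZIP = re.compile(r"\\AppData\\Local\\.*\.zip$", re.IGNORECASE)

# Constructed sample telemetry (hypothetical EDR-style events, not real logs).
SAMPLE_EVENTS = [
    {"ts": 1, "type": "ws_send", "proc": "updater.exe",
     "payload": '{"id": 1, "method": "Network.getAllCookies"}'},
    {"ts": 2, "type": "file_create", "proc": "updater.exe",
     "path": r"C:\Users\bob\AppData\Local\tmp\cookies.txt"},
    {"ts": 3, "type": "file_create", "proc": "updater.exe",
     "path": r"C:\Users\bob\AppData\Local\tmp\out.zip"},
    {"ts": 4, "type": "http_post", "proc": "updater.exe",
     "dst": "207.244.199.46", "bytes": 48213},
    {"ts": 5, "type": "http_post", "proc": "chrome.exe",
     "dst": "203.0.113.10", "bytes": 1200},   # benign traffic, documentation address
]


def classify(event):
    """Map one event to a Gremlin Stealer stage name, or None if it matches nothing."""
    kind = event["type"]
    if kind == "ws_send":
        try:
            msg = json.loads(event["payload"])
        except ValueError:
            return None                      # not JSON, so not a DevTools request
        if isinstance(msg, dict) and msg.get("method") == CDP_COOKIE_DUMP:
            return "cookie_dump_via_devtools"
    elif kind == "file_create" and STAGING_ZIP.search(event["path"]):
        return "zip_staged_in_local_appdata"
    elif kind == "http_post" and event["dst"] == C2_IP:
        return "post_to_known_c2"
    return None


def hunt(events):
    """Return {process: sorted stages} for processes that hit two or more stages,
    or the known-C2 indicator alone, which is conclusive by itself."""
    stages = {}
    for ev in events:
        stage = classify(ev)
        if stage:
            stages.setdefault(ev["proc"], set()).add(stage)
    return {p: sorted(s) for p, s in stages.items()
            if len(s) >= 2 or "post_to_known_c2" in s}


if __name__ == "__main__":
    for proc, hits in hunt(SAMPLE_EVENTS).items():
        print(f"{proc}: {', '.join(hits)}")
```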

The malware’s efficiency extends to its ability to target multiple applications simultaneously. It checks for an extensive list of Chromium and Gecko-based browsers, searches for specific cryptocurrency wallet files, and extracts configuration data from various FTP clients and VPN services.

This comprehensive approach ensures that virtually no valuable credential or financial information escapes theft once a system is compromised.

Customers protected by advanced security solutions like those from Palo Alto Networks can benefit from behavioral detection capabilities that identify and block such information-stealing malware before it can exfiltrate sensitive data.


Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.