
Gremlin Stealer login page | Image: Unit 42
Researchers at Palo Alto Networks’ Unit 42 have detailed a new, actively developed malware strain dubbed Gremlin Stealer, a C#-based infostealer that has gained traction quickly since it first appeared in March 2025. The malware, promoted and distributed through a Telegram group called CoderSharp, is built to extract a wide range of sensitive information from compromised Windows systems.
“Gremlin Stealer exfiltrates data from its victims and uploads this information to its web server for publication,” Unit 42 explains.
Unlike many infostealers that target a few data types, Gremlin Stealer casts a wide net. Its capabilities include stealing:
- Browser data (cookies, saved passwords, autofill forms, credit card data)
- Clipboard contents
- Cryptocurrency wallet files (e.g., Litecoin’s wallet.dat)
- VPN and FTP credentials
- Session data from Telegram, Discord, and Steam
- System information (RAM, CPU, GPU, hardware ID, IP address)
- Screenshots of user activity
“The malware can steal data from a wide range of software,” Unit 42 emphasized, noting support for both Chromium- and Gecko-based browsers.
One of Gremlin Stealer’s most potent features is its ability to bypass Google Chrome’s V20 cookie protection, a safeguard designed to prevent unauthorized cookie extraction. Using its V20Collect and GetCookies functions, the malware scrapes cookie data and stores it in plaintext under LOCAL_APP_DATA, as shown in the report’s dnSpy screenshots.
“This is a common technique that has been used by many information stealers,” the researchers noted, despite Google’s updates to the Chrome browser intended to block this method.
Gremlin Stealer scours the local file system and Windows Registry for crypto wallet data, including wallets for Litecoin, Bitcoin, Monero, and others. When it finds them, it copies the key wallet files to a temporary directory for later exfiltration.
“Gremlin Stealer checks for various cryptocurrency wallets and steals files from each directory,” including files associated with specific crypto-related domain names.
After gathering all stolen data into ZIP archives, Gremlin Stealer sends it to a command-and-control (C2) server hosted at 207.244.199[.]46, and also uploads the data using a Telegram bot embedded with a hardcoded API key.
“The Gremlin Stealer website currently displays 14 files… described as ZIP archives of stolen data,” the report details, referring to the malware’s backend web portal.
The malware’s web interface includes options to download or delete stolen victim files, hinting at potential service offerings such as cybercrime-as-a-service or affiliate resale models.
Despite being relatively new, Gremlin Stealer demonstrates a high level of polish. It doesn’t require external downloads during execution, a tactic that helps it avoid detection, and its modular code shows clear signs of ongoing development.
“Its build process does not download anything from the internet,” the report notes, a detail that makes Gremlin Stealer especially stealthy.
This self-contained design—along with frequent feature updates posted to Telegram—indicates a malware author who is both capable and active in refining their toolset.
As with other infostealers, prevention hinges on multi-layered defense strategies. Palo Alto Networks emphasizes the use of both dynamic behavioral analysis and payload-based signatures to detect and block such threats. Organizations are advised to:
- Monitor for anomalous outbound connections
- Block known C2 infrastructure
- Educate users about malicious attachments or links
- Harden browser and system configurations
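The first two recommendations map directly onto the exfiltration paths the report describes: traffic to the reported C2 address and uploads through a Telegram bot. The following detection pass, added here as an example and not taken from the Unit 42 report, runs over constructed outbound proxy log lines in an assumed `timestamp src dst host method path` layout and flags both; the Bot API host `api.telegram.org` is the public Telegram endpoint, and the bot id and token in the sample lines are made up.

```python
import re
from dataclasses import dataclass

# C2 address reported by Unit 42 for Gremlin Stealer (defanged in the article as 207.244.199[.]46).
GREMLIN_C2 = "207.244.199.46"
# Public Telegram Bot API host; bot-based uploads from a workstation are the signal of interest.
TELEGRAM_BOT_API = "api.telegram.org"
# Bot API methods that carry data out (a ZIP archive would go via sendDocument).
UPLOAD_METHODS = ("sendDocument", "sendMessage")

# Constructed sample log lines (assumed layout: ts src dst host method path); bot id/token are fake.
SAMPLE_LOG = """\
2025-04-02T10:01:03Z 10.0.0.15 142.250.74.46 www.google.com GET /
2025-04-02T10:02:11Z 10.0.0.15 207.244.199.46 - POST /upload
2025-04-02T10:02:40Z 10.0.0.15 149.154.167.220 api.telegram.org POST /bot123456:ABCDEF/sendDocument
2025-04-02T10:05:00Z 10.0.0.22 149.154.167.220 api.telegram.org GET /bot123456:ABCDEF/getUpdates
"""

# Bot API paths look like /bot<bot_id>:<secret>/<method>; only the numeric bot id is kept in findings.
BOT_PATH = re.compile(r"^/bot(\d+):[A-Za-z0-9_-]+/(\w+)$")


@dataclass
class Finding:
    ts: str
    src: str
    reason: str


def scan_lines(lines):
    """Return a Finding for every line that matches one of the two exfiltration paths."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) != 6:
            continue  # tolerate malformed lines instead of aborting the whole pass
        ts, src, dst, host, method, path = parts
        if dst == GREMLIN_C2:
            findings.append(Finding(ts, src, f"traffic to reported Gremlin Stealer C2 {dst}"))
            continue
        m = BOT_PATH.match(path)
        if host == TELEGRAM_BOT_API and method == "POST" and m and m.group(2) in UPLOAD_METHODS:
            findings.append(Finding(ts, src, f"Telegram Bot API upload ({m.group(2)}) by bot id {m.group(1)}"))
    return findings


def scan_text(text):
    return scan_lines(text.splitlines())


if __name__ == "__main__":
    for f in scan_text(SAMPLE_LOG):
        print(f.ts, f.src, f.reason)
```

The polling call (`getUpdates`) on the last sample line is deliberately not flagged, so legitimate bot traffic that only reads messages does not generate noise.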
“There are many approaches to protecting customers from these evolving attacks,” Unit 42 concludes, referencing Palo Alto’s multi-faceted detection technologies.