Information stealers are no longer just basic, entry-level scripts designed to lift saved passwords from standard browser configurations. They have evolved into highly complex, memory-resident threats engineered to bypass modern endpoint controls and target authentication states directly.
A technical advisory published by the threat research team at Palo Alto Networks’ Unit 42 has exposed the inner workings of the latest variant of Gremlin stealer. The analysis reveals an aggressive technical evolution, showing how the malware has shifted from static database looting to active session hijacking and advanced defense evasion.
As Unit 42 emphasizes in the executive summary of its report:
“Gremlin stealer siphons sensitive information from compromised systems and exfiltrates it to attacker-controlled servers for potential publication or sale. It targets web browsers, system clipboard and local storage to exfiltrate sensitive information…”
Historically, infostealers harvested credentials by reading the SQLite databases (saved logins, cookies) that browsers leave on disk and decrypting them with a key recoverable from the logged-on user's context. The widespread adoption of application-bound encryption (Chrome's App-Bound Encryption is the prominent example), which ties the decryption key to the browser's own process context rather than to the user account, together with stricter local access control lists (ACLs) on the browser's profile directory, has forced malware authors to alter their strategy.
The newest generation of Gremlin sidesteps on-disk database protections by going after the browser while it is running, where the same data already sits decrypted in process memory. Unit 42's deep dive confirms that the malware now focuses heavily on capturing active session tokens directly out of volatile RAM:
“By transitioning from a simple data exfiltration tool to a more advanced modular stealer, Gremlin now targets Chromium-based browsers. It uses memory-resident techniques to hijack active session tokens and sensitive data directly from running processes, rather than relying solely on static database files.”
By lifting live session tokens out of memory, the malware lets attackers skip authentication altogether, multi-factor authentication (MFA) included: the token is proof of a login that has already happened. Once the stolen tokens are imported into an attacker-controlled browser instance, the threat actor can impersonate the victim and walk into corporate environments, cloud consoles, and financial platforms for as long as the session stays valid. That is why response to an infostealer infection has to include revoking the victim's active sessions, not only resetting the password.
The modular design of the updated Gremlin implant introduces multiple dedicated sub-modules engineered to aggressively monetize an infected endpoint, specifically targeting modern communication frameworks and cryptocurrency assets.
- Targeting Communication Hubs: The malware incorporates a specialized module built exclusively to scan and extract access tokens from chat platforms. As Unit 42 records, “This threat’s scope has broadened, as evidenced by a dedicated Discord token stealer. This module scans multiple paths and uses regex validation to compromise modern communication platforms.”
- Monetizing the Clipboard: In addition to collecting tokens, the malware places a persistent observer on the system clipboard to facilitate automated financial theft. The researchers write, “The malware’s author has also added a clipboard hijacker. This new monetization feature enables persistent financial fraud. It continuously monitors the clipboard, replacing cryptocurrency wallet addresses with attacker-controlled ones.”
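To make the clipboard-hijacking mechanic concrete, the following is an added illustration in C, not Gremlin's code and not taken from the Unit 42 report. It simulates the two halves of the problem on plain strings (nothing here touches a real clipboard): a clipper that only swaps content when it looks like a wallet address, and keeps the same address format so the victim sees nothing unusual, and the defender-side check that actually catches it, comparing what was copied with what is about to be pasted. The address formats, the attacker "replacement" addresses, and the sample addresses are all constructed placeholders; the format checks are deliberately shape-only (no checksum), which is also how cheap clippers tend to match.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Wallet-address shapes a clipper looks for (constructed, shape-only rules). */
typedef enum { ADDR_NONE, ADDR_BTC_LEGACY, ADDR_BTC_BECH32, ADDR_ETH } addr_kind;

static int all_hex(const char *s) {
    for (; *s; s++) if (!isxdigit((unsigned char)*s)) return 0;
    return 1;
}
static int all_base58(const char *s) {
    for (; *s; s++) {
        if (!isalnum((unsigned char)*s)) return 0;
        if (strchr("0OIl", *s)) return 0;      /* characters excluded from base58 */
    }
    return 1;
}
static int all_bech32(const char *s) {
    /* bech32 data part: 32-char lowercase alphabet without 1, b, i, o */
    for (; *s; s++) if (!strchr("qpzry9x8gf2tvdw0s3jn54khce6mua7l", *s)) return 0;
    return 1;
}

/* Classify a clipboard string by address format (length + alphabet only). */
addr_kind classify_wallet(const char *s) {
    size_t n = strlen(s);
    if (n == 42 && s[0] == '0' && s[1] == 'x' && all_hex(s + 2))               return ADDR_ETH;
    if (n >= 42 && n <= 62 && strncmp(s, "bc1", 3) == 0 && all_bech32(s + 3))  return ADDR_BTC_BECH32;
    if (n >= 26 && n <= 35 && (s[0] == '1' || s[0] == '3') && all_base58(s))   return ADDR_BTC_LEGACY;
    return ADDR_NONE;
}

/* Attacker-controlled replacements, one per format, so the swap keeps the
   shape the victim expects. Constructed placeholders, not real addresses. */
static const char *attacker_addr(addr_kind k) {
    switch (k) {
    case ADDR_ETH:        return "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
    case ADDR_BTC_BECH32: return "bc1qzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz";
    case ADDR_BTC_LEGACY: return "1ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ";
    default:              return NULL;
    }
}

/* What a clipper does on every clipboard change: swap only when the content
   looks like a wallet address, pass everything else through untouched so the
   user notices nothing. Returns the content the victim will actually paste. */
const char *clipper_on_change(const char *clipboard) {
    const char *swap = attacker_addr(classify_wallet(clipboard));
    return swap ? swap : clipboard;
}

/* Defender-side check. The pasted value alone looks perfectly valid; a swap
   is only visible by comparing it with what the user originally copied.
   Returns 1 when an address was replaced. */
int clipboard_swap_detected(const char *copied, const char *pasted) {
    return classify_wallet(copied) != ADDR_NONE && strcmp(copied, pasted) != 0;
}

int main(void) {
    /* Constructed victim address: "0x" followed by forty hex digits. */
    const char *copied = "0x1111111111111111111111111111111111111111";
    const char *pasted = clipper_on_change(copied);
    printf("copied: %s\npasted: %s\nswapped: %d\n",
           copied, pasted, clipboard_swap_detected(copied, pasted));
    return 0;
}
```

The practical takeaway is the comparison in `clipboard_swap_detected`: a wallet application that makes the user re-read the pasted address against the one they intended to send to is performing exactly this check by hand, and it is the only check that works, because the swapped-in address is syntactically indistinguishable from a legitimate one.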
To shield its new capabilities from static signature detection and automated reverse engineering, Gremlin relies heavily on code obfuscation. The latest builds lean in particular on a technique known as control flow flattening.
The technique does not change what the code does; it removes the structure an analyst relies on to work out what it does. Unit 42 describes the structural effect of this defense:
“Why it’s effective: It breaks the logical flow that a person would expect to see. It makes it hard to determine which path the code will actually take, even though in many cases, there’s only one real path. This significantly increases the time and effort required for reverse engineering.”
In practice, the obfuscator takes the function's natural sequence of basic blocks and drops each one into a case of a single large switch statement inside an endless loop. A state variable decides which case runs next, so the direct jumps of ordinary sequential code are replaced by an intricate web of artificial state transitions and goto-style hops through the dispatcher, significantly increasing the time an automated analyzer or individual analyst must invest to recover the original control flow. The flip side for defenders is that the dispatcher loop is itself a recognisable pattern, and tools that recover the state machine (symbolic execution, or simply tracing which state values follow which) can unflatten it.
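The shape Unit 42 describes is easiest to see side by side. Below is an added example in C, written for this article and not code from Gremlin or from the report: a small routine in its natural form, then the same routine after hand-applied control flow flattening (a dispatcher loop, one switch case per basic block, and an arbitrary numeric state variable instead of direct jumps). The routine itself and the state numbers are made up for illustration; the point is that both versions compute the same result while only the flattened one hides which block follows which.

```c
#include <stdio.h>
#include <string.h>

/* Original, readable control flow: sum the bytes of a buffer, then pick a
   result based on the parity of the sum (toy logic, constructed for the demo). */
int original(const unsigned char *buf, size_t len) {
    int sum = 0;
    for (size_t i = 0; i < len; i++)
        sum += buf[i];
    if (sum % 2 == 0)
        return sum * 3;
    return sum + 7;
}

/* The same routine after control flow flattening. Every basic block is now
   a case of one switch inside an endless loop, and the state variable "next"
   replaces the direct jumps. The loop/switch pair is the dispatcher; the
   state numbers and case order are arbitrary, as an obfuscator would choose. */
int flattened(const unsigned char *buf, size_t len) {
    int sum = 0;
    size_t i = 0;
    int result = 0;
    unsigned next = 0x2b;                 /* entry state */
    for (;;) {
        switch (next) {
        case 0x3c:                        /* even branch */
            result = sum * 3;
            next = 0xff;
            break;
        case 0x11:                        /* loop condition */
            next = (i < len) ? 0x5e : 0x07;
            break;
        case 0xff:                        /* exit block */
            return result;
        case 0x2b:                        /* entry: initialise loop counter */
            i = 0;
            next = 0x11;
            break;
        case 0x19:                        /* odd branch */
            result = sum + 7;
            next = 0xff;
            break;
        case 0x5e:                        /* loop body */
            sum += buf[i];
            i++;
            next = 0x11;
            break;
        case 0x07:                        /* branch on parity */
            next = (sum % 2 == 0) ? 0x3c : 0x19;
            break;
        default:                          /* never reached for valid states */
            return -1;
        }
    }
}

/* Flattening must preserve behaviour; this lets a reader confirm it. */
int flattening_preserves_semantics(const unsigned char *buf, size_t len) {
    return original(buf, len) == flattened(buf, len);
}

int main(void) {
    const unsigned char sample[] = "constructed input";   /* constructed sample */
    size_t len = sizeof sample - 1;
    printf("original=%d flattened=%d same=%d\n",
           original(sample, len), flattened(sample, len),
           flattening_preserves_semantics(sample, len));
    return 0;
}
```

Reading `flattened` cold, a decompiler shows seven sibling cases and a loop that never ends, and nothing in the layout says that `0x2b` runs first or that `0x5e` is the only block that touches the buffer. Reconstructing the original requires following the assignments to `next` from the entry state, which is the state-machine recovery that unflattening tools automate.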