Cybersecurity researchers have identified a new information-stealing malware called Gremlin Stealer that has been active in the wild since March 2025. First spotted being advertised on underground forums and Telegram channels, it combines several stealing capabilities in a single package. Palo Alto Networks' threat intelligence team, Unit 42, has been tracking Gremlin Stealer since March 2025 and has published a technical analysis of its functions and capabilities.

The malware harvests data from multiple sources on infected Windows machines. From web browsers it takes cookies, saved passwords, autofill data and stored credit card information; beyond the browser it targets cryptocurrency wallets, messaging applications, FTP clients and VPN services. It checks for an extensive list of Chromium- and Gecko-based browsers, searches for specific cryptocurrency wallet files, and extracts configuration data from the FTP clients and VPN services it knows about, so little valuable credential or financial information escapes once a system is compromised.

After infecting a system, Gremlin Stealer creates dedicated storage locations under the user's LOCAL_APP_DATA folder (%LOCALAPPDATA%), writes the stolen information there as plain-text files, and then compresses everything into a ZIP archive. The archive is transmitted to the attacker's server in an HTTP POST request. (The original article includes a network traffic capture of this upload.) Stolen data is then managed through a web panel; the Gremlin Stealer login page shown in the article illustrates how operators can browse and download it.

What makes Gremlin Stealer particularly dangerous is its bypass of Chrome's "v20" cookie protection, the app-bound encryption Chrome introduced so that other processes on the machine cannot decrypt its cookies. Rather than attacking the encryption, the malware drives the browser through the Chrome DevTools Protocol: the responsible function establishes a connection to the browser and sends the message {"id": 1, "method": "Network.getAllCookies"}, so the browser itself returns every stored cookie in cleartext. The cookies are written to a text file containing each cookie's domain, name, value, path and expiration.

Credit card data is handled by dedicated routines that read stored payment information from each supported browser. This, together with the targeted theft of cryptocurrency wallet data, points to a financial motive and to a risk of direct monetary loss for affected users.

Palo Alto Networks says customers of its security products are protected by behavioural detection that identifies and blocks this kind of information stealer before it can exfiltrate data.
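The DevTools Protocol cookie dump described above, as an added example that is not code from the article or from Unit 42: it builds the request the stealer sends, shows what the resulting cookie text file looks like, and runs a small behavioural detector over constructed process-creation events (Sysmon Event ID 1 style) that flags a Chromium browser started with remote-debugging flags by an unexpected parent. It assumes the stealer launches the browser with --remote-debugging-port or --remote-debugging-pipe, the documented ways to expose the protocol (the article does not name the flag); the benign-parent list, the sample events and the sample cookie reply are constructed for this example.

```python
import json

# Chromium-based browsers that expose the DevTools Protocol when started with these flags.
CHROMIUM_BINARIES = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe"}
DEBUG_FLAGS = ("--remote-debugging-port", "--remote-debugging-pipe")
# Parents that legitimately drive a debuggable browser (assumption: tune this per fleet).
BENIGN_PARENTS = {"code.exe", "node.exe", "chromedriver.exe"}


def cdp_cookie_request(msg_id: int = 1) -> str:
    """Build the DevTools Protocol message quoted in the article (Network.getAllCookies)."""
    return json.dumps({"id": msg_id, "method": "Network.getAllCookies"})


def cookies_to_lines(cdp_response: str) -> list[str]:
    """Flatten a Network.getAllCookies reply into the domain/name/value/path/expires
    rows the article says the stealer writes to its text file (-1 = session cookie)."""
    cookies = json.loads(cdp_response)["result"]["cookies"]
    return ["\t".join([c["domain"], c["name"], c["value"], c["path"],
                       str(int(c.get("expires", -1)))]) for c in cookies]


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_remote_debugging(events: list[dict]) -> list[dict]:
    """Flag browser launches that expose the DevTools Protocol from an unexpected parent.
    Events mimic Sysmon Event ID 1 fields: ProcessId, Image, ParentImage, CommandLine."""
    alerts = []
    for ev in events:
        image, parent = _basename(ev["Image"]), _basename(ev["ParentImage"])
        if image not in CHROMIUM_BINARIES:
            continue
        cmd = ev["CommandLine"]
        flags = [f for f in DEBUG_FLAGS if f in cmd]
        if not flags or parent in BENIGN_PARENTS:
            continue
        headless = "--headless" in cmd
        # Pointing --user-data-dir at the real profile lets the browser decrypt the
        # victim's own cookies for the caller; treat that as the strongest signal.
        real_profile = "--user-data-dir" in cmd and "User Data" in cmd
        severity = "high" if headless and real_profile else "medium"
        alerts.append({"pid": ev["ProcessId"], "image": image, "parent": parent,
                       "flags": flags, "headless": headless, "severity": severity})
    return alerts


# Constructed reply to the request above, shaped like a real Network.getAllCookies result.
SAMPLE_CDP_RESPONSE = json.dumps({
    "id": 1,
    "result": {"cookies": [
        {"name": "session", "value": "abc123", "domain": ".example.com", "path": "/",
         "expires": 1767225600, "httpOnly": True, "secure": True},
        {"name": "csrf", "value": "tok", "domain": "shop.example.net", "path": "/cart",
         "expires": -1, "httpOnly": False, "secure": True},
    ]},
})

# Constructed process-creation events: one stealer-style launch, one normal user launch,
# one headless launch by a known automation parent.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Users\victim\AppData\Local\Temp\update.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless '
                    r'--remote-debugging-port=9222 '
                    r'--user-data-dir="C:\Users\victim\AppData\Local\Google\Chrome\User Data"'},
    {"ProcessId": 4180, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default'},
    {"ProcessId": 4210, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Program Files\nodejs\node.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless --remote-debugging-pipe'},
]

if __name__ == "__main__":
    print("request:", cdp_cookie_request())
    print("dumped cookie rows:", *cookies_to_lines(SAMPLE_CDP_RESPONSE), sep="\n  ")
    for alert in detect_remote_debugging(SAMPLE_EVENTS):
        print("ALERT", alert)
```

The detector fires only on the first event: a browser started headless with a debugging port and pointed at the real profile by a binary in a Temp directory. Legitimate test automation (Puppeteer, Selenium, VS Code debugging) launches browsers the same way, so the allow-list of parent images is what keeps the rule usable; in production the parent check should be paired with the process's signer and path rather than its file name alone.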
This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 30 Apr 2025 11:40:11 +0000