Cyber: Essential Guide: Gremlin Stealer Evolves Into Modular Threat With Advanced Evas...

A new version of the Gremlin stealer has evolved from a basic credential harvester into a modular toolkit, according to researchers at Palo Alto Networks' Unit 42. The infostealer first emerged in April 2025; some 12 months later, recent builds have added new obfuscation techniques and new anti-analysis safeguards. Gremlin siphons sensitive information from compromised systems and exfiltrates it to attacker-controlled servers for potential publication or sale, targeting web browsers, the system clipboard and local storage.

The new variant has an increased focus on stealth and is specifically designed to evade static analysis tools, according to the research. The malware authors have moved the malicious payload into the .NET resource section and masked it with XOR encoding to bypass signature-based detection and heuristic scanning. The core architecture and the exfiltration methods, via private web panels or the Telegram Bot API, remain consistent with older versions.

The new variant exfiltrates stolen data to a newly deployed site (hxxp[:]194.87.92[.]109). What is troubling, according to Unit 42's analysis, is that when the new data publication site was discovered, VirusTotal showed zero detections for the site, its associated URLs or any retrieved artifacts: there were no block-list entries, community reports or malicious categorizations.

After data theft, the malware bundles the harvested artifacts into a ZIP archive, including:

The malware names the archive using the victim's public IP address, identifying the source, and then uploads it to the attacker-controlled site.
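The XOR-masked resource technique described above defeats signatures that look for a plaintext PE image, but a known-plaintext check still finds it. The following is an added analyst-side example, not code from Unit 42's report or from the stealer itself. It assumes (the article does not say) that the mask is a single repeating byte and that the hidden payload is a PE image, and it scans raw file bytes rather than parsing the .NET resource table, so it can be pointed at a whole dumped assembly. The sample "container" and fake PE header are constructed here for illustration.

```python
"""Locate single-byte XOR-masked PE images embedded in a file.

Added example (not Unit 42's tooling, not Gremlin's code). Assumption:
the payload is XOR-masked with one repeating byte and starts with a
standard DOS/PE header, so "MZ" plus a valid e_lfanew -> "PE\0\0" chain
identifies both the offset and the key.
"""
from __future__ import annotations

MZ = b"MZ"
PE_SIG = b"PE\x00\x00"
E_LFANEW_OFFSET = 0x3C        # DOS header field pointing at the PE signature
MAX_E_LFANEW = 0x1000         # heuristic upper bound to reject wild pointers


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (the masking step itself)."""
    table = bytes(i ^ key for i in range(256))
    return data.translate(table)


def find_xor_encoded_pe(data: bytes) -> list[tuple[int, int]]:
    """Return (offset, key) pairs where decoding with `key` yields a PE header.

    A candidate must show the DOS magic "MZ" and, at the e_lfanew pointer,
    the "PE\\0\\0" signature, so chance "MZ" collisions are discarded.
    Key 0 hits are unmasked images (including the host file at offset 0).
    """
    hits: list[tuple[int, int]] = []
    for key in range(256):
        decoded = xor_bytes(data, key)
        pos = decoded.find(MZ)
        while pos != -1:
            field = pos + E_LFANEW_OFFSET
            if field + 4 <= len(decoded):
                e_lfanew = int.from_bytes(decoded[field:field + 4], "little")
                pe_off = pos + e_lfanew
                if 0x40 <= e_lfanew <= MAX_E_LFANEW and decoded[pe_off:pe_off + 4] == PE_SIG:
                    hits.append((pos, key))
            pos = decoded.find(MZ, pos + 1)
    return hits


def extract_payload(data: bytes, offset: int, key: int) -> bytes:
    """Decode from `offset` to end of file; trim with SizeOfImage if needed."""
    return xor_bytes(data[offset:], key)


def build_fake_pe() -> bytes:
    """Constructed minimal DOS/PE header used only as sample input."""
    hdr = bytearray(0x44)
    hdr[0:2] = MZ
    hdr[E_LFANEW_OFFSET:E_LFANEW_OFFSET + 4] = (0x40).to_bytes(4, "little")
    hdr[0x40:0x44] = PE_SIG
    return bytes(hdr)


def demo() -> list[tuple[int, int]]:
    """Hide a masked fake PE inside filler bytes and recover offset and key."""
    container = b"\x00" * 16 + b"filler" + xor_bytes(build_fake_pe(), 0x5A) + b"tail"
    return find_xor_encoded_pe(container)


if __name__ == "__main__":
    for offset, key in demo():
        print(f"masked PE at offset {offset:#x}, key {key:#04x}")
```

Run it against a dumped assembly (`find_xor_encoded_pe(open(path, "rb").read())`) to get candidate offsets; a multi-byte or rolling key would need the check extended to derive one key byte per position from the known header bytes.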

Source: InfoSecurity Magazine