Unit 42: Gremlin Stealer evolved with .NET-resource XOR obfuscation, real-time crypto-clipper, and WebSocket browser-process session-hijack module [SINGLE-SOURCE]
From CTI Daily Brief — 2026-05-16 · published 2026-05-16
Palo Alto Networks Unit 42 published on 2026-05-15 an analysis of evolved variants of the Gremlin information stealer (Palo Alto Networks Unit 42, 2026-05-15). Three additions are operationally relevant to defenders whose endpoint detections were tuned on older Gremlin samples.

Obfuscation: the payload is now stored XOR-encrypted in the assembly's .NET resource section, identifiers are renamed to single or double characters, and string literals are rebuilt at runtime by a decoder method on the CLR's global <Module> type, reported in escaped form as _003CModule_003E.c() (the _003C and _003E are the encoded angle brackets of <Module>.c()). Signatures written against the plaintext strings of previous-generation Gremlin samples therefore miss these builds; static triage has to decode the resource or recover the strings through the decoder rather than grep the binary.

Crypto-clipper: a new component monitors the system clipboard and replaces any Bitcoin or Ethereum wallet address it finds with an attacker-controlled address of the same type in real time (mapped in the report to T1115, Clipboard Data). Because the substitution happens between copy and paste, the observable is the second clipboard write, not the read.

Session hijack: the most operationally interesting addition is a WebSocket-based module that reads the memory of running Chromium-based browser processes (Chrome and others) and extracts session tokens directly from the live process (T1185, Browser Session Hijacking). The at-rest encryption modern browsers apply to the on-disk cookie store (Chrome's App-Bound Encryption, for example) does not help here: the browser holds the decrypted values in memory while it runs, so a process that can read that memory gets them without ever touching the encrypted database.

Credential scope: browser cookies, session tokens, saved passwords, payment-card details, FTP and VPN credentials, Discord tokens (via a dedicated regex scanner), clipboard content, and cryptocurrency wallet files. Exfiltration is an HTTPS POST to a private web panel, with the Telegram Bot API as the secondary channel.

Detection: Sysmon Event ID 10 (ProcessAccess) where TargetImage is chrome.exe, msedge.exe or another Chromium-based browser and SourceImage is a process that has no business reading browser memory. The field to filter on is SourceImage (the process that opened the handle), not the browser's parent process, and a GrantedAccess mask that includes PROCESS_VM_READ (0x0010) is what separates memory reads from benign handle opens; browser processes open each other and security tooling opens everything, so both need an allowlist. For the clipper, watch for clipboard-listener registration from non-standard processes (the AddClipboardFormatListener / SetClipboardViewer API surface). Sysmon has no event for that registration; what it does record is Event ID 24 (ClipboardChange) with the Image that wrote the new content, so a wallet-shaped value written by a browser and replaced within a second or two by a different wallet-shaped value from another image is the practical signal.

Hardening: browser isolation for high-value sessions; clipboard-API access audited in EDR telemetry.

Single-source (Unit 42 only); flagged for verification.
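The XOR-keyed resource obfuscation described above, worked through as an added example (this is not Unit 42's tooling or Gremlin's own code): given an encrypted resource blob pulled out of the .NET assembly, recover a short repeating XOR key by using the standard Microsoft-linker DOS header as a known-plaintext crib, then confirm the result parses as a PE before trusting it. The report does not say how the key is stored or how long it is; the repeating-key model, the crib, the 7-byte key and the blob below are assumptions constructed for the demonstration, and the recovery works for any key length up to half the crib, not just the one shown.

```python
"""Recover a repeating XOR key from a resource blob and confirm it decrypts to a PE.

Added example, not Unit 42's tooling or Gremlin's code. Assumes the embedded
payload was linked by the standard Microsoft linker (so its DOS header is a
usable known-plaintext crib) and that "XOR-keyed" means a short repeating byte
key. Key length, key value and blob below are constructed for the demo.
"""
import struct
from itertools import cycle
from typing import Optional

# Standard MS-linker DOS header, offsets 0x00..0x3B (60 bytes). e_lfanew at
# 0x3C..0x3F differs per binary and is deliberately excluded from the crib.
DOS_HEADER_CRIB = bytes.fromhex(
    "4D5A90000300000004000000FFFF0000"
    "B8000000000000004000000000000000"
) + bytes(28)

# Each key slot must be confirmed by at least two crib positions, so the
# longest key accepted is half the crib length.
MAX_KEY_LEN = len(DOS_HEADER_CRIB) // 2


def xor_bytes(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_xor_key(blob: bytes, crib: bytes = DOS_HEADER_CRIB) -> Optional[bytes]:
    """Shortest repeating key for which blob XOR key reproduces the crib, else None."""
    if len(blob) < len(crib):
        return None
    for klen in range(1, MAX_KEY_LEN + 1):
        key: list = [None] * klen
        for off, plain in enumerate(crib):
            k = blob[off] ^ plain
            if key[off % klen] is None:
                key[off % klen] = k
            elif key[off % klen] != k:
                break  # this length is inconsistent with the crib
        else:
            return bytes(key)  # every slot was seen at least twice and all agreed
    return None


def looks_like_pe(data: bytes) -> bool:
    """Independent check on the plaintext: MZ magic and the PE signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def decrypt_resource(blob: bytes) -> Optional[bytes]:
    """Recover the key and return the plaintext only if it parses as a PE."""
    key = recover_xor_key(blob)
    if key is None:
        return None
    plain = xor_bytes(blob, key)
    return plain if looks_like_pe(plain) else None


# --- constructed sample: a minimal PE-shaped plaintext XORed with a 7-byte key ---
def build_sample(key: bytes) -> bytes:
    plain = bytearray(DOS_HEADER_CRIB)
    plain += struct.pack("<I", 0x80)                # e_lfanew: PE header at 0x80
    plain += bytes(0x80 - len(plain))               # DOS stub area, zeroed for the demo
    plain += b"PE\0\0" + struct.pack("<H", 0x14C)   # signature + Machine (i386)
    plain += b"\xAA" * 16                           # stand-in for the rest of the file
    return xor_bytes(bytes(plain), key)


SAMPLE_KEY = b"Gr3ml1n"   # hypothetical key, not from the report
SAMPLE_BLOB = build_sample(SAMPLE_KEY)

if __name__ == "__main__":
    print("recovered key:", recover_xor_key(SAMPLE_BLOB))
    pe = decrypt_resource(SAMPLE_BLOB)
    print("plaintext is PE:", pe is not None)
```

Extract the resource bytes first (any .NET resource dumper will do); the functions then run on the raw blob. If the crib does not fit, either because the payload was not produced by the Microsoft linker or because the key is longer than half the crib, recover_xor_key returns None rather than guessing, and decrypt_resource refuses any key whose output does not carry both the MZ magic and the PE signature.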
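The two detection points above, as an added example that is not part of the Unit 42 report and not any vendor's rule: Sysmon Event ID 10 filtered on SourceImage and the PROCESS_VM_READ bit, and Sysmon Event ID 24 pairs that show a wallet-shaped clipboard value being replaced by a different wallet-shaped value from a different process within a short window. The events, process paths and addresses are constructed for the example (the stealer path is not an indicator from the report), and the join of archived clipboard text onto the Event ID 24 record is assumed to have been done upstream.

```python
"""Two Sysmon detections for the behaviours described above, run over constructed events.

Added example, not Unit 42's or any vendor's rule. Each event is a dict of the
EventID plus EventData fields as a SIEM presents them. Event ID 24 records only a
hash of the clipboard content; the text is assumed joined in from Sysmon's archive
directory as "ClipboardText" (that join is not shown). Paths and addresses are
constructed; the stealer path is not an indicator from the report.
"""
import re
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

CHROMIUM_BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "vivaldi.exe", "opera.exe"}
PROCESS_VM_READ = 0x0010
# Processes that legitimately open handles to everything; tune per estate (assumption).
EXPECTED_READERS = {"csrss.exe", "wmiprvse.exe", "msmpeng.exe", "taskmgr.exe"}
WALLET_PATTERNS = {  # shape only, no checksum validation
    "btc-legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc-bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{39,59}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def basename(image: str) -> str:
    return PureWindowsPath(image).name.lower()


def sysmon_time(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S.%f")


def wallet_kind(text: str):
    for kind, pattern in WALLET_PATTERNS.items():
        if pattern.match(text.strip()):
            return kind
    return None


def suspicious_browser_access(events):
    """Event ID 10: a process that is neither a browser nor an expected reader opens a
    Chromium-based browser with PROCESS_VM_READ. Filter on SourceImage (the handle
    opener), not on the browser's parent process."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 10 or basename(ev["TargetImage"]) not in CHROMIUM_BROWSERS:
            continue
        source = basename(ev["SourceImage"])
        if source in CHROMIUM_BROWSERS or source in EXPECTED_READERS:
            continue
        if int(ev["GrantedAccess"], 16) & PROCESS_VM_READ:
            hits.append({"time": ev["UtcTime"], "source": ev["SourceImage"],
                         "target": ev["TargetImage"], "access": ev["GrantedAccess"]})
    return hits


def clipboard_swaps(events, window=timedelta(seconds=2)):
    """Event ID 24: a wallet address is written, then within `window` a different
    address of the same kind is written by a different image. That pair is the
    observable of a clipper swap; a user re-copying the same text is not."""
    clips = sorted((e for e in events if e.get("EventID") == 24),
                   key=lambda e: sysmon_time(e["UtcTime"]))
    swaps = []
    for i, later in enumerate(clips):
        kind = wallet_kind(later["ClipboardText"])
        if kind is None:
            continue
        for earlier in clips[:i]:
            if (sysmon_time(later["UtcTime"]) - sysmon_time(earlier["UtcTime"]) <= window
                    and wallet_kind(earlier["ClipboardText"]) == kind
                    and earlier["ClipboardText"] != later["ClipboardText"]
                    and basename(earlier["Image"]) != basename(later["Image"])):
                swaps.append({"kind": kind, "copied": earlier["ClipboardText"],
                              "replaced_with": later["ClipboardText"], "writer": later["Image"]})
    return swaps


# --- constructed sample events ---
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
STEALER = r"C:\Users\victim\AppData\Roaming\Update\Update.exe"  # hypothetical, not an IOC
VICTIM_BTC, ATTACKER_BTC = "1Victim" + "A" * 22, "1Attacker" + "B" * 22
SAMPLE_EVENTS = [
    {"EventID": 10, "UtcTime": "2026-05-15 10:20:58.004", "SourceImage": CHROME,
     "TargetImage": CHROME, "GrantedAccess": "0x1FFFFF"},           # browser to browser
    {"EventID": 10, "UtcTime": "2026-05-15 10:20:59.120", "TargetImage": CHROME,
     "SourceImage": r"C:\Windows\System32\csrss.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "UtcTime": "2026-05-15 10:21:00.511", "TargetImage": CHROME,
     "SourceImage": r"C:\Windows\System32\svchost.exe", "GrantedAccess": "0x1000"},  # query only
    {"EventID": 10, "UtcTime": "2026-05-15 10:21:01.338", "TargetImage": CHROME,
     "SourceImage": STEALER, "GrantedAccess": "0x1010"},            # VM_READ | QUERY_LIMITED
    {"EventID": 24, "UtcTime": "2026-05-15 10:21:03.100", "Image": CHROME, "ClipboardText": VICTIM_BTC},
    {"EventID": 24, "UtcTime": "2026-05-15 10:21:03.350", "Image": STEALER, "ClipboardText": ATTACKER_BTC},
    {"EventID": 24, "UtcTime": "2026-05-15 10:25:00.000", "Image": CHROME, "ClipboardText": "meeting notes"},
    {"EventID": 24, "UtcTime": "2026-05-15 10:26:00.000", "Image": CHROME, "ClipboardText": "0x" + "ab" * 20},
    {"EventID": 24, "UtcTime": "2026-05-15 10:26:00.900", "Image": CHROME, "ClipboardText": "0x" + "ab" * 20},
]

if __name__ == "__main__":
    for hit in suspicious_browser_access(SAMPLE_EVENTS):
        print("browser memory read:", hit)
    for swap in clipboard_swaps(SAMPLE_EVENTS):
        print("clipper swap:", swap)
```

Both rules are deliberately narrow: the Event ID 10 rule ignores browser-to-browser handle opens and anything without the PROCESS_VM_READ bit, and the Event ID 24 rule only fires when the writer of the replacement differs from the process that wrote the original, so a user re-copying the same address does not alert. The EXPECTED_READERS allowlist and the two-second window are starting points to tune against the estate's own telemetry.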