New Gremlin Infostealer Distributed on Telegram

The ever-expanding world of information stealers (infostealers) has spawned its newest variant, Gremlin Stealer.

In a report published on April 29, researchers at Palo Alto Networks’ Unit 42 shared a technical analysis of this new infostealer strain.

Gremlin Stealer has been advertised by its makers since mid-March 2025, primarily on a Telegram channel named CoderSharp.

While it appears to still be under active development, the description of this new infostealer asserts that its current version can already steal data from a wide range of software on a Windows computer, such as browsers, the computer’s clipboard and the local disk.


Gremlin Stealer’s Features and Data Collection Processes

Gremlin Stealer is an infostealer written in C#. It exfiltrates data from its victims and uploads this information to its web server for publication.

The Unit 42 report noted that Gremlin can bypass Chrome cookie V20 protection and that its build process does not download anything from the internet.

The infostealer can collect a wide range of data, including:

  • Clipboard data on the local device
  • Screenshots from the local device
  • Local device metadata (e.g. BSID, HVID, RAM, CPU, GPU and IP address)
  • Credit card details, browser cookies, passwords and forms from an extensive list of Chromium- and Gecko-based browsers
  • Crypto wallet information
  • File Transfer Protocol (FTP) service data
  • Virtual private network (VPN) credentials
  • Steam data (e.g. token and session data)
  • Discord tokens
  • Telegram session data

Once Gremlin has collected the data, it creates a folder under LOCAL_APP_DATA and stores the data there in plain text files. These files are gathered into a ZIP archive, which is sent to its server through the URL hxxp[:]//207.244.199[.]46/index.php. It then also sends the data through a Telegram bot, using a hard-coded Telegram API key, and uploads the stolen data to the server.
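The exfiltration flow described above, a POST of the ZIP archive to the quoted server address plus an upload through a Telegram bot, is a pattern that network monitoring can key on. The following is an added example, not code from the article or from the Unit 42 report: a small Python checker that runs over constructed proxy-log lines and flags both uploads. It assumes api.telegram.org as the bot API host and uses an illustrative browser allowlist; the log format, hostnames and process names are made up.

```python
import re
from urllib.parse import urlparse

# Indicators from the article (the defanged value is written plainly for matching).
GREMLIN_C2_HOST = "207.244.199.46"
GREMLIN_C2_PATH = "/index.php"
TELEGRAM_BOT_HOST = "api.telegram.org"  # assumed host of the Telegram bot API

# Browsers may legitimately reach the bot API; any other process doing so is flagged.
# Illustrative allowlist, not taken from the report.
BROWSER_PROCS = {"chrome.exe", "firefox.exe", "msedge.exe"}

# Constructed proxy-log format: "<ts> <host> <process> <method> <url> <bytes_out>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (GET|POST) (\S+) (\d+)$")


def classify(line):
    """Return a finding string for a suspicious log line, or None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, host, proc, method, url, bytes_out = m.groups()
    if method != "POST":
        return None  # both exfiltration paths described in the article are uploads
    u = urlparse(url)
    if u.hostname == GREMLIN_C2_HOST and u.path == GREMLIN_C2_PATH:
        return f"{ts} {host}: {proc} uploaded {bytes_out} bytes to Gremlin C2 {url}"
    if u.hostname == TELEGRAM_BOT_HOST and u.path.startswith("/bot") and proc.lower() not in BROWSER_PROCS:
        return f"{ts} {host}: non-browser process {proc} called the Telegram bot API ({bytes_out} bytes)"
    return None


def scan(lines):
    """Run classify() over every line and return the non-empty findings."""
    return [f for f in map(classify, lines) if f]


# Constructed sample log lines; the token in the Telegram URL is a placeholder.
SAMPLE_LOG = [
    "2025-04-30T10:01:02Z ws-17 chrome.exe GET https://example.com/ 512",
    "2025-04-30T10:02:15Z ws-17 updater.exe POST http://207.244.199.46/index.php 184320",
    "2025-04-30T10:02:20Z ws-17 updater.exe POST https://api.telegram.org/botTOKEN-PLACEHOLDER/sendDocument 2048",
    "2025-04-30T10:03:00Z ws-18 chrome.exe POST https://api.telegram.org/botTOKEN-PLACEHOLDER/sendMessage 300",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The two findings on the sample log are the POST to the C2 path and the bot API call from a non-browser process; the benign GET and the browser's bot API call are left alone.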

The group behind the Gremlin Stealer malware claims to have uploaded large amounts of data stolen from victims’ machines to a server at 207.244.199[.]46, a configurable portal that is part of the malware sale package.

The Gremlin Stealer website currently hosts 14 ZIP archives containing stolen data, and it allows its users to download or delete the archives.