
John Hammond Investigates New Gremlin Stealer Malware
In this video, John Hammond explores a new malware variant called Gremlin Stealer, identified by researchers from Palo Alto's Unit 42. This malware, written in the C language, has been actively promoted on cybercrime forums and Telegram groups since March 2025. Gremlin Stealer steals sensitive information such as credit card numbers, browser cookies, cryptocurrency wallet information, and FTP and VPN credentials.

The malware is primarily distributed via a Telegram account named Codersharp, which appears to be a user rather than just a channel. Codersharp's Telegram profile indicates that he is a .NET, Python, and C++ developer and accepts orders only via private messages, paid in cryptocurrency. John Hammond attempts to contact Codersharp to learn more about the sale of Gremlin Stealer, but the responses are evasive.

Using a cyber threat exposure management platform, John Hammond searches for discussions and announcements related to Gremlin Stealer on various forums and Telegram channels. He discovers that several users, such as Flow013 and Stalknar, have shared similar announcements for Gremlin Stealer. These announcements include screenshots and details about the malware's features, as well as instructions for contacting the sellers via private messages.

The technical analysis of Gremlin Stealer reveals that it uses common techniques to steal information, such as extracting browser cookies and collecting sensitive data from the clipboard and file system. The malware then sends this information to a server via a configurable web interface. John Hammond notes that the server used to receive the stolen data appears to be offline at the time of the video. By examining samples of Gremlin Stealer on VirusTotal, John Hammond finds that the malware is widely detected by security solutions. The technical details show that the malware uses techniques to bypass Chrome's cookie protections, although Google has recently implemented measures to make this task more difficult. The malware sends the stolen data as a ZIP archive containing the victim's IP address.

John Hammond also explores conversations on Telegram and other forums to understand how threat actors discuss and promote Gremlin Stealer. He discovers that the discussions are primarily in Russian and that the accounts used for promotion seem to be dedicated solely to this task.

In conclusion, although Gremlin Stealer is just another info stealer malware, John Hammond's analysis sheds light on the promotion and distribution methods used by cybercriminals. This video provides valuable insights into cybercrime techniques and the tools used to track and analyze these threats.