CTI Roundup: Infostealers, Zero-Day Attacks, and Gremlin Stealer
Infostealers threaten corporate security, Google observes 75 zero-day exploits in 2024, and Gremlin Stealer appears in an underground forum
Up first in this week’s roundup is a look at infostealers, and how they are contributing to credential trading and ransomware attacks. Next up, the Tanium CTI team explores the latest zero-day exploitation data from Google. Finally, the team wraps up with an overview of a new infostealer called Gremlin Stealer.
Infostealers threaten corporate security
KELA has released a report summarizing its research into infostealer malware, how it drives credential trading, and how it enables ransomware attacks.
Among the key findings, the marketplace for corporate credentials now represents a sizable piece of the threat landscape and cybercrime ecosystem. Corporate credentials have become a high-value commodity for threat actors as they can enable further attacks.
While credentials can be stolen via various methods, infostealer malware remains an incredibly popular mechanism. This is because it can steal credentials at scale and is often readily available for purchase, making it accessible to actors of varying skill levels.
How compromised credential attacks have evolved
KELA notes a growing sophistication and commercialization in credential theft.
While cybercrime forums have traditionally been the primary method for purchasing compromised credentials, new channels are emerging. One example is automated markets, which let buyers query databases containing stolen credentials.
Subscription models are also being increasingly used to distribute infostealers and compromised credentials. Threat actors now offer subscriptions to compromised credential services, giving subscribers access to stolen credentials.
What type of employees do threat actors target most?
KELA performed additional research on its collection of infected machines and compromised credentials to identify the most at-risk individuals. Project management was discovered to be the top-impacted department, followed by consulting and software development. The affected employees were most heavily concentrated in Brazil, followed by India, the United States, and Spain.
KELA also looked at the most targeted sector and found that technology topped the list, accounting for 14% of cases. This was followed by IT services, IT consulting, and manufacturing.
How do ransomware groups use valid accounts?
Ransomware groups commonly use valid accounts or stolen credentials as an initial access method for their attacks. KELA looked at the victims of the Play, Akira, and Rhysida ransomware groups and compared those victims against its own data lake of compromised accounts. This enabled KELA to see which victims had their accounts compromised via infostealer malware.
KELA was specifically looking for accounts related to VPN, RMM, and Active Directory, as these are the most sought-after. It identified several ransomware victims whose compromised credentials had been shared between five and 95 days before the attack was claimed.
While it is not confirmed that these credentials were used in the attack, KELA mentions that it does “represent a significant threat to organizations as they can be abused by threat actors to gain access to an organization which they then use to conduct their attacks, like ransomware attacks.”
Analyst comments from Tanium’s Cyber Threat Intelligence team
KELA’s research highlights the dangers of infostealer malware and how it fuels the rest of the threat landscape.
Of note, the report highlights which employees are most often targeted for credential theft. While project management was the most targeted role overall, software development was the most targeted role within the technology sector specifically.
This doesn’t imply that other positions are entirely safe from this threat. However, it does raise the possibility that actors are more targeted in their credential theft efforts.
Google observes 75 zero-day exploits in 2024
Google’s Threat Intelligence Group tracked 75 zero-day vulnerabilities that were exploited in 2024.
This is lower than the 98 vulnerabilities that Google tracked in 2023, yet slightly higher than what Google found in 2022.
Google also found that the number of zero-days that impacted enterprise technologies was slightly higher last year at 44%, compared to just 37% in 2023.
Targeting end-user platforms and products
56% of the zero-days from last year targeted end-user platforms and products. The vulnerabilities in this category include those used to exploit browsers, mobile devices, and desktop operating systems.
Zero-day attacks against browsers and mobile devices decreased significantly. However, the number of zero-day attacks targeting operating systems increased, with Windows being the most targeted.
Google also notes that exploit chains that combined several zero-day vulnerabilities were most often used to target mobile devices.
The role of vulnerable enterprise technologies
33 zero-days were exploited in enterprise products in 2024, meaning products primarily used by businesses or in business environments.
Of the enterprise-focused technology vulnerabilities, 20 targeted security and network products. In general, Google has seen an increase in the number of enterprise vendors being targeted over the past several years, identifying 18 unique enterprise vendors targeted by zero-days last year.
Exploitation by vendor
Microsoft and Google were the top two vendors impacted by zero-days in 2024. Ivanti jumped up to the third spot, while Apple fell to fourth.
What threat actors are responsible for zero-day exploits?
Google found that multiple threat groups contributed to zero-day exploitation last year.
The largest group was state-sponsored espionage actors, which accounted for 29.4% of attacks. Within this group, actors associated with the People’s Republic of China (PRC) were the top contributors.
Analyst comments from Tanium’s Cyber Threat Intelligence team
Zero-days remain a key focus for threat actors. While the overall number of zero-days dropped slightly compared to the previous year, the trends have shifted.
Google’s analysis provides helpful insights into these changing patterns. One of the biggest takeaways from Google’s report is that there is an increased interest in the exploitation of enterprise-focused technology, with zero-day vulnerabilities increasing by 7% from 2023 to 2024. As Google notes, this is “primarily fueled by the increased exploitation of security and networking software and appliances.”
Gremlin Stealer appears in underground forum
Palo Alto identified a new infostealer malware called Gremlin Stealer, which is now being distributed in a Telegram channel called CoderSharp.
Gremlin Stealer can steal a range of data, including cookies, passwords, cryptocurrencies, computer info, files, screenshots, and more.
What happens to the stolen data?
The actor responsible for Gremlin Stealer recently claimed to have uploaded a large amount of stolen data to its server.
Palo Alto believes this server is a configurable portal that comes with the malware. Gremlin Stealer’s site displays 14 files, each supposedly an archive of data stolen from a victim.
How does Gremlin Stealer work?
Palo Alto has been closely monitoring this malware since March 2025 and has gathered a list of its primary functions:
- Bypassing cookie v20: Gremlin Stealer can bypass Chrome’s cookie v20 protection using a common technique many infostealers use. According to Palo Alto, Google has made some changes to prevent this capability.
- Scanning browsers: Gremlin Stealer checks for cookies and saved passwords from Chrome-based and Gecko-based browsers and writes the data to a file for exfiltration.
- Checking crypto wallets: Like many infostealers, Gremlin Stealer checks for different cryptocurrency wallets on devices and steals relevant files.
- Stealing FTP/VPN credentials: The malware will attempt to steal FTP usernames and passwords using a credential-stealing function. It also targets VPN credentials.
- Gathering session data: The malware will try to gather data and session information from Telegram and Discord. This is less common with infostealers.
- Obtaining system information: Like many other malware families, it gathers information about the infected system, including username, clipboard data, hardware ID, etc.
- Credit card theft: Gremlin Stealer can also steal credit card information.
Analyst comments from Tanium’s Cyber Threat Intelligence team
Gremlin Stealer has not been around for very long. However, it comes equipped with a lengthy list of features.
While it’s yet to be determined whether Gremlin Stealer will take off like other popular infostealers, infostealer malware is red hot right now, making this threat worth keeping an eye on.
For more technical insights, Palo Alto shares snippets of the Gremlin Stealer code for each of its various functions.