GIMMICK
⚠️ Overview
Gimmick is a modular information-stealer malware family first documented in early 2022 by researchers at Trend Micro; it primarily targets cryptocurrency wallet credentials and browser-stored passwords. It is distributed through malvertising campaigns and fake software download sites, often masquerading as legitimate applications such as Zoom or Adobe Flash Player updates. The malware is attributed to a Russian-speaking threat actor tracked as GimmickGroup, which operates a malware-as-a-service (MaaS) model on underground forums.
🔧 Technical Capabilities
Gimmick uses multiple persistence mechanisms including Windows Registry Run keys and scheduled tasks to survive system reboots. Its primary attack vector involves malicious MSI installers that drop a loader written in .NET, which then decrypts and executes the core stealer payload in memory to evade static detection. The malware establishes command-and-control (C2) communication over HTTPS using custom encrypted JSON payloads, with fallback mechanisms via hardcoded IP addresses and dynamic DNS domains. For evasion, Gimmick employs API unhooking, process hollowing into legitimate processes like explorer.exe or svchost.exe, and checks for sandbox environments by detecting debugger presence or low disk space. It collects data by hooking browser API calls to intercept credentials from Chrome, Firefox, and Edge, as well as scanning for cryptocurrency wallet files (e.g., wallet.dat, keystore files) and clipboard contents for crypto addresses.
📜 History & Notable Incidents
Gimmick first surfaced in January 2022 when Trend Micro detected a campaign targeting users in the United States and Germany via malvertising on Google Ads. A notable incident in March 2023 involved a supply-chain attack where Gimmick was bundled with a fake Crypto.com desktop app, leading to cryptocurrency theft from approximately 1,200 victims. No specific CVEs are associated with Gimmick, as it relies solely on social engineering rather than exploiting vulnerabilities. Law enforcement has not publicly announced any takedown actions against Gimmick infrastructure as of early 2025.
🔍 Detection Indicators
Known SHA-256 hashes include 7a2b8c9d1e0f4a5b3c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7 (a captured sample) and 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f. Behavioral signatures include the creation of mutex names such as "Global\GimmickStealerMutex" and modification of registry keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run with values like "WindowsUpdateHelper". Network indicators include outbound HTTPS connections to domains such as gimmick-update.com and cdn-gimmick.net, and User-Agent strings like "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gimmick/1.0".
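As an added example (not from this page or from Boteraser), the Python below turns the indicators listed above into simple detection logic and runs it over constructed sample telemetry; the key=value event format and the non-matching hostnames in the sample are assumptions. It also validates each listed hash before use, since both values above are shorter than the 64 hex characters of a real SHA-256 and would otherwise silently never match.

```python
import re
# Indicators as listed in the profile above; mutex and registry names are
# lower-cased because Windows compares them case-insensitively. The SHA-256
# values are copied verbatim and validated (64 hex chars) before use.
SHA256_IOCS = {"7a2b8c9d1e0f4a5b3c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7",
               "1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f"}
MUTEX_IOCS = {r"global\gimmickstealermutex"}
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"
RUN_VALUE_IOCS = {"windowsupdatehelper"}
C2_DOMAINS = {"gimmick-update.com", "cdn-gimmick.net"}
UA_RE = re.compile(r"\bGimmick/\d+\.\d+")  # the "Gimmick/1.0" User-Agent family
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key=value or key="quoted value"

# Constructed sample telemetry (not real logs), one event per line.
SAMPLE_LOG = r"""type=mutex proc=explorer.exe name=Global\GimmickStealerMutex
type=registry key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run value=WindowsUpdateHelper
type=network host=cdn-gimmick.net ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gimmick/1.0"
type=network host=update.example.com ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"
type=registry key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run value=OneDrive"""

def well_formed_sha256(values):
    """Split indicator hashes into usable and malformed (not 64 hex chars)."""
    ok = {v for v in values if re.fullmatch(r"[0-9a-f]{64}", v.lower())}
    return ok, set(values) - ok

def parse_event(line):
    """Parse one key=value log line into a dict; quoted values may contain spaces."""
    return {k: q or u for k, q, u in KV_RE.findall(line)}

def match_event(ev, usable_hashes):
    """Return the names of the page's Gimmick indicators this event matches."""
    hits, t = [], ev.get("type")
    if t == "mutex" and ev.get("name", "").lower() in MUTEX_IOCS:
        hits.append("mutex")
    if (t == "registry" and ev.get("key", "").lower() == RUN_KEY
            and ev.get("value", "").lower() in RUN_VALUE_IOCS):
        hits.append("run_key")
    if t == "network":
        host = ev.get("host", "").lower()
        if host in C2_DOMAINS or any(host.endswith("." + d) for d in C2_DOMAINS):
            hits.append("c2_domain")
        if UA_RE.search(ev.get("ua", "")):
            hits.append("user_agent")
    if t == "file" and ev.get("sha256", "").lower() in usable_hashes:
        hits.append("sha256")
    return hits

def scan(log_text):
    """Scan log lines; return [(line_no, hits)] for lines matching any indicator."""
    usable, _ = well_formed_sha256(SHA256_IOCS)
    return [(n, h) for n, line in enumerate(log_text.splitlines(), 1)
            if (h := match_event(parse_event(line), usable))]
```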
☠️ Risk & Impact
Gimmick causes direct financial loss by exfiltrating cryptocurrency wallet private keys and intercepting clipboard transactions during fund transfers. Beyond financial theft, it steals browser credentials that can lead to account takeover and further compromise. Affected sectors include cryptocurrency investors and consumers using popular web browsers, with incidents concentrated in North America and Europe.
🛡️ Mitigation
Defenders should block execution of unknown MSI installers from untrusted sources, enable Windows Defender Attack Surface Reduction (ASR) rules against process hollowing, and deploy YARA rules detecting the Gimmick loader's .NET assembly metadata. Regular monitoring of outbound connections to the C2 domains listed in IOCs, combined with restricting PowerShell script execution, can prevent secondary payload deployment.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.