Remus
REMUS is a 64-bit information-stealing malware family assessed as an evolutionary branch of Lumma Stealer rather than a full replacement. Researchers linked it to transitional test builds labeled Tenzor dated September 16, 2025, and observed first campaigns around January-February 2026, after disruption and doxxing affecting alleged Lumma operators. Multiple reports describe strong code and tradecraft overlap with Lumma, including nearly identical string obfuscation, anti-VM checks, direct syscall handling, indirect control-flow obfuscation, and a distinctive Chromium Application-Bound Encryption bypass that injects short shellcode into a live browser process to recover and decrypt the browser master key from memory. If injection fails, REMUS can launch a hidden browser on a separate desktop using a randomized 16-character desktop name.
Its core capability set is credential and session theft. High-confidence reporting states REMUS steals stored browser passwords, cookies, authentication tokens, Discord tokens, cryptocurrency wallets, clipboard data, screenshots, and browser-related artifacts. It expanded over time to target session persistence and long-term authenticated access, including restore-token abuse, SOCKS5 proxy integration, IndexedDB extraction, and collection of artifacts associated with password managers such as 1Password, LastPass, and Bitwarden. Reporting explicitly notes that observed activity does not independently confirm vault decryption or direct compromise of password-manager databases. REMUS also repeatedly targeted platforms including Discord, Steam, Riot Games, and Telegram, supporting monetization through account resale, fraud, social engineering, and persistent access abuse.
Underground reporting from February to May 2026 indicates REMUS rapidly evolved from a basic credential stealer into a malware-as-a-service platform with subscription-style commercialization, affiliate-oriented operations, Telegram-based delivery, log management, duplicate-log filtering, worker tracking, statistics dashboards, restore workflows, and advertised 24/7 support. Researchers reviewed 128 underground posts during that period and assessed the operation as reflecting broader industrialization of the infostealer ecosystem.
REMUS uses dead-drop resolver techniques for command-and-control discovery. Unlike Lumma’s Steam and Telegram resolvers, REMUS has been reported using EtherHiding, embedding or retrieving C2 information via Ethereum smart contracts queried through public JSON-RPC endpoints. Infrastructure analysis tied parts of the campaign to multiple Ethereum contracts, rotating C2 values, and domains heavily concentrated on .biz gTLDs. Reported infrastructure included domains hosted across more than 15 ASNs, with notable concentration at Hostinger International Limited and Team Internet AG, and repeated association with IP address 185.53.179.128. Public reporting identified C2-related domains including fightwa[.]biz:5902 and chalx[.]live:5902 from contract history, and one campaign-specific endpoint http://baxe[.]pics:48261 used by a REMUS plugin delivered via SmokeLoader.
REMUS includes anti-analysis features. Reported checks include anti-virtualization logic shared with Lumma, detection of analysis-related DLLs such as snxhk.dll, sbiedll.dll, cmdvrt32.dll, and cmdvrt64.dll, and checks for a honeypot Outlook PST file named honey@pot.com.pst. Some samples reportedly exit silently when such checks trigger.
Observed delivery includes use as a final payload behind GoFlateLoader, which has distributed REMUS alongside Amatera, Lumma, Vidar, StealC, and SvitStealer, including via cracked software and malicious traffic-distribution chains. REMUS was also observed as a SmokeLoader plugin in a March 2026 ClickFix campaign using a fake "I Am Not a Robot" lure, an MSI installer, and a Go-based loader. In that case, the plugin was a 64-bit PE32+ sample compiled on February 21, 2026, contained markers such as "# REMUS LOG" and "PROXYPROXYPROXY," used ChaCha20-encrypted configuration, and was configured with campaign ID e7d306351b2ed15ad158949881380114 and key d16425ab2d021ae273d5fae993ce52a5aa61f379ade7bc27efd39d9bb3f46a55.
High-confidence indicators directly mentioned in the content include the string markers "# REMUS LOG" and "# TENZOR LOG"; Ethereum contract addresses 0x999941b74F6bbc921D5174A5b29911562cd2D7CF and 0xf6896c4ddd2b821d5d2b3c18459acd9b5ec1ce21; operator wallet 0xBeCFC3F9EB36E6Ec0E54f7A6627DA7EF648f8F01; domains fightwa[.]biz:5902, chalx[.]live:5902, baxe[.]pics:48261, sdigi[.]net, and vinte[.]online; IP addresses 185.53.179.128, 15.235.192.42, and 193.169.194[.]5; MSI SHA256 8af75100ed69758e4da91255e0fae90f4ac40db2d1cfe52b9ea90c637ea30a82; Go loader SHA256 b93484fd64dee8ad3b45ddddcb58e54efaf751f33a12c8807f8d0765e8237337; and REMUS plugin SHA256 77a2c2761bd439548177a36b6a10d8979c0e41d2cf3c1c98329307cbe5251ab6.
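As an added example (not code from the page's sources or from Mallory), the matcher below normalizes the defanged network indicators listed above and runs them over a constructed proxy-log sample; the log layout, hostnames such as ws-017, and the non-IOC destinations are hypothetical, and a port-only match is deliberately rated low because ports 5902, 48261, 61611 and 61617 are not reserved for this family.

```python
import re

# Indicators taken from the REMUS profile above, kept in their published defanged form.
C2_DOMAINS = {"fightwa[.]biz", "chalx[.]live", "baxe[.]pics", "sdigi[.]net", "vinte[.]online"}
C2_IPS = {"185.53.179.128", "15.235.192.42", "193.169.194[.]5"}
C2_PORTS = {5902, 48261, 61611, 61617}  # ports cited alongside the C2 domains

def refang(value):
    """Turn a defanged indicator (fightwa[.]biz, hxxp://) back into a matchable form."""
    return value.replace("[.]", ".").replace("hxxp", "http").lower()

DOMAINS = {refang(d) for d in C2_DOMAINS}
IPS = {refang(i) for i in C2_IPS}

# Hypothetical proxy-log layout: timestamp host process destination:port
LOG_RE = re.compile(r"(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+) (?P<dst>[^:\s]+):(?P<port>\d+)$")

def classify(line):
    """Return (severity, reason) for one log line, or None when nothing matched."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    dst, port = refang(m["dst"]), int(m["port"])
    if dst in IPS:
        return ("high", f"known REMUS C2 IP {dst}")
    # Exact domain or any subdomain of a published C2 domain.
    if dst in DOMAINS or any(dst.endswith("." + d) for d in DOMAINS):
        return ("high", f"known REMUS C2 domain {dst}")
    if port in C2_PORTS:
        # Port alone is weak evidence: nothing reserves these ports for the family.
        return ("low", f"port {port} seen with REMUS C2, destination not in IOC set")
    return None

# Constructed sample: cdn.fightwa.biz is a made-up subdomain of a published domain,
# 203.0.113.9 and the example.com hosts are documentation/placeholder values.
SAMPLE_LOG = """\
2026-03-04T10:01:12Z ws-017 chrome.exe www.example.com:443
2026-03-04T10:01:15Z ws-017 svchost.exe 185.53.179.128:443
2026-03-04T10:01:19Z ws-017 explorer.exe cdn.fightwa.biz:5902
2026-03-04T10:02:03Z ws-042 outlook.exe mail.example.com:993
2026-03-04T10:02:44Z ws-042 msiexec.exe baxe.pics:48261
2026-03-04T10:03:10Z ws-042 update.exe 203.0.113.9:5902
"""

def scan(log_text):
    """Scan log text; return a list of (line_no, severity, reason) for each hit."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        verdict = classify(line)
        if verdict:
            hits.append((n, *verdict))
    return hits

if __name__ == "__main__":
    for n, sev, why in scan(SAMPLE_LOG):
        print(f"line {n}: [{sev}] {why}")
```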
Techniques & procedures
33 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (1 technique)
Execution (3 techniques)
OLE32.dll functions (CoCreateInstance, CoInitialize, CoSetProxyBlanket) indicate WMI-based system profiling through COM interfaces.
Privilege Escalation (2 techniques)
Stealth (7 techniques)
The two share the same string obfuscation method, anti-virtual machine checks, nearly identical code structure...
One of the first things both do upon execution is enumerate all Nt-prefixed exports from ntdll.dll and build a lookup table mapping their name hashes to the corresponding Syscall Service Numbers (SSNs).
Rather than reading the key off disk, Remus injects a small shellcode into the live browser process to locate and decrypt the master key from inside the browser’s own memory.
Furthermore, both Remus and Lumma also employ SYSTEM token impersonation as an alternative method to bypass ABE.
SOCKS5 proxy integration, anti-virtualization controls, gaming-platform targeting, as well as deeper password harvesting were all added to the malware.
The first check targets sandbox and analysis tool DLLs. Remus walks the PEB's InLoadOrderModuleList, hashes the name of every loaded module... corresponding to a module commonly injected by analysis environments... If no sandbox DLLs are detected, Remus proceeds by expanding the path %UserProfile%\Documents\Outlook Files, enumerating all *.pst files... and checking for the presence of honey@pot.com.pst.
Credential Access (4 techniques)
This initial effort focused on harvesting saved credentials... but later expanded into hijacking sessions... REMUS consistently promoted browser cookies, authentication tokens, workflows to restore sessions, and proxy-assisted continuity mechanisms as central operational features.
This initial effort focused on harvesting saved credentials and collecting browser information... A number of early campaigns in February created a perception of REMUS as a trustworthy, accessible, and reliable stealer that specialized in stealing browser credentials...
Initially focused on browser credential theft and basic log management
This objective was further reinforced by repeated targeting of Discord, Steam, Riot Games, and Telegram environments... As of April 2026, the operator has implemented collection capabilities associated with Bitwarden, 1Password, LastPass, and IndexedDB-based browser storage mechanisms commonly used to retain locally authenticated data...
Discovery (6 techniques)
KERNEL32.dll provides GetComputerNameA and GetComputerNameExA for machine identification.
It scans for DLLs linked to known analysis platforms and checks for a specific honeypot file on disk.
April marked another strategic transition in REMUS's evolution, this time toward authentication-based session persistence and browser-side artifact collection... It also included IndexedDB extractions linked to browser extensions associated with the 1Password and LastPass browser extensions...
Collection (3 techniques)
A type of advanced remote access Trojan called an infostealer operates silently within infected systems, gathering cookies, authentication tokens, stored passwords, fingerprints, and other telemetry from the infected system before packaging the information into standardized 'stealer logs' for exfiltration.
Command and Control (9 techniques)
Started as a single Ethereum contract which expanded into a cluster of 5 contracts, multiple operator wallets... The development started with the basic DomainStorage with no validation and moved to the hardened DataStore variants.
I was able to retrieve the live C2 domain... deploying on ports 61611 & 61617, along with 2 additional live C2 domains.
The plugin communicates with baxe[.]pics on port 48261 over unencrypted HTTP... The C2 expects file uploads via POST requests, returning structured JSON responses that indicate a Node.js/Express backend.
SOCKS5 proxy integration... was added to the malware... There were repeated references throughout the campaign to 'Restore' capabilities, multi-proxy compatibility, and token recovery workflows...
Dead drop resolver is a technique where malware retrieves its actual C2 from a public legitimate platform instead of hardcoding it. Basically, instead of connecting directly to evilc2.com, the malware first visits something like a public GitHub repo, Telegram, Steam profile or a Google Doc. That content contains an encoded or hidden IP/domain which points to the real C2 address.
As mentioned in the report by GenDigital, the stealer (in some cases) is using the EtherHiding technique to resolve the C2 domains, replacing the previous use of Telegram and Steam profiles.
Both Remus and Lumma employ dead drop resolvers, a mechanism in which the malware does not contact its C2 server directly but instead retrieves the C2 address at runtime from an intermediary hosted on a legitimate platform.
Remus introduces a key upgrade in how it contacts its command-and-control servers... Remus replaces this with EtherHiding, embedding the server address inside an Ethereum blockchain smart contract... Remus queries the smart contract at runtime over a public endpoint and pulls the current server address.
IOCs tracked for this family
135 indicators attributed across vendor reports, sandbox runs, and researcher write-ups, covering IPs, domains, and DNS infrastructure; file hashes (MD5, SHA-1, SHA-256) from samples and reports; and other indicator types observed in public reporting.
Recent activity
8 sources tracked across advisories, community write-ups, and news.
An information stealer observed as a final payload delivered by GoFlateLoader.
REMUS is an infostealer that evolved into a malware-as-a-service platform focused on long-term access theft and session persistence. It harvests saved credentials, browser information, cookies, authentication tokens, Discord tokens, and browser-side password manager artifacts; supports restore-token workflows, Telegram log delivery, proxy-assisted continuity, anti-virtualization, and targeting of gaming and messaging platforms.
REMUS is an infostealer that evolved into a malware-as-a-service platform. It initially focused on browser credential theft and basic log management, then expanded to session theft, password manager targeting, restore-token functionality, improved Telegram delivery, and enhanced operational visibility for scalable criminal operations.
An information stealer that targets browser passwords, cookies, and cryptocurrency wallets. It is described as a 64-bit evolution/variant of Lumma, with anti-VM and anti-analysis checks, browser Application-Bound Encryption bypass via shellcode injection into live browser processes, fallback hidden-browser execution, and EtherHiding-based C2 resolution through an Ethereum smart contract.