Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now
Webinar
February 26
Better SOC with Interactive Sandbox Practical Use Cases
Register now

Remus Stealer

113
Global rank
20 infographic chevron month
Month rank
29 infographic chevron week
Week rank
0
IOCs

Remus Stealer is a sophisticated 64-bit information stealer operating under a Malware-as-a-Service (MaaS) model. Identified as a direct evolution of the infamous Lumma Stealer, Remus specializes in harvesting credentials, cookies, and cryptocurrency wallets while utilizing blockchain technology for command-and-control (C2) resilience.

Stealer
Type
Unknown
Origin
1 February, 2026
First seen
3 July, 2026
Last seen

How to analyze Remus Stealer with ANY.RUN

Type
Unknown
Origin
1 February, 2026
First seen
3 July, 2026
Last seen

IOCs

IP addresses
72.60.121.225
45.141.27.68
185.53.179.128
196.251.107.104
165.227.199.109
94.231.205.229
196.251.107.130
217.156.122.75
188.40.60.27
65.21.104.235
62.72.32.156
168.231.114.49
103.211.219.238
76.13.17.11
31.97.61.212
45.85.147.53
137.184.153.47
89.58.10.69
147.135.84.14
178.104.90.74
Domains
miedorama.com
axoshealthcare.com
midpfv.xyz
1printers.com
angect.xyz
lawofi.xyz
bluyterm.com
driven-wild.com
millersteelusa.com
hatcae.xyz
xstrapper.com
kereta-tinted.com
forestoaker.com
iuta.today
oundhertobeconsist.org
firewai.biz
chalx.live
eth.llamarpc.com
hotstz.xyz
strgsd.xyz
Last Seen at
Last Seen at

Recent blog posts

post image
Release Notes: In-Browser Data Inspection, To...
watchers 5611
comments 0
post image
Closing the Supplier Security Gap: How a US M...
watchers 5115
comments 0
post image
ANY.RUN & Torq Integration: Scale Triage...
watchers 9792
comments 0

From Lumma’s Ashes: Remus Stealer Uses Blockchain to Steal Your Business Data

Key Takeaways

  • Remus Stealer is a rapidly evolving Malware-as-a-Service infostealer that emerged in 2026.
  • It utilizes EtherHiding, storing C2 addresses in Ethereum smart contracts to avoid takedowns.
  • The malware steals credentials, browser cookies, authentication tokens, and cryptocurrency wallet data.
  • Session theft is one of Remus's most dangerous capabilities because it can bypass MFA by stealing active session cookies directly from browser memory.
  • The malware shows strong technical similarities to Lumma Stealer and may represent its evolutionary successor.
  • Financial services, healthcare, government, technology firms, and MSPs are particularly attractive targets.
  • Common infection vectors include phishing, fake software downloads, malvertising, and fake CAPTCHA campaigns, as well as SEO poisoning and fake GitHub projects to trick tech-savvy users.
  • ANY.RUN's Threat Intelligence Feeds and Threat Intelligence Lookup help defenders proactively identify Remus-related infrastructure, hunt for indicators of compromise, and strengthen detection coverage before attacks escalate.

Pivot from Remus IOCs to sandbox analysis sessions to observe full attack chains and TTPs:

destinationIP:"160.119.69.4".

Malicious IP detected as Remus IOC Malicious IP detected as Remus Stealer

What is Remus Stealer?

Remus Stealer represents the ongoing professionalization of infostealer operations. It is a native 64-bit malware that builds on Lumma's codebase, incorporating advanced evasion techniques while shifting to new infrastructure methods. Key features include browser-focused data theft (especially Chromium-based), session hijacking capabilities that can bypass MFA by stealing active cookies and tokens, and targeting of password managers (e.g., via IndexedDB for 1Password, LastPass, Bitwarden).

It uses custom string obfuscation, direct syscalls, reflective code loading/shellcode injection into browser processes, and blockchain-based C2 resolution via EtherHiding (storing C2 details in Ethereum smart contracts). This makes it resilient and harder to disrupt compared to traditional dead-drop resolvers (e.g., Steam/Telegram used in Lumma). Remus operates in a mature MaaS model with rapid updates, customer support, statistics dashboards, and features emphasizing operational scalability and log management.

ANY.RUN Interactive Sandbox lets analysts investigate Remus Stealer behavior in real time:

View sample detonation

Remus detonated in Interactive Sandbox Remus Stealer detonated in Interactive Sandbox

How Remus Stealer Threatens Businesses and Organizations

Remus poses severe risks by enabling credential theft, session hijacking, and data exfiltration that can lead to:

  • Unauthorized access to corporate accounts, VPNs, cloud services, and internal systems.
  • Financial fraud via stolen crypto wallets or banking credentials.
  • Supply chain and lateral movement opportunities, as stolen sessions/tokens allow attackers to pivot deeper into networks.
  • Data breaches exposing customer information, intellectual property, or compliance-regulated data.
  • Reputational and regulatory damage, including fines from GDPR, CCPA, or similar.

Stolen browser sessions and tokens are particularly dangerous as they often bypass traditional MFA, allowing persistent access without immediate alerts. In corporate environments, this can result in prolonged dwell time for attackers.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Victimology: Who Is Most Vulnerable?

Any organization relying on Chromium-based browsers (Chrome, Edge) is vulnerable; however, specific sectors are prime targets:

  • Technology & DevOps: Attackers are actively impersonating open-source tools (Ghidra, dnSpy) to deliver Remus to developers.

  • Finance & Fintech: High-value targets for cryptocurrency wallet theft and banking credential harvesting.

  • Gaming & E-commerce: Targeted for Discord token theft and payment data

Small-to-medium businesses and those with hybrid/remote workforces relying on personal devices or unpatched software are prime targets due to lower security maturity.

Evolution of Remus Stealer

Remus traces back to Lumma Stealer disruptions in late 2025 (doxxing of alleged developers). Transitional "Tenzor" test builds appeared around September 2025, evolving into active Remus campaigns by February 2026. It shifted from Lumma's 32-bit architecture and traditional resolvers to 64-bit with EtherHiding and enhanced anti-analysis (e.g., sandbox DLL checks, PST honeypot detection).

Development under the MaaS model has been rapid: early focus on core theft and delivery reliability, followed by session restoration, proxy support, password manager targeting, and operational tools (worker tracking, duplicate filtering) through March–May 2026.

Notable aspects include campaigns delivering via software search redirection (malvertising for popular tools), with activity rivaling Lumma's. Specific large-scale attacks are often opportunistic via MaaS buyers, but the malware's volume and integration into broader cybercrime ecosystems (initial access brokers) amplify its impact.

Notable Campaign (2026): A massive Traffic Distribution System (TDS) campaign has been identified where fake websites rank high on Google Search for software terms, redirecting users to Remus payloads. The malware is delivered via obfuscated Go loaders that check for virtual machine environments before executing

How Remus Stealer Gets Into Systems and Spreads

Common infection vectors mirror other stealers:

  • Malvertising and search redirection: Fake download pages for software (e.g., converters, utilities) via compromised ads or SEO.
  • Phishing emails with malicious attachments or links.
  • Pirated/cracked software, keygens, and third-party downloaders.
  • Drive-by downloads on compromised sites.
  • Social engineering and fake updates.

It often uses loaders for initial delivery, with good "crypting" (obfuscation) for high callback rates.

How Remus Stealer Function: Sandbox Analysis

View ANY.RUN Sandbox analysis of a Remus Stealer sample

Remus detonated in Interactive Sandbox Remus Stealer detonated in Interactive Sandbox

Remus is a 64-bit infostealer that represents an evolution of Lumma, rather than an entirely new malware family. Since February 2026 campaigns, it has been associated with SEO-poisoning/fake websites mimicking popular open-source tools. It retrieves C2 addresses via EtherHiding instead of conventional resolver chains.

The sample’s functionality after execution depends on the availability of the C2 servers. If they are reachable, the malware typically does the following: it accesses browser data, steals saved passwords, cookies, and cryptocurrency wallets. In some cases, it bypasses Chrome’s Application-Bound Encryption (ABE) through injection into the browser process or a hidden browser desktop. It also performs anti-VM and anti-sandbox checks. If the C2 servers are unavailable, the malware does not reveal itself in any way (except for network connection attempts).

After launch, we can see that the sample generates a large number of network requests and immediately triggers detections related to data theft:

Remus Stealer data exfiltration attempts Remus Stealer data exfiltration attempts

Switching to the Network threats tab, we see traffic characteristic of this malware:

Remus activity in network traffic Remus activity in network traffic

Directly inside the traffic, we can observe all the communication and the name of the C2 domain in this case (the malware has a large number of C2 domains and changes them frequently; samples that are one or two months old usually no longer work due to lack of connection to the server):

Remus network traffic analysis Remus network traffic analysis

Similar data is visible in the HTTP Requests tab:

Remus HTTP requests Remus HTTP requests

Inside the traffic itself, communication with the C2 is visible — for example, the initial submission and receiving success:true as a response:

Remus C2 request & response Remus C2 request & response

Next, we see the malware sending some technical information to the server:

Remus exfiltrating technical data Remus exfiltrating technical data

hwid represents the victim’s Hardware ID, tag is the identifier of the campaign, build, or bot, exp is a Unix Timestamp.

Then we see the sending of a token:

Remus sends a token Remus sends a token

Response: Server response Server response

And the transmission of already encrypted data:

Exfiltration of encrypted data Exfiltration of encrypted data

This type of interaction is observed throughout the entire communication: sending tokens → receiving tokens → sending data.

It is also evident that after registering on the C2 server, the sample transmitted service parameters debug and step, presumably used to track the stages of execution and the state of the malicious process. The values included 2-PRE, 2-EMPTY, step=1, and others, which may indicate the passage of internal data processing stages or preparation for exfiltration.

Additionally, by diving into the data theft detections, we can see which directories and files the stealer attempted to access:

Remus reaching system and app directories for data exfiltration Remus reaching system and app directories for data exfiltration

Remus reaching system and app directories for data exfiltration Remus reaching system and app directories for data exfiltration

Remus reaching system and app directories for data exfiltration Remus reaching system and app directories for data exfiltration

How Businesses Can Use ANY.RUN’s Threat Intelligence Feeds and TI Lookup Against Remus Stealer

Threat intelligence can help organizations move from reactive detection to proactive defense.

Threat Intelligence Feeds

Security teams can integrate ANY.RUN Threat Intelligence Feeds into SIEM, EDR, SOAR, XDR, and TIP platforms to automatically detect:

  • Remus-related domains
  • Command-and-control infrastructure
  • Malicious IP addresses
  • Malware hashes
  • Emerging indicators associated with active campaigns

TI Feeds benefits and integration TI Feeds benefits and integration

Because infostealer infrastructure changes rapidly, continuously updated feeds help security teams identify threats before compromise occurs.

ANY.RUN Threat Intelligence Lookup enables analysts and threat hunters to:

  • Search Remus-related IOCs
  • Investigate malware infrastructure
  • Correlate domains, IPs, and hashes
  • Discover emerging indicators linked to active campaigns
  • Conduct retrospective investigations

This accelerates threat hunting and incident response while improving visibility into evolving malware activity.

threatName:"remus".

Remus sandbox analyses in TI Lookup Remus sandbox analyses in TI Lookup

Additional defensive measures:

  • User education on phishing/malvertising; avoid pirated software.
  • Endpoint detection with behavioral monitoring for injection/syscalls.
  • Browser hardening (e.g., limit extensions, use password managers carefully).
  • MFA with phishing-resistant methods; regular credential rotation.
  • Network segmentation, least privilege, and monitoring for anomalous C2 (Ethereum traffic).
  • Patch management and application allowlisting

Integrate ANY.RUN’s threat intelligence solutions in your company

Contact us

Conclusion

Remus Stealer is not just another infostealer; it is a paradigm shift in malware resilience. By weaponizing blockchain for C2 communication and operating a professional MaaS model, it has solved the problem of infrastructure takedown that plagued previous stealers. For defenders, this means shifting from reactive signature-based detection to behavioral analysis—watching for the action of memory injection and browser manipulation rather than the hash of the file.

Trial TI Lookup to start gathering actionable threat intelligence on the malware that threatens your business sector and region: just sign up to ANY.RUN.

HAVE A LOOK AT

Oblivion RAT screenshot
Oblivion RAT
oblivion
Oblivion RAT is a sophisticated Android Remote Access Trojan (RAT) offered as Malware-as-a-Service (MaaS) on cybercrime forums for as little as $300 per month. It equips even novice attackers with a complete toolkit, including a web-based APK builder, dropper generator mimicking Google Play updates, and a real-time C2 panel. The RAT enables full device takeover, data theft, and financial fraud through deceptive social engineering and Accessibility Service abuse.
Read More
TrustConnect screenshot
TrustConnect
trustconnect
TrustConnect is a MaaS platform that disguises a Remote Access Trojan (RAT) as a legitimate Remote Monitoring and Management (RMM) tool. The operators built an AI-generated business website, obtained a fraudulently acquired Extended Validation (EV) code-signing certificate, and created fake customer statistics and documentation to make TrustConnect appear to the world — and to security tools — as a legitimate software company.
Read More
Loader screenshot
Loader
loader downloader
A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.
Read More
DragonForce screenshot
DragonForce
dragonforce
DragonForce is a ransomware strain operating under the Ransomware-as-a-Service (RaaS) model. First reported in December 2023, it encrypts files with ChaCha8, renames them with random strings, and appends “.dragonforce_encrypted.” By disabling backups, wiping recovery, and spreading across SMB shares, DragonForce maximizes damage and pressures victims into multimillion-dollar ransom negotiations. It has targeted manufacturing, construction, IT, healthcare, and retail sectors worldwide, making it a severe threat to modern enterprises.
Read More
NetSupport RAT screenshot
NetSupport RAT
netsupport
NetSupport RAT is a malicious adaptation of the legitimate NetSupport Manager, a remote access tool used for IT support, which cybercriminals exploit to gain unauthorized control over systems. It has gained significant traction due to its sophisticated evasion techniques, widespread distribution campaigns, and the challenge it poses to security professionals who must distinguish between legitimate and malicious uses of the underlying software.
Read More
Lynx screenshot
Lynx
lynx
Lynx is a double extortion ransomware: attackers encrypt important and sensitive data and demand a ransom for decryption simultaneously threatening to publish or sell the data. Active since mid-2024. Among techniques are terminating processes and services, privilege escalation, deleting shadow copies. Distribution by phishing, malvertising, exploiting vulnerabilities.
Read More