Remus Stealer is a sophisticated 64-bit information stealer operating under a Malware-as-a-Service (MaaS) model. Identified as a direct evolution of the infamous Lumma Stealer, Remus specializes in harvesting credentials, cookies, and cryptocurrency wallets while utilizing blockchain technology for command-and-control (C2) resilience.
Type: Stealer
Origin: Unknown
First seen: 1 February, 2026
Last seen: 15 June, 2026
Pivot from Remus IOCs to sandbox analysis sessions to observe full attack chains and TTPs:
Malicious IP detected as Remus Stealer
Remus Stealer represents the ongoing professionalization of infostealer operations. It is a native 64-bit malware that builds on Lumma's codebase, incorporating advanced evasion techniques while shifting to new infrastructure methods. Key features include browser-focused data theft (especially Chromium-based), session hijacking capabilities that can bypass MFA by stealing active cookies and tokens, and targeting of password managers (e.g., via IndexedDB for 1Password, LastPass, Bitwarden).
It uses custom string obfuscation, direct syscalls, reflective code loading/shellcode injection into browser processes, and blockchain-based C2 resolution via EtherHiding (storing C2 details in Ethereum smart contracts). This makes it resilient and harder to disrupt compared to traditional dead-drop resolvers (e.g., Steam/Telegram used in Lumma). Remus operates in a mature MaaS model with rapid updates, customer support, statistics dashboards, and features emphasizing operational scalability and log management.
ANY.RUN Interactive Sandbox lets analysts investigate Remus Stealer behavior in real time:
Remus Stealer detonated in Interactive Sandbox
Remus poses severe risks by enabling credential theft, session hijacking, and data exfiltration that can lead to:
Stolen browser sessions and tokens are particularly dangerous as they often bypass traditional MFA, allowing persistent access without immediate alerts. In corporate environments, this can result in prolonged dwell time for attackers.
Any organization relying on Chromium-based browsers (Chrome, Edge) is vulnerable; however, specific sectors are prime targets:
Technology & DevOps: Attackers are actively impersonating open-source tools (Ghidra, dnSpy) to deliver Remus to developers.
Finance & Fintech: High-value targets for cryptocurrency wallet theft and banking credential harvesting.
Gaming & E-commerce: Targeted for Discord token theft and payment data.
Small-to-medium businesses and those with hybrid/remote workforces relying on personal devices or unpatched software are prime targets due to lower security maturity.
Remus traces back to Lumma Stealer disruptions in late 2025 (doxxing of alleged developers). Transitional "Tenzor" test builds appeared around September 2025, evolving into active Remus campaigns by February 2026. It shifted from Lumma's 32-bit architecture and traditional resolvers to 64-bit with EtherHiding and enhanced anti-analysis (e.g., sandbox DLL checks, PST honeypot detection).
Development under the MaaS model has been rapid: early focus on core theft and delivery reliability, followed by session restoration, proxy support, password manager targeting, and operational tools (worker tracking, duplicate filtering) through March–May 2026.
Notable aspects include campaigns delivering via software search redirection (malvertising for popular tools), with activity rivaling Lumma's. Specific large-scale attacks are often opportunistic via MaaS buyers, but the malware's volume and integration into broader cybercrime ecosystems (initial access brokers) amplify its impact.
Notable Campaign (2026): A massive Traffic Distribution System (TDS) campaign has been identified where fake websites rank high on Google Search for software terms, redirecting users to Remus payloads. The malware is delivered via obfuscated Go loaders that check for virtual machine environments before executing.
Common infection vectors mirror other stealers:
It often uses loaders for initial delivery, with good "crypting" (obfuscation) for high callback rates.
View ANY.RUN Sandbox analysis of a Remus Stealer sample
Remus Stealer detonated in Interactive Sandbox
Remus is a 64-bit infostealer that represents an evolution of Lumma, rather than an entirely new malware family. Since February 2026 campaigns, it has been associated with SEO-poisoning/fake websites mimicking popular open-source tools. It retrieves C2 addresses via EtherHiding instead of conventional resolver chains.
The sample’s functionality after execution depends on the availability of the C2 servers. If they are reachable, the malware typically does the following: it accesses browser data, steals saved passwords, cookies, and cryptocurrency wallets. In some cases, it bypasses Chrome’s Application-Bound Encryption (ABE) through injection into the browser process or a hidden browser desktop. It also performs anti-VM and anti-sandbox checks. If the C2 servers are unavailable, the malware does not reveal itself in any way (except for network connection attempts).
After launch, we can see that the sample generates a large number of network requests and immediately triggers detections related to data theft:
Remus Stealer data exfiltration attempts
Switching to the Network threats tab, we see traffic characteristic of this malware:
Remus activity in network traffic
Directly inside the traffic, we can observe all the communication and the name of the C2 domain in this case (the malware has a large number of C2 domains and changes them frequently; samples that are one or two months old usually no longer work due to lack of connection to the server):
Remus network traffic analysis
Similar data is visible in the HTTP Requests tab:
Remus HTTP requests
Inside the traffic itself, communication with the C2 is visible — for example, the initial submission and receiving success:true as a response:
Remus C2 request & response
Next, we see the malware sending some technical information to the server:
Remus exfiltrating technical data
Here hwid represents the victim’s Hardware ID; tag is the identifier of the campaign, build, or bot; exp is a Unix timestamp.
Then we see the sending of a token:
Remus sends a token
Response:
Server response
And the transmission of already encrypted data:
Exfiltration of encrypted data
This type of interaction is observed throughout the entire communication: sending tokens → receiving tokens → sending data.
It is also evident that after registering on the C2 server, the sample transmitted service parameters debug and step, presumably used to track the stages of execution and the state of the malicious process. The values included 2-PRE, 2-EMPTY, step=1, and others, which may indicate the passage of internal data processing stages or preparation for exfiltration.
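The check-in fields (hwid, tag, exp) and the service parameters (debug, step) described above give a defender something concrete to look for in proxy logs. The following is an added example, not code from ANY.RUN or from the malware: it scans constructed log lines for POST bodies carrying those field sets and checks that exp is a plausible Unix timestamp. The log format, URL-encoded body, hostnames and values are all assumptions.

```python
import time
from urllib.parse import parse_qs

# Field names the page reports in Remus C2 traffic: hwid/tag/exp in the
# check-in, debug/step as service parameters sent after registration.
CHECKIN_FIELDS = {"hwid", "tag", "exp"}
STAGE_FIELDS = {"debug", "step"}


def classify_body(body, now=None):
    """Classify one URL-encoded POST body (the encoding is an assumption).

    checkin: hwid, tag and exp all present; stage: debug and/or step present;
    exp_plausible: exp parses as a Unix timestamp within a year of `now`.
    """
    now = time.time() if now is None else now
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    keys = set(params)
    exp_ok = False
    if params.get("exp", "").isdigit():
        exp_ok = abs(int(params["exp"]) - now) < 365 * 86400
    return {
        "checkin": CHECKIN_FIELDS <= keys,
        "stage": bool(STAGE_FIELDS & keys),
        "exp_plausible": exp_ok,
        "fields": sorted(keys),
    }


def scan_log(log, now=None):
    """Scan log lines of the form 'ts METHOD host path body' (constructed
    format) and return every POST whose body matches either pattern."""
    hits = []
    for n, line in enumerate(log.splitlines(), 1):
        parts = line.split(maxsplit=4)
        if len(parts) < 5 or parts[1] != "POST":
            continue
        ts, _, host, path, body = parts
        verdict = classify_body(body, now)
        if verdict["checkin"] or verdict["stage"]:
            hits.append({"line": n, "ts": ts, "host": host, "path": path, **verdict})
    return hits


# Constructed sample log; hostnames use the reserved .invalid TLD.
SAMPLE_LOG = """\
2026-03-01T10:00:01Z POST c2.example.invalid /api hwid=ABCD-1234&tag=campaign01&exp=1772359200
2026-03-01T10:00:02Z POST c2.example.invalid /api hwid=ABCD-1234&debug=2-PRE&step=1
2026-03-01T10:00:03Z GET update.example.invalid /check v=2
2026-03-01T10:00:04Z POST shop.example.invalid /cart item=42&qty=1
"""
```

Lines 1 and 2 of the sample are returned as hits (the check-in and the debug/step message); the GET and the ordinary shop request are not.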
Additionally, by diving into the data theft detections, we can see which directories and files the stealer attempted to access:
Remus reaching system and app directories for data exfiltration
Threat intelligence can help organizations move from reactive detection to proactive defense.
Threat Intelligence Feeds
Security teams can integrate ANY.RUN Threat Intelligence Feeds into SIEM, EDR, SOAR, XDR, and TIP platforms to automatically detect:
TI Feeds benefits and integration
Because infostealer infrastructure changes rapidly, continuously updated feeds help security teams identify threats before compromise occurs.
ANY.RUN Threat Intelligence Lookup enables analysts and threat hunters to:
This accelerates threat hunting and incident response while improving visibility into evolving malware activity.
Remus sandbox analyses in TI Lookup
Additional defensive measures:
Remus Stealer is not just another infostealer; it is a paradigm shift in malware resilience. By weaponizing blockchain for C2 communication and operating a professional MaaS model, it has solved the problem of infrastructure takedown that plagued previous stealers. For defenders, this means shifting from reactive signature-based detection to behavioral analysis—watching for the action of memory injection and browser manipulation rather than the hash of the file.
Trial TI Lookup to start gathering actionable threat intelligence on the malware that threatens your business sector and region: just sign up to ANY.RUN.