Flare published a deep profile of REMUS, the 64-bit infostealer that emerged in early 2026 after Lumma Stealer's core operators were doxxed in late 2025. Gen Threat Labs links REMUS directly to Lumma's codebase through 'Tenzor' transitional builds from September 2025, identical string obfuscation, anti-VM checks via cpuid leaf 0x40000000, and a refined Application-Bound Encryption bypass for Chromium browsers. The malware harvests browser passwords, cookies, autofill, crypto wallets, and clipboard data, and uses EtherHiding (blockchain-based C2 resolution) for resilience. Flare's 128-post analysis of REMUS forum activity from Feb 12 to May 8 shows the operation has moved from rapid feature expansion into platform stabilization, with active customer-facing MaaS development.
Group-IB and Flare disclosed PamDOORa, a new Linux backdoor for sale on the Russian-speaking Rehub cybercrime forum at $900 (down from $1,600). PamDOORa hijacks the Linux Pluggable Authentication Module (PAM) framework that handles SSH logins - so it intercepts every legitimate user's password as they authenticate, before any application-level logging fires. The backdoor injects a malicious pam_linux.so module into the authentication stack rather than replacing files. It also tampers with lastlog, btmp, utmp, and wtmp to erase attacker login traces - meaning incident response teams who SSH in to investigate will have their own credentials silently stolen. Group-IB notes the abuse method is not yet in MITRE ATT&CK.