Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7
Tag: remus (1 article)Clear

REMUS infostealer profiled - 64-bit Lumma successor with EtherHiding C2 and Chromium ABE bypass

Flare published a deep profile of REMUS, the 64-bit infostealer that emerged in early 2026 after Lumma Stealer's core operators were doxxed in late 2025. Gen Threat Labs links REMUS directly to Lumma's codebase through 'Tenzor' transitional builds from September 2025, identical string obfuscation, anti-VM checks via cpuid leaf 0x40000000, and a refined Application-Bound Encryption bypass for Chromium browsers. The malware harvests browser passwords, cookies, autofill, crypto wallets, and clipboard data, and uses EtherHiding (blockchain-based C2 resolution) for resilience. Flare's 128-post analysis of REMUS forum activity from Feb 12 to May 8 shows the operation has moved from rapid feature expansion into platform stabilization, with active customer-facing MaaS development.

Check
Hunt for processes reading Chromium browser process memory to extract master keys, look for outbound traffic resolving C2 through Ethereum or other blockchain RPC endpoints (EtherHiding), and review browser cookie store access patterns.
Affected
Enterprises with users running Chromium-based browsers (Chrome, Edge, Brave) and saved passwords or session cookies. Crypto-holding individuals and finance, accounting, and developer roles with broad SaaS account access face elevated session-theft risk.
Fix
Roll out Application-Bound Encryption hardening on managed Chromium browsers, enforce conditional access with continuous access evaluation to invalidate stolen sessions, block known REMUS C2 indicators, and replace browser-stored passwords with an enterprise password manager.