Remus Malware Bypasses Browser Application‑Bound Encryption Protections

A new 64-bit information-stealing malware family called Remus is raising the bar for credential theft and stealth. Researchers describe Remus as a direct evolution of Lumma Stealer, emerging after alleged Lumma core members were publicly doxxed in mid-to-late 2025. Instead of disappearing, the ecosystem appears to have regrouped and rebuilt.

Early test builds reportedly appeared under the name “Tenzor” around September 2025, acting as a bridge between older Lumma code and today’s Remus campaigns. By February 2026, Remus began circulating in active attacks, positioned as an upgrade rather than a replacement—meaning both Lumma and Remus can exist in parallel across the threat landscape.

What makes Remus especially dangerous is not just what it steals—passwords, cookies, and crypto wallets—but how it steals them. It includes techniques specifically designed to bypass modern browser protections that were introduced to reduce credential dumping and key extraction.


Why Remus Matters: The Stealer Threat Is Evolving Fast

Info-stealers have become one of the most impactful “gateway” threats in modern cybercrime because they can:

  • Capture stored passwords and autofill data
  • Steal session cookies to bypass MFA via session hijacking
  • Extract cryptocurrency wallet data and related credentials
  • Enable downstream attacks like business email compromise, ransomware staging, and cloud takeovers

Remus fits this pattern—but with more advanced tradecraft, including a method for bypassing Application-Bound Encryption protections in Chromium-based browsers and a resilient command-and-control design using blockchain infrastructure.


Core Capability: Bypassing Application‑Bound Encryption in Chromium Browsers

Modern Chromium-based browsers introduced Application-Bound Encryption to make credential theft harder: the key that protects stored secrets is bound to the browser itself, so it is meant to be usable only from within a legitimate browser process rather than by any other process running as the same user.

Remus reportedly bypasses this protection using a technique that stands out for its precision:

  • It injects a custom, lightweight 51-byte shellcode into the memory space of a browser process
  • That shellcode searches memory for a protected master key referred to as v20_master_key
  • Once found, the malware can use that key material to decrypt and extract stored secrets

Why this is significant:

  • Many stealers rely on “standard” extraction methods and external tooling
  • Remus uses a minimal in-memory approach designed to reduce footprints and increase reliability
  • It targets the critical moment when key material exists in memory during runtime

Key takeaway: Remus is designed to defeat browser defenses by operating inside the browser process where protected material becomes accessible during execution.


Beyond Passwords: Session Cookies and Crypto Wallet Theft

Remus is positioned as a full-spectrum infostealer with multiple theft objectives:

Session cookie theft (high impact)

Session cookies can allow attackers to:

  • Hijack authenticated sessions
  • Access email and cloud portals without needing the password again
  • Bypass MFA in scenarios where the session is already trusted

Cryptocurrency wallet targeting

Remus also targets crypto assets, which commonly include:

  • Wallet extensions and local wallet artifacts
  • Potentially seed phrases or wallet files (depending on the environment)
  • Stored credentials used for exchanges and crypto services

Key takeaway: Cookie theft is often more immediately valuable than passwords, and crypto theft provides direct monetization without the friction of enterprise compromise.


Major Architecture Upgrade: EtherHiding for Command-and-Control

One of the biggest shifts in Remus is its adoption of EtherHiding for command-and-control (C2) resolution.

Earlier stealer families often used “dead drop” resolvers:

  • Social profiles
  • Public posts
  • Messaging channels

Remus reportedly replaces that with blockchain-based resolution:

  • The malware contains a hardcoded Ethereum smart contract address
  • It queries the contract to retrieve a hex-encoded response
  • That response contains the active server URL used for C2

Why this is strategically powerful:

  • Blockchain records are decentralized and difficult to remove
  • Traditional takedown requests have limited effect
  • Infrastructure becomes harder to disrupt through normal domain/hosting interventions

Key takeaway: Remus reduces defender leverage by moving C2 discovery into a decentralized system designed to be resilient to takedowns.


Anti-Analysis and Evasion: Built to Die Quietly

Remus also includes aggressive anti-analysis behavior designed to avoid sandboxes and researcher environments.

During startup, it reportedly performs checks such as:

  • Scanning for known sandbox and analysis-related DLLs (including those linked to some security products)
  • Inspecting document directories for “honeypot” files that indicate a controlled environment

If any trigger is detected, Remus terminates itself immediately and silently.

Why this matters:

  • Many automated analysis pipelines rely on predictable environments
  • Early self-termination reduces visibility and sample enrichment
  • It slows detection engineering and IOC extraction

Key takeaway: Remus is engineered to minimize learnable behavior in lab environments, which increases time-to-detection in the real world.


What Defenders Should Watch For (Practical Guidance)

Even advanced stealers leave patterns. Security teams can reduce risk by focusing on:

Endpoint controls

  • Block or restrict process injection behaviors and suspicious memory modifications
  • Monitor for unusual child processes spawned by browsers
  • Detect unexpected access to browser credential stores and cookie databases
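The three endpoint controls above can be expressed as simple detection rules. The following is an added example written for this article, not code from the researchers or any vendor; it runs over a handful of constructed telemetry events in a simplified Sysmon-like shape (the field names are an assumption, not a product schema). The browser image names, the allowlist of expected browser children, and the "update.exe" path are constructed values to tune per environment; the Chromium profile file names (Login Data, Cookies, Local State, Web Data) and the Windows process-access right constants are real.

```python
"""Endpoint detection rules for the three 'Endpoint controls' bullets (added example).

Rules:
  1. browser_unexpected_child     - a browser spawns a child outside an allowlist
  2. browser_injection_access     - a non-browser process opens a browser process with
                                    rights sufficient to write memory / create threads
  3. credential_store_access      - a non-browser process reads a Chromium profile secret store
The event layout below is a simplified assumption, not a vendor schema.
"""
from dataclasses import dataclass
from typing import List

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe"}
# Children a Chromium browser legitimately spawns (assumption; tune per environment).
EXPECTED_BROWSER_CHILDREN = BROWSERS | {"software_reporter_tool.exe"}
# Chromium profile files that hold encrypted credentials/cookies/key material (real file names).
CREDENTIAL_STORE_FILES = {"login data", "cookies", "local state", "web data"}

# Windows process access rights (real constants) that permit injecting into another process.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECTION_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE


@dataclass
class Event:
    kind: str            # "process_create" | "process_access" | "file_access"
    source_image: str    # acting (parent / requesting) process image path
    target: str          # child image, target process image, or file path
    granted_access: int = 0  # access mask, only meaningful for process_access


@dataclass
class Alert:
    rule: str
    source: str
    target: str


def image_name(path: str) -> str:
    """Lower-cased final path component, tolerant of either slash style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def in_browser_profile(path: str) -> bool:
    """True when the path sits under a Chromium 'User Data' directory."""
    return "/user data/" in path.replace("\\", "/").lower()


def evaluate(events: List[Event]) -> List[Alert]:
    """Apply the three rules and return the alerts in event order."""
    alerts: List[Alert] = []
    for e in events:
        src = image_name(e.source_image)
        dst = image_name(e.target)
        if e.kind == "process_create" and src in BROWSERS and dst not in EXPECTED_BROWSER_CHILDREN:
            alerts.append(Alert("browser_unexpected_child", e.source_image, e.target))
        elif (e.kind == "process_access" and src not in BROWSERS and dst in BROWSERS
              and e.granted_access & INJECTION_MASK):
            alerts.append(Alert("browser_injection_access", e.source_image, e.target))
        elif (e.kind == "file_access" and src not in BROWSERS
              and dst in CREDENTIAL_STORE_FILES and in_browser_profile(e.target)):
            alerts.append(Alert("credential_store_access", e.source_image, e.target))
    return alerts


# Constructed sample telemetry (not real captures).
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
PROFILE = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default"
SUSPECT = r"C:\Users\alice\AppData\Local\Temp\update.exe"   # hypothetical dropper path

SAMPLE_EVENTS = [
    Event("process_create", CHROME, CHROME),                                    # renderer spawn: expected
    Event("process_create", CHROME, r"C:\Windows\System32\cmd.exe"),            # shell from browser: alert
    Event("process_access", r"C:\Windows\System32\csrss.exe", CHROME, 0x1000),  # query-only rights: benign
    Event("process_access", SUSPECT, CHROME, 0x1FFFFF),                         # full access: alert
    Event("file_access", CHROME, PROFILE + r"\Login Data"),                     # browser reads own store: benign
    Event("file_access", SUSPECT, PROFILE + r"\Login Data"),                    # foreign read: alert
    Event("file_access", SUSPECT, PROFILE + r"\Network\Cookies"),               # foreign cookie read: alert
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f"{a.rule:28} {a.source} -> {a.target}")
```

The access-mask check is the rule most relevant to the in-memory technique described earlier: a foreign process asking for write or thread-creation rights on a browser process is unusual in most fleets, and it fires before any credential file is touched. Expect to allowlist legitimate EDR and accessibility tooling that opens browser processes with broad rights.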

Identity and session hardening

  • Enforce conditional access policies that evaluate session risk continuously
  • Use token protection where possible
  • Reduce session lifetimes for high-risk apps and admin portals

Browser hygiene at scale

  • Limit password storage in browsers for corporate environments
  • Use managed password managers with stronger controls
  • Disable unnecessary extensions and restrict extension installs via enterprise policy

Crypto security hygiene (where relevant)

  • Isolate wallet activity to dedicated devices where possible
  • Avoid storing sensitive wallet data on general-purpose endpoints
  • Monitor for unauthorized wallet extension installs or suspicious wallet file access

Indicators of Compromise (Defanged)

Note: Indicators are intentionally defanged (e.g., “[.]”) to prevent accidental resolution. Re-fang only in controlled threat intel systems such as MISP, VirusTotal, or SIEM platforms.

C2 Infrastructure (IP / Port)

  • 217[.]156[.]122[.]12:80
  • 217[.]156[.]122[.]57:80
  • 217[.]156[.]122[.]75:1378
  • 45[.]151[.]106[.]110:80

Operational tip: Add these to controlled blocklists and hunting queries, but avoid pasting refanged values into open tools or browsers.
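A hunting query that follows the operational tip above, written as an added example for this article rather than taken from any vendor tooling: the indicators are kept defanged in the source exactly as listed, are refanged only in memory for comparison, and nothing is resolved or contacted. The log format is a constructed, simplified proxy/firewall line (timestamp, source IP, destination IP:port, action) and the sample lines are constructed; adapt the regular expression to your own log schema.

```python
"""Match the article's defanged C2 indicators against constructed proxy/firewall log lines (added example).

Indicators stay defanged in source and are refanged only in memory; the script performs no
network activity. The log line format is a constructed assumption, not a vendor format.
"""
import re
from ipaddress import ip_address
from typing import Dict, List, Set, Tuple

# Indicators exactly as published, defanged with "[.]".
DEFANGED_C2 = [
    "217[.]156[.]122[.]12:80",
    "217[.]156[.]122[.]57:80",
    "217[.]156[.]122[.]75:1378",
    "45[.]151[.]106[.]110:80",
]


def refang(indicator: str) -> Tuple[str, int]:
    """Turn 'a[.]b[.]c[.]d:port' into ('a.b.c.d', port), validating the address."""
    host, _, port = indicator.replace("[.]", ".").partition(":")
    ip_address(host)  # raises ValueError on a malformed indicator
    return host, int(port)


C2_SET: Set[Tuple[str, int]] = {refang(i) for i in DEFANGED_C2}
C2_IPS: Set[str] = {ip for ip, _ in C2_SET}

# Constructed sample log lines: "<timestamp> <src_ip> -> <dst_ip>:<dst_port> <action>".
# 203.0.113.0/24 is documentation address space used here for the benign line.
SAMPLE_LOG = """\
2026-02-10T09:12:01Z 10.0.0.25 -> 203.0.113.10:443 allow
2026-02-10T09:12:07Z 10.0.0.25 -> 217.156.122.12:80 allow
2026-02-10T09:12:09Z 10.0.0.31 -> 217.156.122.75:1378 allow
2026-02-10T09:12:11Z 10.0.0.31 -> 217.156.122.75:443 allow
2026-02-10T09:13:44Z 10.0.0.40 -> 45.151.106.110:80 deny
"""

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\d+\.\d+\.\d+\.\d+):(\d+) (\w+)$")


def hunt(log_text: str) -> Tuple[List[Dict], List[Dict]]:
    """Return (exact ip:port hits, same-IP-different-port hits) in log order.

    The second list catches infrastructure reuse on ports not in the published list,
    which is worth a look even though it is not an exact indicator match.
    """
    exact: List[Dict] = []
    ip_only: List[Dict] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; in production, count these rather than drop silently
        ts, src, dst, port, action = m.groups()
        hit = {"time": ts, "src": src, "dst": dst, "port": int(port), "action": action}
        if (dst, int(port)) in C2_SET:
            exact.append(hit)
        elif dst in C2_IPS:
            ip_only.append(hit)
    return exact, ip_only


if __name__ == "__main__":
    exact_hits, ip_hits = hunt(SAMPLE_LOG)
    for h in exact_hits:
        print(f"C2 match    {h['time']} {h['src']} -> {h['dst']}:{h['port']} ({h['action']})")
    for h in ip_hits:
        print(f"C2 IP only  {h['time']} {h['src']} -> {h['dst']}:{h['port']} ({h['action']})")
```

A "deny" action on a matching line is still a finding: the host attempted the connection, so it should be triaged as a likely infection even though the firewall blocked the beacon.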


Common Misconceptions to Avoid

“Browsers are safe now because of encryption.”
Encryption helps—but attackers can still target keys during runtime, especially via process injection and memory access.

“MFA stops credential theft.”
MFA is critical, but cookie/session theft can bypass MFA by reusing authenticated sessions.

“Stealers are just consumer threats.”
Stealers frequently become the first stage in enterprise intrusion chains, enabling cloud compromise, lateral movement, and ransomware access.


FAQs

What is Remus malware?
Remus is a 64-bit information-stealing malware designed to steal browser credentials, session cookies, and cryptocurrency wallet data.

How does Remus bypass Application-Bound Encryption?
It injects small shellcode into the browser process memory to locate protected key material and enable decryption of stored secrets.

Why is EtherHiding important?
It uses blockchain-based smart contracts to resolve C2 infrastructure, making takedowns harder and infrastructure more resilient.

What’s the biggest risk to organizations?
Session cookie theft can enable account takeover even with MFA, and credential theft can provide entry into cloud apps and internal systems.

What should defenders do first?
Harden endpoints against injection, restrict browser password storage, tighten session controls, and monitor for suspicious browser process activity.


Conclusion

Remus reflects the next stage of infostealer evolution: stronger browser bypass techniques, more resilient infrastructure, and aggressive anti-analysis behavior.

Its ability to undermine Application-Bound Encryption and hide C2 discovery using blockchain-based methods makes it particularly challenging for defenders relying on traditional disruption strategies.

Key takeaway: Treat info-stealers as high-priority threats. They are no longer “password grabbers”—they’re often the starting point for larger compromises, including cloud takeover and financial theft.
