PROBABLYPWNED
Malware · May 19, 2026 · 4 min read

REMUS Infostealer Evolves Into Session-Stealing MaaS Platform

REMUS, a 64-bit Lumma Stealer successor, now offers session theft, EtherHiding blockchain C2, and full MaaS infrastructure targeting browser credentials and auth tokens.

James Rivera

A new infostealer operation called REMUS has rapidly evolved from a basic credential harvester into a sophisticated malware-as-a-service platform with features designed to defeat modern authentication defenses. Flare researchers analyzed 128 posts linked to the REMUS underground operation between February and May 2026, documenting its transformation into what may be the most significant infostealer threat since Lumma Stealer's core developers were publicly doxxed last year.

Gen Digital researchers confirmed that REMUS was developed directly from Lumma Stealer's base code. The timing isn't coincidental—REMUS began circulating in early 2026, closely following the public exposure of Lumma's developers between August and October 2025. Where Lumma's operations became compromised, REMUS operators saw opportunity.

From Credentials to Sessions

The most significant shift in REMUS's capabilities reflects a broader change in the infostealer ecosystem: stolen browser sessions and authentication tokens have become more valuable than passwords alone. When attackers capture an active session, they inherit the victim's logged-in state, bypassing multi-factor authentication, device verification, and other controls that would otherwise block credential-only attacks.

REMUS actively targets session data from Discord, Steam, Riot Games, and Telegram. It also collects IndexedDB contents from browser extensions—a technique that captures auth tokens stored by web applications. Password manager targeting includes 1Password, LastPass, and Bitwarden.

The malware includes SOCKS5 proxy support specifically for session restoration: stolen cookies and tokens are replayed through the victim's apparent network location, so the reused session arrives from the same address the service has already seen and does not trip IP-based anomaly checks. Combined with cookie collection and preservation of the other authentication artifacts a browser keeps, this creates turnkey account takeover capabilities.

MaaS Business Model

Unlike simple malware builders, REMUS operates as an actively maintained service platform. The underground posts Flare analyzed reveal:

  • 24/7 customer support with emphasis on usability
  • Versioned updates and continuous development cycles
  • Worker management systems with nickname tracking for affiliates
  • Statistics dashboards for campaign monitoring
  • Log management including duplicate filtering
  • Restore-token functionality for session persistence
  • Loader execution visibility for infection tracking

February 2026 marked the initial commercial push, with operators emphasizing reliability ("~90% callback rate"). March focused on operational refinement including worker tracking and statistics. By April, session continuity and password manager collection became priorities. May brought stabilization and bug fixes.

EtherHiding: Blockchain-Based C2

REMUS replaces a hardcoded command-and-control address with EtherHiding, a technique that stores the current C2 address inside an Ethereum smart contract. When the malware needs to phone home, it reads the contract (through a blockchain RPC endpoint) rather than resolving a domain or IP baked into the binary.

This makes the resolution step resistant to traditional takedowns and sinkholing. Security teams cannot seize a blockchain contract the way they would a malicious domain, and even when researchers identify the contract address they cannot modify or remove it. Two caveats matter in practice. The contract is immutable to defenders, not to the operator, who can update the stored value at will; and what it returns is still an ordinary C2 endpoint that can be blocked once resolved. The lookup itself also has to reach the chain through some RPC service, so reads of a known contract from hosts that have no business talking to a blockchain node are a usable detection signal. The UNC5342 campaign we covered earlier demonstrated similar blockchain abuse; REMUS represents broader criminal adoption of the technique.
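To make the lookup concrete, here is an added example (not REMUS code, and not from the article or any of the cited researchers) of what an EtherHiding-style resolution looks like on the wire: the JSON-RPC `eth_call` a client sends to read a contract's getter, the ABI decoding of the `string` it gets back, and the defender-side check that flags such reads in captured traffic. The contract address, the 4-byte selector and the returned hostname are hypothetical placeholders; the stdlib has no keccak-256, so the selector is not computed here.

```python
"""
Added example: EtherHiding-style C2 resolution as an Ethereum JSON-RPC
eth_call, ABI decoding of the string reply, and a watchlist check a defender
can run over captured JSON-RPC request bodies. All identifiers are hypothetical.
"""
import json

# Hypothetical contract address and getter selector. A real selector is the
# first 4 bytes of keccak-256(function signature); the stdlib has no keccak,
# so a placeholder constant stands in for it here.
WATCHED_CONTRACT = "0x000000000000000000000000000000000000dead"
GETTER_SELECTOR = bytes.fromhex("12345678")


def build_eth_call(contract: str, selector: bytes, request_id: int = 1) -> dict:
    """JSON-RPC body a client sends to read the contract's current value."""
    return {
        "jsonrpc": "2.0",
        "id": request_id,
        "method": "eth_call",
        "params": [{"to": contract.lower(), "data": "0x" + selector.hex()}, "latest"],
    }


def abi_encode_string(value: str) -> bytes:
    """ABI encoding of a single dynamic `string` return value: a 32-byte offset
    (always 0x20 for one value), a 32-byte length, then the bytes padded to 32."""
    data = value.encode()
    padded = data + b"\x00" * (-len(data) % 32)
    return (32).to_bytes(32, "big") + len(data).to_bytes(32, "big") + padded


def abi_decode_string(result_hex: str) -> str:
    """Inverse of abi_encode_string. Raises on malformed input instead of
    returning garbage, which is what you want in a parser fed by the network."""
    raw = bytes.fromhex(result_hex[2:] if result_hex.startswith("0x") else result_hex)
    if len(raw) < 64:
        raise ValueError("too short for an ABI-encoded string")
    offset = int.from_bytes(raw[:32], "big")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(raw):
        raise ValueError("declared length exceeds payload")
    return raw[start:start + length].decode()


def resolve_c2(rpc_response: dict) -> str:
    """What the client does with the node's reply: extract the C2 locator."""
    return abi_decode_string(rpc_response["result"])


def flag_contract_reads(json_rpc_bodies, watchlist):
    """Defender side: given JSON-RPC request bodies (e.g. from an inspecting
    proxy), return the ids of eth_call requests aimed at watched contracts."""
    watched = {w.lower() for w in watchlist}
    hits = []
    for body in json_rpc_bodies:
        if body.get("method") != "eth_call":
            continue
        params = body.get("params") or []
        if params and isinstance(params[0], dict):
            if params[0].get("to", "").lower() in watched:
                hits.append(body.get("id"))
    return hits


# Constructed sample reply: what an RPC node would return if the contract
# currently stored the hypothetical locator below.
SAMPLE_REPLY = {
    "jsonrpc": "2.0",
    "id": 1,
    "result": "0x" + abi_encode_string("https://c2.example.invalid/gate").hex(),
}

if __name__ == "__main__":
    req = build_eth_call(WATCHED_CONTRACT, GETTER_SELECTOR)
    print(json.dumps(req))
    print("resolved:", resolve_c2(SAMPLE_REPLY))
    other = {"jsonrpc": "2.0", "id": 2, "method": "eth_blockNumber", "params": []}
    print("flagged:", flag_contract_reads([req, other], [WATCHED_CONTRACT]))
```

The detection half is deliberately narrow: it keys on the `to` address, which is the one thing the operator cannot change without redeploying and re-pointing every infected host. Pairing it with an allow-list of hosts that legitimately talk to blockchain RPC endpoints turns an otherwise noisy signal into an actionable one.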

Technical Capabilities

REMUS's documented feature set includes:

Data Collection:

  • Browser credential theft and cookie collection
  • Session and token capture from major platforms
  • Password manager database extraction
  • IndexedDB collection from extensions
  • Gaming platform credential theft

Operational Features:

  • Anti-VM detection to evade analysis
  • Configurable collection targets
  • Chunked exfiltration to avoid detection
  • Affiliate/worker management
  • Statistics and logging infrastructure

Why This Matters

The shift from credential theft to session theft represents a fundamental change in how infostealers operate. A password alone no longer gets an attacker past MFA, device verification or risk-based checks; a stolen session token does, because the service has already performed those checks and the token is the proof.

REMUS's commercialization also lowers barriers for less technical criminals. The MaaS model means anyone willing to pay gets a maintained, supported stealer without understanding the underlying technology. Combined with blockchain-based infrastructure that resists takedowns, this creates a more resilient criminal ecosystem.

Organizations should treat session tokens as high-value secrets requiring the same protection as credentials. Device-bound session credentials, as Chrome's DBSC feature aims to provide, tie a session to a key held on the device so that a copied cookie is useless elsewhere; that may help where it is available. Monitoring for anomalous session usage, such as a session used from an unexpected location, the same session active from different networks at once, or a client string that changes mid-session, can catch stolen session abuse. For teams unfamiliar with infostealer operations, our malware overview guide covers the broader threat landscape.
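As an added example of the monitoring just described (not from the article, not vendor code), the following runs a small stolen-session detector over constructed web access records. It flags a session identifier that is used from a second source network within a short window of its previous use, or whose client string changes mid-session, while leaving a user who changes networks hours later alone. The record layout, the /24 and /48 network grouping and the 30-minute window are assumptions.

```python
"""
Added example: flag sessions that show the replay pattern left by stolen
cookies. Log layout, network prefixes and the time window are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed threshold: a second source network inside this window is treated as
# replay rather than as a user moving between networks.
WINDOW = timedelta(minutes=30)


def source_network(ip: str) -> str:
    """Coarsen an address to /24 (IPv4) or /48 (IPv6). Assumed proxy for 'same
    network': hopping between addresses inside one allocation is normal, a jump
    to another allocation mid-session is not."""
    addr = ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ip_network(f"{addr}/{prefix}", strict=False))


def detect_session_replay(records, window=WINDOW):
    """records: iterable of (timestamp, session_id, source_ip, user_agent, path).
    Returns {session_id: finding} for sessions showing 'network_switch' (used
    from a different network within `window` of the previous use) and/or
    'ua_change' (client string changed mid-session, which a cookie replayed
    from another machine or tool almost always causes)."""
    by_session = defaultdict(list)
    for rec in sorted(records, key=lambda r: r[0]):
        by_session[rec[1]].append(rec)

    findings = {}
    for sid, uses in by_session.items():
        reasons = set()
        prev_ts, _, prev_ip, prev_ua, _ = uses[0]
        for ts, _, ip, ua, _ in uses[1:]:
            if source_network(ip) != source_network(prev_ip) and ts - prev_ts <= window:
                reasons.add("network_switch")
            if ua != prev_ua:
                reasons.add("ua_change")
            prev_ts, prev_ip, prev_ua = ts, ip, ua
        if reasons:
            findings[sid] = {
                "reasons": sorted(reasons),
                "first_seen": uses[0][2],
                "last_seen": uses[-1][2],
                "paths": [u[4] for u in uses],
            }
    return findings


# Constructed sample records using documentation address ranges.
T = datetime.fromisoformat
CHROME = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"
ANDROID = "Mozilla/5.0 (Linux; Android 14) Chrome/124.0 Mobile"
SAMPLE_LOG = [
    # s1: interactive login, then three minutes later the same cookie arrives
    # from another network with a scripting client: the replay pattern.
    (T("2026-05-19T09:00:00"), "s1", "203.0.113.10", CHROME, "/login"),
    (T("2026-05-19T09:01:10"), "s1", "203.0.113.10", CHROME, "/dashboard"),
    (T("2026-05-19T09:04:30"), "s1", "198.51.100.77", "python-requests/2.31.0", "/settings/api-keys"),
    # s2: a phone that moved networks two and a half hours later, same client.
    (T("2026-05-19T09:00:00"), "s2", "192.0.2.5", ANDROID, "/login"),
    (T("2026-05-19T11:30:00"), "s2", "198.51.100.50", ANDROID, "/inbox"),
    # s3: IPv6 address change inside the same /48, same client.
    (T("2026-05-19T10:00:00"), "s3", "2001:db8:1::10", CHROME, "/login"),
    (T("2026-05-19T10:05:00"), "s3", "2001:db8:1::20", CHROME, "/dashboard"),
]

if __name__ == "__main__":
    for sid, finding in detect_session_replay(SAMPLE_LOG).items():
        print(sid, finding)
```

The useful property is the window: it separates a session copied off a victim's machine and replayed within minutes from a legitimate user who changed networks later in the day. Tighten it, or drop it entirely for sessions that reach sensitive paths such as credential or API-key pages, according to how much noise the environment can absorb; the same two checks apply unchanged to refresh-token reuse in an identity provider's logs.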

Security teams should also track the post-Lumma infostealer landscape. REMUS isn't the only operation filling the gap—expect continued evolution as competing operators build on Lumma's foundation while trying to avoid its mistakes.
