Full Report
Stolen browser sessions and authentication tokens are becoming more valuable than stolen passwords. Flare explains how the REMUS infostealer evolved around session theft and operational scalability. [...]
Analysis Summary
# Tool/Technique: REMUS Infostealer
## Overview
REMUS is a modern Malware-as-a-Service (MaaS) info-stealing Trojan that mimics the structure of professional software businesses. It focuses on the rapid extraction of sensitive data with a heavy emphasis on session theft (cookies/tokens) to bypass Multi-Factor Authentication (MFA). It exhibits significant technical similarities to Lumma Stealer, operating as a 64-bit evolution in the infostealer ecosystem.
## Technical Details
- **Type:** Malware Family (Infostealer / MaaS)
- **Platform:** Windows
- **Capabilities:** Credential harvesting, session/cookie theft, password manager extraction, Discord token theft, and automated log management.
- **First Seen:** February 2026 (Active commercial push)
## MITRE ATT&CK Mapping
- **TA0006 - Credential Access**
  - T1539 - Steal Web Session Cookie
  - T1555 - Credentials from Password Stores
  - T1555.003 - Credentials from Web Browsers
- **TA0009 - Collection**
  - T1560 - Archive Collected Data
- **TA0011 - Command and Control**
  - T1071.001 - Web Protocols (C2 via intermediary servers)
  - T1105 - Ingress Tool Transfer (Telegram delivery workflows)
- **TA0005 - Defense Evasion**
  - T1497.001 - System Checks (Anti-VM toggles)
## Functionality
### Core Capabilities
- **Browser Targeting:** Steals credentials, cookies, and autocomplete data from major browsers.
- **Session Continuity:** Prioritizes session theft (authentication tokens) over static passwords to maintain access to accounts.
- **Discord & Crypto:** Automated theft of Discord tokens and cryptocurrency wallet information.
- **Infrastructure Management:** Features a dedicated C2 "intermediary server" system claiming a 90% callback rate.
### Advanced Features
- **Password Manager Targeting:** Specifically extracts `IndexedDB` data from browser extensions including **1Password**, **LastPass**, and **Bitwarden**.
- **Restore-Token Functionality:** Automates the restoration of stolen sessions for the attacker.
- **Operational Scalability:** Includes worker tracking, "nicknames" for logs, statistics dashboards, and duplicate-log filtering for high-volume campaigns.
- **Evasion & Connectivity:** Built-in SOCKS5 proxy support and Anti-VM checks to bypass sandboxes.
## Indicators of Compromise
- **File Hashes:** *(Specific hashes not provided in article; typically distributed as 64-bit executables)*
- **File Names:** References to "loaders" and crypted payloads.
- **Network Indicators:**
  - Communications via Telegram API for log delivery.
  - C2 infrastructure using SOCKS5 proxies.
  - [hxxp]://app[.]flare[.]io (Flare's own monitoring/analysis platform referenced by the source, not malware infrastructure; do not block or hunt on it).
- **Behavioral Indicators:**
  - Rapid file system access to browser profile folders (specifically `Local Storage` and `IndexedDB`).
  - Periodic outbound connections to specialized intermediary servers.
## Associated Threat Actors
- **MaaS Operators:** The specific group remains anonymous but operates as a professional software provider within underground forums (e.g., WWH-Club).
## Detection Methods
- **Behavioral Detection:** Monitor for unauthorized processes accessing browser `IndexedDB` files or `Login Data` databases in `%AppData%`.
- **Network Detection:** Detect unusual SOCKS5 traffic from endpoint devices and monitor for known Telegram Bot API communication patterns used for exfiltration.
- **Endpoint Security:** Look for the execution of unsigned 64-bit binaries that perform VM-awareness checks (CPUID, registry checks).
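The behavioral and network detections above, worked through as an added example that is not part of the Flare report: it runs over constructed, Windows Security Event 4663-style object-access records (assuming a SACL on the browser profile folders produces them) and constructed proxy log lines, flags non-browser processes reading `Login Data`, `IndexedDB` and `Local Storage` artifacts, ranks processes by how many artifact types they touched, and separately flags Telegram Bot API upload calls. The log line layout, the trusted-browser path allowlist, `EXTENSIONID` and `PLACEHOLDER_TOKEN` are all assumptions for the example.

```python
import re

# Constructed sample records (not from the Flare report). They mimic Windows
# Security Event 4663 object-access entries flattened to one line each.
FILE_ACCESS_EVENTS = [
    r"ts=2026-02-10T09:12:01Z pid=4120 image=C:\Program Files\Google\Chrome\Application\chrome.exe object=C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data access=ReadData",
    r"ts=2026-02-10T09:14:37Z pid=7788 image=C:\Users\alice\AppData\Local\Temp\update64.exe object=C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data access=ReadData",
    r"ts=2026-02-10T09:14:38Z pid=7788 image=C:\Users\alice\AppData\Local\Temp\update64.exe object=C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_EXTENSIONID_0.indexeddb.leveldb\000003.log access=ReadData",
    r"ts=2026-02-10T09:14:38Z pid=7788 image=C:\Users\alice\AppData\Local\Temp\update64.exe object=C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\CURRENT access=ReadData",
    r"ts=2026-02-10T09:15:02Z pid=5210 image=C:\Windows\explorer.exe object=C:\Users\alice\Documents\notes.txt access=ReadData",
]

# Constructed proxy log lines (not from the report): ts method host path image
PROXY_EVENTS = [
    "2026-02-10T09:15:40Z POST api.telegram.org /botPLACEHOLDER_TOKEN/sendDocument image=C:\\Users\\alice\\AppData\\Local\\Temp\\update64.exe",
    "2026-02-10T09:16:00Z GET www.example.com / image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
]

EVENT_RE = re.compile(
    r"ts=(?P<ts>\S+) pid=(?P<pid>\d+) image=(?P<image>.+?) object=(?P<object>.+?) access=(?P<access>\S+)$"
)

# Chromium profile artifacts named in the report, matched under any profile
# directory (Default, Profile 1, ...). Cookies path is the current Chromium layout.
SENSITIVE_ARTIFACTS = [
    (r"\\User Data\\[^\\]+\\Login Data$", "chromium_login_data"),
    (r"\\User Data\\[^\\]+\\Network\\Cookies$", "chromium_cookies"),
    (r"\\User Data\\[^\\]+\\IndexedDB\\", "chromium_indexeddb"),
    (r"\\User Data\\[^\\]+\\Local Storage\\", "chromium_local_storage"),
]

# Assumed allowlist. A path allowlist alone is weak (a loader can be dropped
# anywhere); a production rule would also check the image's code signer.
TRUSTED_BROWSER_IMAGES = {
    r"c:\program files\google\chrome\application\chrome.exe",
    r"c:\program files (x86)\microsoft\edge\application\msedge.exe",
    r"c:\program files\mozilla firefox\firefox.exe",
}

TELEGRAM_RE = re.compile(
    r"^(?P<ts>\S+) (?P<method>[A-Z]+) api\.telegram\.org /bot[^/]+/(?P<api_method>send\w+) image=(?P<image>.+)$"
)


def parse_event(line):
    """Return the fields of one 4663-style line, or None if it does not parse."""
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None


def classify_artifact(path):
    """Label a file path if it is one of the browser secrets stores, else None."""
    for pattern, label in SENSITIVE_ARTIFACTS:
        if re.search(pattern, path, re.IGNORECASE):
            return label
    return None


def find_suspicious_accesses(lines):
    """Every read of a browser secrets store by a process that is not a trusted browser."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        label = classify_artifact(ev["object"])
        if label is None or ev["image"].lower() in TRUSTED_BROWSER_IMAGES:
            continue
        hits.append({"ts": ev["ts"], "pid": int(ev["pid"]), "image": ev["image"],
                     "artifact": label, "object": ev["object"]})
    return hits


def rank_processes(hits):
    """Distinct artifact types touched per pid. One process reading credentials,
    IndexedDB and Local Storage within seconds is the stealer pattern, not a user."""
    per_pid = {}
    for h in hits:
        per_pid.setdefault(h["pid"], set()).add(h["artifact"])
    return {pid: len(labels) for pid, labels in per_pid.items()}


def find_telegram_bot_uploads(lines):
    """Bot API send* calls seen at the proxy; a real rule would allowlist approved automation."""
    return [m.groupdict() for m in map(TELEGRAM_RE.match, lines) if m]


if __name__ == "__main__":
    hits = find_suspicious_accesses(FILE_ACCESS_EVENTS)
    for h in hits:
        print(f"{h['ts']} pid={h['pid']} {h['artifact']} <- {h['image']}")
    print("artifact types per pid:", rank_processes(hits))
    print("telegram bot uploads:", find_telegram_bot_uploads(PROXY_EVENTS))
```

Correlating the two signals (a non-browser process that reads several artifact stores and then posts to the Bot API within the same minute) is what turns each weak indicator into a high-confidence alert; the process identity in the proxy log is the join key, and it is only available when the proxy or endpoint agent records it.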
## Mitigation Strategies
- **Token Management:** Implement shorter session timeouts and IP-bound session cookies.
- **Browser Hardening:** Discourage or block the use of browser-based password managers in favor of standalone enterprise-grade solutions.
- **Application Whitelisting:** Use AppLocker or Windows Defender Application Control (WDAC) to prevent the execution of unidentified loaders.
- **MFA:** Shift toward hardware-based MFA (FIDO2) as session/cookie theft can bypass traditional SMS/TOTP MFA.
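The token-management mitigation above (shorter timeouts, session cookies bound to the client), as an added example that is not part of the Flare report or any product's API: a server-side session store that binds each cookie to the IP address and user agent seen at login, enforces an idle and an absolute timeout, and revokes the session outright when a copy of the cookie is presented from elsewhere. The timeout values, the `SessionStore` class and the simulated walkthrough are assumptions for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed policy values (not from the report): tune per application.
IDLE_TIMEOUT_S = 15 * 60        # re-authenticate after 15 min of inactivity
ABSOLUTE_TIMEOUT_S = 8 * 3600   # hard cap: no cookie outlives a working day


@dataclass
class Session:
    user: str
    client_ip: str
    ua_hash: str
    created_at: float
    last_seen_at: float


def _hash(value: str) -> str:
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


class SessionStore:
    """Server-side registry that binds each cookie to the client seen at login."""

    def __init__(self, clock=time.time):
        self._clock = clock  # injectable so the walkthrough is deterministic
        self._sessions: dict[str, Session] = {}

    def create(self, user: str, client_ip: str, user_agent: str) -> str:
        token = secrets.token_urlsafe(32)
        now = self._clock()
        # Store only the hash: a dump of the store must not be a usable cookie jar.
        self._sessions[_hash(token)] = Session(user, client_ip, _hash(user_agent), now, now)
        return token

    def revoke(self, token: str) -> None:
        self._sessions.pop(_hash(token), None)

    def validate(self, token: str, client_ip: str, user_agent: str) -> tuple[bool, str]:
        """Return (ok, user) on success or (False, reason); any failure kills the session."""
        session = self._sessions.get(_hash(token))
        if session is None:
            return False, "unknown_token"
        now = self._clock()
        if now - session.created_at > ABSOLUTE_TIMEOUT_S:
            self.revoke(token)
            return False, "absolute_timeout"
        if now - session.last_seen_at > IDLE_TIMEOUT_S:
            self.revoke(token)
            return False, "idle_timeout"
        if session.client_ip != client_ip:
            # A replayed cookie from another address: revoke so the legitimate
            # holder must log in again and the stolen copy is dead from now on.
            self.revoke(token)
            return False, "ip_mismatch"
        if not hmac.compare_digest(session.ua_hash, _hash(user_agent)):
            self.revoke(token)
            return False, "user_agent_mismatch"
        session.last_seen_at = now
        return True, session.user


def simulate_stolen_cookie_replay() -> list[tuple[bool, str]]:
    """Login, a replay of the same cookie from another address, the victim's
    next request, and an idle-timeout expiry. Addresses are documentation ranges."""
    clock = [1_700_000_000.0]
    store = SessionStore(clock=lambda: clock[0])
    ua = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) ExampleBrowser/1.0"
    token = store.create("alice", "203.0.113.10", ua)
    results = []
    clock[0] += 60
    results.append(store.validate(token, "203.0.113.10", ua))   # (True, "alice")
    clock[0] += 120
    results.append(store.validate(token, "198.51.100.77", ua))  # (False, "ip_mismatch")
    results.append(store.validate(token, "203.0.113.10", ua))   # (False, "unknown_token")
    token2 = store.create("alice", "203.0.113.10", ua)
    clock[0] += IDLE_TIMEOUT_S + 1
    results.append(store.validate(token2, "203.0.113.10", ua))  # (False, "idle_timeout")
    return results


if __name__ == "__main__":
    for ok, detail in simulate_stolen_cookie_replay():
        print("ok" if ok else "rejected", detail)
```

Binding to the exact client IP is the strictest form and breaks for users behind carrier-grade NAT or on mobile networks, whose address changes mid-session; deployments that cannot tolerate that bind to a coarser key (such as the /24 or the ASN) and compensate with the shorter idle timeout and a fresh authentication step before sensitive actions. None of this helps once the attacker relays through the victim's own machine, which is why the hardware-MFA and application-control items above sit alongside it.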
## Related Tools/Techniques
- **Lumma Stealer:** REMUS shares significant code overlaps and targeting mechanisms with Lumma.
- **Medusa/Stealc:** Similar MaaS-style info-stealers focusing on ease of use.
- **Session Hijacking:** The primary technique utilized to bypass MFA.