Remus Infostealer Targets Browsers with Lumma-Style Key Theft
Key Takeaways Remus is a newly identified infostealer, emerging around January-February 2026, and is believed to be a successor or evolution of the highly advanced Lumma Stealer. It targets...
Key Takeaways
- Remus is a newly identified infostealer, emerging around January-February 2026, and is believed to be a successor or evolution of the highly advanced Lumma Stealer.
- It targets Chromium-based browsers to steal passwords, cookies, and cryptocurrency wallets by bypassing Application-Bound Encryption (ABE) through in-memory key decryption.
- Remus features significant upgrades over Lumma, including a 64-bit architecture, enhanced evasion techniques, and the use of EtherHiding for resilient command-and-control (C2) communication via Ethereum blockchain smart contracts.
- The malware incorporates advanced anti-analysis capabilities, detecting virtual machines, sandboxes, and specific honeypot files to avoid detection.
Next-Generation Infostealer: Remus Emerges with Lumma’s Advanced Tactics
A formidable new information stealer, dubbed Remus, has surfaced, inheriting sophisticated techniques from the notorious Lumma Stealer. This advanced malware is designed to exfiltrate sensitive data, including browser passwords, cookies, and cryptocurrency wallet information.
Table Of Content
Remus first appeared in the wild between January and February 2026, following a significant disruption to Lumma Stealer’s operations. A doxxing campaign from late August to October 2025 exposed alleged core members of the Lumma group, severely impacting their activities. Cybersecurity researchers suspect that some of Lumma’s original developers either branched off or re-established their operations under the new Remus moniker, marking an evolution in the threat landscape.
Tracing the Lineage: From Tenzor to Remus
Analysts at Gen Threat Labs were instrumental in identifying Remus, tracing its development back to test builds labeled “Tenzor.” These builds, dated September 16, 2025, served as an intermediary phase between Lumma and the current Remus variant. Researchers Vojtech Krejsa and Jan Rubin have classified Remus as a new 64-bit iteration within the Lumma family, noting that Lumma itself was originally a 32-bit operation.
The striking similarities between Remus and Lumma underscore their shared heritage. Both employ identical string obfuscation methods, integrate anti-virtual machine checks, exhibit nearly identical code structures, and utilize a unique browser encryption bypass mechanism previously exclusive to Lumma Stealer. This high degree of overlap strongly indicates a common origin.
While Lumma campaigns persist globally, Remus is not merely a replacement but rather a substantial upgrade. It modernizes the architecture to 64-bit and incorporates newer evasion techniques. The emergence of Remus signifies an expanding threat from an actor group that has consistently proven difficult to neutralize.
Advanced Browser Key Theft and Evasion
Lumma-Style Browser Key Theft
One of Remus’s most concerning inherited capabilities is its method for compromising browser-protected data. It specifically targets Application-Bound Encryption (ABE), a security layer used by Chromium-based browsers to safeguard sensitive keys stored on disk.
Instead of attempting to extract the key from disk, Remus injects a compact shellcode directly into the active browser process. This shellcode then locates and decrypts the master key from within the browser’s memory. This sophisticated technique was previously only observed in Lumma Stealer.

Remus scans for a particular byte pattern within the browser’s code, identifies the encrypted key in memory, and leverages the browser’s own decryption functions to unlock it. Notably, Remus’s injected shellcode is more compact at 51 bytes compared to Lumma’s 62 bytes, suggesting ongoing optimization.
Should direct injection into an existing browser process fail, Remus deploys an alternative strategy: it launches a hidden browser instance on a separate, user-invisible desktop. Unlike Lumma, which used a static desktop name, Remus generates a unique 16-character random string for each hidden desktop. This dynamic naming convention makes it considerably more challenging for security tools relying on fixed patterns to detect the malware’s activity.
EtherHiding and Anti-Analysis Evasion
Remus introduces a significant advancement in its command-and-control (C2) communication infrastructure. While Lumma previously relied on platforms like Steam and Telegram to host C2 server addresses, Remus now utilizes EtherHiding. This technique embeds the C2 server address within an Ethereum blockchain smart contract, rendering its infrastructure far more resilient to disruption.

The decentralized nature of blockchain data means it cannot be removed by any single platform operator, effectively eliminating a crucial defensive leverage point that worked against Lumma. Remus queries the smart contract via a public endpoint at runtime to retrieve the current server address, ensuring persistent C2 connectivity.
Furthermore, Remus incorporates robust anti-analysis and evasion mechanisms. Before execution, it performs checks to detect analysis tools and sandbox environments. It scans for DLLs associated with known analysis platforms and verifies the presence of a specific honeypot file on disk. If any of these checks are triggered, the malware terminates silently, preventing its behavior from being observed and analyzed. These advanced capabilities position Remus as a stealthier and more sophisticated threat requiring immediate attention from security teams.
What You Should Do
- Implement Multi-Factor Authentication (MFA): Enable MFA on all accounts, especially those accessing sensitive data or cryptocurrency wallets, to mitigate the impact of stolen credentials.
- Keep Browsers and Software Updated: Ensure all web browsers (especially Chromium-based ones) and operating systems are updated to the latest versions to patch known vulnerabilities that infostealers might exploit.
- Deploy Endpoint Detection and Response (EDR): Utilize EDR solutions with behavioral analysis capabilities to detect and block suspicious process injection and in-memory key decryption attempts.
- Educate Users on Phishing and Social Engineering: Infostealers often rely on social engineering tactics and phishing emails to gain initial access. Regular user training can reduce the risk of successful attacks.
- Backup Cryptocurrency Wallet Keys Securely: Store private keys and seed phrases for cryptocurrency wallets offline and in encrypted formats, separate from your primary system.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.