Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Critical Linux and Ubiquiti Flaws, Accenture Breach, Android Exploit
July 12, 2026
Microsoft Teams macOS Bug Exposes Screen Sharing Content
July 12, 2026
Apple Sues OpenAI and Ex-Staff Over Alleged Trade Secret Theft
July 12, 2026
Home/Threats/Remus Infostealer Targets Browsers with Lumma-Style Key Theft
Threats

Remus Infostealer Targets Browsers with Lumma-Style Key Theft

Key Takeaways Remus is a newly identified infostealer, emerging around January-February 2026, and is believed to be a successor or evolution of the highly advanced Lumma Stealer. It targets...

Emy Elsamnoudy
Emy Elsamnoudy
May 6, 2026 4 Min Read
49 0

Key Takeaways

  • Remus is a newly identified infostealer, emerging around January-February 2026, and is believed to be a successor or evolution of the highly advanced Lumma Stealer.
  • It targets Chromium-based browsers to steal passwords, cookies, and cryptocurrency wallets by bypassing Application-Bound Encryption (ABE) through in-memory key decryption.
  • Remus features significant upgrades over Lumma, including a 64-bit architecture, enhanced evasion techniques, and the use of EtherHiding for resilient command-and-control (C2) communication via Ethereum blockchain smart contracts.
  • The malware incorporates advanced anti-analysis capabilities, detecting virtual machines, sandboxes, and specific honeypot files to avoid detection.

Next-Generation Infostealer: Remus Emerges with Lumma’s Advanced Tactics

A formidable new information stealer, dubbed Remus, has surfaced, inheriting sophisticated techniques from the notorious Lumma Stealer. This advanced malware is designed to exfiltrate sensitive data, including browser passwords, cookies, and cryptocurrency wallet information.

Table Of Content

  • Key Takeaways
  • Next-Generation Infostealer: Remus Emerges with Lumma’s Advanced Tactics
  • Tracing the Lineage: From Tenzor to Remus
  • Advanced Browser Key Theft and Evasion
  • Lumma-Style Browser Key Theft
  • EtherHiding and Anti-Analysis Evasion
  • What You Should Do

Remus first appeared in the wild between January and February 2026, following a significant disruption to Lumma Stealer’s operations. A doxxing campaign from late August to October 2025 exposed alleged core members of the Lumma group, severely impacting their activities. Cybersecurity researchers suspect that some of Lumma’s original developers either branched off or re-established their operations under the new Remus moniker, marking an evolution in the threat landscape.

Tracing the Lineage: From Tenzor to Remus

Analysts at Gen Threat Labs were instrumental in identifying Remus, tracing its development back to test builds labeled “Tenzor.” These builds, dated September 16, 2025, served as an intermediary phase between Lumma and the current Remus variant. Researchers Vojtech Krejsa and Jan Rubin have classified Remus as a new 64-bit iteration within the Lumma family, noting that Lumma itself was originally a 32-bit operation.

The striking similarities between Remus and Lumma underscore their shared heritage. Both employ identical string obfuscation methods, integrate anti-virtual machine checks, exhibit nearly identical code structures, and utilize a unique browser encryption bypass mechanism previously exclusive to Lumma Stealer. This high degree of overlap strongly indicates a common origin.

While Lumma campaigns persist globally, Remus is not merely a replacement but rather a substantial upgrade. It modernizes the architecture to 64-bit and incorporates newer evasion techniques. The emergence of Remus signifies an expanding threat from an actor group that has consistently proven difficult to neutralize.

Advanced Browser Key Theft and Evasion

Lumma-Style Browser Key Theft

One of Remus’s most concerning inherited capabilities is its method for compromising browser-protected data. It specifically targets Application-Bound Encryption (ABE), a security layer used by Chromium-based browsers to safeguard sensitive keys stored on disk.

Instead of attempting to extract the key from disk, Remus injects a compact shellcode directly into the active browser process. This shellcode then locates and decrypts the master key from within the browser’s memory. This sophisticated technique was previously only observed in Lumma Stealer.

Remus decrypting the hex pattern used in the ABE bypass (Source - GenDigital)
Remus decrypting the hex pattern used in the ABE bypass (Source – GenDigital)

Remus scans for a particular byte pattern within the browser’s code, identifies the encrypted key in memory, and leverages the browser’s own decryption functions to unlock it. Notably, Remus’s injected shellcode is more compact at 51 bytes compared to Lumma’s 62 bytes, suggesting ongoing optimization.

Should direct injection into an existing browser process fail, Remus deploys an alternative strategy: it launches a hidden browser instance on a separate, user-invisible desktop. Unlike Lumma, which used a static desktop name, Remus generates a unique 16-character random string for each hidden desktop. This dynamic naming convention makes it considerably more challenging for security tools relying on fixed patterns to detect the malware’s activity.

EtherHiding and Anti-Analysis Evasion

Remus introduces a significant advancement in its command-and-control (C2) communication infrastructure. While Lumma previously relied on platforms like Steam and Telegram to host C2 server addresses, Remus now utilizes EtherHiding. This technique embeds the C2 server address within an Ethereum blockchain smart contract, rendering its infrastructure far more resilient to disruption.

Remus resolving a C2 using EtherHiding (Source – GenDigital)

The decentralized nature of blockchain data means it cannot be removed by any single platform operator, effectively eliminating a crucial defensive leverage point that worked against Lumma. Remus queries the smart contract via a public endpoint at runtime to retrieve the current server address, ensuring persistent C2 connectivity.

Furthermore, Remus incorporates robust anti-analysis and evasion mechanisms. Before execution, it performs checks to detect analysis tools and sandbox environments. It scans for DLLs associated with known analysis platforms and verifies the presence of a specific honeypot file on disk. If any of these checks are triggered, the malware terminates silently, preventing its behavior from being observed and analyzed. These advanced capabilities position Remus as a stealthier and more sophisticated threat requiring immediate attention from security teams.

What You Should Do

  • Implement Multi-Factor Authentication (MFA): Enable MFA on all accounts, especially those accessing sensitive data or cryptocurrency wallets, to mitigate the impact of stolen credentials.
  • Keep Browsers and Software Updated: Ensure all web browsers (especially Chromium-based ones) and operating systems are updated to the latest versions to patch known vulnerabilities that infostealers might exploit.
  • Deploy Endpoint Detection and Response (EDR): Utilize EDR solutions with behavioral analysis capabilities to detect and block suspicious process injection and in-memory key decryption attempts.
  • Educate Users on Phishing and Social Engineering: Infostealers often rely on social engineering tactics and phishing emails to gain initial access. Regular user training can reduce the risk of successful attacks.
  • Backup Cryptocurrency Wallet Keys Securely: Store private keys and seed phrases for cryptocurrency wallets offline and in encrypted formats, separate from your primary system.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

MalwareSecurityThreat

Share Article

Emy Elsamnoudy

Emy Elsamnoudy

Emy is a cybersecurity analyst and reporter specializing in threat hunting, defense strategies, and industry trends. With expertise in proactive security measures, Emily covers the tools and techniques organizations use to detect and prevent cyber attacks. She is a regular speaker at security conferences and has contributed to industry reports on threat intelligence and security operations. Emily's reporting focuses on helping organizations improve their security posture through practical, actionable insights.

Previous Post

Critical Ivanti EPMM Zero-Auth Flaw Exposes DoD Data

Next Post

Iranian Hackers Target Oman Ministries with Webshells and Data Theft

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Dell BIOS Critical Flaw Exposes Admin Passwords From SPI Flash
July 11, 2026
CISA Report Details Lessons Learned From AWS GovCloud Credential Leak
July 11, 2026
281 Android VPN Apps Leak Sensitive Data, Transfer Data Unencrypted
July 11, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us