On April 7, 2026, Gen Threat Labs, the research arm of Gen Digital, published a detailed technical analysis of Remus, a new 64-bit infostealer attributed to the Lumma Stealer family. Active Remus campaigns have been observed since February 2026, a few months after a doxxing campaign between August and October 2025 exposed the presumed core members of the Lumma organization and significantly disrupted its operations. Remus is not a replacement for Lumma, since both families currently coexist in the wild, but a deliberate evolution, most likely born from a fork or rebranding initiated during the period of maximum operational pressure on the original group.
The attribution case built by Gen Threat Labs rests on six technical indicators establishing codebase continuity. The most distinctive is the Application-Bound Encryption (ABE) bypass for Chromium browsers: both Lumma and Remus inject a compact shellcode into the browser process to locate the v20_master_key directly in memory and call CryptUnprotectMemory from inside the browser's own process context, which is the only context in which that call succeeds, because Chromium protects the key with CryptProtectMemory's same-process flag. The two shellcodes differ by eleven bytes (51 bytes for Remus versus 62 for Lumma); two independent authors are unlikely to arrive at implementations this close. Additional shared indicators include near-identical string obfuscation via stack assembly with decryption loops reinforced by mixed boolean-arithmetic (MBA) expressions, direct syscall dispatch via runtime ntdll hash-to-SSN (system service number) lookup tables, identical anti-VM CPUID checks against five hypervisor signatures in the same order, a shared crypter presence check via NtRaiseHardError, and overlapping control-flow obfuscation patterns. The attribution chain is anchored by transitional builds labeled Tenzor, compiled September 16, 2025, at the peak of the disruption period, which carry both a Steam dead drop resolver matching confirmed Lumma samples and artifacts exclusive to Remus.
The most operationally significant evolution in Remus is the abandonment of Steam and Telegram dead drop resolvers in favor of EtherHiding. At runtime, Remus sends a JSON-RPC eth_call request to a hardcoded Ethereum smart contract address via a public RPC endpoint and extracts the C2 URL from the hex-encoded response (in the EtherHiding pattern, typically the ABI encoding of a string return value). An eth_call is a free read that needs no wallet and leaves no on-chain trace, so the only network artifact is an HTTPS POST to a legitimate RPC provider. The contract address baked into the binary never changes, but the value the contract returns is held in contract storage that its owner can overwrite with a single transaction, so the operator can rotate the C2 URL without rebuilding the malware, and there is no registrar, hosting provider or platform operator to serve a takedown request on. Remus also introduces two additional anti-analysis checks before any C2 connection: sandbox DLL detection via CRC32 hashing of loaded module names against eleven known sandbox DLL hashes, and honeypot PST detection via enumeration of a specific Outlook PST filename. If either check triggers, the binary terminates silently via ExitProcess(0).
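To make the resolver step concrete, the following Python is an added illustration of how a C2 URL is recovered from an EtherHiding-style eth_call response; it is not code from Remus or from the Gen Threat Labs report. The contract address, 4-byte function selector, RPC hostname and C2 URL are constructed placeholders, and the "response" is built locally so nothing touches the network. The decoding follows the standard Solidity ABI layout for a single string return value (32-byte offset, 32-byte length, UTF-8 bytes right-padded to 32), which is an assumption about how such a contract is written rather than a documented Remus detail.

```python
"""Decode an EtherHiding-style eth_call response to recover a C2 URL.

Added example; not Remus or Gen Threat Labs code. All identifiers below are
constructed placeholders and the response is synthesized locally.
"""
import json
from typing import Optional

# Constructed placeholders (NOT real indicators).
CONTRACT = "0x" + "ab" * 20          # hypothetical contract address
SELECTOR = "0x20965255"              # hypothetical 4-byte function selector
PUBLIC_RPC = "https://rpc.example/"  # hypothetical public RPC endpoint


def build_eth_call_request(contract: str, selector: str, req_id: int = 1) -> str:
    """JSON-RPC body a client POSTs to read a view function; no wallet or gas needed."""
    body = {
        "jsonrpc": "2.0",
        "id": req_id,
        "method": "eth_call",
        "params": [{"to": contract, "data": selector}, "latest"],
    }
    return json.dumps(body)


def abi_encode_string(text: str) -> str:
    """ABI-encode one `string` return value; used here only to build sample data."""
    data = text.encode("utf-8")
    padded = data + b"\x00" * (-len(data) % 32)
    head = (32).to_bytes(32, "big") + len(data).to_bytes(32, "big")
    return "0x" + (head + padded).hex()


def decode_abi_string(result_hex: str) -> Optional[str]:
    """Recover the string from an eth_call `result`; None if empty or malformed."""
    if not result_hex.startswith("0x"):
        return None
    try:
        raw = bytes.fromhex(result_hex[2:])
    except ValueError:             # odd length or non-hex characters
        return None
    if len(raw) < 64:              # "0x" alone: no code at that address or wrong selector
        return None
    offset = int.from_bytes(raw[0:32], "big")
    if offset + 32 > len(raw):
        return None
    length = int.from_bytes(raw[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(raw):  # truncated data or a lying length field
        return None
    return raw[start:start + length].decode("utf-8", errors="replace")


def extract_c2_url(response_json: str) -> Optional[str]:
    """Parse the JSON-RPC envelope and decode the string the contract returned."""
    resp = json.loads(response_json)
    if "error" in resp or "result" not in resp:
        return None
    return decode_abi_string(resp["result"])


# Constructed sample response, shaped like what a public RPC node returns.
SAMPLE_RESPONSE = json.dumps({
    "jsonrpc": "2.0",
    "id": 1,
    "result": abi_encode_string("https://c2.example/api"),
})

if __name__ == "__main__":
    print("request :", build_eth_call_request(CONTRACT, SELECTOR))
    print("response:", SAMPLE_RESPONSE)
    print("c2 url  :", extract_c2_url(SAMPLE_RESPONSE))  # https://c2.example/api
```

Note that the URL travels hex-encoded but not encrypted: anything that can see the RPC response body (a TLS-inspecting proxy, a sandbox with network capture) can decode it exactly as above, and the request body carries the contract address and selector in clear, which is what makes the traffic detectable despite the takedown-resistant hosting.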
For detection: monitor for JSON-RPC eth_call requests toward public Ethereum endpoints originating from workstations; outside teams that run Web3 tooling this is anomalous behavior with a very low false positive rate. Because the request is an ordinary HTTPS POST, the method name is only visible where TLS inspection exposes request bodies; without it, fall back to alerting on workstation-class assets contacting known public RPC provider hostnames. Monitor for hidden desktop creation via CreateDesktopW combined with a browser process launch. Deploy the Remus-specific detection rules published by SOCPrime covering direct syscall usage, API hashing, and stealth execution artifacts. Any organization that has relied on Steam or Telegram dead drop blocking as a Lumma detection signal should treat that control as deprecated: it still applies to Lumma, which remains active, but it does not cover Remus.
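The following Python is an added example of the eth_call detection described above, run over constructed telemetry; it is not one of the SOCPrime rules and not Gen Threat Labs code. The log schema (one JSON object per line with source host, asset class, destination host, HTTP method and, where TLS inspection exposes it, the request body), the public RPC hostnames and the asset classes are all assumptions to be replaced with your own proxy or NDR fields. It combines a body-based signal (the literal eth_call method, including inside JSON-RPC batches) with a destination-based fallback, so it still fires when the body is unavailable or the RPC host is not on the list.

```python
"""Flag eth_call JSON-RPC traffic from workstations in proxy/NDR telemetry.

Added example; not a SOCPrime rule and not Gen Threat Labs code. The log
format, RPC host list and asset classes are constructed assumptions.
"""
import json
from typing import Dict, Iterable, List

# Hypothetical hostnames of public Ethereum JSON-RPC providers (assumption).
PUBLIC_RPC_HOSTS = {"rpc.example", "eth-mainnet.rpc.example", "node.rpc.example"}

# Asset classes for which wallet/dapp traffic is unexpected (assumption).
WORKSTATION_CLASSES = {"workstation", "laptop"}


def is_eth_call_body(body: str) -> bool:
    """True if the POST body is a JSON-RPC request (or batch) containing eth_call."""
    try:
        parsed = json.loads(body)
    except (json.JSONDecodeError, TypeError):
        return False
    requests = parsed if isinstance(parsed, list) else [parsed]
    return any(isinstance(r, dict) and r.get("method") == "eth_call" for r in requests)


def score_event(event: Dict) -> Dict:
    """Return the event with a `reasons` list; an empty list means no alert.

    Two signals are kept separate so either one alone is still visible:
    - destination is a known public RPC provider and the source is a workstation
    - the body is a JSON-RPC eth_call (covers RPC hosts missing from the list)
    """
    reasons = []
    src_is_ws = event.get("src_class") in WORKSTATION_CLASSES
    if src_is_ws and event.get("dst_host") in PUBLIC_RPC_HOSTS:
        reasons.append("workstation -> public Ethereum RPC endpoint")
    if event.get("http_method") == "POST" and is_eth_call_body(event.get("body", "")):
        reasons.append("JSON-RPC eth_call in request body")
        if src_is_ws:
            reasons.append("eth_call from workstation: possible EtherHiding resolver")
    return {**event, "reasons": reasons}


def detect(lines: Iterable[str]) -> List[Dict]:
    """Run score_event over JSON log lines and return only alerting events."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed telemetry rather than crash the job
        scored = score_event(event)
        if scored["reasons"]:
            alerts.append(scored)
    return alerts


# Constructed sample telemetry (not real logs). Line 1: workstation, known RPC
# host, eth_call body. Line 2: benign GET. Line 3: server doing a legitimate
# eth_blockNumber. Line 4: workstation, unknown node, batched eth_call.
SAMPLE_LOG = """
{"src_host":"WS-0421","src_class":"workstation","dst_host":"rpc.example","http_method":"POST","body":"{\\"jsonrpc\\":\\"2.0\\",\\"id\\":1,\\"method\\":\\"eth_call\\",\\"params\\":[{\\"to\\":\\"0xabababababababababababababababababababab\\",\\"data\\":\\"0x20965255\\"},\\"latest\\"]}"}
{"src_host":"WS-0422","src_class":"workstation","dst_host":"updates.example","http_method":"GET","body":""}
{"src_host":"DEFI-BUILD-01","src_class":"server","dst_host":"rpc.example","http_method":"POST","body":"{\\"jsonrpc\\":\\"2.0\\",\\"id\\":7,\\"method\\":\\"eth_blockNumber\\",\\"params\\":[]}"}
{"src_host":"WS-0423","src_class":"workstation","dst_host":"unknown-node.example","http_method":"POST","body":"[{\\"jsonrpc\\":\\"2.0\\",\\"id\\":1,\\"method\\":\\"eth_call\\",\\"params\\":[{\\"to\\":\\"0x01\\",\\"data\\":\\"0x00\\"},\\"latest\\"]}]"}
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert["src_host"], "->", alert["dst_host"], "|", "; ".join(alert["reasons"]))
```

In practice, tune the asset-class filter rather than the method filter: browser wallets and Web3 developer tooling also issue eth_call from endpoints, so exclude hosts with an approved reason for it and let everything else alert.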
Sources
- Gen Digital, "Remus: Unmasking the 64-bit variant of the infamous Lumma Stealer": https://www.gendigital.com/blog/insights/research/remus-64bit-variant-of-lumma-stealer
- GBHackers, "Remus infostealer debuts with stealthy new credential-theft tactics": https://gbhackers.com/remus-infostealer-debuts/
- CyberPress, "Remus infostealer emerges with credential theft and advanced evasion tricks": https://cyberpress.org/remus-infostealer-emerges-fast/
Don’t think, patch! Your feedback is welcome. Email: radiocsirt@gmail.com Website: https://www.radiocsirt.com Weekly Newsletter: https://radiocsirtenglishedition.substack.com/
#RadioCSIRT #CyberSecurity #ThreatIntelligence #CTI #Remus #LummaStealer #Infostealer #EtherHiding #Malware