Over the past few months, a new data-stealing malware called REMUS has surfaced in the cybercrime world, catching the attention of security experts and malware investigators. Multiple technical reports released in recent months have examined the malware’s features, infrastructure, and connections to Lumma Stealer, covering its browser targeting methods, credential theft capabilities, and more.
Yet, considerably less focus has been placed on the criminal operation running behind the malware itself.
A study by Flare researchers examining 128 posts tied to the REMUS criminal network between February 12 and May 8, 2026, offers a unique glimpse into how the group markets, builds, and deploys the malware within underground forums. By reviewing the actor’s promotional posts, update records, feature announcements, operational conversations, and messages to customers, the research traces how the operation progressed over time and what goals shaped its growth.
The results highlight not only the fast advancement of the stealer’s abilities, but also an increasing emphasis on commercialization, operational scalability, session theft, and password-manager targeting. More broadly, the activity provides insight into how modern malware-as-a-service (MaaS) operations are becoming more like organized software companies, with ongoing development cycles, operational improvements, and features built to enhance usability, persistence, and long-term profit.

The underground activity shows an extremely fast and aggressive development cycle, with the operator frequently releasing feature updates, operational improvements, and new data-collection abilities within just a few months.
Instead of promoting a fixed malware version, the posts depict an actively managed MaaS platform changing almost in real time.
- February 2026 saw the first commercial launch. Initial posts aimed to position REMUS as a dependable and user-friendly stealer, advertising browser credential theft, cookie gathering, Discord token theft, Telegram delivery, and basic log management. The tone was heavily promotional and customer-focused. In one of the earliest posts, the operator stated: “With solid crypting and a dedicated relay server, the callback rate is around 90%.”
  Another post promoted the malware as offering “round-the-clock support” and functionality “simple enough that even a child can figure it out,” underscoring a strong focus on usability and commercialization from the start.
- March 2026 was the campaign’s busiest development phase. During this time, the operator rolled out restore-token features, expanded log management, worker tracking, statistics dashboards, duplicate-log filtering, and better Telegram delivery processes. Many posts centered not on theft itself, but on operational transparency and campaign oversight. One update added worker nicknames to log tables and statistics screens, while another enhanced loader execution tracking so operators could more easily identify failed infections. The change indicates REMUS was growing into a wider operational platform rather than just a malware file.
- April 2026 marked a noticeable shift toward session continuity and browser-based authentication data. The operator introduced SOCKS5 proxy support, better token restoration, anti-VM toggles, gaming-platform targeting, and password-manager data collection. One update clearly noted: “Added IndexedDB collection for 1Password and LastPass extensions.”
  Another mentioned Bitwarden-related searches. The posts increasingly stressed authenticated sessions, restore processes, and browser-based storage rather than isolated credentials alone.
- By early May 2026, the operation seemed focused on polishing and operational reliability. The remaining posts in the dataset mentioned restore enhancements, bug fixes, collection fine-tuning, and ongoing adjustments to delivery and management features, indicating the operator was moving from rapid feature growth toward platform stabilization.
REMUS and Its Connection to Lumma
Public coverage has mostly centered on REMUS as a technically notable successor or offshoot of Lumma Stealer. Researchers characterized the malware as a 64-bit infostealer sharing numerous similarities with Lumma, including anti-VM checks, browser-focused credential theft, and browser encryption bypass methods.
That technical connection is significant, but the underground data indicates the picture goes well beyond malware ancestry.
The reviewed posts reveal a threat actor vigorously building a commercial cybercrime product around the malware. The operation consistently advertised updates, customer support, performance enhancements, and additional collection features in a manner that closely mirrors legitimate software development practices.
In one early post, the operator claimed the malware could reach roughly “90%” successful delivery rates when combined with proper crypting and a relay server, wording clearly intended to reassure potential buyers about operational dependability.
Infostealers like REMUS no longer just collect passwords; they grab cookies, browser tokens, and authenticated sessions that bypass MFA completely.
A Move Toward Session Theft and the Growing Value of Cookies
One of the most evident patterns throughout the REMUS campaign is the increasing focus on session theft rather than traditional credential collection alone.
In the past, many infostealers concentrated mainly on usernames and passwords.
REMUS, on the other hand, repeatedly stressed cookie collection, token management, browser sessions, and restore-token workflows as core selling points. This shift mirrors a broader trend in the cybercrime ecosystem where authenticated sessions have become more valuable than raw credentials, since they allow attackers to bypass multi-factor authentication and maintain persistent access without triggering security alerts.
The underground posts frequently referenced “cookies” as a primary data type, and several updates specifically improved how the malware handled session tokens and browser storage. One notable addition was the ability to collect IndexedDB data from password manager extensions, giving attackers access to stored secrets that would otherwise remain protected behind master passwords.
This evolution highlights how modern infostealers are adapting to the security measures organizations have put in place. As companies have strengthened password policies and rolled out MFA, attackers have pivoted toward stealing the very mechanisms these defenses rely on: cookies, tokens, and browser sessions.
The REMUS operation’s rapid development pace and commercial focus suggest that this trend will only accelerate, with future updates likely to target even more sophisticated authentication artifacts and session management systems.
From the very beginning of the campaign, the malware treated active browser sessions and authentication tokens as a primary asset.
This mirrors a larger trend across the cybercriminal underground, where hijacked cookies and live authenticated sessions have grown into a prized commodity. Rather than harvesting login details and trying to use them later, attackers now prefer to seize already-active sessions—ones that can sidestep multi-factor authentication challenges, login alerts, device checks, and risk-based security measures.
Numerous REMUS updates highlighted “Restore” enhancements, proxy support, and compatibility with various proxy types during session restoration processes, strongly indicating the operator considered session continuity a key feature.
Several updates also targeted platforms where active sessions hold significant value, such as Discord, Steam, Riot Games, and Telegram-related environments. Paired with cookie harvesting and restore capabilities, the operation seemed designed not merely to steal credentials, but to maintain and exploit authenticated access directly.
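The defensive counterpart to the session-continuity features described above is to bind a session cookie to the client that created it, so a replayed cookie is caught even when the thief routes through a proxy that keeps the victim's network and ASN. This is an added example, not Flare's code or anything from the REMUS posts; the fingerprint fields, session ids, IPs and ASN values are constructed for illustration.

```python
# Added example (not Flare's code): bind a session cookie to the client
# fingerprint observed at login, so a replayed cookie is caught even when the
# thief routes through a proxy near the victim. All values are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Fingerprint:
    user_agent: str
    tls_hash: str   # constructed stand-in for a JA3/JA4-style TLS client hash
    asn: int        # autonomous system of the client IP


@dataclass
class Session:
    user: str
    ip: str
    bound: Fingerprint


class SessionGuard:
    """Validates each request carrying a session cookie against its binding."""

    def __init__(self) -> None:
        self.sessions: dict[str, Session] = {}
        self.alerts: list[str] = []

    def login(self, sid: str, user: str, ip: str, fp: Fingerprint) -> None:
        self.sessions[sid] = Session(user, ip, fp)

    def check(self, sid: str, ip: str, fp: Fingerprint) -> str:
        s = self.sessions.get(sid)
        if s is None:
            return "unknown-session"
        # IP/geo alone is a weak signal: a proxy in the victim's region passes it.
        same_net = ip.rsplit(".", 1)[0] == s.ip.rsplit(".", 1)[0]
        drift = [name for name, a, b in (
            ("user_agent", fp.user_agent, s.bound.user_agent),
            ("tls", fp.tls_hash, s.bound.tls_hash),
            ("asn", fp.asn, s.bound.asn)) if a != b]
        if not drift:
            return "ok"
        # A changed TLS stack, or two drifting signals, means a different client: revoke.
        verdict = "revoke" if "tls" in drift or len(drift) >= 2 else "step-up"
        self.alerts.append(f"{sid} user={s.user} same_net={same_net} drift={drift} -> {verdict}")
        if verdict == "revoke":
            del self.sessions[sid]  # force re-authentication
        return verdict


def demo() -> list[str]:
    """Victim logs in; the same cookie is later replayed from a proxied host."""
    victim = Fingerprint("Mozilla/5.0 (Windows NT 10.0) Chrome/124", "t13d-aaaa", 7922)
    thief = Fingerprint("Mozilla/5.0 (X11; Linux x86_64) Chrome/124", "t13d-bbbb", 7922)
    g = SessionGuard()
    g.login("sid-1", "alice", "203.0.113.10", victim)
    return [g.check("sid-1", "203.0.113.10", victim),  # ok
            g.check("sid-1", "203.0.113.77", thief),   # revoke: same /24 and ASN, different client
            g.check("sid-1", "203.0.113.10", victim)]  # unknown-session once revoked
```

A single drifting signal (for example a user-agent change after a browser update) triggers a step-up challenge rather than revocation, which keeps false positives from locking out legitimate users.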
Password Managers Emerge as Prime Targets
The most notable evolution in the later stages of the campaign centered on collecting data from password managers. By April 2026, the operator was promoting support for Bitwarden, 1Password, LastPass, and IndexedDB browser storage. Password managers represent concentrated repositories of valuable credentials and authentication data.
The mentions of IndexedDB are particularly noteworthy because modern browser applications and extensions often rely on local storage mechanisms to retain application data and session information.
The posts themselves do not confirm successful vault decryption or direct password-manager compromise.
However, they clearly show that REMUS development was shifting toward gathering browser-side storage linked to password-management ecosystems.
The Operational Sophistication Behind REMUS
The underground activity also illustrates how modern MaaS ecosystems increasingly mirror legitimate software businesses.
Throughout the analyzed posts, the operator consistently released versioned updates, bug fixes, feature expansions, troubleshooting improvements, statistics tracking, and operational visibility refinements.
Several posts also hinted at a multi-operator setup through references to workers, dashboards, management oversight, loader monitoring, and log categorization. This structure aligns with broader MaaS trends where malware developers increasingly divide development, infrastructure, delivery, and monetization into specialized roles.
Final Thoughts
The REMUS campaign provides a clear window into how modern infostealer operations are advancing well beyond basic credential theft.
Over just a few months, the underground activity analyzed by Flare analysts showed a transition from simple malware promotion into the development of a structured MaaS ecosystem focused on operational reliability, session persistence, and scalable data collection.
Perhaps most importantly, the campaign underscored the rising significance of authenticated sessions and browser-side authentication artifacts within the underground economy. The repeated focus on token restoration, proxy-assisted session recovery, and password-manager-related collection reflects a broader shift in cybercrime operations away from merely stealing passwords and toward sustaining direct access to already-authenticated environments.
The findings reinforce an increasingly critical reality: infostealers are rapidly evolving into mature operational platforms that support persistence, automation, and long-term monetization workflows. As these ecosystems continue to professionalize, understanding how threat actors operationalize and commercialize malware may become just as important as analyzing the malware itself.
Sponsored and written by Flare.