REMUS infostealer browser-session and password-manager collection expansion
Malware Activity
Summary
REMUS expanded its session-theft and password-manager collection capabilities, increasing the malware’s ability to capture authenticated access and browser-side data. The stealer also broadened browser credential theft, cookie collection, and Discord token theft while relying on Telegram delivery and repeated updates to improve operator control. By early May 2026, the operation had shifted toward refinement and stabilization, showing a mature MaaS workflow around a fast-changing infostealer.
Related Happenings
Gremlin stealer modular toolkit evolution
Malware Activity
First: 15.05.2026 17:19
Last: 15.05.2026 17:19
Sources 1
About this happening:
The **Gremlin stealer** malware has expanded into a **modular toolkit** with **session-hijacking** and **crypto clipping** capabilities, raising the risk of credential theft and a...
REMUS underground ecosystem shift changes threat-actor operations
Threat Actor Meta
First: 15.05.2026 17:02
Last: 15.05.2026 17:02
Sources 1
How related:
The analyzed posts show a threat actor aggressively building a commercial cybercrime product around the malware.
About this happening:
The **REMUS underground operation** is turning **REMUS** into a continuously updated **MaaS** product, increasing **operational scalability** and monetization risk across undergro...
Vidar infostealer market rise and distribution expansion
Malware Activity
First: 28.04.2026 22:07
Last: 28.04.2026 22:07
Sources 1
About this happening:
**Vidar** remains a long-running **infostealer** threat, and **Aryaka** reported a fresh campaign in **recent weeks** that adds **new obfuscation techniques** and stronger **steal...
LofyGang Minecraft LofyStealer campaign
Campaign
First: 28.04.2026 20:39
Last: 28.04.2026 20:39
Sources 1
About this happening:
The **LofyGang** crew has re-emerged with a **Minecraft-player targeting** operation that uses **LofyStealer (GrabBot)**, increasing the risk of **credential and payment-data thef...
108 Malicious Google Chrome extensions sharing a C2 backend
Malware Activity
First: 14.04.2026 11:35
Last: 14.04.2026 11:35
Sources 1
About this happening:
**108 malicious Google Chrome extensions** were found to use the same **C2 infrastructure** to steal credentials, sessions, and browsing data while injecting ads and arbitrary Jav...
Timeline
- 15.05.2026 17:02 · 2 articles · 12d ago
REMUS infostealer browser-session and password-manager collection expansion
Initial Disclosure: The earliest phase centered on making **REMUS** a sellable infostealer with **browser credential theft**, **cookie collection**, and **Discord token theft**. It was also paired with **Telegram delivery** and basic log management, establishing a commercially oriented malware build from the start.
- Inside the REMUS Infostealer: Session Theft, MaaS, and Rapid Evolution — www.bleepingcomputer.com — 15.05.2026 17:02