REMUS infostealer MaaS operation evolves toward session theft and password-manager targeting

1 unique source, 1 article

Summary

A malware-as-a-service (MaaS) operation distributing the REMUS infostealer has rapidly evolved since February 2026, transitioning from basic credential theft to a structured platform emphasizing session persistence, password-manager targeting, and operational scalability. The operation demonstrates commercialization practices typical of legitimate software businesses, including versioned updates, customer support, operational dashboards, and delivery reliability claims (~90% callback rate). The infostealer now integrates SOCKS5 proxy support, token restoration workflows, anti-VM evasion, and targeted collection from Discord, Steam, Riot Games, Telegram, and browser-based password managers (Bitwarden, 1Password, LastPass) via IndexedDB and extension storage. This shift reflects a broader underground trend prioritizing authenticated sessions and browser-side authentication artifacts to bypass MFA and maintain long-term access.

Timeline

  1. 15.05.2026 17:02 · 1 article

    REMUS infostealer MaaS operation matures with session theft and password-manager targeting

    Analysis of 128 underground posts between February 12 and May 8, 2026, reveals REMUS evolved from basic credential theft to a structured MaaS platform with session persistence features, proxy support, and password-manager targeting. Key developments include SOCKS5 proxy integration, token restoration workflows, anti-VM toggles, targeted collection from gaming platforms (Discord, Steam, Riot Games, Telegram), and browser-based password managers (Bitwarden, 1Password, LastPass) via IndexedDB and extension storage. Operational refinements include worker tracking, statistics dashboards, duplicate-log filtering, and delivery reliability claims (~90% callback rate) with 24/7 customer support.

Information Snippets

  • REMUS infostealer is distributed as a MaaS platform with continuous development cycles, operational dashboards, and customer-facing communications documented between February 12 and May 8, 2026.

    First reported: 15.05.2026 17:02
    1 source, 1 article
  • Early campaign messaging (February 2026) emphasized usability with claims of "24/7 support" and malware described as "simple enough that even a child can figure it out," alongside promotional focus on browser credentials, cookies, Discord tokens, and Telegram delivery.

    First reported: 15.05.2026 17:02
    1 source, 1 article
  • By March 2026, REMUS introduced operational features including restore-token functionality, worker tracking, duplicate-log filtering, statistics pages, and improved loader execution visibility for campaign management.

    First reported: 15.05.2026 17:02
    1 source, 1 article
  • April 2026 updates prioritized session continuity with SOCKS5 proxy support, anti-VM toggles, gaming-platform targeting (Steam, Riot Games, Discord), and password-manager-related collection targeting Bitwarden, 1Password, and LastPass via browser storage mechanisms (IndexedDB).

    First reported: 15.05.2026 17:02
    1 source, 1 article
  • The operator advertised approximately 90% successful delivery rates when paired with proper crypting and intermediary server infrastructure, indicating focus on operational reliability and monetization potential.

    First reported: 15.05.2026 17:02
    1 source, 1 article