REMUS underground ecosystem shift changes threat-actor operations
Threat Actor Meta
Summary
The REMUS underground operation is turning REMUS into a continuously updated MaaS product, increasing operational scalability and monetization risk across underground buyers. From February 12 to May 8, 2026, the operator pushed feature updates, support, and management tooling instead of a static malware build. The shift matters because it makes the malware easier to run, maintain, and sell.
Related Happenings
REMUS infostealer browser-session and password-manager collection expansion
Malware Activity
First: 15.05.2026 17:02
Last: 15.05.2026 17:02
Sources 1
How related:
In recent months, a new infostealer malware known as REMUS has emerged across the cybercrime landscape, drawing attention from security researchers and malware analysts.
About this happening:
**REMUS** expanded its **session-theft** and **password-manager** collection capabilities, increasing the malware’s ability to capture authenticated access and browser-side data....
Vidar infostealer market rise and distribution expansion
Malware Activity
First: 28.04.2026 22:07
Last: 28.04.2026 22:07
Sources 1
About this happening:
**Vidar** remains a long-running **infostealer** threat, and **Aryaka** reported a fresh campaign in **recent weeks** that adds **new obfuscation techniques** and stronger **steal...
CrystalRAT Telegram-promoted malware-as-a-service
Malware Activity
First: 02.04.2026 02:17
Last: 02.04.2026 02:17
Sources 1
About this happening:
The **CrystalRAT** malware-as-a-service is being promoted on **Telegram** and **YouTube** with **remote access**, **data theft**, **keylogging**, and **clipboard hijacking**, incr...
Venom Stealer subscription and affiliate malware-service ecosystem
Threat Actor Meta
First: 01.04.2026 16:30
Last: 01.04.2026 16:30
Sources 1
About this happening:
**Venom Stealer** is being run as a **subscription-based** malware service with **Telegram licensing** and an **affiliate program**, signaling a more organized cybercrime ecosyste...
Timeline
- 15.05.2026 17:02 · 2 articles
REMUS underground ecosystem shift changes threat-actor operations
Initial Disclosure:
In **February 2026**, the operation began a promotional push for **REMUS**, advertising browser credential theft, cookie collection, Discord token theft, and **24/7 support**. Early messaging focused on ease of use and delivery reliability, including a claim of roughly **~90% callback rate** with proper crypting and an intermediary server.
Sources:
- Inside the REMUS Infostealer: Session Theft, MaaS, and Rapid Evolution — www.bleepingcomputer.com — 15.05.2026 17:02