The cybersecurity landscape is once again under pressure as researchers uncover a powerful new threat known as Remus, a highly advanced 64-bit information-stealing malware. Security experts at Gen Digital identified this emerging malware, revealing that it originates directly from the core codebase of the infamous Lumma Stealer.
Notably, Remus began spreading in early 2026, shortly after the public exposure of Lumma’s primary developers between August and October 2025. This timing strongly suggests a deliberate evolution, as threat actors appear to have refined and relaunched their operations with enhanced capabilities.
Remus actively targets sensitive user data. Specifically, it steals stored browser passwords, session cookies, and cryptocurrency wallet information. At the same time, it operates alongside ongoing Lumma campaigns, positioning itself as a next-generation upgrade. By combining established credential theft techniques with newly developed evasion strategies, Remus significantly raises the bar for modern malware threats.
To better understand its origin, analysts investigated an intermediate test version called “Tenzor,” which developers created in September 2025. This version served as a crucial bridge, confirming that Remus shares the same architectural foundation as Lumma. One particularly strong connection lies in their unique method of bypassing Application-Bound Encryption (ABE) used in Chromium-based browsers.
Instead of relying on traditional extraction approaches, Remus injects a lightweight custom shellcode directly into browser memory. This technique allows it to locate and decrypt protected encryption keys instantly. Until now, experts had only observed this highly specific memory-based bypass in Lumma operations, reinforcing the link between the two malware families.
Moreover, Remus introduces several advanced upgrades designed for modern cybersecurity environments. One of the most significant changes involves its communication method with command-and-control (C2) servers. Previously, Lumma relied on “dead drop resolvers,” which used hidden links on platforms like Steam or Telegram to locate servers.
However, Remus replaces this approach with “EtherHiding,” an innovative tactic that embeds C2 addresses within Ethereum smart contracts. By querying public blockchain endpoints, the malware can retrieve its server location seamlessly. As a result, this infrastructure becomes extremely resistant to traditional takedown attempts and sinkholing techniques.
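To give defenders a concrete handle on the EtherHiding lookup described above, here is an added example (not Gen Digital's code and not taken from the Remus analysis) that scans constructed JSON-lines proxy/EDR records for Ethereum JSON-RPC contract-state reads (eth_call, eth_getStorageAt and similar) issued by processes outside a site allowlist. The record field names, the ".example" hosts and the allowlist are assumptions; only the JSON-RPC method names are the public Ethereum ones.

```python
import json

# Constructed sample, shaped like a generic EDR/proxy export of outbound HTTP POSTs
# (process, destination host, raw body). Field names, hosts and the contract
# addresses are assumptions for this example, not any vendor's schema or real IoCs.
_RECORDS = [
    {"proc": "wallet-app.exe", "host": "rpc.eth-gateway.example",
     "body": json.dumps({"jsonrpc": "2.0", "id": 1, "method": "eth_blockNumber", "params": []})},
    {"proc": "svchost.exe", "host": "rpc.eth-gateway.example",
     "body": json.dumps({"jsonrpc": "2.0", "id": 7, "method": "eth_call",
                         "params": [{"to": "0x" + "ab" * 20, "data": "0x00000000"}, "latest"]})},
    {"proc": "chrome.exe", "host": "news.example", "body": "q=remus+stealer"},
    {"proc": "updater.exe", "host": "eth-rpc.other-gateway.example",
     "body": json.dumps({"jsonrpc": "2.0", "id": 2, "method": "eth_getStorageAt",
                         "params": ["0x" + "cd" * 20, "0x0", "latest"]})},
]
SAMPLE_LOG = "\n".join(json.dumps(r) for r in _RECORDS)  # JSON lines, as a collector emits them

# Processes expected to talk to Ethereum JSON-RPC at all (site-specific allowlist; assumption).
EXPECTED_RPC_CLIENTS = {"wallet-app.exe"}
# Read-only methods that return contract state; an EtherHiding lookup needs one of these
# to pull the C2 address out of the smart contract.
STATE_READ_METHODS = {"eth_call", "eth_getStorageAt", "eth_getCode", "eth_getLogs"}


def parse_jsonrpc(body):
    """Return (method, params) when body is a JSON-RPC 2.0 request, else None."""
    try:
        msg = json.loads(body)
    except (TypeError, ValueError):
        return None
    if isinstance(msg, dict) and msg.get("jsonrpc") == "2.0" and isinstance(msg.get("method"), str):
        return msg["method"], msg.get("params", [])
    return None


def find_etherhiding_lookups(log_text, expected_clients=EXPECTED_RPC_CLIENTS):
    """Flag contract-state reads from processes that have no business querying a chain RPC."""
    findings = []
    for line in log_text.splitlines():
        rec = json.loads(line)
        rpc = parse_jsonrpc(rec.get("body", ""))
        if rpc is None or rpc[0] not in STATE_READ_METHODS or rec["proc"].lower() in expected_clients:
            continue  # ordinary traffic, a non-state method, or an allowlisted wallet/dapp client
        method, params = rpc
        first = params[0] if params else None
        # eth_call carries the target in a dict; eth_getStorageAt/eth_getCode take the address directly
        contract = first.get("to") if isinstance(first, dict) else first if isinstance(first, str) else None
        findings.append({"proc": rec["proc"], "host": rec["host"], "method": method, "contract": contract})
    return findings
```

Because the contract address is the pivot, each finding carries it so an analyst can cross-check the same address across hosts; a host allowlist alone is weak here since any public gateway will do.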
In addition, Gen Digital researchers reported that Remus strengthens its defense mechanisms against analysis tools. Before initiating any data theft, the malware scans systems for known sandbox and security software, including Avast, Sandboxie, and Comodo. This proactive detection allows it to evade analysis and operate undetected for longer periods.
Overall, the emergence of Remus highlights a concerning trend in malware evolution. As cybercriminals continue to refine their techniques, organizations must adopt more advanced threat detection and response strategies to stay protected.