REMUS Infostealer Is Evolving Into a Full Malware‑as‑a‑Service Identity Threat

Rather than replacing Lumma outright, REMUS appears to represent an evolution or fork of the same ecosystem. Both malware families have been observed operating concurrently in the wild.

A Shift Toward Commercialized Malware‑as‑a‑Service

Analysis of underground forum activity indicates that REMUS is being developed and distributed as a commercialized malware‑as‑a‑service operation, enabling multiple threat actors to deploy it in campaigns. Researchers reviewing underground discussions tied to the operation identified more than a hundred posts linked to the ecosystem during early‑2026 activity.

This commercialization allows attackers to scale distribution quickly—turning what might once have been a niche malware strain into a widely deployed credential‑harvesting platform.

Targeting Password Manager Vault Data

One of the most concerning developments is REMUS’s ability to target password‑manager browser extensions.

Recent reporting shows that the malware can collect data from extensions associated with tools such as:

• 1Password
• LastPass
• Bitwarden

The malware reportedly gathers this information from browser storage sources such as IndexedDB, which extensions use to store encrypted vault data or operational information.

While the encryption models of password managers still protect vault contents in many cases, attackers may still gain sensitive artifacts, metadata, or session information that can help escalate access attempts.

Security researchers warn that password‑manager data represents an especially valuable target because these tools often store credentials for:

• SaaS platforms
• enterprise admin accounts
• VPN access
• developer infrastructure
• personal accounts

Compromising a single workstation can therefore expose a much broader set of identities than traditional browser password theft.

Session and Token Theft That Bypasses MFA

Another major shift in REMUS capabilities is its emphasis on session and token theft.

Instead of simply stealing login credentials, modern infostealers increasingly capture:

• browser cookies
• authentication tokens
• active application sessions

Because these artifacts represent already‑authenticated states, attackers can often reuse them to access services without triggering a new login challenge, effectively bypassing many multi‑factor authentication (MFA) protections.

This technique significantly shortens the timeline between infection and unauthorized access to corporate systems.

EtherHiding Infrastructure

REMUS also introduces infrastructure changes designed to make command‑and‑control communication harder to disrupt.

Researchers report the malware using EtherHiding, a technique that stores command‑and‑control configuration data in Ethereum smart contracts. Instead of relying on fixed domains or servers, the malware retrieves instructions through blockchain‑linked mechanisms.

Because blockchain records are decentralized and difficult to remove, this approach can complicate takedowns and make the malware’s infrastructure more resilient.

How REMUS Compares With the Gremlin Stealer Evolution

REMUS is not the only infostealer evolving rapidly. Researchers tracking the Gremlin stealer have observed a different type of advancement.

A new Gremlin variant has incorporated stronger anti‑analysis techniques and expanded functionality, evolving from a basic credential harvester into a modular malware toolkit with additional modules and improved stealth.

Unit 42 researchers report that newer builds employ a packing utility with instruction virtualization, converting the malware’s code into custom bytecode executed by a private virtual machine to hinder reverse engineering.

In simple terms:

• REMUS is evolving toward identity theft at scale, emphasizing session hijacking, password‑manager targeting, and MaaS distribution.
• Gremlin is evolving toward stealth and modular expansion, focusing on obfuscation and anti‑analysis capabilities.

Both trajectories reflect the same broader trend: infostealers are becoming more sophisticated, adaptable, and difficult to detect.

The Bigger Trend: Identity Is the New Target

The rise of malware like REMUS reflects a fundamental change in attacker priorities.

Rather than focusing solely on passwords, modern infostealers are designed to capture the entire authenticated environment—sessions, tokens, stored credentials, and identity infrastructure artifacts.

The scale of the threat is already enormous. Security analysis indicates that infostealer campaigns collected around 1.8 billion credentials in 2025 alone, highlighting how large the underground market for stolen authentication data has become.

What This Means for Enterprise Security

The evolution of REMUS highlights several implications for defenders:

• Endpoint compromise now quickly becomes identity compromise. Once sessions and tokens are stolen, attackers may access services immediately.
• MFA alone is no longer sufficient. Token reuse and session hijacking can bypass MFA workflows.
• Credential vaults are becoming high‑value targets. Password managers concentrate large volumes of sensitive identities.

As a result, organizations increasingly need defenses that go beyond password resets, including session revocation, device‑trust enforcement, endpoint detection and response tools, and monitoring for abnormal authentication behavior.

The Takeaway

REMUS illustrates how quickly the infostealer ecosystem is evolving. What began as a Lumma‑related credential stealer has expanded into a scalable malware‑as‑a‑service platform focused on identity theft and session hijacking.

Combined with developments in other stealers such as Gremlin, the trend is clear: attackers are no longer just stealing passwords—they are stealing authenticated access itself.

For enterprises, that shift means breaches can unfold much faster than traditional security models expect, turning a single endpoint infection into widespread account compromise within minutes or hours rather than days.