REMUS: the infostealer that turns authenticated sessions into an underground business

Published (4 min read)

In recent months an infostealer campaign called REMUS has drawn attention and, beyond its code, reveals a worrying trend: criminal operations are turning into professional commercial platforms. Technical analysis has shown similarities with Lumma Stealer and capabilities such as anti-VM checks, cookie theft and browser token theft; but observing the operator's forum posts and publications reveals something more relevant to defenders and security leaders: a clear roadmap, versioning, customer support and operational metrics that turn the malware into a continuously developed service.

What distinguishes REMUS is not only the theft of traditional credentials, but its prioritisation of authenticated sessions and browser artifacts (cookies, tokens, and the IndexedDB stores used by browser extensions). This approach lets attackers reuse access that has already been validated, often bypassing controls such as MFA and login-anomaly detection, and stolen sessions have therefore become a high-value currency on the underground market. Flare and other observers have documented the actor adding "restore" and proxy-support functions to keep stolen sessions alive and reuse them (source: Flare).


From an operational point of view, REMUS illustrates the fragmentation of the MaaS ecosystem: developers, operators and distributors can specialise and scale campaigns with management panels, tracking of "workers" and filters that prioritise valuable logs. This division of labour increases persistence and the ability to monetise data over the long term, and it lowers the technical bar for buyers without advanced skills, which raises the risk for organisations of every size.

The implications for corporate security are clear: it is not enough to protect passwords. Systems that rely only on static credentials, or on MFA that can be bypassed by restoring a stolen session, are vulnerable. Specific platforms such as Discord, Steam, Riot and Telegram-linked services appear repeatedly in the reports because of the operational value of their sessions, which affects gaming companies, online communities and services with internal economies.

In practical terms, the defensive response must combine technical controls, policy and active detection. Technically, it is critical to apply secure cookie attributes (HttpOnly, Secure, SameSite), shorten token lifetimes, use device-bound tokens and prefer modern authentication mechanisms such as FIDO2 or hardware keys. One caveat: HttpOnly, Secure and SameSite defend against script access, plaintext transport and cross-site requests, not against a stealer that copies the browser's cookie store from disk, so short lifetimes and device binding are what actually limit replay. Official identity guidance such as NIST's on authentication is a good starting point (NIST SP 800-63B).

For detection and remediation: monitor active sessions and alert on context changes (IP address, geolocation, browser fingerprint), invalidate tokens on suspicion, and require mandatory re-authentication when a session is restored through a proxy or from an unknown device. EDR and browser-protection platforms can help detect and block the loaders, crypters and suspicious executions used to deploy stealers.
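The following is an added example, not code from the article or from any of the vendors it cites, of the two server-side controls just described: issuing a short-lived cookie with the recommended attributes, and binding each session to the network and client traits seen at login so that a replayed cookie is forced into re-authentication or revoked. The names (`SessionStore`, `SESSION_TTL`, `demo`), the server key, and the policy of treating a client-fingerprint mismatch as a hard revoke and a network change as a step-up are all assumptions chosen for illustration; the IP addresses and user-agent strings are constructed sample data.

```python
"""Added example: hardened session cookie plus context-bound session checks.
Assumption: SERVER_KEY comes from a secrets manager in a real deployment."""
import hashlib
import hmac
import ipaddress
import secrets
from dataclasses import dataclass

SERVER_KEY = b"example-only-key-rotate-me"   # placeholder, not a real secret
SESSION_TTL = 15 * 60                        # absolute cookie lifetime in seconds


def build_set_cookie(name: str, value: str, max_age: int = SESSION_TTL) -> str:
    """Set-Cookie header with HttpOnly, Secure and SameSite set.

    These attributes stop XSS, plaintext transport and cross-site sends; they do
    not stop a stealer copying the on-disk cookie store, hence the short Max-Age
    and the context binding enforced by SessionStore.check below.
    """
    return (f"{name}={value}; Max-Age={max_age}; Path=/; "
            "Secure; HttpOnly; SameSite=Lax")


def network_of(ip: str) -> str:
    """Coarse network (/24 for IPv4, /48 for IPv6) so NAT churn does not alarm."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def client_fingerprint(user_agent: str, accept_language: str) -> str:
    """Keyed hash of stable client traits captured at login."""
    material = f"{user_agent}|{accept_language}".encode()
    return hmac.new(SERVER_KEY, material, hashlib.sha256).hexdigest()


@dataclass
class Session:
    user: str
    issued_at: float
    network: str
    fingerprint: str
    revoked: bool = False


class SessionStore:
    def __init__(self) -> None:
        self._sessions: dict[str, Session] = {}

    def issue(self, user: str, ip: str, user_agent: str,
              accept_language: str, now: float) -> tuple[str, str]:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, now, network_of(ip),
                                      client_fingerprint(user_agent, accept_language))
        return sid, build_set_cookie("sid", sid)

    def check(self, sid: str, ip: str, user_agent: str,
              accept_language: str, now: float) -> str:
        """Decide ok / expired / revoked / reauth_required / unknown.

        Policy (an assumption of this example): a different client fingerprint
        means the cookie was replayed from another browser or from "restore"
        tooling and is revoked outright; a different network with the same
        client is plausible roaming, so it only triggers step-up re-auth.
        """
        s = self._sessions.get(sid)
        if s is None:
            return "unknown"
        if s.revoked:
            return "revoked"
        if now - s.issued_at > SESSION_TTL:
            return "expired"
        if s.fingerprint != client_fingerprint(user_agent, accept_language):
            s.revoked = True
            return "revoked"
        if network_of(ip) != s.network:
            return "reauth_required"
        return "ok"

    def revoke_all_for_user(self, user: str) -> int:
        """Incident response: cut persistence for a user suspected of compromise."""
        hits = [s for s in self._sessions.values() if s.user == user and not s.revoked]
        for s in hits:
            s.revoked = True
        return len(hits)


def demo() -> list[str]:
    """Constructed replay scenario; returns the store's decisions in order."""
    store = SessionStore()
    t0 = 1_700_000_000.0
    ua = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"
    sid, _cookie = store.issue("alice", "203.0.113.10", ua, "en-US", t0)
    old_sid, _ = store.issue("alice", "203.0.113.10", ua, "en-US", t0)
    return [
        store.check(sid, "203.0.113.44", ua, "en-US", t0 + 60),            # same /24, same browser
        store.check(sid, "198.51.100.7", ua, "en-US", t0 + 120),           # replay via proxy, same traits
        store.check(sid, "198.51.100.7", "curl/8.5.0", "en-US", t0 + 130), # replay from tooling
        store.check(sid, "203.0.113.10", ua, "en-US", t0 + 140),           # victim's browser, now revoked
        store.check(old_sid, "203.0.113.10", ua, "en-US", t0 + SESSION_TTL + 1),  # past TTL
    ]
```

The network signal is deliberately weak (a /24 change only forces step-up), because mobile carriers and corporate egress rotate addresses; the fingerprint mismatch is the stronger signal, since REMUS-style "restore" features replay the cookie from the operator's environment rather than the victim's browser. `revoke_all_for_user` is the action the incident-response section below calls "cutting persistence".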

For password management, relying on the browser's built-in store or an extension is not enough: encourage native managers or applications with strong encryption, protect access to vaults with MFA, and consider policies that mitigate the exposure of IndexedDB and other local storage. Product teams should review practices that keep credentials or tokens on the client and migrate to server-side mechanisms with ephemeral tokens wherever possible.


Threat intelligence and monitoring of underground markets have also gained importance: knowing what data is being sold and detecting leaks early can make the difference. Tools that collect and analyse stealer logs let organisations identify exposures before they are used for fraud or persistent access; public reports on REMUS and its evolution, including community analysis, help contextualise tactics and targets (technical example in SOC Prime).

Finally, governance and training remain decisive. Companies should review session policies, limit default privileges, rotate critical credentials regularly and train users on phishing and the delivery vectors used by stealers. When compromise is suspected, the priority is to cut persistence: revoke sessions, rotate keys, analyse the affected endpoints, and coordinate with identity and security providers to contain the impact.

REMUS is a reminder that modern security requires thinking about the lifecycle of access rather than the password alone: criminal operations are professionalising and seek to squeeze the maximum value out of every stolen item. Adapting technical controls, response processes and detection models to this reality is the best defence against this new generation of infostealers.
