In recent months, a novel infostealer malware called REMUS has surfaced in the cybercrime ecosystem, attracting significant interest from security researchers and malware analysts. Several technical reports have already examined the malware’s features, infrastructure, and its similarities to Lumma Stealer, such as its browser-targeting methods and credential-theft capabilities. By contrast, the underground operation responsible for the malware has received comparatively little scrutiny.

A Flare research team’s review of 128 REMUS-related posts published between February 12 and May 8, 2025, offers an uncommon glimpse into how the group markets, develops, and deploys its malware inside underground forums. The research maps the operation’s evolution and underlying priorities by examining the actor’s advertisements, update logs, feature announcements, operational discussions, and customer communications. The findings show both the stealer’s rapid capability growth and an increasing emphasis on commercialization, operational scalability, session theft, and password-manager targeting.

More broadly, the activity provides a window into how contemporary malware-as-a-service (MaaS) operations are increasingly modeled after professional software businesses, featuring continuous development cycles, ongoing operational improvements, and capabilities tailored to enhance usability, persistence, and sustained revenue generation.

The underground activity demonstrates a highly compressed yet aggressive development pace: the operator consistently released feature updates, operational enhancements, and new data-collection methods within just a few months. Instead of promoting a fixed malware build, the advertisements depict an actively maintained MaaS platform that evolves in near real time. The initial commercial push occurred in February 2026.
Early posts emphasized REMUS as a dependable and user-friendly stealer, highlighting its capabilities for stealing browser credentials, collecting cookies, grabbing Discord tokens, delivering logs via Telegram, and basic log handling. The tone was strongly promotional and focused on the customer. In an early post, the operator stated: “Using solid crypting along with a dedicated intermediary server yields a callback rate of around 90%.” Another post promoted the malware as offering “24/7 support” and being “simple enough that even a child can figure it out,” underscoring a clear focus on ease of use and commercialization from the outset. The campaign reached its peak development activity in March 2026.
BleepingComputer