TTPwire Vol. 1 · MITRE ATT&CK·Tagged


GBHackers

Remus Infostealer Adopts Lumma-Style Browser Key Theft to Bypass App-Bound Encryption

Mayura Kathir · 17 hours ago

ATT&CK techniques detected

3 predictions

T1555.003 Credentials from Web Browsers (97%)
“Remus infostealer adopts Lumma-style browser key theft to bypass App-Bound Encryption. Remus is a newly observed 64-bit infostealer that closely tracks the Lumma Stealer codebase while adding EtherHiding-based C2 resolution and a refined Application-Bound Encryption (AB…”

T1497.001 System Checks (97%)
“detect sandbox or analysis DLLs linked to tools such as Avast Sandbox, Sandboxie, and Comodo. It also checks for a tell-tale honeypot PST file (for example a “[email protected]” Outlook archive) to identify automated analysis environments and terminates early if found. Co…”

T1055.012 Process Hollowing (70%)
“crypt_async::encryptor vtable holding the protected key. Once the vtable is located, Remus scans memory for object instances, extracts the v20_master_key at known offsets, copies it into a pre-allocated buffer, and calls CryptUnprotectMemory from the injected shellcode…”

Summary

Remus is a newly observed 64-bit infostealer that closely tracks the Lumma Stealer codebase while adding EtherHiding-based C2 resolution and a refined Application‑Bound Encryption (ABE) bypass for Chromium browsers. The first Remus activity dates back to early 2026, shortly after Lumma’s core operators were doxxed between August and October 2025, suggesting either a rebrand or […]

The post Remus Infostealer Adopts Lumma-Style Browser Key Theft to Bypass App-Bound Encryption appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.