REMUS Infostealer MaaS Operation Expands with Session Theft, Password‑Manager Targeting, and Rapid Feature Updates
What Happened – Researchers at Flare tracked 128 underground posts between Feb 12 and May 8, 2026, showing that the REMUS infostealer is sold as a fully‑managed Malware‑as‑a‑Service (MaaS). Over that window the operators released new modules (session theft, password‑manager extraction, Telegram delivery of stolen data, statistics dashboards) and marketed the service with claims of “24/7 support” and “90% callback rates.”
Why It Matters for TPRM –
- The MaaS model lowers the barrier for low‑skill actors to launch credential‑theft campaigns against any third‑party vendor.
- Continuous feature releases mean the operators can adapt quickly to new defenses, so a vendor's controls that blunt the stealer today may not hold against next month's build.
- Advertising of high success rates and support services signals a professionalized criminal supply chain that can just as easily be turned against your own service providers.
Who Is Affected – All sectors that rely on web browsers, password managers, or SaaS platforms for credential storage, notably technology/SaaS vendors, financial services, healthcare, and retail.
Recommended Actions –
- Review any third‑party contracts that involve browser‑based authentication or password‑manager integrations.
- Verify that vendors enforce multi‑factor authentication, token rotation, and least privilege for API keys. Note the caveat for session theft: a stolen session cookie is replayed after login, so MFA alone does not stop it; ask vendors about session lifetimes, re‑authentication for sensitive actions, and revocation of active sessions on suspected compromise.
- Incorporate REMUS IOCs (C2 domains, payload hashes) into your threat‑intelligence feeds and SIEM, and run them retroactively against proxy and DNS logs, not only against new traffic.
- Conduct phishing‑resilience testing focused on credential‑theft lures.
Technical Notes – The malware is delivered via malicious links or compromised sites, then installs a browser hook that harvests cookies, Discord tokens, and password‑manager entries. Collected data is exfiltrated to Telegram bots or custom C2 servers using encrypted payloads, so detection has to rely on destinations (Telegram Bot API endpoints, known C2 domains) and host behaviour rather than on inspecting the exfiltrated content. No specific CVE is cited; the attack vector is malware‑as‑a‑service leveraging phishing and drive‑by downloads. Source: BleepingComputer
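The following is an added example, not code from the original advisory, from Flare, or from BleepingComputer. It shows the destination‑based detection the Technical Notes imply, and the IOC matching the Recommended Actions call for, run over a handful of constructed proxy log lines. The key=value log format, the process names, the IOC domain, the payload hash, and the bot token are all placeholders invented for the example; no real REMUS indicators appear here. The one non‑assumed fact it leans on is the shape of Telegram Bot API URLs (https://api.telegram.org/bot<token>/<method>), which is how bot‑based exfiltration shows up in web‑proxy telemetry.

```python
from __future__ import annotations

import re
from urllib.parse import urlparse

# Telegram Bot API requests have the form https://api.telegram.org/bot<token>/<method>,
# where <token> is "<numeric bot id>:<secret>". This is a property of the Bot API,
# not something specific to REMUS. Upload methods are the ones an infostealer needs.
TELEGRAM_BOT_PATH = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]+)/(\w+)")
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendMessage"}

# Hypothetical IOC feed contents (placeholders, NOT real REMUS indicators).
IOC_DOMAINS = {"updates.example-c2.invalid"}
IOC_SHA256 = {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}

# Constructed sample proxy log in a made-up key=value format. 'sha256' is the hash the
# proxy recorded for a downloaded file body. Token and hosts are fictitious.
SAMPLE_LOG = """\
ts=2026-03-02T09:14:05Z host=WS-114 proc=chrome.exe method=GET url=https://www.example.com/ bytes_out=412
ts=2026-03-02T09:14:09Z host=WS-114 proc=svchost.exe method=POST url=https://api.telegram.org/bot1234567890:AAF3x_placeholder_token_value/sendDocument bytes_out=58210
ts=2026-03-02T09:15:11Z host=WS-201 proc=installer.exe method=GET url=https://updates.example-c2.invalid/cfg bytes_out=310 sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
ts=2026-03-02T09:16:40Z host=WS-305 proc=outlook.exe method=POST url=https://outlook.office.com/owa/ bytes_out=2200
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict[str, str]:
    """Split one key=value proxy line into a dict (assumed log format)."""
    return dict(FIELD.findall(line))


def classify(event: dict[str, str]) -> list[str]:
    """Return the detections that fire for one parsed event; empty list if none."""
    hits: list[str] = []
    url = urlparse(event.get("url", ""))
    host = url.hostname or ""

    # Destination-based rule: an endpoint workstation uploading through the Bot API.
    # Legitimate bots run on servers, so tune an allowlist of known bot hosts if any.
    if host == "api.telegram.org":
        m = TELEGRAM_BOT_PATH.match(url.path)
        if m and m.group(3) in UPLOAD_METHODS:
            # Report the bot id only; keep the full URL (with the secret) as evidence
            # for the IR team rather than copying it into every alert.
            hits.append(f"telegram_bot_exfil bot_id={m.group(1)} proc={event.get('proc')}")

    # Feed-based rules: C2 domain and payload hash matches from the IOC list.
    if host in IOC_DOMAINS:
        hits.append(f"ioc_domain {host}")
    if event.get("sha256") in IOC_SHA256:
        hits.append(f"ioc_hash {event['sha256']}")
    return hits


def scan(log_text: str) -> list[tuple[str, str, list[str]]]:
    """Scan a whole log; return (ts, host, detections) for every event that matched."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        hits = classify(ev)
        if hits:
            results.append((ev["ts"], ev["host"], hits))
    return results


if __name__ == "__main__":
    for ts, host, hits in scan(SAMPLE_LOG):
        print(ts, host, "; ".join(hits))
```

The Telegram rule fires on the destination and method alone, because the page notes the payload itself is encrypted; the IOC rules are the feed‑driven checks and need the indicator list refreshed as the operators rotate infrastructure. Running the same `scan` over historical proxy exports is the retroactive hunt the Recommended Actions ask for.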