Gen Threat Labs attributes a new x64 infostealer called Remus to the Lumma Stealer family, presenting multiple lines of evidence: identical string obfuscation, AntiVM checks, direct syscalls, indirect control-flow obfuscation, and a near-identical Application-Bound Encryption (ABE) bypass. Remus evolves Lumma’s design with 64-bit builds, EtherHiding (Ethereum smart-contract) dead-drop C2 resolution, new anti-analysis checks, and test builds named Tenzor that link the two families. #Remus #Lumma
Keypoints
- Gen Threat Labs discovered Remus, a 64-bit infostealer strongly linked to Lumma Stealer via many shared techniques and artifacts (string obfuscation, syscall handling, ABE bypass, control-flow obfuscation).
- Remus first appeared in campaigns around Feb 2026, and transitional test builds labeled Tenzor carry build dates from Sept 16, 2025, tying development to Lumma’s doxxing fallout.
- Both families use an identical injection-based Application-Bound Encryption bypass: injecting shellcode into browser processes to call CryptUnprotectMemory and extract the v20_master_key in-memory.
- Remus replaces Lumma’s Steam/Telegram dead-drop resolvers with EtherHiding (Ethereum smart-contract calls via eth_call JSON-RPC) to retrieve C2s, making takedown harder.
- Shared defensive-evasion techniques include AntiVM cpuid checks, direct syscalls/sysenter dispatchers, indirect control-flow obfuscation, and a rare crypter/protector presence check that displays a warning via NtRaiseHardError.
- Remus introduces extra anti-analysis checks (forbidden sandbox DLL hashes and honeypot PST detection), switches API hashing to CRC32, changes exfil archive format, and uses ChaCha20 for config decryption.
MITRE Techniques
- [T1027] Obfuscated Files or Information – Remus and Lumma use extensive string obfuscation and indirect control-flow obfuscation to hinder analysis (‘Both Remus and Lumma use a virtually identical mechanism for string obfuscation.’ / ‘Indirect control flow obfuscation… replaces direct jumps with indirect ones’).
- [T1055] Process Injection – Remus injects short shellcode into browser processes to decrypt the v20_master_key in-process and call CryptUnprotectMemory (‘injecting a very short shellcode (less than 100 bytes) into the browser process to decrypt the v20_master_key.’).
- [T1555.003] Credentials from Web Browsers – The malware extracts browser-stored credentials and master keys (v20_master_key) to steal passwords, cookies, and cryptocurrency data (‘capable of stealing stored browser passwords, cookies, cryptocurrency, and much more’).
- [T1539] Steal Web Session Cookie – Remus targets browser cookies for exfiltration as part of its stealing arsenal (‘capable of stealing stored browser passwords, cookies, cryptocurrency, and much more’).
- [T1497.001] Virtualization/Sandbox Evasion: System Checks – Both families perform anti-VM checks via cpuid (EAX=0x40000000), comparing hypervisor signatures to detect virtualized analysis environments (‘anti-VM check based on the cpuid instruction with EAX set to 0x40000000’).
- [T1134.001] Access Token Manipulation: Token Impersonation/Theft – Both use SYSTEM token impersonation to bypass ABE when preferred over injection (‘both Remus and Lumma also employ SYSTEM token impersonation as an alternative method to bypass ABE’).
- [T1071.001] Application Layer Protocol: Web Protocols – Remus resolves dead-drop C2 via Ethereum JSON-RPC (eth_call) through public RPC endpoints to retrieve hex-encoded C2 URLs (‘it sends an eth_call JSON-RPC request to a hardcoded contract address via a public RPC endpoint and extracts the C2 URL from the hex-encoded response’).
- [T1115] Clipboard Data – Both implement clipboard-stealing routines that read, convert, and exfiltrate clipboard contents into the exfiltration archive (‘the clipboard-stealing routine… convert it from UTF-16 to UTF-8… append the result to the exfiltration archive’).
- [T1106] Native API – Both use direct syscalls/sysenter and runtime-built hash-to-SSN syscall dispatchers to invoke kernel functions while avoiding standard API calls (‘they enumerate all Nt-prefixed exports from ntdll.dll and build a lookup table mapping their name hashes to the corresponding Syscall Service Numbers’).
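The EtherHiding bullets above describe C2 URLs recovered from the hex-encoded result of an eth_call. The following is an added analyst example, not code from the Gen Threat Labs report: it decodes a captured eth_call JSON-RPC response to recover the string the contract returned, assuming (as labelled in the code) that the contract returns an ABI-encoded `string`, with a raw-UTF-8 fallback when it does not. The sample response and URL are constructed placeholders.

```python
"""Recover the string carried in an eth_call JSON-RPC result.

Assumption: the contract returns a single ABI-encoded `string`, laid out as
[32-byte offset][32-byte length][UTF-8 data padded to a 32-byte boundary].
If that layout does not fit, the payload is treated as raw zero-padded UTF-8.
"""
import json

WORD = 32  # Ethereum ABI words are 32 bytes


def decode_abi_string(data: bytes) -> str:
    """Decode one ABI-encoded dynamic `string`; raise ValueError on a bad layout."""
    if len(data) < 2 * WORD:
        raise ValueError("return data shorter than two ABI words")
    offset = int.from_bytes(data[:WORD], "big")
    if offset + WORD > len(data):
        raise ValueError("string offset points past end of data")
    length = int.from_bytes(data[offset:offset + WORD], "big")
    start = offset + WORD
    if start + length > len(data):
        raise ValueError("declared string length exceeds data")
    return data[start:start + length].decode("utf-8")


def extract_c2_from_eth_call(response_json: str) -> str:
    """Parse a JSON-RPC response and return the decoded `result` string."""
    result = json.loads(response_json)["result"]
    raw = bytes.fromhex(result[2:] if result.startswith("0x") else result)
    try:
        return decode_abi_string(raw)
    except (ValueError, UnicodeDecodeError):
        # Fallback: contract returned the bytes directly, zero-padded
        return raw.rstrip(b"\x00").decode("utf-8")


def abi_encode_string(s: str) -> str:
    """Encode a string the way a contract would; used to build the sample below
    and to confirm that a decoded value re-encodes to the observed hex."""
    b = s.encode("utf-8")
    padded = b + b"\x00" * (-len(b) % WORD)
    words = WORD.to_bytes(WORD, "big") + len(b).to_bytes(WORD, "big") + padded
    return "0x" + words.hex()


# Constructed sample response; the URL is a placeholder, not a real indicator.
SAMPLE_RESPONSE = json.dumps({
    "jsonrpc": "2.0", "id": 1,
    "result": abi_encode_string("http://c2-placeholder.example/gate"),
})

if __name__ == "__main__":
    print(extract_c2_from_eth_call(SAMPLE_RESPONSE))
```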
Indicators of Compromise
- [IP Addresses] C2 infrastructure examples – 217[.]156[.]122[.]12:80, 45[.]151[.]106[.]110:80 (many other C2 IPs listed in the report).
- [Domains / C2 URLs] Observed remote endpoints and domains – adveryx[.]biz:6573, buccstanor[.]pics:48261, and dozens of additional C2 domains (see full list on GitHub).
- [File hashes (SHA-256)] Remus and Tenzor samples – Remus examples: 64db10e76b46be8db36e02993d36559bc3f86606c9ea955731872b716c8f0c69, 0a8f734f10400f7ae8fef591147e78dab6350089683be84c1cb6c82113cb1319 (and many more Remus/Tenzor hashes provided).
- [File names] Artifacts and detection/honeypot checks – [email protected] (used as a sandbox/honeypot indicator), Processes.txt and Clipboard.txt (decrypted/created during collection routines).
- [Dead-drop resolver URL] Legacy resolver example – steamcommunity[.]com/profiles/76561199861614181 (Steam profile used by Lumma/Tenzor; Remus uses Ethereum smart contracts instead).
Read more: https://www.gendigital.com/blog/insights/research/remus-64bit-variant-of-lumma-stealer