Flare researchers analyzed 128 underground posts linked to the REMUS infostealer operation between February and May 2026, revealing how it evolved from basic credential theft into a structured Malware-as-a-Service platform. REMUS shares technical similarities with Lumma Stealer and progressively shifted focus toward session theft — capturing browser cookies, authentication tokens, and restore workflows that bypass MFA. By April 2026, the operator added targeting of password manager browser extensions including 1Password, LastPass, and Bitwarden via IndexedDB collection. The operation mirrors legitimate software businesses with versioned updates, bug fixes, statistics dashboards, and multi-operator infrastructure, highlighting how modern infostealers are maturing into persistent, scalable cybercrime platforms.

7m read time. From bleepingcomputer.com
Table of contents
REMUS and Its Connection to Lumma
Stolen Sessions Are the New Stolen Passwords
A Shift Toward Session Theft and the Rising Value of Cookies
Password Managers Become High-Value Targets
The Operational Maturity Behind REMUS
Final Thoughts
