Unmasking The 64-bit Variant of the Infamous Lumma Stealer
April 8, 2026, 11:01 a.m.
Description
Gen Threat Labs has identified Remus, a new 64-bit infostealer attributed to the Lumma Stealer family, emerging after Lumma's takedown and the doxxing of its alleged core members. First campaigns date back to February 2026, with the malware switching from Steam/Telegram dead drop resolvers to EtherHiding and employing new anti-analysis checks. Remus shares multiple characteristics with Lumma including identical string obfuscation techniques, AntiVM checks, direct syscall/sysenter handling, indirect control flow obfuscation, and a unique Application-Bound Encryption bypass. The analysis details test builds labeled Tenzor from September 2025, representing a transitional step between Lumma and Remus. While maintaining Lumma's stealing arsenal for browser passwords, cookies, and cryptocurrency, Remus introduces blockchain-based C2 resolution via EtherHiding, additional anti-sandbox checks targeting analysis tool DLLs, and enhanced device fingerprinting capabilities.
Date
- Created: April 8, 2026, 9:16 a.m.
- Published: April 8, 2026, 9:16 a.m.
- Modified: April 8, 2026, 11:01 a.m.
Indicators
Additional Information