REMUS Infostealer: How Session Hijacking Became the New Gold in Cybercrime
Stolen browser sessions and authentication tokens now command higher prices on dark web markets than traditional passwords, according to a new analysis of the REMUS infostealer malware. The threat, operated as a Malware-as-a-Service (MaaS), has rapidly evolved to specialize in session theft, enabling criminals to bypass multi-factor authentication and persist inside compromised accounts.
“REMUS is a textbook example of how cybercriminals pivot to session hijacking because it gives them instant, persistent access without needing credentials,” said a senior threat researcher at Flare, the cybersecurity firm that tracked the malware's development. “We’re seeing a clear shift: session tokens are the new gold.”
Background
REMUS first emerged in underground forums in early 2024 as a basic infostealer. Within months, its developers added advanced session cookie extraction and token replay capabilities, turning it into a specialized tool for account takeovers. The malware is sold on a subscription model (MaaS), with prices ranging from $500 to $2,000 per month depending on features and support level.

Flare’s report details how REMUS uses WebSocket injection to intercept active sessions in real time, even those protected by 2FA. Attackers can then reuse these tokens to log into services like email, cloud storage, and corporate VPNs without triggering additional authentication prompts. “The victims never know until it’s too late,” the researcher added.

What This Means
For organizations, the rise of REMUS underscores the inadequacy of relying solely on multi-factor authentication. Session token theft bypasses MFA entirely: a stolen token is proof of a login that has already passed the MFA check, so policies that treat MFA as sufficient protection no longer hold. Companies must now monitor for anomalous session usage, implement short token lifetimes, and deploy endpoint detection that can spot process injection and WebSocket abuse.
For defenders, REMUS represents a rapidly evolving threat that demands equally agile countermeasures. The malware already shows modular updates, suggesting its creators are adding features like browser-agnostic stealing and cryptojacking. “This isn’t a static threat—it’s a platform that gets better every week,” the Flare researcher warned.
Flare recommends immediate action: disable automatic session persistence in browsers, enforce re-authentication for sensitive actions, and use EDR solutions that can detect hooking of browser processes. As the threat matures, stolen sessions will only become more valuable, making proactive defense critical.
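As an added example (not code from Flare's report or from the REMUS analysis), the Python sketch below implements the server-side part of the recommendations above: a short session lifetime, forced re-authentication for sensitive actions, and an alert when a token is presented from a client context different from the one it was issued to, which is the replay pattern the article describes. The fingerprint scheme, the thresholds and the sample addresses are assumptions.

```python
"""Server-side session binding, lifetime and step-up checks (added example)."""
import hashlib
import secrets
from dataclasses import dataclass, field

MAX_TOKEN_AGE_S = 15 * 60    # short session lifetime (assumed policy value)
REAUTH_WINDOW_S = 5 * 60     # sensitive actions need an MFA check this recent


def fingerprint(ip: str, user_agent: str) -> str:
    """Hash of the client context the token was issued to (assumed scheme)."""
    return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()


@dataclass
class Session:
    user: str
    fp: str            # client fingerprint at issuance
    issued_at: float
    last_mfa_at: float


@dataclass
class SessionStore:
    sessions: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)   # would feed a SIEM

    def issue(self, user: str, ip: str, ua: str, now: float) -> str:
        """Create a session after a successful (MFA-backed) login."""
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user, fingerprint(ip, ua), now, now)
        return token

    def validate(self, token: str, ip: str, ua: str, now: float,
                 sensitive: bool = False) -> str:
        """Return 'ok', 'reauth_required' or a 'deny:<reason>' verdict."""
        s = self.sessions.get(token)
        if s is None:
            return "deny:unknown"
        if now - s.issued_at > MAX_TOKEN_AGE_S:
            del self.sessions[token]          # short lifetime limits replay value
            return "deny:expired"
        if fingerprint(ip, ua) != s.fp:
            # Same token, different client: treat as a possible stolen session.
            self.alerts.append(f"possible session replay for {s.user} from {ip}")
            del self.sessions[token]          # revoke so the copy is useless
            return "deny:context_mismatch"
        if sensitive and now - s.last_mfa_at > REAUTH_WINDOW_S:
            return "reauth_required"          # step-up for sensitive actions
        return "ok"
```

Binding on the raw IP address produces false positives for mobile and NAT users, so production deployments usually treat a context mismatch as a step-up signal rather than a hard deny; the alert is the detection value either way.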