REMUS Infostealer Escalates Threat: Browser Session Theft Now Primary Target as Malware-as-a-Service Evolves
Breaking News – A rapidly evolving strain of information-stealing malware, REMUS, has shifted its focus from harvesting passwords to capturing active browser sessions and authentication tokens, cybersecurity firm Flare warned today. This development marks a significant escalation in the cybercriminal landscape, where session tokens are now considered more valuable than static credentials.
"REMUS has evolved to prioritize the theft of browser sessions and authentication tokens, which allow attackers to bypass multi-factor authentication and maintain persistent access to victim accounts," said Dr. Elena Vasquez, lead threat analyst at Flare, in an exclusive statement. "The malware is now offered as a Malware-as-a-Service (MaaS) platform, enabling even low-skilled criminals to deploy it at scale."
Flare's analysis reveals that REMUS has undergone rapid development cycles, with updates focusing on operational scalability and evasion techniques. The malware is sold through underground forums, with prices starting at $500 per month for a basic subscription.
"Session tokens are the new gold in cybercrime," added Mark Chen, a cybersecurity researcher at ZeroDay Labs. "Once an attacker steals a live session, they can impersonate the user without needing passwords or OTP codes. REMUS makes this attack accessible to anyone willing to pay."
How REMUS Works
REMUS infects victim machines typically via phishing emails with malicious attachments or drive-by downloads. Upon execution, it scrapes browser databases, cookie stores, and authentication token repositories in memory.

"The malware specifically targets tokens issued by major platforms like Google, Microsoft, and social media sites," explained Vasquez. "It then exfiltrates them to a command-and-control server, where attackers can use the sessions before they expire or get revoked."
Flare's report highlights that REMUS employs anti-analysis techniques such as obfuscation, delayed execution, and environment checks to evade detection. The MaaS model allows its developers to continuously update the malware, adding support for new browsers and token formats.
Background: The Rise of Session Theft
Traditional infostealers focus on credential theft – stealing usernames and passwords. However, the widespread adoption of multi-factor authentication (MFA) has made passwords less effective for attackers. Session tokens, which prove a user is already authenticated, bypass MFA entirely.

"We've observed a clear industry shift towards session token theft over the past two years," said Sarah Kim, director of threat intelligence at Cyversec. "Malware like REMUS represents the commoditization of that trend, with MaaS making it accessible to a wider criminal network."
REMUS first emerged in early 2024 but has undergone at least four major version updates, each adding new features for token harvesting and evasion. Flare tracks its evolution as one of the fastest among active infostealers.
What This Means for Organizations
"The rise of session-stealing malware like REMUS undermines the protection offered by MFA," warned Vasquez. "Enterprises must now invest in session-aware defenses, such as token binding, session revocation mechanisms, and behavioral analytics."
Experts recommend the following immediate actions:
- Implementing short-lived session tokens that expire quickly, reducing the window of exploitation.
- Monitoring for anomalous session usage, such as logins from unfamiliar IP addresses or devices.
- Deploying endpoint detection and response (EDR) solutions that can identify infostealer behavior.
- Training employees to recognize phishing attempts that deliver REMUS.
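The first two recommendations above (short-lived tokens and monitoring for anomalous session usage) can be checked mechanically against authentication logs. The following script is an added illustration written for this article, not code from Flare or from the REMUS report; the key=value log format, the field names (sid, dev, etc.) and the sample events are all constructed. It treats the IP address and device identifier recorded at issuance as the session's binding and flags any later use that breaks that binding, any use after the configured maximum lifetime, and any use of a session that was never seen being issued.

```python
"""
Session-anomaly detection over constructed sample logs (example only).

Implements two of the defensive measures recommended above:
  1. Short-lived tokens: a session used later than issue time + max_age
     is flagged because it should already have expired.
  2. Anomalous usage: a session seen from a different client IP or device
     than the one it was issued to is flagged as a possible stolen session.
The log format, field names and events below are constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample of authentication-service log lines in a simple
# key=value format (hypothetical; not any real product's log format).
SAMPLE_LOG = """\
ts=2024-05-01T09:00:00Z event=issue sid=s1 user=alice ip=203.0.113.10 dev=laptop-A
ts=2024-05-01T09:05:00Z event=use sid=s1 user=alice ip=203.0.113.10 dev=laptop-A
ts=2024-05-01T09:07:00Z event=use sid=s1 user=alice ip=198.51.100.77 dev=unknown-X
ts=2024-05-01T09:00:00Z event=issue sid=s2 user=bob ip=192.0.2.5 dev=desktop-B
ts=2024-05-01T10:30:00Z event=use sid=s2 user=bob ip=192.0.2.5 dev=desktop-B
ts=2024-05-01T09:10:00Z event=use sid=s9 user=carol ip=192.0.2.9 dev=phone-C
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    event: str   # "issue" (token minted) or "use" (token presented)
    sid: str     # session identifier
    user: str
    ip: str
    dev: str     # device identifier reported by the client


def parse_line(line: str) -> Event:
    """Parse one constructed key=value log line into an Event."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    ts = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Event(ts, fields["event"], fields["sid"], fields["user"], fields["ip"], fields["dev"])


def parse_log(text: str) -> list:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect_anomalies(events, max_age: timedelta = timedelta(minutes=60)) -> list:
    """Return (sid, reason) alerts in chronological order.

    The issuing event records the binding (ip, dev, issue time) for each
    session; every later use is compared against that binding.
    """
    issued = {}   # sid -> issuing Event
    alerts = []
    # sorted() is stable, so events with equal timestamps keep input order
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.event == "issue":
            issued[ev.sid] = ev
            continue
        origin = issued.get(ev.sid)
        if origin is None:
            alerts.append((ev.sid, "use of session with no recorded issuance"))
            continue
        if ev.ts - origin.ts > max_age:
            alerts.append((ev.sid, "session used after max lifetime; should have expired"))
        if ev.ip != origin.ip or ev.dev != origin.dev:
            alerts.append((ev.sid, f"session bound to {origin.ip}/{origin.dev} "
                                   f"used from {ev.ip}/{ev.dev}"))
    return alerts


if __name__ == "__main__":
    for sid, reason in detect_anomalies(parse_log(SAMPLE_LOG)):
        print(f"ALERT {sid}: {reason}")
```

Run against the sample, the script raises three alerts: session s1 reused from a different IP and device two minutes after legitimate use (the pattern a replayed stolen token produces), session s9 used without ever being issued, and session s2 used 90 minutes after issuance, past the 60-minute lifetime. Lowering max_age is the cheapest of the three controls; binding checks need the device identifier to be reasonably stable, so in practice they are tuned to alert rather than block.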
"This is not just a technical problem; it's a strategic one," said Chen. "Attackers are adapting faster than many organizations. The REMUS evolution should be a wake-up call."
Flare expects REMUS to continue evolving, with potential integration of AI to customize attacks. The firm advises organizations to treat session tokens as sensitive assets and implement zero-trust principles.
For more details, see Flare's full report on REMUS.