Unmasking The 64-bit Variant of the Infamous Lumma Stealer
Gen Threat Labs has identified Remus, a new 64-bit infostealer attributed to the Lumma Stealer family, emerging after Lumma's takedown and the doxxing of its alleged core members. First campaigns date back to February 2026, with the malware switching from Steam/Telegram dead drop resolvers to EtherHiding and employing new anti-analysis checks. Remus shares multiple characteristics with Lumma including identical string obfuscation techniques, AntiVM checks, direct syscall/sysenter handling, indirect control flow obfuscation, and a unique Application-Bound Encryption bypass. The analysis details test builds labeled Tenzor from September 2025, representing a transitional step between Lumma and Remus. While maintaining Lumma's stealing arsenal for browser passwords, cookies, and cryptocurrency, Remus introduces blockchain-based C2 resolution via EtherHiding, additional anti-sandbox checks targeting analysis tool DLLs, and enhanced device fingerprinting capabilities.
AI Analysis
Technical Summary
Remus is a 64-bit infostealer malware linked to the Lumma Stealer family, identified by Gen Threat Labs. It surfaced after Lumma's disruption and incorporates multiple Lumma characteristics such as string obfuscation, AntiVM checks, direct syscall/sysenter handling, indirect control flow obfuscation, and an Application-Bound Encryption bypass. Remus enhances its operational security by switching from traditional dead drop resolvers (Steam/Telegram) to blockchain-based C2 resolution using EtherHiding. It also adds new anti-sandbox checks targeting analysis tool DLLs and strengthens device fingerprinting. The malware continues to steal sensitive data including browser credentials, cookies, and cryptocurrency information. Early test versions labeled Tenzor appeared in September 2025, representing a developmental stage between Lumma and Remus. There is no indication of active exploitation in the wild or available patches.
Potential Impact
The malware can exfiltrate sensitive user data such as browser passwords, cookies, and cryptocurrency wallet information, potentially leading to credential theft and financial loss. Its advanced evasion techniques and blockchain-based C2 infrastructure complicate detection and analysis. However, no known active exploitation campaigns have been reported to date.
Mitigation Recommendations
No official patches or vendor advisories are available for this malware. Defenders should rely on updated endpoint detection and response solutions capable of identifying behaviors associated with Lumma and Remus malware families. Monitoring for indicators of compromise related to blockchain-based C2 communications and enhanced anti-analysis techniques may aid detection. Since this is a malware threat rather than a software vulnerability, traditional patching does not apply.
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.gendigital.com/blog/insights/research/remus-64bit-variant-of-lumma-stealer
- Adversary: Lumma Stealer
- Pulse Id: 69d61cf42af050999ace2be6
- Threat Score: null
Threat ID: 69d636951cc7ad14da612c39
Added to database: 4/8/2026, 11:05:57 AM
Last enriched: 4/8/2026, 11:20:45 AM
Last updated: 4/9/2026, 8:18:15 AM
Views: 17