From Discovery to Defense: Detecting Remus Infostealer
Remus infostealer, slowly solidifying itself as the successor of Lumma stealer, has been growing in capabilities since its discovery in February 2026. Sold as a 64-bit Malware-as-a-Service (MaaS), Remus has a wide range of capabilities aimed at stealing credentials, compromising user accounts, stealing browser session data and clipboard contents, capturing screenshots, and gaining access to crypto-wallets. Gen researchers found extensive overlap with the infamous Lumma stealer, reinforcing the hypothesis that Remus is the evolution of Lumma.
Remus focuses on Chromium and Firefox-based browsers as well as browser extensions, specifically those related to password or MFA management. After it gains access to those credentials, it exfiltrates them to a command-and-control (C2) server.
The samples analyzed for this blog share several common traits: first, file size, with all samples strictly within the 200KB range; second, all samples contain Remus logging features; third, they all exhibit clipboard and pixel capturing capabilities; fourth, they all make ample API calls to gather system information.
The following YARA rule successfully detects Remus samples displaying the aforementioned features:
```yara
import "pe"

rule Remus_Infostealer {
    meta:
        author = "Evelyne Diaz Araque (evadiaz@stairwell.com)"
        date = "2026-06-07"
        description = "Remus stealer."
        hash0 = "0a8f734f10400f7ae8fef591147e78dab6350089683be84c1cb6c82113cb1319"
        hash1 = "64db10e76b46be8db36e02993d36559bc3f86606c9ea955731872b716c8f0c69"
        hash2 = "95700d4d7e8f1970fbb331d7930c68c55e3c3c57cd809751d9a281fd48a8a4df"
        hash3 = "ab2e47720388fa201e242552f8d8b82363c6c52f6c63fa3fec9dce027cb12e77"
    strings:
        // Remus logging artifacts
        $r0 = "# REMUS LOG" ascii wide
        $r1 = "REMUS" ascii wide
        // APIs used for screen capture, clipboard access and host fingerprinting
        $s0 = "BitBlt" ascii wide
        $s1 = "OpenClipboard" ascii wide
        $s3 = "GetComputerNameA" ascii wide
        $s4 = "GetUserNameA" ascii wide
    condition:
        pe.is_pe and
        (filesize > 200KB and filesize < 300KB) and
        (1 of ($r*)) and (1 of ($s*))
}
```
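As an added example (not from the original post and not Stairwell's code), the Python below re-implements the condition of the rule above so a defender can see what each clause contributes: the PE check approximates `pe.is_pe` with the MZ magic and the `PE\0\0` signature at `e_lfanew`, every `ascii wide` string is matched in both raw and UTF-16LE form, and the size band uses YARA's 1024-byte `KB`. The sample buffers are constructed stand-ins, not real Remus binaries.

```python
import struct

# Strings from the rule on this page; each is matched in both ASCII and
# UTF-16LE form, which is what YARA's "ascii wide" modifiers mean.
REMUS_STRINGS = [b"# REMUS LOG", b"REMUS"]
API_STRINGS = [b"BitBlt", b"OpenClipboard", b"GetComputerNameA", b"GetUserNameA"]
MIN_SIZE, MAX_SIZE = 200 * 1024, 300 * 1024  # YARA's KB is 1024 bytes


def looks_like_pe(data: bytes) -> bool:
    """Approximates pe.is_pe: 'MZ' magic and a 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def contains_ascii_or_wide(data: bytes, s: bytes) -> bool:
    """'ascii wide' in YARA: match the raw bytes or their UTF-16LE encoding."""
    return s in data or s.decode("ascii").encode("utf-16-le") in data


def matches_remus_rule(data: bytes) -> bool:
    """Evaluates the same condition as the Remus_Infostealer rule above."""
    size_ok = MIN_SIZE < len(data) < MAX_SIZE
    any_r = any(contains_ascii_or_wide(data, s) for s in REMUS_STRINGS)
    any_s = any(contains_ascii_or_wide(data, s) for s in API_STRINGS)
    return looks_like_pe(data) and size_ok and any_r and any_s


def build_sample(size: int, *fragments: bytes) -> bytes:
    """Constructed stand-in for a binary: minimal PE headers, padding, then fragments."""
    e_lfanew = 0x80
    header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    header = header.ljust(e_lfanew, b"\x00") + b"PE\x00\x00"
    body = b"".join(fragments)
    return (header + body).ljust(size, b"\x00")


if __name__ == "__main__":
    hit = build_sample(210 * 1024, "REMUS".encode("utf-16-le"), b"BitBlt")
    too_small = build_sample(50 * 1024, b"# REMUS LOG", b"OpenClipboard")
    no_api = build_sample(250 * 1024, b"REMUS")
    print(matches_remus_rule(hit), matches_remus_rule(too_small), matches_remus_rule(no_api))
```

The second and third constructed samples show why the size band and the `1 of ($s*)` clause matter: a file carrying only the logging marker, or one outside the 200KB to 300KB window, is not flagged.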
YARA is one of the most effective ways to turn threat intelligence into detection, but traditional YARA hunting is limited by time and infrastructure. With Stairwell, YARA rules run continuously across your entire file history – not just what exists on disk today. Powered by the Stairwell Private Vault, analysts can instantly scan every file their organization has ever encountered, along with billions of samples in Stairwell’s Global Malware Corpus, turning a single YARA rule into persistent, enterprise-scale detection. Instead of conducting one-time hunts, security teams gain continuous hindsight, ensuring newly discovered threats can be identified across past and future exposure in seconds.
Want to see it in action? Reach out to our team to learn more – Request a Demo