Darhost

2026-05-15 20:11:00

REMUS Infostealer Revolutionizes Cybercrime: Session Tokens Now Prime Target

The REMUS infostealer prioritizes session tokens over passwords, is offered as MaaS, and is evolving rapidly. Flare's analysis warns of industrial-scale session theft.

Breaking: REMUS Infostealer Redefines Credential Theft

A new analysis from cybersecurity firm Flare reveals that the REMUS infostealer has rapidly evolved to prioritize stolen browser sessions and authentication tokens over traditional passwords. These digital assets now command higher value on underground markets.

Source: www.bleepingcomputer.com

“Session tokens allow attackers to bypass multi-factor authentication, giving them persistent access to corporate systems without triggering alarms,” said Michael Smith, a senior threat analyst at Flare. “REMUS is the first mass-market malware designed exclusively for this high-value theft.”

How REMUS Operates as a Malware-as-a-Service (MaaS)

REMUS is distributed as a MaaS platform, enabling even low-skilled criminals to deploy sophisticated session-stealing campaigns. The malware infiltrates browsers and intercepts cookies and OAuth tokens in real time.

Flare’s report confirms that REMUS updates its command-and-control infrastructure weekly, evading detection by standard antivirus tools. “Its modular architecture lets operators swap out payloads instantly—a level of agility we’ve never seen in an infostealer,” Smith added.

Background: The Rise of Session Theft

Traditional password theft has declined in profitability due to widespread adoption of password managers and multi-factor authentication. Cybercriminals have shifted focus to session tokens, which remain valid until explicitly revoked by the user or service.

REMUS first appeared in late 2023 but gained traction in 2025 after incorporating features like keylogging, screen scraping, and automated exfiltration of all active browser profiles. Its rapid evolution is driven by a closed community of developers who compete to add new features each month.

The malware now targets over 50 browser extensions and authenticator apps, including those for Google Workspace, Microsoft 365, and Slack. Victims’ machines are typically infected via phishing emails or compromised software downloads.

What This Means

Enterprises can no longer rely solely on multi-factor authentication as a security silver bullet. Flare recommends constant monitoring of session token activity and implementing short token expiration times.
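As an added illustration of the monitoring and short-expiration recommendation above (example code written for this page, not taken from Flare's report or any vendor tool), the following checks session activity for two signals: a session ID reused from a new IP address and a new client, and a session still in use past its allowed lifetime. The event format, the 8-hour lifetime and the sample events are assumptions constructed for the example.

```python
from datetime import datetime, timedelta

MAX_SESSION_AGE = timedelta(hours=8)  # assumed policy value, not from the article

# Constructed events: (timestamp, session_id, user, source_ip, user_agent)
SAMPLE_EVENTS = [
    ("2026-05-14T07:00:00", "sess-C", "carol", "192.0.2.44", "Edge/124 Windows"),
    ("2026-05-15T08:00:00", "sess-A", "alice", "198.51.100.10", "Chrome/124 Windows"),
    ("2026-05-15T08:05:00", "sess-B", "bob", "198.51.100.23", "Chrome/124 macOS"),
    ("2026-05-15T08:40:00", "sess-B", "bob", "203.0.113.77", "Firefox/125 Linux"),
    ("2026-05-15T09:00:00", "sess-C", "carol", "192.0.2.44", "Edge/124 Windows"),
    ("2026-05-15T09:30:00", "sess-A", "alice", "198.51.100.10", "Chrome/124 Windows"),
]


def find_suspicious_sessions(events, max_age=MAX_SESSION_AGE):
    """Return (session_id, reason) findings in event order, without duplicates."""
    first_seen = {}  # session_id -> (start time, ip, user agent) of first use
    findings = []
    for ts, sid, _user, ip, ua in sorted(events):  # ISO timestamps sort as text
        when = datetime.fromisoformat(ts)
        if sid not in first_seen:
            first_seen[sid] = (when, ip, ua)
            continue
        start, first_ip, first_ua = first_seen[sid]
        reasons = []
        # Same session ID from a new IP *and* a new client: replay heuristic.
        # An IP change alone is common (VPN, mobile) and is not flagged here.
        if ip != first_ip and ua != first_ua:
            reasons.append("context_change")
        # Session still accepted past the allowed lifetime: expiry not enforced.
        if when - start > max_age:
            reasons.append("over_max_age")
        for reason in reasons:
            if (sid, reason) not in findings:
                findings.append((sid, reason))
    return findings


if __name__ == "__main__":
    for sid, reason in find_suspicious_sessions(SAMPLE_EVENTS):
        print(f"{sid}: {reason}")
```

A client that copies the victim's user agent string would not trip the first check, so it works best alongside server-side expiry and revocation.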

“Organizations must treat browser sessions like physical keys—losing one can unlock the entire castle,” Smith warned. “The REMUS model proves that cybercrime is industrializing around session theft, and defenses must evolve just as fast.”

As REMUS continues to evolve, security teams should expect more targeted attacks against cloud services and collaboration platforms. The malware’s MaaS ecosystem lowers the bar for entry, potentially flooding markets with stolen credentials.

Cybersecurity experts urge immediate action: deploy endpoint detection with behavior analysis, block non-browser traffic to identity providers, and educate users about session token risks.