REMUS Infostealer: An Inside Look at a Malware-as-a-Service Operation
A new infostealer malware, **REMUS**, has surfaced, drawing attention for its capabilities and similarities to **Lumma Stealer**. **Flare** researchers have analyzed the underground operation behind REMUS, revealing its rapid evolution and commercialization.

In recent months, a new infostealer malware known as **REMUS** has emerged across the cybercrime landscape, drawing attention from security researchers and malware analysts. Several technical analyses published in recent months focused on the malware’s capabilities, infrastructure, and similarities to **Lumma Stealer**, including its browser targeting mechanisms and credential theft functionality.
However, far less attention has been given to the underground operation behind the malware itself.
An analysis conducted by **Flare** researchers of 128 posts linked to the REMUS underground operation between February 12 and May 8, 2026, provides a rare look into how the group presents, develops, and operationalizes the malware within underground communities. By analyzing the actor’s advertisements, update logs, feature announcements, operational discussions, and customer-facing communications, the research helps map how the operation evolved over time and what priorities drove its development.
The findings reveal not only the rapid evolution of the stealer’s capabilities, but also a growing focus on commercialization, operational scalability, session theft, and password-manager targeting. More broadly, the activity offers insight into how modern malware-as-a-service (MaaS) operations increasingly resemble structured software businesses, with continuous development cycles, operational refinements, and features designed to improve usability, persistence, and long-term monetization.

The underground activity reveals a highly compressed but aggressive development cycle, with the operator repeatedly publishing feature updates, operational refinements, and new collection capabilities over just a few months.
Rather than advertising a static malware build, the posts portray an actively maintained MaaS platform evolving in near real time.
* **February 2026** marked the initial commercial push. Early posts focused on establishing REMUS as a reliable and easy-to-use stealer, promoting browser credential theft, cookie collection, **Discord** token theft, **Telegram** delivery, and basic log management. The tone was highly promotional and customer-oriented. In one of the earliest posts, the operator claimed: “*With good crypting and a dedicated intermediary server, the callback rate is ~90%.*”
Another post marketed the malware as featuring “*24/7 support*” and functionality “*simple enough that even a child can figure it out*”, highlighting a strong emphasis on usability and commercialization from the beginning.
* **March 2026** represented the campaign’s most active development period. During this phase, the operator introduced restore-token functionality, expanded log handling, worker tracking, statistics pages, duplicate-log filtering, and improved Telegram delivery workflows. Multiple posts focused not on theft itself, but on operational visibility and campaign management. One update added worker nicknames to log tables and statistics views, while another improved loader execution visibility so operators could better understand failed infections. The shift suggests REMUS was evolving into a broader operational platform rather than just a malware executable.
* **April 2026** showed a clear move toward session continuity and browser-side authentication artifacts. The operator added SOCKS5 proxy support, improved token restoration, anti-VM toggles, gaming-platform targeting, and password-manager-related collection. One update explicitly stated: “*Added IndexedDB collection for **1Password** and **LastPass** extensions.*”
Another referenced **Bitwarden**-related searches. The posts increasingly emphasized authenticated sessions, restore workflows, and browser-side storage rather than standalone credentials alone.
* **By early May 2026**, the operation appeared focused on refinement and operational stability. The remaining posts in the dataset referenced restore improvements, bug fixes, collection optimizations, and continued adjustments to delivery and management functionality, suggesting the operator was shifting from rapid feature expansion toward platform stabilization.
## REMUS and Its Connection to Lumma

Public reporting has largely focused on REMUS as a technically significant successor or variant of the Lumma Stealer. Researchers described the malware as a 64-bit infostealer sharing multiple similarities with Lumma, including anti-VM checks, browser-focused credential theft, and browser encryption bypass techniques.
That technical overlap is important, but the underground data suggests the story extends far beyond malware lineage.
The analyzed posts show a threat actor aggressively building a commercial cybercrime product around the malware. The operation repeatedly promoted updates, customer support, performance improvements, and additional collection capabilities in a way that strongly resembles legitimate software development cycles.
In one early post, the operator claimed the malware could achieve approximately “90%” successful delivery rates when paired with proper crypting and an intermediary server, language clearly aimed at reassuring potential buyers about operational reliability.
## A Shift Toward Session Theft and the Rising Value of Cookies

One of the clearest themes across the REMUS campaign is the growing emphasis on session theft rather than traditional credential harvesting alone.
Historically, many infostealers focused primarily on usernames and passwords.
REMUS, however, repeatedly emphasized cookie collection, token handling, browser sessions, proxy-assisted restoration, and authenticated access continuity. From the earliest stages of the campaign, the malware promoted browser sessions and authentication artifacts as a core part of its value.
This reflects a broader shift across the underground economy, where stolen cookies and authenticated sessions have increasingly become a highly valuable commodity.
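Because a replayed cookie skips the login and MFA step entirely, the defender's main signal is that an already-authenticated session suddenly appears from a different client. The following is an added example, not code from the Flare article or from REMUS itself: a minimal session-binding check over constructed authentication-log events, which binds each session to the client fingerprint seen at the MFA login and flags later use of the same session id from a different fingerprint or past a maximum session age. The event schema, field names and sample values are assumptions for illustration.

```python
"""Detect replay of a stolen browser session from a second client.

Added example (not from the article or the malware). Binds each session id
to the client fingerprint seen when the session was minted by an MFA login,
then flags any later request carrying that session id from a different
fingerprint, or after the session has exceeded its maximum age.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable


@dataclass(frozen=True)
class SessionEvent:
    """One authenticated request as it might appear in an IdP or app log (assumed schema)."""
    ts: datetime
    session_id: str
    src_ip: str
    user_agent: str
    mfa_passed: bool  # True only on the interactive login that minted the session


def fingerprint(ev: SessionEvent) -> tuple[str, str]:
    """Coarse client fingerprint: the /24 of the source IP plus the User-Agent.

    Using the /24 rather than the exact address tolerates ordinary address
    churn on the victim's own network without masking a move to a new network.
    """
    return (ev.src_ip.rpartition(".")[0], ev.user_agent)


def find_session_replays(
    events: Iterable[SessionEvent],
    max_age: timedelta = timedelta(hours=12),
) -> list[dict]:
    """Return one finding per suspicious use of a session id, in time order."""
    bound: dict[str, tuple[tuple[str, str], datetime]] = {}
    findings: list[dict] = []
    for ev in sorted(events, key=lambda e: e.ts):
        fp = fingerprint(ev)
        if ev.mfa_passed or ev.session_id not in bound:
            # An interactive MFA login (or the first sighting of an unknown
            # session id) binds the session to this client and start time.
            bound[ev.session_id] = (fp, ev.ts)
            continue
        bound_fp, minted = bound[ev.session_id]
        if ev.ts - minted > max_age:
            # Long-lived sessions are exactly what a stolen cookie keeps alive;
            # anything past the cap should have been re-authenticated.
            findings.append({"session_id": ev.session_id, "ts": ev.ts,
                             "reason": "session_expired", "age": ev.ts - minted})
            continue
        if fp != bound_fp:
            # Same session id, different client: consistent with cookie replay.
            findings.append({"session_id": ev.session_id, "ts": ev.ts,
                             "reason": "fingerprint_mismatch",
                             "expected": bound_fp, "seen": fp})
    return findings


# Constructed sample events (RFC 5737 documentation addresses, made-up UAs).
T0 = datetime(2026, 4, 20, 9, 0, 0)
UA_WIN = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"
UA_LINUX = "Mozilla/5.0 (X11; Linux x86_64) Chrome/124.0"
SAMPLE_EVENTS = [
    SessionEvent(T0, "sess-a1", "203.0.113.10", UA_WIN, True),                          # victim logs in with MFA
    SessionEvent(T0 + timedelta(minutes=5), "sess-a1", "203.0.113.10", UA_WIN, False),  # normal use
    SessionEvent(T0 + timedelta(minutes=40), "sess-a1", "198.51.100.77", UA_LINUX, False),  # cookie replayed elsewhere
    SessionEvent(T0 + timedelta(hours=1), "sess-b2", "192.0.2.5", UA_WIN, True),
    SessionEvent(T0 + timedelta(hours=1, minutes=10), "sess-b2", "192.0.2.5", UA_WIN, False),
    SessionEvent(T0 + timedelta(hours=20), "sess-b2", "192.0.2.5", UA_WIN, False),      # stale session still in use
]

if __name__ == "__main__":
    for f in find_session_replays(SAMPLE_EVENTS):
        print(f["ts"].isoformat(), f["session_id"], f["reason"])
```

Run over the sample events this flags two things: `sess-a1` reused from a different network and browser forty minutes after the MFA login, and `sess-b2` still in use nineteen hours after it was minted. Two caveats follow directly from the article: the SOCKS5 proxy support REMUS added in April exists precisely so replayed sessions can originate near the victim, so the network half of the fingerprint is a weak signal on its own, and a spoofable User-Agent does not make it much stronger. The durable mitigations are short session lifetimes with forced re-authentication, revoking all sessions on password reset or a stealer-log exposure, and binding tokens to the device where the platform supports it.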