Unmasking The 64-bit Variant of the Infamous Lumma Stealer
AlienVault OTX pulse | TLP:WHITE | Lumma Stealer | Created 2026-04-08 | Modified 2026-04-08 | 89 IOCs
Gen Threat Labs has identified Remus, a new 64-bit infostealer attributed to the Lumma Stealer family, emerging after Lumma's takedown and the doxxing of its alleged core members. First campaigns date back to February 2026, with the malware switching from Steam/Telegram dead drop resolvers to EtherHiding and employing new anti-analysis checks. Remus shares multiple characteristics with Lumma including identical string obfuscation techniques, AntiVM checks, direct syscall/sysenter handling, indirect control flow obfuscation, and a unique Application-Bound Encryption bypass. The analysis details test builds labeled Tenzor from September 2025, representing a transitional step between Lumma and Remus. While maintaining Lumma's stealing arsenal for browser passwords, cookies, and cryptocurrency, Remus introduces blockchain-based C2 resolution via EtherHiding, additional anti-sandbox checks targeting analysis tool DLLs, and enhanced device fingerprinting capabilities.
Malware families: Tenzor, Lumma Stealer, Remus, Rhadamanthys, AuraStealer, VoidStealer
Indicators of Compromise (89), of types FileHash-SHA1, FileHash-SHA256, IPv4, URL and domain, all created 2026-04-08.