REMUS Infostealer: How Session Hijacking Became the New Gold in Cybercrime
Stolen browser sessions and authentication tokens now command higher prices on dark web markets than traditional passwords, according to a new analysis of the REMUS infostealer malware. The threat, operated as a Malware-as-a-Service (MaaS), has rapidly evolved to specialize in session theft, enabling criminals to bypass multi-factor authentication and persist inside compromised accounts.
“REMUS is a textbook example of how cybercriminals pivot to session hijacking because it gives them instant, persistent access without needing credentials,” said a senior threat researcher at Flare, the cybersecurity firm that tracked the malware's development. “We’re seeing a clear shift: session tokens are the new gold.”
Background
REMUS first emerged in underground forums in early 2024 as a basic infostealer. Within months, its developers added advanced session cookie extraction and token replay capabilities, turning it into a specialized tool for account takeovers. The malware is sold on a subscription model (MaaS), with prices ranging from $500 to $2,000 per month depending on features and support level.

Flare’s report details how REMUS uses WebSocket injection to intercept active sessions in real time, even those protected by 2FA. Attackers can then reuse these tokens to log into services like email, cloud storage, and corporate VPNs without triggering additional authentication prompts. “The victims never know until it’s too late,” the researcher added.

What This Means
For organizations, the rise of REMUS underscores the inadequacy of relying solely on multi-factor authentication. A stolen session token represents a session that has already passed MFA, so replaying it never triggers a second-factor prompt; a security policy that treats MFA as its only control no longer holds. Companies must now monitor for anomalous session usage, implement short token lifetimes, and deploy endpoint detection that can spot process injection and WebSocket abuse.
For defenders, REMUS represents a rapidly evolving threat that demands equally agile countermeasures. The malware already shows modular updates, suggesting its creators are adding features like browser-agnostic stealing and cryptojacking. “This isn’t a static threat—it’s a platform that gets better every week,” the Flare researcher warned.
Flare recommends immediate action: disable automatic session persistence in browsers, enforce re-authentication for sensitive actions, and use EDR solutions that can detect hooking of browser processes. As the threat matures, stolen sessions will only become more valuable, making proactive defense critical.
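The server-side controls named above (short token lifetimes, re-authentication for sensitive actions, and monitoring for anomalous session use) can be expressed as one request-time policy. The following is an added example written for this article, not code from REMUS, Flare, or any product; the thresholds, user agents, addresses, timestamps and action names are constructed, and a real deployment would tune them and feed the revoke decisions into its session store and SIEM.

```python
# Added example: a session policy that applies the controls the text recommends.
# Not REMUS or Flare code; every threshold and sample value below is constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib
import ipaddress

# Policy thresholds (assumed values for the example, not from the report)
SESSION_MAX_AGE = timedelta(hours=8)        # absolute lifetime regardless of activity
SESSION_IDLE_TIMEOUT = timedelta(minutes=30)
REAUTH_WINDOW = timedelta(minutes=5)        # sensitive actions need auth this fresh
NETWORK_SWITCH_MIN = timedelta(minutes=2)   # two networks faster than this = suspicious
SENSITIVE_ACTIONS = {"change_password", "add_mfa_device", "export_data"}

def network_of(ip: str) -> str:
    """Collapse an address to its /24 so ordinary DHCP churn does not trip the check."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))

def ua_binding(user_agent: str) -> str:
    """Fingerprint of the browser the session was issued to."""
    return hashlib.sha256(user_agent.encode()).hexdigest()

@dataclass
class Session:
    user: str
    issued_at: datetime
    auth_time: datetime      # last time the user proved identity (password + MFA)
    binding: str             # ua_binding() captured at login
    last_seen: datetime
    last_network: str
    revoked: bool = False

@dataclass
class Request:
    at: datetime
    user_agent: str
    ip: str
    action: str

def login(user: str, at: datetime, user_agent: str, ip: str) -> Session:
    """Create a session at the moment the user completes password + MFA."""
    return Session(user, at, at, ua_binding(user_agent), at, network_of(ip))

def _check(s: Session, req: Request) -> tuple[str, str]:
    if req.at - s.issued_at > SESSION_MAX_AGE:
        return "revoke", "absolute lifetime exceeded"
    if req.at - s.last_seen > SESSION_IDLE_TIMEOUT:
        return "revoke", "idle timeout"
    if ua_binding(req.user_agent) != s.binding:
        # Token presented by a browser other than the one it was issued to:
        # the pattern a replayed stolen cookie produces.
        return "revoke", "browser binding mismatch"
    if network_of(req.ip) != s.last_network and req.at - s.last_seen < NETWORK_SWITCH_MIN:
        # Same token active from two networks within minutes: concurrent use.
        return "revoke", "concurrent use from two networks"
    if req.action in SENSITIVE_ACTIONS and req.at - s.auth_time > REAUTH_WINDOW:
        return "reauth", "sensitive action requires fresh authentication"
    return "allow", "ok"

def evaluate(s: Session, req: Request) -> tuple[str, str]:
    """Decide one request: ('allow' | 'reauth' | 'revoke', reason).
    A revoke marks the session dead for every later request."""
    if s.revoked:
        return "revoke", "session already revoked"
    verdict = _check(s, req)
    if verdict[0] == "revoke":
        s.revoked = True
    elif verdict[0] == "allow":
        s.last_seen, s.last_network = req.at, network_of(req.ip)
    return verdict

def demo_replay_scenario() -> list[str]:
    """Constructed log: legitimate use, then the same cookie appears from another
    network one minute later, as a replayed token would. Returns the decisions."""
    t0 = datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc)
    ua = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/126.0"
    s = login("alice", t0, ua, "203.0.113.10")
    log = [
        Request(t0 + timedelta(minutes=1), ua, "203.0.113.10", "read_mail"),
        Request(t0 + timedelta(minutes=2), ua, "203.0.113.10", "change_password"),
        Request(t0 + timedelta(minutes=3), ua, "198.51.100.7", "read_mail"),
        Request(t0 + timedelta(minutes=4), ua, "203.0.113.10", "read_mail"),
    ]
    return [evaluate(s, r)[0] for r in log]

def demo_stale_auth_scenario() -> list[str]:
    """Constructed log: same browser and network, but a sensitive action long after
    the last proof of identity, then a request from a different client."""
    t0 = datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc)
    ua = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/126.0"
    s = login("alice", t0, ua, "203.0.113.10")
    log = [
        Request(t0 + timedelta(minutes=10), ua, "203.0.113.10", "change_password"),
        Request(t0 + timedelta(minutes=11), "curl/8.5.0", "203.0.113.10", "read_mail"),
    ]
    return [evaluate(s, r)[0] for r in log]

if __name__ == "__main__":
    print(demo_replay_scenario())      # ['allow', 'allow', 'revoke', 'revoke']
    print(demo_stale_auth_scenario())  # ['reauth', 'revoke']
```

The binding and network checks are what turn a replayed cookie into a revoke decision rather than a silent success: the token is valid, but it is presented from a client or network the server never issued it to. The re-authentication window enforces the "re-authenticate for sensitive actions" recommendation independently of the session's age, and the absolute lifetime bounds how long a stolen token stays useful even when none of the anomaly checks fire.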