RadioCSIRT English Edition – a new ransomware group operating under the name Payload -Ep.74 episode artwork

EPISODE · Apr 12, 2026 · 13 MIN

RadioCSIRT English Edition – a new ransomware group operating under the name Payload -Ep.74

from RadioCSIRT - English Edition · host Marc Frédéric GOMEZ

On April 7, 2026, Gen Threat Labs, the research arm of Gen Digital, published a detailed technical analysis of Remus, a new 64-bit infostealer attributed to the Lumma Stealer family. Active campaigns involving Remus have been observed since February 2026 — directly following a doxxing campaign between August and October 2025 that exposed the presumed core members of the Lumma organization and significantly disrupted its operations. Remus is not a replacement for Lumma — both families are currently coexisting in the wild — but a deliberate evolution, most likely born from a fork or rebranding operation initiated during the period of maximum operational pressure on the original group.The attribution case built by Gen Threat Labs rests on six technical indicators establishing codebase continuity. The most distinctive is the Application-Bound Encryption bypass for Chromium browsers: both Lumma and Remus inject a compact shellcode into the browser process to locate the v20_master_key directly in memory and call CryptUnprotectMemory from within the browser's process context. The difference between the two implementations is eleven bytes — 51 bytes for Remus versus 62 for Lumma. This level of implementation parallelism is not coincidental. Additional shared indicators include near-identical string obfuscation via stack assembly and MBA-reinforced decryption loops, direct syscall dispatch via runtime ntdll hash-to-SSN lookup tables, identical antiVM CPUID checks against five hypervisor signatures in the same order, a shared crypter presence check via NtRaiseHardError, and overlapping control flow obfuscation patterns. The attribution chain is anchored by transitional builds labeled Tenzor, compiled September 16, 2025 — at the peak of the disruption period — which carry both a Steam dead drop resolver matching confirmed Lumma samples and artifacts exclusive to Remus.The most operationally significant evolution in Remus is the abandonment of Steam and Telegram dead drop resolvers in favor of EtherHiding. At runtime, Remus sends a JSON-RPC eth_call request to a hardcoded Ethereum smart contract address via a public RPC endpoint and extracts the C2 URL from the hex-encoded response. The decentralized and immutable nature of the blockchain makes this infrastructure effectively resistant to traditional takedown procedures. Remus also introduces two additional anti-analysis checks before any C2 connection: sandbox DLL detection via CRC32 hashing of loaded module names against eleven known sandbox DLL hashes, and honeypot PST detection via enumeration of a specific Outlook PST filename. If either check triggers, the binary terminates silently via ExitProcess zero.For detection: monitor for JSON-RPC eth_call requests toward public Ethereum endpoints originating from workstations — anomalous behavior with a very low false positive rate. Monitor for hidden desktop creation via CreateDesktopW combined with browser process launch. Deploy the Remus-specific detection rules published by SOCPrime covering direct syscall usage, API hashing, and stealth execution artifacts. Any organization that has relied on Steam or Telegram dead drop blocking as a Lumma detection signal should treat that control as deprecated.SourcesGen Digital – Remus: Unmasking the 64-bit variant of the infamous Lumma Stealer : https://www.gendigital.com/blog/insights/research/remus-64bit-variant-of-lumma-stealerGBHackers – Remus infostealer debuts with stealthy new credential-theft tactics : https://gbhackers.com/remus-infostealer-debuts/CyberPress – Remus infostealer emerges with credential theft and advanced evasion tricks : https://cyberpress.org/remus-infostealer-emerges-fast/Don't think, patch!Your feedback is welcome.Email: [email protected]: https://www.radiocsirt.comWeekly Newsletter: https://radiocsirtenglishedition.substack.com/#RadioCSIRT #CyberSecurity #ThreatIntelligence #CTI #Remus #LummaStealer #Infostealer #EtherHiding #Malware

NOW PLAYING

RadioCSIRT English Edition – a new ransomware group operating under the name Payload -Ep.74

0:00 13:16

No transcript for this episode yet

We transcribe on demand. Request one and we'll notify you when it's ready — usually under 10 minutes.

Al-Quran In English Dr. Soha The complete Quran translation in English, Narrated by Dr. Soha. Hosted on Acast. See acast.com/privacy for more information. The Hobbit by J. R. R. Tolkien Audiobook Raghvendra Singh The journey through Middle-earth begins here with J.R.R. Tolkien's classic prelude to his Lord of the Rings trilogy.“A glorious account of a magnificent adventure, filled with suspense and seasoned with a quiet humor that is irresistible... All those, young or old, who love a fine adventurous tale, beautifully told, will take The Hobbit to their hearts.”—The New York Times Book Review"In a hole in the ground there lived a hobbit." So begins one of the most beloved and delightful tales in the English language—Tolkien's prelude to The Lord of the Rings. Set in the imaginary world of Middle-earth, at once a classic myth and a modern fairy tale, The Hobbit is one of literature's most enduring and well-loved novels.Bilbo Baggins is a hobbit who enjoys a comfortable, unambitious life, rarely traveling any farther than his pantry or cellar. But his contentment is disturbed when the wizard Gandalf and a company of dwarves arrive on his doorstep one day to whisk him away CLO Level 3 Lessons Chinese Learn Online (CLO) Learn Mandarin Chinese with our unique structured immersion course. Each lesson continues where the previous one left off. Level 1 lessons are conducted mainly in English. Later levels in the course will be conducted in Chinese that was taught in earlier levels. Learn English with the British Council and Premier League Jack Radford

Frequently Asked Questions

How long is this episode of RadioCSIRT - English Edition?

This episode is 13 minutes long.

When was this RadioCSIRT - English Edition episode published?

This episode was published on April 12, 2026.

What is this episode about?

On April 7, 2026, Gen Threat Labs, the research arm of Gen Digital, published a detailed technical analysis of Remus, a new 64-bit infostealer attributed to the Lumma Stealer family. Active campaigns involving Remus have been observed since February...

Can I download this RadioCSIRT - English Edition episode?

Yes, you can download this episode by clicking the download button on the episode player, or subscribe to the podcast in your preferred podcast app for automatic downloads.
URL copied to clipboard!