Unmasking The 64-bit Variant of the Infamous Lumma Stealer

216.73.217.98

Unmasking The 64-bit Variant of the Infamous Lumma Stealer

· Published 08/04/2026 11:16 · Modified 08/04/2026 11:01

Essential information

Published: 08/04/2026 11:16
Modified: 08/04/2026 11:01
Source / Author: AlienVault
Confidence: 100/100
Report type(s): threat-report
Labels / Tags: 64-bit variant application-bound encryption bypass aurastealer blockchain c2 etherhiding infostealer lumma stealer remus rhadamanthys tenzor voidstealer
Tags: 2026-04-08 64-bit variant application-bound encryption bypass aurastealer blockchain c2 etherhiding infostealer lumma stealer remus rhadamanthys tenzor voidstealer
Related entities: 88 indicators, 88 observables, 1 intrusion sets (apt), 19 techniques (mitre), 6 malware, 32 others

Description

Gen Threat Labs has identified Remus, a new 64-bit infostealer attributed to the Lumma Stealer family, emerging after Lumma's takedown and the doxxing of its alleged core members. First campaigns date back to February 2026, with the malware switching from Steam/Telegram dead drop resolvers to EtherHiding and employing new anti-analysis checks. Remus shares multiple characteristics with Lumma including identical string obfuscation techniques, AntiVM checks, direct syscall/sysenter handling, indirect control flow obfuscation, and a unique Application-Bound Encryption bypass. The analysis details test builds labeled Tenzor from September 2025, representing a transitional step between Lumma and Remus. While maintaining Lumma's stealing arsenal for browser passwords, cookies, and cryptocurrency, Remus introduces blockchain-based C2 resolution via EtherHiding, additional anti-sandbox checks targeting analysis tool DLLs, and enhanced device fingerprinting capabilities.