At a glance: The REMUS infostealer is operated like a professional software company, with continuous updates, customer-focused service, and scaling objectives. Research shows that underground MaaS operations are adopting modern business practices to ensure persistence and revenue generation.
The REMUS infostealer has established itself in the cybercrime ecosystem over recent months and has attracted the attention of security researchers. An analysis of 128 posts in underground forums reveals how the group behind it operates its malware business like a professional software company – complete with continuous development cycles and targeted marketing.
A research team from Flare investigated activities surrounding REMUS between February and May 2025 and uncovered a remarkably professional criminal operation. Analyses of advertisements, update logs, and customer interactions reveal not only the rapid development of the stealer but also an increasing focus on commercialization, scalability, and infiltration of password managers.
The Malware-as-a-Service (MaaS) operation runs like a genuine software company: on an aggressive development cycle with continuous improvements, the operator regularly releases new features, operational enhancements, and data collection methods. In early advertising posts, the operator promoted REMUS’s reliability and user-friendliness, claiming that the combination of solid encryption and dedicated servers achieved a callback rate of approximately 90 percent. Core functions included stealing browser login credentials, harvesting cookies, capturing Discord tokens, and transmitting data via Telegram.
The marketing strategy was particularly revealing: the operator consistently emphasized ease of use – describing the malware as “so simple that even a child would understand it” – and promised “24/7 support.” This customer orientation demonstrates how professionalized underground operations have become. The campaign originally started in February 2026, and the intensive development phase peaked in March 2026.