Back to Intelligence

Remus 64-bit Infostealer, Beagle Backdoor & Aerospace APT Campaigns: OTX Pulse Analysis

SA
Security Arsenal Team
May 9, 2026
5 min read

Recent OTX pulses indicate a convergence of evolved commodity infostealers, social engineering-driven backdoors, and persistent ransomware activity targeting critical infrastructure. Remus, a new 64-bit variant of the notorious Lumma Stealer, has emerged following the takedown of its predecessor, shifting from standard dead-drop resolvers to EtherHiding for C2 infrastructure.

Simultaneously, threat actors are leveraging trusted brands to distribute malware. A malvertising campaign impersonating Anthropic's Claude AI is distributing the Beagle backdoor, utilizing DLL sideloading via a signed G DATA updater to bypass security controls.

Finally, the Aerospace and Defense sectors remain under intense pressure from extortion groups (LockBit, Cl0p) and nation-state actors (Refined Kitten, Fancy Bear), who are exploiting complex supply chains to launch identity-based intrusions and data extortion operations.

Threat Actor / Malware Profile

Remus (Lumma Stealer 64-bit Variant)

  • Type: Infostealer
  • Attribution: Lumma Stealer Family (Tenzor)
  • Distribution: Initial access via Steam or Telegram dead drop resolvers, transitioning to EtherHiding (blockchain-based C2).
  • Behavior: Highly evasive 64-bit payload. Performs anti-analysis checks before exfiltrating data. Targets cryptocurrency wallets, browser cookies, and saved credentials.
  • C2 Communication: Utilizes specific domains for handshake and data exfiltration; implements blockchain DNS resolution to resist takedowns.

Beagle Backdoor

  • Type: Remote Access Trojan (RAT)
  • Distribution: Malvertising via fake "Claude-Pro" site (claude-pro[.]com); delivered as a 505MB ZIP archive.
  • Behavior: Uses DonutLoader to shell code execution. Employs DLL Sideloading by abusing a legitimate, signed G DATA antivirus updater (gup.exe) to load the malicious payload (Beagle).
  • C2 Framework: AdaptixC2.

Aerospace Extortionists

  • Actors: LockBit, Cl0p, Refined Kitten, Fancy Bear (APT28), Wicked Panda.
  • Focus: Aviation, Transportation, Defense contractors.
  • TTPs: Supply chain exploitation, identity-based intrusions (ADFS manipulation), double-extortion ransomware.

IOC Analysis

Indicator Types:

  • Domains: C2 infrastructure for Remus (e.g., forestoaker.com, coox.live) and Beagle delivery (claude-pro.com).
  • File Hashes: SHA256 and MD5 hashes for Remus binaries, Beagle loaders, and ransomware payloads targeting the aerospace sector.
  • Hostnames: Specific subdomains used for license verification or C2 check-in (license.claude-pro.com).

Operational Guidance: SOC teams should immediately block listed domains at the perimeter and recursive resolvers. File hashes should be uploaded to EDR solutions for cloud-assisted hunting. Due to the use of signed binaries (G DATA) in the Beagle campaign, reputation-based blocking alone is insufficient; behavioral detection for DLL sideloading is required.

Detection Engineering

YAML
title: Remus Stealer C2 Connection - DNS Query
id: c0ffee01-2026-remus-dns
description: Detects DNS queries to known Remus Stealer C2 domains identified in OTX pulses.
author: Security Arsenal
status: experimental
date: 2026/05/08
tags:
    - attack.command_and_control
    - attack.t1071.004
logsource:
    category: dns
condition: selection
selection:
    query|contains:
        - 'forestoaker.com'
        - 'krondez.com'
        - 'baxe.pics'
        - 'vinte.online'
        - 'coox.live'
        - 'remnane.biz'
        - 'parky.pics'
falsepositives:
    - Unknown
level: critical
---
title: Suspicious G DATA Updater DLL Sideloading - Beagle
description: Detects potential Beagle backdoor execution via DLL sideloading using the signed G DATA updater (gup.exe).
id: c0ffee02-2026-beagle-sideloading
author: Security Arsenal
status: experimental
date: 2026/05/08
references:
    - https://www.sophos.com/en-us/blog/donuts-and-beagles-fake-claude-site-spreads-backdoor
tags:
    - attack.defense_evasion
    - attack.t1574.002
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith:
            - '\gup.exe'
        Image|contains:
            - '\AppData\'
            - '\Temp\'
        Signed: 'false'
    condition: selection
falsepositives:
    - Legitimate G DATA update failures (rare)
level: high
---
title: Fake Claude AI Site Network Access
description: Detects network connections to the malicious Claude-Pro domain used for Beagle distribution.
id: c0ffee03-2026-claude-malware
author: Security Arsenal
status: experimental
date: 2026/05/08
tags:
    - attack.initial_access
    - attack.t1566.002
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationHostname|endswith:
            - 'claude-pro.com'
    condition: selection
falsepositives:
    - Unknown
level: critical


kql
// Hunt for Remus and Beagle IOCs in Network and Process Events
// Network Connections to Malicious Domains
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any ("forestoaker.com", "krondez.com", "claude-pro.com", "baxe.pics", "vinte.online")
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, RemoteUrl, RemoteIP

// Process Creation for Malicious Hashes (Remus/Ransomware samples)
DeviceProcessEvents
| where Timestamp > ago(7d)
| where SHA256 in (
    "b037fa1dd769891b538d9ca26131890c93e3458eec96c5354bdebe50d04a5b3d",
    "7ea5afbc166c4e23498aa9747be81ceaf8dad90b8daa07a6e4644dc7c2277b82",
    "180e93a091f8ab584a827da92c560c78f468c45f2539f73ab2deb308fb837b38"
)
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, FolderPath, SHA256


powershell
# IOC Hunt Script for Remus and Beagle Artifacts
# Requires Administrator privileges

$MaliciousHashes = @( 
    "b037fa1dd769891b538d9ca26131890c93e3458eec96c5354bdebe50d04a5b3d",
    "7ea5afbc166c4e23498aa9747be81ceaf8dad90b8daa07a6e4644dc7c2277b82",
    "180e93a091f8ab584a827da92c560c78f468c45f2539f73ab2deb308fb837b38"
)

$MaliciousDomains = @(
    "forestoaker.com", "krondez.com", "claude-pro.com"
)

Write-Host "[+] Scanning for malicious file hashes..." -ForegroundColor Yellow

# Scan common temp and appdata directories
$PathsToScan = @("$env:TEMP", "$env:APPDATA", "$env:LOCALAPPDATA")

foreach ($Path in $PathsToScan) {
    if (Test-Path $Path) {
        Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue | Where-Object { 
            $_.Length -gt 0kb -and $_.Length -lt 100mb 
        } | ForEach-Object {
            $Hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if ($MaliciousHashes -contains $Hash) {
                Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName) | SHA256: $Hash" -ForegroundColor Red
            }
        }
    }
}

Write-Host "[+] Checking Hosts file for malicious domains..." -ForegroundColor Yellow
$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
if (Test-Path $HostsPath) {
    Select-String -Path $HostsPath -Pattern $MaliciousDomains | ForEach-Object {
        Write-Host "[!] SUSPICIOUS ENTRY IN HOSTS FILE: $($_.Line)" -ForegroundColor Red
    }
}

Write-Host "[+] Checking DNS Cache for C2 communication..." -ForegroundColor Yellow
Get-DnsClientCache | Where-Object { $MaliciousDomains -contains $_.Entry } | ForEach-Object {
    Write-Host "[!] DNS CACHE HIT: $($_.Entry) -> $($_.Data)" -ForegroundColor Red
}

Write-Host "[+] Hunt Complete." -ForegroundColor Green


# Response Priorities

*   **Immediate:**
    *   Block all listed domains (`forestoaker.com`, `claude-pro.com`, etc.) at the perimeter, proxy, and DNS levels.
    *   Isolate endpoints with positive hash matches for Remus or Aerospace ransomware binaries.
    *   Kill network connections to `claude-pro.com` and investigate the source process (likely browser or download manager).

*   **24 Hours:**
    *   Initiate credential reset for users who may have interacted with the "Claude-Pro" download or visited Steam/Telegram links associated with Remus.
    *   Review G DATA updater logs for anomalies or unauthorized DLL loads.
    *   Sweep aerospace/aviation segmented networks for the LockBit/Cl0p file hashes provided in Pulse 2.

*   **1 Week:**
    *   Implement application signing enforcement to prevent the abuse of signed binaries like `gup.exe` for sideloading.
    *   Update proxy categorization to block newly registered domains serving AI-related utilities.
    *   Conduct supply chain risk assessments for third-parties with access to aerospace engineering platforms.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-aptremus-stealerbeagle-backdooraerospace-aptlockbitetherhiding

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action