Threat Summary
Current OTX pulse data reveals a concerning convergence of multiple threat campaigns targeting enterprise environments. The emergence of Remus—a 64-bit variant of the notorious Lumma Stealer—coincides with intensified data extortion operations against global aerospace supply chains. Simultaneously, threat actors are exploiting the popularity of AI tools through a fake Claude AI website distributing the previously undocumented Beagle backdoor.
The collective intelligence indicates coordinated activity involving:
- Remus Infostealer (Lumma 64-bit variant) using blockchain-based C2 infrastructure
- LockBit and Cl0p ransomware operations specifically targeting aerospace, transportation, and defense sectors
- APT groups (Refined Kitten, Wicked Panda, Fancy Bear) leveraging these tools for espionage
- Beagle backdoor distribution via malvertising campaigns impersonating Anthropic's Claude
The primary objectives include credential harvesting, data extortion, and establishing persistent access within critical infrastructure environments.
Threat Actor / Malware Profile
Remus Infostealer (Lumma 64-bit Variant)
Distribution Method:
- Transitioned from Steam/Telegram dead drop resolvers to EtherHiding (blockchain-based delivery)
- Malvertising campaigns targeting software download searches
Payload Behavior:
- Steals credentials, cryptocurrency wallets, browser data
- Harvests system information for profiling
- Exfiltrates data via encrypted channels
C2 Communication:
- Utilizes EtherHiding—a technique that stores C2 addresses in blockchain transactions
- Communicates with domains: forestoaker.com, krondez.com, baxe.pics, vinte.online, coox.live, remnane.biz, parky.pics
Persistence Mechanism:
- Registry run keys (HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run)
- Scheduled tasks masquerading as legitimate system processes
Anti-Analysis Techniques:
- Checks for virtualization environments
- Detects debugging tools
- Implements anti-sandboxing logic
- Uses application-bound encryption bypass techniques
LockBit & Cl0p Ransomware Campaigns
Targeted Industries:
- Aerospace
- Transportation
- Defense contractors
- Aviation supply chain partners
Distribution Method:
- Phishing campaigns with malicious attachments
- Supply chain compromise of shared airport IT platforms
- Exploitation of third-party dependencies
Payload Behavior:
- AES/RSA hybrid encryption of files
- Exfiltration of sensitive data prior to encryption
- Pressure tactics via data leak sites
Beagle Backdoor
Distribution Method:
- Fake Claude AI website (claude-pro.com) distributing malicious tool "Claude-Pro Relay"
- Delivered as 505 MB ZIP archive
Payload Behavior:
- Remote access capabilities
- Command execution
- File upload/download
C2 Communication:
- Uses AdaptixC2 framework for command and control
- Contacts license.claude-pro.com for tasking
Persistence Mechanism:
- DLL sideloading via signed G DATA antivirus updater
- Compromises legitimate signed binaries to load malicious DLLs
IOC Analysis
Indicator Types Present:
- Domain Names (8 total): C2 infrastructure and delivery domains
- File Hashes (7 total): SHA256, SHA1, and MD5 hashes of malware payloads
- Hostnames (1 total): Subdomain used for C2 communication
SOC Operationalization:
These indicators should be immediately:
- Blocked at perimeter firewalls, proxies, and DNS resolvers
- Imported into EDR solutions for detection and quarantine
- Correlated against existing threat intelligence platforms
- Hunted via SIEM queries using KQL provided below
Tooling for Analysis and Enrichment:
- VirusTotal/Joe Sandbox: For file hash analysis
- DNSdumpster/SecurityTrails: For domain infrastructure mapping
- Cortex/TheHive: For IOC management and case tracking
- Splunk/QRadar: For log correlation and alerting
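As an added example (not part of the original report), the following Python script turns the IOC lists above into something a SOC can run offline: it buckets the mixed MD5/SHA1/SHA256 digests by algorithm so each is compared against the right field, matches DNS query-log lines against the domain list with subdomain-aware logic (so look-alike names such as `notbaxe.pics` are not flagged while `cdn.krondez.com` is), and emits RPZ records for the DNS sinkholing step in the response priorities. The dnsmasq-style log lines and client addresses are constructed sample data.

```python
"""IOC normalisation, DNS-log matching and RPZ sinkhole generation
for the Remus/Beagle indicators in this report (added example)."""
import re

# Indicators taken from the report's IOC lists.
DOMAINS = ["forestoaker.com", "krondez.com", "baxe.pics", "vinte.online",
           "coox.live", "remnane.biz", "parky.pics", "claude-pro.com",
           "license.claude-pro.com"]
HASHES = ["b037fa1dd769891b538d9ca26131890c93e3458eec96c5354bdebe50d04a5b3d",
          "95daa771a28eaed76eb01e1e8f403f7c",
          "cdd5717fd3bfd375c1c34237c24073e92ad6dccc"]

HASH_ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}

def classify_hashes(hashes):
    """Bucket hex digests by algorithm so each is compared with the right column."""
    out = {"md5": set(), "sha1": set(), "sha256": set()}
    for h in hashes:
        h = h.strip().lower()
        if not re.fullmatch(r"[0-9a-f]+", h) or len(h) not in HASH_ALGO_BY_LEN:
            raise ValueError(f"not a hex digest of a known length: {h!r}")
        out[HASH_ALGO_BY_LEN[len(h)]].add(h)
    return out

def domain_matches(qname, blocklist):
    """True if qname equals a listed domain or is a subdomain of one (not a look-alike)."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in blocklist)

# Constructed sample lines in dnsmasq 'query[TYPE] name from client' format.
SAMPLE_DNS_LOG = """\
May  8 10:01:02 dnsmasq[512]: query[A] www.anthropic.com from 10.0.0.21
May  8 10:01:09 dnsmasq[512]: query[A] license.claude-pro.com from 10.0.0.21
May  8 10:02:11 dnsmasq[512]: query[A] cdn.krondez.com from 10.0.0.33
May  8 10:02:40 dnsmasq[512]: query[A] notbaxe.pics from 10.0.0.33
"""
QUERY_RE = re.compile(r"query\[\w+\] (\S+) from (\S+)")

def hunt_dns_log(text, blocklist=DOMAINS):
    """Return (client, qname) pairs for queries that hit the blocklist."""
    hits = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m and domain_matches(m.group(1), blocklist):
            hits.append((m.group(2), m.group(1)))
    return hits

def rpz_records(blocklist):
    """Emit RPZ 'CNAME .' (NXDOMAIN) records for each domain and its subdomains."""
    recs = []
    for d in blocklist:
        recs.append(f"{d} CNAME .")
        recs.append(f"*.{d} CNAME .")
    return recs
```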
Detection Engineering
```yaml
---
title: Remus Infostealer C2 Communication Detection
id: 6c8f7d2e-4a3b-45c6-9d1e-8f7a6b5c4d3e
description: Detects network connections to known Remus infostealer C2 domains
author: Security Arsenal
date: 2026/05/08
tags:
  - attack.command_and_control
  - attack.exfiltration
status: stable
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    DestinationHostname|contains:
      - forestoaker.com
      - krondez.com
      - baxe.pics
      - vinte.online
      - coox.live
      - remnane.biz
      - parky.pics
  condition: selection
falsepositives:
  - Legitimate access to these domains (unlikely)
level: critical
---
title: Fake Claude AI Website and Beagle Backdoor
id: 7d9f8e3f-5b4c-56d7-0e2f-9g8b7c6d5e4f1
description: Detects connections to fake Claude AI website distributing Beagle backdoor
author: Security Arsenal
date: 2026/05/08
tags:
  - attack.initial_access
  - attack.execution
status: stable
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    DestinationHostname|contains:
      - claude-pro.com
      - license.claude-pro.com
  condition: selection
falsepositives:
  - Legitimate access to Claude AI (should use anthropic.com)
level: high
---
title: DLL Sideloading via G DATA Updater
id: 8e0g9f4g-6c5d-67e8-1f3g-0h9c8d7e6f5g2
description: Detects potential DLL sideloading via signed G DATA antivirus updater (used by Beagle)
author: Security Arsenal
date: 2026/05/08
tags:
  - attack.defense_evasion
  - attack.persistence
status: stable
logsource:
  category: image_load
  product: windows
detection:
  selection:
    ImageLoaded|contains: 'G DATA'
    Signed: 'false'
  condition: selection
falsepositives:
  - Legitimate G DATA component loading
level: medium
```
```kql
// Hunt for Remus and Beagle C2 / delivery domain contacts.
// RemoteUrl can hold a full URL or a subdomain, so match on terms rather than exact value.
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any ("forestoaker.com", "krondez.com", "baxe.pics", "vinte.online", "coox.live", "remnane.biz", "parky.pics", "claude-pro.com", "license.claude-pro.com")
| summarize count() by DeviceName, RemoteUrl, InitiatingProcessFileName
| order by count_ desc

// Hunt for Beagle backdoor DLL sideloading: DLLs loaded by the signed G DATA updater
// from its installation folder (image-load telemetry, not process creation)
DeviceImageLoadEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFolderPath contains "G DATA" and FileName endswith ".dll"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessFolderPath, FileName, FolderPath, SHA256

// Hunt for malicious file hashes (SHA256, SHA1 and MD5 indicators from the pulses)
DeviceFileEvents
| where Timestamp > ago(30d)
| where SHA256 in ("b037fa1dd769891b538d9ca26131890c93e3458eec96c5354bdebe50d04a5b3d", "7ea5afbc166c4e23498aa9747be81ceaf8dad90b8daa07a6e4644dc7c2277b82", "180e93a091f8ab584a827da92c560c78f468c45f2539f73ab2deb308fb837b38")
    or SHA1 in ("cdd5717fd3bfd375c1c34237c24073e92ad6dccc", "c1888ba296f57e87a84411ddfce3cabc4536b142")
    or MD5 in ("95daa771a28eaed76eb01e1e8f403f7c", "5e1f61b9c1c27cad3b7a81c804ac7b86")
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, SHA1, MD5, InitiatingProcessAccountName
```
```powershell
# Remus and Beagle Backdoor Hunt Script
# Version 1.0 - 2026-05-08
# Author: Security Arsenal Threat Intelligence
# Run from an elevated PowerShell session so every file and HKLM key is readable.

# Define malicious file hashes from OTX pulses (a mix of SHA256, MD5 and SHA1 digests)
$maliciousHashes = @(
    "b037fa1dd769891b538d9ca26131890c93e3458eec96c5354bdebe50d04a5b3d",
    "95daa771a28eaed76eb01e1e8f403f7c",
    "cdd5717fd3bfd375c1c34237c24073e92ad6dccc",
    "7ea5afbc166c4e23498aa9747be81ceaf8dad90b8daa07a6e4644dc7c2277b82",
    "5e1f61b9c1c27cad3b7a81c804ac7b86",
    "c1888ba296f57e87a84411ddfce3cabc4536b142",
    "180e93a091f8ab584a827da92c560c78f468c45f2539f73ab2deb308fb837b38"
)

# Group the hashes by algorithm (inferred from digest length) so each file is compared
# with the matching algorithm; a SHA256 digest can never equal an MD5 or SHA1 indicator.
$hashSets = @{}
foreach ($h in $maliciousHashes) {
    $algo = switch ($h.Length) { 32 { 'MD5' } 40 { 'SHA1' } 64 { 'SHA256' } default { $null } }
    if ($algo) {
        if (-not $hashSets.ContainsKey($algo)) { $hashSets[$algo] = @() }
        $hashSets[$algo] += $h.ToLower()
    }
}

# Define malicious domains
$maliciousDomains = @(
    "forestoaker.com",
    "krondez.com",
    "baxe.pics",
    "vinte.online",
    "coox.live",
    "remnane.biz",
    "parky.pics",
    "claude-pro.com",
    "license.claude-pro.com"
)

# Wildcard patterns for the persistence checks: lure/family names plus every IOC domain.
# "*claude*" will also flag a legitimate Claude desktop install; review hits manually.
$suspiciousPatterns = @("*claude*", "*remus*") + ($maliciousDomains | ForEach-Object { "*$_*" })

function Test-SuspiciousString {
    param([string]$Value)
    foreach ($p in $suspiciousPatterns) { if ($Value -like $p) { return $true } }
    return $false
}

function Write-ColorOutput {
    param([string]$Message, [string]$Color)
    Write-Host $Message -ForegroundColor $Color
}

Write-ColorOutput "========================================" "Cyan"
Write-ColorOutput "REMUS & BEAGLE THREAT HUNT SCRIPT" "Cyan"
Write-ColorOutput "Security Arsenal - 2026-05-08" "Cyan"
Write-ColorOutput "========================================" "Cyan"

# Check for known malicious file hashes (files only; directories cannot be hashed)
Write-ColorOutput "`n[1] Scanning for malicious files..." "Yellow"
$foundFiles = 0
Get-ChildItem -Path C:\ -File -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
    $file = $_
    foreach ($algo in $hashSets.Keys) {
        try {
            $hash = (Get-FileHash -Path $file.FullName -Algorithm $algo -ErrorAction Stop).Hash.ToLower()
        } catch {
            continue   # locked or unreadable file
        }
        if ($hash -in $hashSets[$algo]) {
            Write-ColorOutput "  MALICIOUS FILE FOUND: $($file.FullName)" "Red"
            Write-ColorOutput "  $algo hash: $hash" "Red"
            $foundFiles++
            break
        }
    }
}
if ($foundFiles -eq 0) { Write-ColorOutput "  No malicious files found" "Green" }

# Check for DNS cache entries (exact domain or any subdomain of an IOC domain)
Write-ColorOutput "`n[2] Checking DNS cache for malicious domains..." "Yellow"
$foundDNS = 0
Get-DnsClientCache -ErrorAction SilentlyContinue | Where-Object {
    $entry = $_.Entry
    $maliciousDomains | Where-Object { $entry -eq $_ -or $entry -like "*.$_" }
} | ForEach-Object {
    Write-ColorOutput "  MALICIOUS DNS ENTRY: $($_.Entry)" "Red"
    Write-ColorOutput "  Data: $($_.Data)" "Red"
    $foundDNS++
}
if ($foundDNS -eq 0) { Write-ColorOutput "  No malicious DNS entries found" "Green" }

# Check for suspicious scheduled tasks (name, executable or arguments)
Write-ColorOutput "`n[3] Checking for suspicious scheduled tasks..." "Yellow"
$foundTasks = 0
Get-ScheduledTask -ErrorAction SilentlyContinue | Where-Object {
    $task = $_
    (Test-SuspiciousString $task.TaskName) -or
    ($task.Actions | Where-Object { (Test-SuspiciousString $_.Execute) -or (Test-SuspiciousString $_.Arguments) })
} | ForEach-Object {
    Write-ColorOutput "  SUSPICIOUS TASK FOUND: $($_.TaskName)" "Red"
    Write-ColorOutput "  Command: $($_.Actions.Execute) $($_.Actions.Arguments)" "Red"
    $foundTasks++
}
if ($foundTasks -eq 0) { Write-ColorOutput "  No suspicious tasks found" "Green" }

# Check for suspicious registry run keys
Write-ColorOutput "`n[4] Checking registry persistence mechanisms..." "Yellow"
$foundRegistry = 0
$runPaths = @(
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
)
foreach ($path in $runPaths) {
    if (-not (Test-Path $path)) { continue }
    $properties = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    foreach ($prop in $properties.PSObject.Properties) {
        # Skip the PS* metadata properties Get-ItemProperty adds and any non-string values
        if ($prop.Name -like "PS*" -or -not ($prop.Value -is [string])) { continue }
        if (Test-SuspiciousString $prop.Value) {
            Write-ColorOutput "  SUSPICIOUS REGISTRY ENTRY:" "Red"
            Write-ColorOutput "  Path: $path\$($prop.Name)" "Red"
            Write-ColorOutput "  Value: $($prop.Value)" "Red"
            $foundRegistry++
        }
    }
}
if ($foundRegistry -eq 0) { Write-ColorOutput "  No suspicious registry entries found" "Green" }

# Summary
Write-ColorOutput "`n========================================" "Cyan"
Write-ColorOutput "HUNT SUMMARY" "Cyan"
Write-ColorOutput "========================================" "Cyan"
Write-ColorOutput "Malicious files found: $foundFiles" "$(if ($foundFiles -gt 0) { 'Red' } else { 'Green' })"
Write-ColorOutput "Malicious DNS entries: $foundDNS" "$(if ($foundDNS -gt 0) { 'Red' } else { 'Green' })"
Write-ColorOutput "Suspicious tasks: $foundTasks" "$(if ($foundTasks -gt 0) { 'Red' } else { 'Green' })"
Write-ColorOutput "Suspicious registry entries: $foundRegistry" "$(if ($foundRegistry -gt 0) { 'Red' } else { 'Green' })"
Write-ColorOutput "`nHunt complete." "Green"
```
Response Priorities
Immediate (0-4 hours)
- Block all IOC domains at perimeter firewalls, DNS resolvers, and web proxies
- Isolate systems matching file hashes from the network
- Hunt for execution artifacts using the PowerShell script provided above
- Escalate any confirmed infections to incident response team
24 Hours
- Audit compromised credentials if Remus infostealer activity is confirmed
- Force password resets for all accounts accessed from infected endpoints
- Review browser data for exfiltration indicators
- Implement DNS sinkholing for C2 domains to monitor ongoing beaconing
1 Week
- Architecture hardening: Implement application allow-listing to prevent unknown executables
- Supply chain review: Validate software distribution channels for aerospace partners
- Security awareness training: Update with specific examples of fake AI tool websites
- DNS filtering enhancement: Deploy real-time threat intelligence integration for DNS resolution
- Third-party risk assessment: Re-evaluate cybersecurity posture of aerospace supply chain partners