
Remus Infostealer & Aerospace Ransomware: OTX Pulse Analysis — Detection Engineering Pack

Security Arsenal Team
May 10, 2026

Intelligence Date: 2026-05-10
Source: AlienVault OTX Live Pulse Data
Author: Security Arsenal Threat Intel Unit

Threat Summary

Current OTX Pulse data indicates a convergence of high-efficacy infostealers, ransomware operations targeting critical infrastructure, and novel social engineering campaigns leveraging generative AI themes.

  1. Lumma Stealer Evolution: The "Remus" 64-bit variant of Lumma Stealer has been detected utilizing EtherHiding for C2 infrastructure and bypassing application-bound encryption. This follows the takedown of the original Lumma operations, suggesting an adaptive persistence by the threat actors.
  2. Critical Infrastructure Targeting: A distinct surge in activity from LockBit, Cl0p, and nation-state actors (Refined Kitten, Fancy Bear) is explicitly targeting the aerospace and defense supply chain. The campaign focuses on data extortion and platform-level disruption.
  3. AI-Themed Malvertising: A new campaign involving the "Beagle" backdoor is distributed via a fraudulent Claude AI website (claude-pro.com), utilizing DLL sideloading (G DATA updater) and DonutLoader to deliver the payload.

Threat Actor / Malware Profile

Malware Family / Actor | Description | Distribution | Key Behaviors
Remus (Lumma Stealer) | 64-bit variant of the infamous infostealer. | Malvertising, crack tools | EtherHiding, blockchain C2, anti-analysis checks, Steam/Telegram dead-drop resolvers (historical).
LockBit / Cl0p / APTs | Ransomware and espionage groups. | Phishing, supply chain compromise | Data extortion, identity-based intrusions, platform disruption.
Beagle Backdoor | Previously undocumented backdoor. | Fake Claude AI website (malvertising). | DLL sideloading (via G DATA updater), DonutLoader shellcode execution.

IOC Analysis

The provided pulses contain 91 total indicators, primarily domains and file hashes.

  • Domains: Multiple C2 domains associated with Remus (e.g., forestoaker.com, krondez.com) and phishing infrastructure for Beagle (claude-pro.com).
  • File Hashes: SHA256 hashes for Remus samples and multiple MD5/SHA1/SHA256 hashes associated with aerospace-targeting ransomware payloads.

Operational Guidance: SOC teams should immediately blocklist the domains at the perimeter and DNS layer. The file hashes should be loaded into EDR solutions for immediate quarantine. The ransomware hashes (SHA256: 7ea5afbc166c4e23498aa9747be81ceaf8dad90b8daa07a6e4644dc7c2277b82, 180e93a091f8ab584a827da92c560c78f468c45f2539f73ab2deb308fb837b38) indicate active extortion campaigns.
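The blocklisting step above starts with turning the raw pulse export into clean, typed lists. The following Python is an added example (not code from the Security Arsenal post or from AlienVault): it assumes the OTX pulse JSON shape `{"indicators": [{"indicator": ..., "type": ...}]}` with the type names `domain`, `hostname` and `FileHash-MD5/SHA1/SHA256`, lower-cases and de-duplicates everything, rejects malformed hashes instead of silently dropping them, and renders the domains as a BIND response-policy zone (which also covers subdomains) and the hashes as a flat EDR import list. The sample pulse is constructed from the indicators quoted in this post.

```python
"""Normalize an OTX pulse indicator export into typed blocklists (added example)."""
import json
import re

# Constructed sample in the assumed OTX export shape; IOCs are the ones quoted in the post.
SAMPLE_PULSE = json.dumps({
    "name": "Remus Infostealer C2 (constructed sample)",
    "indicators": [
        {"indicator": "forestoaker.com", "type": "domain"},
        {"indicator": "KRONDEZ.COM", "type": "domain"},            # mixed case on purpose
        {"indicator": "license.claude-pro.com", "type": "hostname"},
        {"indicator": "claude-pro.com", "type": "domain"},
        {"indicator": "7ea5afbc166c4e23498aa9747be81ceaf8dad90b8daa07a6e4644dc7c2277b82",
         "type": "FileHash-SHA256"},
        {"indicator": "180E93A091F8AB584A827DA92C560C78F468C45F2539F73AB2DEB308FB837B38",
         "type": "FileHash-SHA256"},
        {"indicator": "not-a-hash", "type": "FileHash-MD5"},       # malformed entry, must be rejected
        {"indicator": "forestoaker.com", "type": "domain"},        # duplicate, must collapse
    ],
})

HASH_LENGTHS = {"FileHash-MD5": 32, "FileHash-SHA1": 40, "FileHash-SHA256": 64}
HEX_RE = re.compile(r"^[0-9a-f]+$")
# Hostname grammar per RFC 1123: labels of letters, digits and hyphens, no leading/trailing hyphen.
HOST_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")


def normalize_pulse(pulse_json):
    """Return {'domains': set, 'hashes': {'md5','sha1','sha256': set}, 'rejected': [(type, value)]}.

    Values are lower-cased and de-duplicated; anything failing validation is listed
    under 'rejected' so the analyst can see what did not reach the blocklist.
    """
    pulse = json.loads(pulse_json)
    out = {"domains": set(), "hashes": {"md5": set(), "sha1": set(), "sha256": set()}, "rejected": []}
    for ind in pulse.get("indicators", []):
        value = ind.get("indicator", "").strip().lower().rstrip(".")
        itype = ind.get("type", "")
        if itype in ("domain", "hostname"):
            if HOST_RE.match(value):
                out["domains"].add(value)
            else:
                out["rejected"].append((itype, value))
        elif itype in HASH_LENGTHS:
            if len(value) == HASH_LENGTHS[itype] and HEX_RE.match(value):
                out["hashes"][itype.split("-")[1].lower()].add(value)
            else:
                out["rejected"].append((itype, value))
        else:
            out["rejected"].append((itype, value))
    return out


def to_rpz_zone(domains, origin="rpz.local"):
    """Render domains as a BIND RPZ zone; 'CNAME .' is the NXDOMAIN action, '*.' covers subdomains."""
    lines = [f"$ORIGIN {origin}.", "$TTL 300"]
    for d in sorted(domains):
        lines.append(f"{d} CNAME .")
        lines.append(f"*.{d} CNAME .")
    return "\n".join(lines) + "\n"


def to_edr_hash_list(hashes):
    """Flatten the per-algorithm sets into one sorted list for an EDR custom-indicator import."""
    return sorted(h for algo in hashes.values() for h in algo)


if __name__ == "__main__":
    result = normalize_pulse(SAMPLE_PULSE)
    print(to_rpz_zone(result["domains"]))
    print("\n".join(to_edr_hash_list(result["hashes"])))
    print("rejected:", result["rejected"])
```

Feeding the real pulse export through `normalize_pulse` instead of copying indicators by hand keeps the Sigma, KQL and PowerShell lists below in sync with the same validated set.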

Detection Engineering

Sigma Rules

YAML
---
title: Remus Infostealer C2 Connection
id: 4a8b2c1d-5e6f-4a7b-8c9d-0e1f2a3b4c5d
description: Detects network connections to known Remus/Lumma Stealer C2 domains observed in OTX pulses.
status: experimental
date: 2026/05/10
author: Security Arsenal
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    DestinationHostname|contains:
      - 'forestoaker.com'
      - 'krondez.com'
      - 'baxe.pics'
      - 'vinte.online'
      - 'coox.live'
      - 'remnane.biz'
      - 'parky.pics'
  condition: selection
falsepositives:
  - Legitimate administrative access (unlikely)
level: critical
tags:
  - attack.command_and_control
  - attack.t1071
---
title: Beagle Backdoor Phishing Domain Access
id: b2c3d4e5-6f7a-4b8c-9d0e-1f2a3b4c5d6e
description: Detects DNS queries or HTTP connections to the fake Claude AI site distributing Beagle backdoor.
status: experimental
date: 2026/05/10
author: Security Arsenal
logsource:
  category: dns
  product: windows
detection:
  selection:
    QueryName|contains:
      - 'claude-pro.com'
      - 'license.claude-pro.com'
  condition: selection
falsepositives:
  - None
level: high
tags:
  - attack.initial_access
  - attack.t1566
---
title: Aerospace Ransomware Payload Execution
id: c3d4e5f6-7a8b-4c9d-0e1f-2a3b4c5d6e7f
description: Detects execution of file hashes associated with LockBit/Cl0p activity targeting aerospace.
status: experimental
date: 2026/05/10
author: Security Arsenal
logsource:
  # Sysmon populates the Hashes field on process-creation (and image-load) events,
  # not on file-create events, so the rule matches on process_creation.
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '.exe'
    Hashes|contains:
      - '7ea5afbc166c4e23498aa9747be81ceaf8dad90b8daa07a6e4644dc7c2277b82'
      - '180e93a091f8ab584a827da92c560c78f468c45f2539f73ab2deb308fb837b38'
  condition: selection
falsepositives:
  - None
level: critical
tags:
  - attack.execution
  - attack.t1204
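Before shipping the three rules above it is worth confirming that their selections fire on the events you expect and stay quiet on benign ones. The Python below is an added example, not code from the post or from the Sigma project: it implements only the subset of Sigma semantics these rules use (keys in a selection map are AND-ed, a list of values is OR-ed, `contains`/`endswith` compare case-insensitively) and runs it over constructed Sysmon-style events. The third selection is evaluated on process-creation fields (`Image`, `Hashes`), since Sysmon populates `Hashes` on process-creation and image-load events rather than file-create events. The events, and the all-zero placeholder digests in them, are invented for the test.

```python
"""Evaluate the Sigma selections above against constructed Sysmon-style events (added example)."""

# Detection sections transcribed from the three rules above.
RULES = {
    "Remus Infostealer C2 Connection": {
        "DestinationHostname|contains": ["forestoaker.com", "krondez.com", "baxe.pics", "vinte.online",
                                         "coox.live", "remnane.biz", "parky.pics"],
    },
    "Beagle Backdoor Phishing Domain Access": {
        "QueryName|contains": ["claude-pro.com", "license.claude-pro.com"],
    },
    "Aerospace Ransomware Payload Execution": {
        "Image|endswith": [".exe"],
        "Hashes|contains": ["7ea5afbc166c4e23498aa9747be81ceaf8dad90b8daa07a6e4644dc7c2277b82",
                            "180e93a091f8ab584a827da92c560c78f468c45f2539f73ab2deb308fb837b38"],
    },
}

# Sigma string modifiers used by the rules; the None key is the plain equality match.
MODIFIERS = {
    "contains": lambda value, needle: needle in value,
    "endswith": lambda value, needle: value.endswith(needle),
    "startswith": lambda value, needle: value.startswith(needle),
    None: lambda value, needle: value == needle,
}


def field_matches(event, spec, values):
    """One `Field|modifier: [values]` entry: True if any listed value matches (OR within a list)."""
    field, _, modifier = spec.partition("|")
    actual = event.get(field)
    if actual is None:
        return False
    # Sigma string matching is case-insensitive; Sysmon emits hashes in upper-case hex.
    actual = str(actual).lower()
    compare = MODIFIERS[modifier or None]
    return any(compare(actual, str(v).lower()) for v in values)


def selection_matches(event, selection):
    """Every key of a selection map must match (AND across keys)."""
    return all(field_matches(event, spec, values) for spec, values in selection.items())


def evaluate(event):
    """Return the titles of all rules whose selection fires on the event."""
    return [title for title, selection in RULES.items() if selection_matches(event, selection)]


# Constructed events in Sysmon field naming; the SHA256 in event 3 is one quoted in the post,
# the SHA1/MD5 values are all-zero placeholders.
SAMPLE_EVENTS = [
    {"EventID": 3, "DestinationHostname": "cdn.forestoaker.com", "DestinationPort": 443},
    {"EventID": 22, "QueryName": "license.claude-pro.com"},
    {"EventID": 22, "QueryName": "claude.ai"},  # legitimate lookup, must not fire
    {"EventID": 1, "Image": "C:\\Users\\Public\\Downloads\\invoice.exe",
     "Hashes": "SHA1=0000000000000000000000000000000000000000,MD5=00000000000000000000000000000000,"
               "SHA256=7EA5AFBC166C4E23498AA9747BE81CEAF8DAD90B8DAA07A6E4644DC7C2277B82"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe",
     "Hashes": "SHA256=ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"},
]


def run(events=SAMPLE_EVENTS):
    """Map each event index to the rule titles it triggers; silent events are omitted."""
    hits = {}
    for i, ev in enumerate(events):
        fired = evaluate(ev)
        if fired:
            hits[i] = fired
    return hits


if __name__ == "__main__":
    for idx, titles in run().items():
        print(f"event {idx}: {', '.join(titles)}")
```

The first event shows why the hostname rules use `contains` rather than equality: a subdomain such as `cdn.forestoaker.com` still matches the registered domain. The fourth event shows the `Hashes` field in its comma-separated `ALGO=hex` form, where `contains` on the bare hash works regardless of which algorithms Sysmon was configured to emit.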

KQL Hunt Queries (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for Remus/Beagle C2 domains in network events.
// has_any matches the domain as a term, so subdomains (license.claude-pro.com) and URLs with paths
// are caught; an exact-match "in" list would miss them. Domain list is the one from the Sigma rules.
let C2Domains = dynamic(["forestoaker.com", "krondez.com", "baxe.pics", "vinte.online", "coox.live", "remnane.biz", "parky.pics", "claude-pro.com"]);
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any (C2Domains)
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, RemoteUrl, RemoteIP, ActionType

// Hunt for known ransomware/stealer file hashes (run as a separate query).
DeviceFileEvents
| where Timestamp > ago(7d)
| where SHA256 in ("b037fa1dd769891b538d9ca26131890c93e3458eec96c5354bdebe50d04a5b3d", "7ea5afbc166c4e23498aa9747be81ceaf8dad90b8daa07a6e4644dc7c2277b82", "180e93a091f8ab584a827da92c560c78f468c45f2539f73ab2deb308fb837b38")
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessAccountName

PowerShell IOC Hunt Script

PowerShell
# Hunt for Remus/Beagle domains in the DNS client cache and the hosts file
Write-Host "Checking DNS cache for malicious domains..."
$domains = @("forestoaker.com", "krondez.com", "claude-pro.com")

# Match on the domain suffix so subdomains such as license.claude-pro.com are caught as well
$domainPattern = ($domains | ForEach-Object { [regex]::Escape($_) }) -join '|'
Get-DnsClientCache | Where-Object { $_.Entry -match "(^|\.)($domainPattern)$" } | Select-Object Entry, Data, TimeToLive

Write-Host "Checking hosts file..."
$hostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
if (Test-Path $hostsPath) {
    foreach ($domain in $domains) {
        # -SimpleMatch treats the dot literally instead of as a regex wildcard
        if (Select-String -Path $hostsPath -Pattern $domain -SimpleMatch -Quiet) {
            Write-Host "[!] Suspicious entry found in hosts file for: $domain" -ForegroundColor Red
        }
    }
}

# Check for the OTX file hashes in user directories (recursive scan limited to common folders)
Write-Host "Scanning for malicious hashes in user profiles..."
$hashes = @(
    "b037fa1dd769891b538d9ca26131890c93e3458eec96c5354bdebe50d04a5b3d",
    "7ea5afbc166c4e23498aa9747be81ceaf8dad90b8daa07a6e4644dc7c2277b82",
    "180e93a091f8ab584a827da92c560c78f468c45f2539f73ab2deb308fb837b38"
)

$paths = @("C:\Users\Public\Downloads", "C:\Users\*", "C:\Windows\Temp")

foreach ($path in $paths) {
    if (Test-Path $path) {
        # -File skips directories, which Get-FileHash cannot hash; -contains compares
        # case-insensitively, so the upper-case hex Get-FileHash returns still matches
        Get-ChildItem -Path $path -Recurse -File -ErrorAction SilentlyContinue |
            Get-FileHash -Algorithm SHA256 -ErrorAction SilentlyContinue |
            Where-Object { $hashes -contains $_.Hash } |
            Select-Object Path, Hash
    }
}

Response Priorities

  • Immediate: Block all listed domains at the proxy and DNS firewall. Quarantine endpoints identified via the file hash queries.
  • 24h: Conduct credential resets for users who may have interacted with the Remus infostealer or the fake Claude site (Beagle). Review logs for evidence of data exfiltration.
  • 1 week: Audit third-party access controls for aerospace and supply chain partners. Implement stricter code-signing policies to prevent DLL sideloading similar to the G DATA updater exploit.
