Recent OTX pulses indicate a significant evolution in the infostealer and ransomware landscape, specifically targeting high-value sectors and leveraging emerging delivery vectors.
- Remus Stealer (Lumma Variant): Following the takedown of Lumma Stealer and the doxxing of its core team, a new 64-bit variant named "Remus" has emerged. Active since February 2026, it shifts from traditional Steam/Telegram dead drop resolvers to "EtherHiding" (blockchain-based C2) to evade takedowns. It utilizes application-bound encryption bypasses to exfiltrate sensitive data.
- Aerospace Supply Chain Attacks: Nation-state and cyber-criminal actors (LockBit, Cl0p, Fancy Bear, Refined Kitten) are intensifying pressure on global aerospace, transportation, and defense industries. The threat landscape is dominated by ransomware and data extortion, exploiting complex third-party dependencies and shared IT platforms.
- Beagle Backdoor Campaign: A malvertising campaign is distributing a new backdoor, "Beagle," via a fraudulent website impersonating Anthropic's Claude AI (claude-pro[.]com). The attack chain involves downloading a "Claude-Pro Relay" tool and employing DLL sideloading using a signed G DATA antivirus updater to bypass security controls.
Threat Actor / Malware Profile
Remus (Lumma Stealer 64-bit)
- Type: Infostealer
- Attribution: Successor to Lumma Stealer (Tenzor).
- Distribution: Malvertising, cracked software sites; previously Steam/Telegram dead drops, now utilizing EtherHiding.
- C2 Communication: Blockchain-based command and control (using Ethereum smart contracts) to obscure infrastructure.
- Capabilities: Steals browser cookies, passwords, cryptocurrency wallets; bypasses application-bound encryption (e.g., Chrome "Store encrypted data").
- Anti-Analysis: Includes new checks to evade sandboxing.
Beagle Backdoor
- Type: Backdoor / RAT
- Distribution: Malvertising, SEO poisoning (Fake Claude AI site).
- Execution: DLL Sideloading via a signed G DATA updater binary.
- Payload: Delivered via a 505MB ZIP archive containing a fake "Claude-Pro Relay" tool.
- Capabilities: Remote access, likely reconnaissance and lateral movement (similar to PlugX/Korplug families mentioned in context).
Aerospace Extortion Groups
- Actors: LockBit, Cl0p, Fancy Bear (APT28), Refined Kitten (APT41).
- Motivation: Financial extortion and espionage.
- TTPs: Supply chain compromise, identity-based intrusions, platform-level disruptions.
IOC Analysis
The provided pulses offer a mix of network and file-based indicators:
- Domains:
  - forestoaker.com, krondez.com, baxe.pics, coox.live, remnane.biz, parky.pics (Remus C2/Distribution).
  - claude-pro.com, license.claude-pro.com (Beagle C2/Distribution).
  - Action: These should be immediately blocked at the perimeter (DNS firewall / proxy) and added to blocklists.
- File Hashes:
  - Multiple MD5, SHA1, and SHA256 hashes associated with Remus and Aerospace extortion payloads (e.g., b037fa1dd769891b538d9ca26131890c93e3458eec96c5354bdebe50d04a5b3d).
  - Action: Use EDR solutions to hunt for these specific hashes on endpoints.
- Operationalization: SOC teams should ingest these IOCs into SIEM (e.g., Splunk, Sentinel) to correlate against DeviceProcessEvents (for hashes) and DeviceNetworkEvents (for domains).
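An added Python example (not code from the OTX pulses or from Security Arsenal) that applies the domain IOCs above to exported network-event rows: it refangs the reported form, extracts the hostname from a URL, and matches on DNS label boundaries, so subdomains of a listed domain are caught while look-alike names that a plain substring test would flag are not. The event rows are constructed sample data; the (timestamp, device, url) tuple layout is an assumption about the export format.

```python
import re

def refang(domain: str) -> str:
    """Undo the defanging used in reports ('claude-pro[.]com' -> 'claude-pro.com')."""
    d = re.sub(r"^hxxps?://", "", domain.strip().lower())
    return d.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".").rstrip(".")

def hostname_of(url_or_host: str) -> str:
    """Host part of a URL ('https://user@a.b:8443/x?y' -> 'a.b'); bare hostnames pass through."""
    h = re.sub(r"^[a-z]+://", "", url_or_host.strip().lower())
    h = h.split("/", 1)[0].split("?", 1)[0].split("@")[-1]
    return h.split(":", 1)[0]

# Domain IOCs listed in the pulses, keyed by the threat they are attributed to.
REMUS = ["forestoaker.com", "krondez.com", "baxe.pics", "coox.live", "remnane.biz", "parky.pics"]
BEAGLE = ["claude-pro[.]com", "license.claude-pro[.]com"]
IOC_INDEX = {refang(d): "Remus Stealer C2" for d in REMUS}
IOC_INDEX.update({refang(d): "Beagle Backdoor Infrastructure" for d in BEAGLE})

def classify_host(url_or_host: str):
    """Return the threat label for a host, matching on DNS label boundaries from the full
    hostname up to the apex: 'license.claude-pro.com' hits 'claude-pro.com', while
    'notclaude-pro.com' and 'coox.liveapp.net' (both hit by a substring test) return None."""
    labels = hostname_of(url_or_host).split(".")
    for i in range(len(labels)):
        threat = IOC_INDEX.get(".".join(labels[i:]))
        if threat:
            return threat
    return None

def scan_events(events):
    """events: iterable of (timestamp, device, remote_url); returns (ts, device, host, threat) hits."""
    hits = []
    for ts, device, url in events:
        threat = classify_host(url)
        if threat:
            hits.append((ts, device, hostname_of(url), threat))
    return hits

# Constructed sample telemetry (not real events): two direct hits, one subdomain hit, two look-alikes.
SAMPLE_EVENTS = [
    ("2026-05-11T09:01:00Z", "WS-017", "https://license.claude-pro.com/activate"),
    ("2026-05-11T09:02:10Z", "WS-017", "http://coox.live/api/v1"),
    ("2026-05-11T09:03:30Z", "WS-022", "https://coox.liveapp.net/"),
    ("2026-05-11T09:04:00Z", "WS-022", "https://notclaude-pro.com/"),
    ("2026-05-11T09:05:00Z", "WS-031", "https://cdn.parky.pics:8443/x"),
]
```

Running `scan_events(SAMPLE_EVENTS)` returns three hits (the two look-alike hosts are ignored), each tagged with the same threat label the KQL hunt below assigns.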
Detection Engineering
Sigma Rules
---
title: Potential Remus Stealer C2 Activity
id: 4a8f7b12-3c2d-4f5e-8a1b-9c3d4e5f6a7b
description: Detects network connections to known Remus Stealer C2 and distribution domains identified in OTX pulses.
author: Security Arsenal
date: 2026/05/11
status: experimental
references:
  - https://otx.alienvault.com/pulse/64bit-lumma/
tags:
  - attack.command_and_control
  - attack.t1071.001
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    Initiated: 'true'
    DestinationHostname|contains:
      - 'forestoaker.com'
      - 'krondez.com'
      - 'baxe.pics'
      - 'coox.live'
      - 'remnane.biz'
      - 'parky.pics'
  condition: selection
falsepositives:
  - Unknown
level: high
---
title: Beagle Backdoor DLL Sideloading via G DATA Updater
id: 5b9g8c23-4d3e-5g6f-9b2c-0d4e5f6a7b8c
description: Detects potential DLL sideloading where the signed G DATA updater runs from a user-writable path and loads a DLL that is not a signed G DATA component, a technique observed in the Beagle backdoor campaign.
author: Security Arsenal
date: 2026/05/11
status: experimental
references:
  - https://otx.alienvault.com/pulse/beagle-claude/
tags:
  - attack.defense_evasion
  - attack.t1574.002
logsource:
  category: image_load
  product: windows
detection:
  # image_load events carry the loading process in Image and the loaded DLL in ImageLoaded
  selection_updater:
    Image|endswith: '\GDUpdat.exe'
  selection_suspicious_path:
    Image|contains:
      - '\AppData\Local\Temp\'
      - '\Downloads\'
      - 'claude-pro' # Based on campaign naming
  filter_legit_dll:
    Signed: 'true'
    ImageLoaded|contains: '\G DATA\'
  condition: selection_updater and selection_suspicious_path and not filter_legit_dll
falsepositives:
  - Legitimate G DATA updates from unusual paths (rare)
level: critical
---
title: Suspicious Process Spawn via Steam or Telegram
id: 6c0h9d34-5e4f-6h7g-0c3d-1e5f6g7h8i9j
description: Detects suspicious child processes (CMD, PowerShell, Regsvr32) spawned by Steam or Telegram, typical of infostealer dead drop resolvers like Remus/Lumma.
author: Security Arsenal
date: 2026/05/11
status: experimental
references:
  - https://otx.alienvault.com/pulse/64bit-lumma/
tags:
  - attack.execution
  - attack.t1204
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|endswith:
      - '\steam.exe'
      - '\telegram.exe'
  selection_child:
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\regsvr32.exe'
      - '\rundll32.exe'
  condition: selection_parent and selection_child
falsepositives:
  - Legitimate user interaction using these platforms to launch scripts
level: medium
KQL (Microsoft Sentinel)
// Hunt for Remus C2 Connections and Beagle Domains
let RemusDomains = dynamic(['forestoaker.com', 'krondez.com', 'baxe.pics', 'coox.live', 'remnane.biz', 'parky.pics']);
let BeagleDomains = dynamic(['claude-pro.com', 'license.claude-pro.com']);
DeviceNetworkEvents
| where (RemoteUrl has_any (RemusDomains) or RemoteUrl has_any (BeagleDomains))
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, RemoteUrl, RemoteIP
| extend ThreatType = iff(RemoteUrl has_any (RemusDomains), "Remus Stealer C2", "Beagle Backdoor Infrastructure")
PowerShell Hunt Script
# IOC Hunt for Remus and Beagle Activity
# Requires Admin Privileges (full read access to every file-system drive)
Write-Host "Starting Threat Hunt: Remus & Beagle IOCs" -ForegroundColor Cyan

# 1. Check for Malicious File Hashes (Remus/Aerospace Payloads)
$MaliciousHashes = @(
    "b037fa1dd769891b538d9ca26131890c93e3458eec96c5354bdebe50d04a5b3d",
    "7ea5afbc166c4e23498aa9747be81ceaf8dad90b8daa07a6e4644dc7c2277b82",
    "180e93a091f8ab584a827da92c560c78f468c45f2539f73ab2deb308fb837b38"
)
Write-Host "Scanning for malicious file hashes..." -ForegroundColor Yellow
$Drives = Get-PSDrive -PSProvider FileSystem | Select-Object -ExpandProperty Root
foreach ($Drive in $Drives) {
    # -File skips directories, which Get-FileHash cannot hash
    Get-ChildItem -Path $Drive -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $Hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        # $Hash is $null for unreadable files; skip those rather than comparing against the list
        if ($Hash -and $MaliciousHashes -contains $Hash) {
            Write-Host "[MALWARE FOUND] $($_.FullName) - Hash: $Hash" -ForegroundColor Red
        }
    }
}

# 2. Check Hosts File for Beagle/Remus Domains
$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
$SuspiciousDomains = @("claude-pro.com", "forestoaker.com", "krondez.com", "remnane.biz")
Write-Host "Checking Hosts file for suspicious domains..." -ForegroundColor Yellow
if (Test-Path $HostsPath) {
    $HostsContent = Get-Content $HostsPath
    foreach ($Line in $HostsContent) {
        # Ignore comments and blank lines
        if (-not $Line.StartsWith("#") -and $Line.Trim() -ne "") {
            foreach ($Domain in $SuspiciousDomains) {
                if ($Line -like "*$Domain*") {
                    Write-Host "[HOSTS FILE MODIFICATION] Line: $Line" -ForegroundColor Red
                }
            }
        }
    }
}
Write-Host "Hunt Complete." -ForegroundColor Green
Response Priorities
- Immediate:
  - Block all listed Remus and Beagle domains at the DNS proxy and firewall level.
  - Scan all endpoints for the specific SHA256 file hashes provided in the IOC samples.
  - Investigate any process loading GDUpdat.exe binaries from outside of C:\Program Files or C:\Program Files (x86).
- 24h:
  - Initiate credential reset for users who may have interacted with "Claude-Pro Relay" tools or suspicious Steam/Telegram links.
  - Review browser history and cookie stores on machines with detected Remus C2 traffic for signs of data exfiltration.
- 1 Week:
  - Implement application control (AppLocker) to prevent unsigned binaries from executing in user directories (AppData, Downloads).
  - Harden aerospace/aviation supply chain access points with MFA verification and strict network segmentation.