Recent OTX pulse data indicates a convergence of high-impact threats targeting enterprise environments. The primary vectors include the emergence of Remus, a 64-bit evolution of the Lumma Stealer utilizing EtherHiding for C2; intensified data extortion campaigns against the aerospace and defense sectors by ransomware cartels (LockBit, Cl0p) and nation-state actors (Fancy Bear, Wicked Panda); and a new Beagle backdoor campaign leveraging AI-themed lures (fake Claude AI site) and DLL sideloading. These campaigns collectively demonstrate a shift towards blockchain-based obfuscation, supply chain exploitation, and trusted-impersonation tactics.
Threat Actor / Malware Profile
Remus Stealer (Lumma 64-bit Variant)
- Family: Infostealer (Tenzor/Lumma lineage).
- Distribution: Initial access via compromised sites switching from Steam/Telegram dead drops to EtherHiding (concealing malicious payloads in blockchain transactions).
- Behavior: Information theft (crypto wallets, cookies, credentials). Incorporates new anti-analysis checks to evade sandboxing.
- C2: Uses blockchain-related domains for infrastructure (e.g.,
forestoaker.com,krondez.com).
Beagle Backdoor / DonutLoader
- Family: Backdoor, Loader.
- Distribution: Malvertising campaign impersonating Anthropic's Claude AI. Payload delivered as "Claude-Pro Relay" via a ZIP archive.
- Behavior: Utilizes DLL sideloading to exploit a signed G DATA antivirus updater, effectively bypassing signature checks.
- C2: Communicates with
claude-pro.cominfrastructure.
Aerospace Extortion Groups
- Actors: LockBit, Cl0p, Refined Kitten, Wicked Panda, Fancy Bear.
- Motivation: Data extortion and espionage.
- Targeting: Critical infrastructure, specifically shared airport IT platforms and aviation supply chains.
- Techniques: Identity-based intrusions and platform-level disruptions.
IOC Analysis
The provided indicators of compromise (IOCs) include:
- Domains: Specific C2 and distribution domains for Remus (
forestoaker.com,baxe.pics) and Beagle (claude-pro.com). - File Hashes: SHA256 hashes for the Remus payload (
b037fa1dd7...) and various aerospace-related extortion tools.
Operational Guidance:
- SOC Teams: Immediately block the listed domains at the network perimeter and proxy level.
- EDR: Configure immediate isolation alerts for endpoints matching the provided file hashes.
- Threat Intel: Integrate these hashes into threat hunting platforms to scan for historical presence.
Detection Engineering
YAML
---
title: Potential Remus Stealer C2 Connection
id: 2c1d3f4a-5b6e-7c8d-9e0f-1a2b3c4d5e6f
description: Detects network connections to domains associated with the Remus (64-bit Lumma) stealer campaign utilizing EtherHiding.
status: experimental
author: Security Arsenal
date: 2026/05/09
references:
- https://otx.alienvault.com/pulse/6123456789abcdef
tags:
- attack.command_and_control
- attack.t1071.001
logsource:
category: network_connection
detection:
selection:
destination|contains:
- forestoaker.com
- krondez.com
- baxe.pics
- vinte.online
- coox.live
- remnane.biz
- parky.pics
condition: selection
falsepositives:
- Unknown
level: high
---
title: Fake Claude AI Site DNS Resolution
id: 3d2e4f5a-6c7d-8e9f-0a1b-2c3d4e5f6a7b
description: Detects DNS queries to the malicious claude-pro.com domain associated with Beagle backdoor distribution.
status: experimental
author: Security Arsenal
date: 2026/05/09
references:
- https://otx.alienvault.com/pulse/9876543210fedcba
tags:
- attack.initial_access
- attack.t1566.002
logsource:
category: dns
detection:
selection:
query|contains:
- claude-pro.com
- license.claude-pro.com
condition: selection
falsepositives:
- Legitimate access to Anthropic (unlikely given TLD)
level: critical
---
title: Malicious File Hash Detection - Remus & Aerospace Campaigns
id: 4e3f5a6b-7d8e-9f0a-1b2c-3d4e5f6a7b8c
description: Detects the presence of specific file hashes identified in OTX pulses for Remus infostealer and Aerospace extortion campaigns.
status: experimental
author: Security Arsenal
date: 2026/05/09
references:
- https://otx.alienvault.com/pulse/1122334455667788
tags:
- attack.impact
- attack.t1566.001
logsource:
category: file_event
detection:
selection:
hash|contains:
- b037fa1dd769891b538d9ca26131890c93e3458eec96c5354bdebe50d04a5b3d
- 7ea5afbc166c4e23498aa9747be81ceaf8dad90b8daa07a6e4644dc7c2277b82
- 180e93a091f8ab584a827da92c560c78f468c45f2539f73ab2deb308fb837b38
condition: selection
falsepositives:
- None
level: critical
kql
// KQL Hunt for Remus and Beagle IOCs
let RemusDomains = dynamic(["forestoaker.com", "krondez.com", "baxe.pics", "vinte.online", "coox.live", "remnane.biz", "parky.pics"]);
let BeagleDomains = dynamic(["claude-pro.com", "license.claude-pro.com"]);
let MaliciousHashes = dynamic(["b037fa1dd769891b538d9ca26131890c93e3458eec96c5354bdebe50d04a5b3d", "7ea5afbc166c4e23498aa9747be81ceaf8dad90b8daa07a6e4644dc7c2277b82", "180e93a091f8ab584a827da92c560c78f468c45f2539f73ab2deb308fb837b38"]);
// Network Connections to C2
DeviceNetworkEvents
| where RemoteUrl in (RemusDomains) or RemoteUrl in (BeagleDomains)
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP
| union (
DeviceFileEvents
| where SHA256 in MaliciousHashes
| project Timestamp, DeviceName, SHA256, FileName, FolderPath
)
powershell
# PowerShell Hunt Script for Remus & Aerospace Malware Hashes
$maliciousHashes = @(
"b037fa1dd769891b538d9ca26131890c93e3458eec96c5354bdebe50d04a5b3d",
"7ea5afbc166c4e23498aa9747be81ceaf8dad90b8daa07a6e4644dc7c2277b82",
"180e93a091f8ab584a827da92c560c78f468c45f2539f73ab2deb308fb837b38"
)
Write-Host "[+] Scanning for specific IOCs..." -ForegroundColor Cyan
# Scan C: drive for file hashes
Get-ChildItem -Path "C:\" -Recurse -ErrorAction SilentlyContinue -Include *.exe, *.dll, *.zip |
ForEach-Object {
$hash = Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
if ($maliciousHashes -contains $hash.Hash) {
Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName)" -ForegroundColor Red
Write-Host " SHA256: $($hash.Hash)" -ForegroundColor DarkRed
}
}
# Check DNS Cache for Malicious Domains
$domains = @("forestoaker.com", "claude-pro.com", "krondez.com")
$dnsCache = Get-DnsClientCache -ErrorAction SilentlyContinue
if ($dnsCache) {
foreach ($domain in $domains) {
$matches = $dnsCache | Where-Object { $_.Entry -like "*$domain*" }
if ($matches) {
Write-Host "[!] SUSPICIOUS DNS CACHE ENTRY FOUND for $domain" -ForegroundColor Yellow
}
}
}
# Response Priorities
* **Immediate (0-4h)**:
* Block all listed domains (`forestoaker.com`, `claude-pro.com`, etc.) at firewalls, proxies, and DNS resolvers.
* Isolate any endpoints with hits on the provided file hashes.
* Hunt for the G DATA updater process spawning suspicious child processes (Beagle indicator).
* **24 Hours**:
* Conduct credential audits for identities accessing aerospace/supply chain systems (due to infostealer risk).
* Review logs for interactions with "Claude-Pro Relay" or similar AI-themed file downloads.
* **1 Week**:
* Harden supply chain access controls and review third-party dependencies for the aviation sector.
* Update application allowlisting policies to prevent execution of unsigned binaries masquerading as AI tools.
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
darkwebotx-pulsedarkweb-aptremus-stealerbeagle-backdooraerospace-aptinfostealersupply-chain
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.