Remus Stealer, Aerospace Extortion, and Beagle Backdoor: OTX Pulse Analysis — Enterprise Detection Pack

Security Arsenal Team
May 10, 2026

Threat Summary

Recent OTX pulses indicate a convergence of high-risk threat activities targeting enterprise sectors through evolved malware families and sophisticated social engineering. The threat landscape is dominated by the re-emergence of the Lumma Stealer family as the 64-bit Remus variant, utilizing Ethereum blockchain-based C2 (EtherHiding) to evade takedowns. Simultaneously, nation-state and cybercriminal syndicates including LockBit, Cl0p, and APT groups like Refined Kitten are intensifying pressure on global aerospace supply chains, focusing on data extortion and espionage. In a third vector, a malvertising campaign impersonating Anthropic's Claude AI is distributing the Beagle backdoor via DLL sideloading, exploiting trusted G DATA binaries.

Threat Actor / Malware Profile

1. Remus (Lumma Stealer 64-bit Variant)

  • Origin: Emerged following the takedown of Lumma Stealer and doxxing of its core members in early 2026.
  • Distribution: Shifts from Steam/Telegram dead drops to EtherHiding techniques, leveraging blockchain transactions to hide C2 addresses.
  • Payload Behavior: 64-bit infostealer targeting sensitive data, cryptocurrency wallets, and browser credentials.
  • Anti-Analysis: Employs new checks to detect analysis environments and evade sandboxing.

2. Aerospace Extortion Syndicates

  • Actors: LockBit, Cl0p, Refined Kitten, Wicked Panda, Fancy Bear.
  • Objective: Data extortion and espionage against critical infrastructure, specifically Aerospace, Transportation, and Defense.
  • Attack Vector: Identity-based intrusions, ransomware deployment, and exploitation of complex third-party dependencies in shared IT platforms.

3. Beagle Backdoor & DonutLoader

  • Campaign: "Donuts and Beagles" – Malvertising targeting AI enthusiasts.
  • Distribution: Fraudulent site claude-pro[.]com mimicking Anthropic's Claude. Delivers a 505MB ZIP archive named "Claude-Pro Relay".
  • Execution Chain: DLL Sideloading. Exploits a signed G DATA antivirus updater (gup.exe) to load the malicious payload via DonutLoader shellcode.

IOC Analysis

The provided indicators of compromise (IOCs) span multiple categories requiring immediate operationalization:

  • Domains:
    • Remus C2/Infrastructure: forestoaker[.]com, krondez[.]com, baxe[.]pics, vinte[.]online, coox[.]live, remnane[.]biz, parky[.]pics. Notable use of TLDs such as .pics and .live, often associated with transient infrastructure.
    • Beagle C2: claude-pro[.]com, license.claude-pro[.]com.
  • File Hashes:
    • Remus: b037fa1dd769891b538d9ca26131890c93e3458eec96c5354bdebe50d04a5b3d (SHA256).
    • Aerospace Campaigns: Multiple MD5, SHA1, and SHA256 hashes associated with data extortion payloads (e.g., 7ea5afbc166c4e23498aa9747be81ceaf8dad90b8daa07a6e4644dc7c2277b82).

SOC Operationalization:

  • Blocklist: Immediate ingestion of all listed domains into DNS firewall and Secure Web Gateways (SWG).
  • EDR/Hunting: Use file hashes to scan historical data for evidence of compromise prior to detection. The 505MB file size for the Beagle payload is a strong anomaly hunting criterion.
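The blocklist and hunting steps above hinge on how domain indicators are matched: a plain substring test fires on look-alikes such as notclaude-pro.com and misses nothing, but it also cannot distinguish a subdomain of an IOC from a string that merely contains it. As an added example (not part of the Security Arsenal pack), the Python below matches constructed DNS query log lines against the domain IOCs listed above on label boundaries, so cdn.parky.pics is reported as Remus while notclaude-pro.com is not, and reports the .pics/.live TLDs separately as the weaker signal the write-up describes. The log layout, hostnames and user names are assumptions.

```python
# Added example, not part of the Security Arsenal pack: match DNS query logs
# against the domain IOCs from the IOC Analysis section. Log format, hostnames
# and user names below are constructed for illustration.
import re
from typing import Dict, Iterable, List, Optional

REMUS_DOMAINS = ["forestoaker.com", "krondez.com", "baxe.pics", "vinte.online",
                 "coox.live", "remnane.biz", "parky.pics"]
BEAGLE_DOMAINS = ["claude-pro.com", "license.claude-pro.com"]
IOC_DOMAINS: Dict[str, str] = {**{d: "Remus" for d in REMUS_DOMAINS},
                               **{d: "Beagle" for d in BEAGLE_DOMAINS}}

# TLDs the write-up associates with transient infrastructure. On their own they
# are a weak signal, so they get a separate verdict rather than an IOC hit.
WATCH_TLDS = {"pics", "live"}


def normalize(name: str) -> str:
    """Lower-case and drop a trailing dot (DNS logs often record FQDNs that way)."""
    return name.strip().rstrip(".").lower()


def ioc_family(query: str) -> Optional[str]:
    """Return the family if query is an IOC domain or a subdomain of one.

    A plain substring test (Sigma 'contains', KQL has_any) would also fire on
    look-alikes such as notclaude-pro.com or claude-pro.com.example.net;
    walking the labels from the right matches only on label boundaries.
    """
    labels = normalize(query).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return IOC_DOMAINS[candidate]
    return None


def watch_tld(query: str) -> bool:
    return normalize(query).rsplit(".", 1)[-1] in WATCH_TLDS


# Assumed log layout: "<timestamp> <host> <user> QUERY <name>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<user>\S+) QUERY (?P<qname>\S+)$")


def scan_dns_log(lines: Iterable[str]) -> List[dict]:
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        qname = m.group("qname")
        family = ioc_family(qname)
        if family:
            hits.append({**m.groupdict(), "verdict": f"IOC:{family}"})
        elif watch_tld(qname):
            hits.append({**m.groupdict(), "verdict": "WATCH_TLD"})
    return hits


# Constructed sample log; not real telemetry.
SAMPLE_LOG = """\
2026-05-10T09:01:11Z WS-0142 jdoe QUERY license.claude-pro.com.
2026-05-10T09:01:12Z WS-0142 jdoe QUERY notclaude-pro.com
2026-05-10T09:02:03Z WS-0077 asmith QUERY cdn.parky.pics
2026-05-10T09:02:05Z WS-0077 asmith QUERY photos.example.pics
2026-05-10T09:03:00Z WS-0077 asmith QUERY claude.ai
"""

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG.splitlines()):
        print(f"{hit['verdict']:<11} {hit['host']} {hit['user']} {hit['qname']}")
```

Running the block prints three findings from the five sample lines: an IOC hit for Beagle, an IOC hit for Remus, and one watch-TLD notice for photos.example.pics; the look-alike and the claude.ai query produce nothing. The same label-boundary logic is what the Sigma `endswith` and the anchored PowerShell regex in this pack are meant to approximate.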

Detection Engineering

Sigma Rules

YAML
title: Potential Remus Stealer C2 Activity
id: 8f2a3b1c-4d5e-6f7a-8b9c-0d1e2f3a4b5c
description: Detects outbound network connections to known Remus Stealer C2 domains.
status: experimental
date: 2026-05-10
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/64bit-lumma/
tags:
    - attack.command_and_control
    - attack.exfiltration
logsource:
    category: network_connection
    product: windows
detection:
    selection_outbound:
        Initiated: 'true'
    selection_domain:
        DestinationHostname|endswith:
            - 'forestoaker.com'
            - 'krondez.com'
            - 'baxe.pics'
            - 'vinte.online'
            - 'coox.live'
            - 'remnane.biz'
            - 'parky.pics'
    condition: selection_outbound and selection_domain
falsepositives:
    - Unknown
level: critical
---
title: Fake Claude AI Site / Beagle Backdoor Activity
id: a1b2c3d4-e5f6-7890-1234-567890abcdef
description: Detects DNS queries for the malicious claude-pro.com domain, including the license-validation hostname license.claude-pro.com.
status: experimental
date: 2026-05-10
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/donuts-beagles/
tags:
    - attack.initial_access
    - attack.supply_chain
logsource:
    category: dns_query
    product: windows
detection:
    selection:
        QueryName|endswith: 'claude-pro.com'
    condition: selection
falsepositives:
    - Legitimate traffic to Anthropic (unlikely, as Anthropic does not use this domain)
level: high
---
title: Beagle Backdoor DLL Sideloading via G DATA Updater
id: b2c3d4e5-f6a7-8901-2345-678901bcdef
description: Detects the signed G DATA updater (gup.exe) spawning interpreter or LOLBin child processes, behaviour typical of DonutLoader shellcode executed via DLL sideloading.
status: experimental
date: 2026-05-10
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/donuts-beagles/
tags:
    - attack.defense_evasion
    - attack.t1574.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\gup.exe'
    selection_img:
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
            - '\rundll32.exe'
    condition: selection_parent and selection_img
falsepositives:
    - Legitimate G DATA updates (rarely spawn these)
level: critical
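The third rule keys on the updater spawning a child process, but DonutLoader-style shellcode running inside gup.exe does not need cmd.exe or powershell.exe to do its work; the earlier and more reliable signal is the signed updater loading an unsigned DLL from its own directory, which is the T1574.002 mechanism itself. As an added example (not part of the Security Arsenal pack), the Python below evaluates both checks over constructed events whose fields mirror Sysmon's ImageLoad (Event ID 7) and ProcessCreate records. The paths, the DLL name helper.dll and the expected signer substring "g data" are assumptions chosen for the illustration.

```python
# Added example, not part of the Security Arsenal pack: image-load sideloading
# check plus the parent/child check from the Sigma rule above, run over
# constructed events. Field names follow Sysmon (Image, ImageLoaded, Signed,
# Signature, SignatureStatus); values and paths are constructed.
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Union


@dataclass
class ImageLoad:
    image: str             # process that performed the load
    image_loaded: str      # DLL that was mapped
    signed: bool
    signature: str         # signer subject, "" when unsigned
    signature_status: str  # "Valid", "Unavailable", ...


@dataclass
class ProcessCreate:
    parent_image: str
    image: str


# Abused host binary named in the write-up, mapped to a lower-case substring we
# expect in the signer subject of its own DLLs (assumption for the example).
WATCHED_HOSTS = {"gup.exe": "g data"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SUSPICIOUS_CHILDREN = {"powershell.exe", "cmd.exe", "rundll32.exe"}


def _dir(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()


def is_sideload(ev: ImageLoad) -> bool:
    """Watched host loads a DLL from its own directory that its vendor did not sign."""
    expected = WATCHED_HOSTS.get(PureWindowsPath(ev.image).name.lower())
    if expected is None:
        return False
    if ev.image_loaded.lower().startswith(SYSTEM_DIRS):
        return False  # OS DLLs resolved from System32 are normal
    same_dir = _dir(ev.image_loaded) == _dir(ev.image)
    trusted = (ev.signed and ev.signature_status == "Valid"
               and expected in ev.signature.lower())
    return same_dir and not trusted


def is_suspicious_child(ev: ProcessCreate) -> bool:
    """Equivalent of the process_creation Sigma rule: gup.exe -> interpreter/LOLBin."""
    parent = PureWindowsPath(ev.parent_image).name.lower()
    child = PureWindowsPath(ev.image).name.lower()
    return parent in WATCHED_HOSTS and child in SUSPICIOUS_CHILDREN


def scan(events: List[Union[ImageLoad, ProcessCreate]]) -> List[str]:
    alerts = []
    for ev in events:
        if isinstance(ev, ImageLoad) and is_sideload(ev):
            alerts.append(f"SIDELOAD {ev.image} -> {ev.image_loaded}")
        elif isinstance(ev, ProcessCreate) and is_suspicious_child(ev):
            alerts.append(f"CHILD {ev.parent_image} -> {ev.image}")
    return alerts


# Constructed events: the unpacked archive directory is an assumption.
RELAY = r"C:\Users\jdoe\Downloads\Claude-Pro Relay"
SAMPLE_EVENTS = [
    # unsigned DLL next to the copied updater: the sideload itself
    ImageLoad(RELAY + r"\gup.exe", RELAY + r"\helper.dll", False, "", "Unavailable"),
    # OS DLL from System32: expected, ignored
    ImageLoad(RELAY + r"\gup.exe", r"C:\Windows\System32\kernel32.dll",
              True, "Microsoft Windows", "Valid"),
    # the real install loading its own vendor-signed DLL: benign
    ImageLoad(r"C:\Program Files\G DATA\gup.exe", r"C:\Program Files\G DATA\update.dll",
              True, "G DATA CyberDefense AG", "Valid"),
    # what the Sigma rule above catches, if the payload ever spawns a shell
    ProcessCreate(RELAY + r"\gup.exe",
                  r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcessCreate(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Two alerts come out of the five events: the unsigned helper.dll load and the powershell.exe child. The benign vendor-signed load and the explorer.exe-launched cmd.exe are silent. In production the signer check should compare the certificate subject against the vendor's published signing identity rather than a substring, and the same-directory test should be widened to any user-writable path when the host binary is found outside its install location.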

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Run each hunt below as a separate query; the portals do not accept several tabular queries in one submission.

// Hunt 1: Remus and Beagle network indicators
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any (
    "forestoaker.com", "krondez.com", "baxe.pics", "vinte.online",
    "coox.live", "remnane.biz", "parky.pics", "claude-pro.com"
)
| extend IOCType = "C2_Domain"
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, ActionType, IOCType

// Hunt 2: file hashes associated with aerospace extortion payloads and Remus
DeviceFileEvents
| where Timestamp > ago(30d)
| where SHA256 in~ (
    "b037fa1dd769891b538d9ca26131890c93e3458eec96c5354bdebe50d04a5b3d",
    "7ea5afbc166c4e23498aa9747be81ceaf8dad90b8daa07a6e4644dc7c2277b82",
    "180e93a091f8ab584a827da92c560c78f468c45f2539f73ab2deb308fb837b38"
)
    or MD5 in~ (
    "95daa771a28eaed76eb01e1e8f403f7c",
    "5e1f61b9c1c27cad3b7a81c804ac7b86"
)
| extend IOCType = "Malware_Hash"
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, MD5, InitiatingProcessAccountName, IOCType

// Hunt 3: suspicious children of the G DATA updater (Beagle / DonutLoader)
// Case-insensitive matching (=~, in~) and the original-filename check catch renamed interpreters.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName =~ "gup.exe"
| where FileName in~ ("powershell.exe", "cmd.exe", "rundll32.exe")
    or ProcessVersionInfoOriginalFileName in~ ("powershell.exe", "cmd.exe", "rundll32.exe")
    or ProcessVersionInfoInternalFileName in~ ("powershell.exe", "cmd.exe", "rundll32.exe")
| project Timestamp, DeviceName, InitiatingProcessFolderPath, InitiatingProcessCommandLine, FolderPath, ProcessCommandLine, AccountName

PowerShell Hunt Script

PowerShell
# IOC Hunt Script for Remus, Beagle, and Aerospace Indicators
$RemusDomains = @("forestoaker.com", "krondez.com", "baxe.pics", "vinte.online", "coox.live", "remnane.biz", "parky.pics")
$BeagleDomains = @("claude-pro.com", "license.claude-pro.com")
$TargetHashes = @(
    "b037fa1dd769891b538d9ca26131890c93e3458eec96c5354bdebe50d04a5b3d",
    "7ea5afbc166c4e23498aa9747be81ceaf8dad90b8daa07a6e4644dc7c2277b82"
)
# One anchored regex that matches each IOC domain exactly or as the parent of a subdomain.
# Dots are escaped so "baxe.pics" does not also match "baxeXpics".
$DomainRegex = '(^|\.)(' + ((($RemusDomains + $BeagleDomains) | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')\.?$'

Write-Host "[+] Checking DNS Cache for malicious domains..." -ForegroundColor Cyan
$DnsCache = Get-DnsClientCache | Where-Object { $_.Entry -match $DomainRegex }
if ($DnsCache) {
    Write-Host "[!] Suspicious DNS Entries Found:" -ForegroundColor Red
    $DnsCache | Format-Table Entry, Name, Type, Data, TimeToLive
} else {
    Write-Host "[-] No suspicious DNS cache entries found." -ForegroundColor Green
}

Write-Host "[+] Checking Hosts file for malicious domains..." -ForegroundColor Cyan
$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
if (Test-Path $HostsPath) {
    Get-Content $HostsPath | Where-Object { $_.Trim() -and $_ -notmatch '^\s*#' } | ForEach-Object {
        # Hosts lines are "<ip> <name> [<alias>...]"; test every name on the line.
        $Line = $_
        foreach ($Name in ($Line.Trim() -split '\s+' | Select-Object -Skip 1)) {
            if ($Name -match $DomainRegex) {
                Write-Host "[!] Suspicious entry found in hosts file: $Line" -ForegroundColor Red
            }
        }
    }
}

Write-Host "[!] Note: Full disk hash scan requires EDR integration. Checking recent downloads..." -ForegroundColor Cyan
$UserDownloads = "$env:USERPROFILE\Downloads"
if (Test-Path $UserDownloads) {
    $Downloads = Get-ChildItem -Path $UserDownloads -File -Recurse -ErrorAction SilentlyContinue
    # Size anomaly: the Beagle archive is a 505MB ZIP.
    $Downloads | Where-Object { $_.Length -gt 500MB -and $_.Extension -eq ".zip" } | ForEach-Object {
        Write-Host "[!] Large ZIP file found (Potential Beagle payload): $($_.FullName)" -ForegroundColor Yellow
    }
    # Hash match against the listed SHA256 indicators.
    $Downloads | ForEach-Object {
        $Hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($Hash -and $TargetHashes -contains $Hash.ToLower()) {
            Write-Host "[!] Known malicious hash match: $($_.FullName) ($Hash)" -ForegroundColor Red
        }
    }
}

Response Priorities

  • Immediate: Block all listed domains (forestoaker.com, krondez.com, claude-pro.com, etc.) at the DNS proxy and firewall level. Initiate hunts for the specific file hashes provided in the IOC Analysis.
  • 24 Hours: Verify identity and session integrity for users who may have interacted with infostealers (Remus) or fake AI tools (Beagle). Reset credentials for users with confirmed IOC hits.
  • 1 Week: Conduct a review of supply chain access and third-party dependencies, specifically for aerospace and defense sectors. Implement stricter application allowlisting to prevent DLL sideloading attacks involving signed binaries like G DATA.
