
Remus Stealer & Beagle Backdoor: Aerospace Extortion & AI-Themed Threats — OTX Pulse Analysis

Security Arsenal Team
May 9, 2026
5 min read

Current OTX Pulse data indicates a sophisticated convergence of infostealing evolution, AI-themed social engineering, and persistent nation-state-aligned extortion targeting critical infrastructure.

The Lumma Stealer family has rebranded and evolved into Remus, a 64-bit variant that uses EtherHiding (retrieving C2 details from blockchain smart contracts) to survive conventional domain takedowns. Concurrently, threat actors are exploiting interest in generative AI through a fraudulent Claude-Pro site that distributes the Beagle backdoor via DLL sideloading. Finally, the Aerospace and Defense sectors face sustained pressure from several threat actors (LockBit, Cl0p, Fancy Bear) using data extortion and ransomware to disrupt supply chains.

Collectively, these pulses reveal a shift toward blockchain-powered resilience in malware C2 and the weaponization of AI hype for initial access.

Threat Actor / Malware Profile

1. Remus (Lumma Stealer 64-bit Variant)

  • Family: Infostealer / Tenzor
  • Distribution: Likely via malicious cracked software or SEO poisoning (legacy Lumma vectors), now utilizing EtherHiding for C2.
  • Behavior: Steals sensitive data, crypto-wallets, and browser cookies. Capable of bypassing Application-Bound Encryption (ABE) to exfiltrate session tokens.
  • C2 Communication: Uses domains (e.g., forestoaker.com) and integrates with Ethereum smart contracts for command retrieval.
  • Anti-Analysis: Includes new anti-analysis checks to detect sandbox environments.

2. Beagle Backdoor & DonutLoader

  • Family: Backdoor / Loader
  • Distribution: Malvertising campaign targeting users seeking Anthropic's Claude AI. Delivered via a fake claude-pro.com site as a malicious ZIP archive.
  • Behavior: Uses DLL Sideloading via a legitimate signed G DATA antivirus updater to load the Beagle backdoor.
  • Persistence: Established via the sideloading mechanism, ensuring execution alongside the legitimate updater.

3. Aerospace Extortion Syndicate

  • Actors: LockBit, Cl0p, Refined Kitten, Wicked Panda, Fancy Bear.
  • Targeting: Aerospace, Transportation, Defense.
  • Objective: Data extortion and espionage via ransomware deployment and identity-based intrusions.

IOC Analysis

The provided IOCs offer high-fidelity detection opportunities:

  1. Network IOCs (Domains): The Remus and Beagle campaigns rely on specific domains for C2 and delivery. Blocking claude-pro.com and the list of Remus C2 domains (forestoaker.com, krondez.com, etc.) is immediately effective.
  2. File Hashes: Pulse 2 provides specific hashes associated with ransomware payloads targeting the aerospace sector. These include MD5, SHA1, and SHA256 hashes (e.g., 7ea5afbc166c4e23498aa9747be81ceaf8dad90b8daa07a6e4644dc7c2277b82).
  3. Operationalization:
    • EDR: Correlate network connections to the listed domains with process execution.
    • SIEM: Use the SHA256 hashes to hunt for file creation events on endpoints.
    • DNS: Monitor for DNS queries to the listed domains, specifically claude-pro.com and the Remus list.
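The operationalization steps above, worked as an added example that is not code from the Security Arsenal post: it loads indicators in the OTX pulse format (the `domain`, `hostname` and `FileHash-SHA256` type names are OTX's own), then runs the domain and hash checks over constructed Sysmon-style events, matching parent domains properly instead of with a bare substring test.

```python
# Added example, not code from the Security Arsenal post: load OTX-style pulse
# indicators and apply the domain / hash checks to constructed Sysmon-style events.
import json

PULSE = json.loads("""{"indicators": [
  {"indicator": "coox.live", "type": "domain"},
  {"indicator": "claude-pro.com", "type": "domain"},
  {"indicator": "license.claude-pro.com", "type": "hostname"},
  {"indicator": "7ea5afbc166c4e23498aa9747be81ceaf8dad90b8daa07a6e4644dc7c2277b82",
   "type": "FileHash-SHA256"}]}""")

EVENTS = [  # constructed: Sysmon EID 22 (DNS query) and EID 1 (process create)
    {"EventID": 22, "Image": "C:\\Users\\a\\Downloads\\setup.exe", "QueryName": "cdn.coox.live"},
    {"EventID": 22, "Image": "C:\\Program Files\\browser.exe", "QueryName": "notcoox.live"},
    {"EventID": 1, "Image": "C:\\ProgramData\\upd\\GDATA.exe",
     "Hashes": "MD5=<constructed>,SHA256=7EA5AFBC166C4E23498AA9747BE81CEAF8DAD90B8DAA07A6E4644DC7C2277B82"},
]

def load_indicators(pulse):
    """Split pulse indicators into a lower-cased domain set and a SHA256 set."""
    domains, hashes = set(), set()
    for ind in pulse["indicators"]:
        if ind["type"] in ("domain", "hostname"):
            domains.add(ind["indicator"].lower().rstrip("."))
        elif ind["type"] == "FileHash-SHA256":
            hashes.add(ind["indicator"].lower())
    return domains, hashes

def domain_matches(query, domains):
    """Exact or parent-domain match. A substring test (Sigma `|contains`)
    would also flag unrelated names such as notcoox.live."""
    labels = query.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))

def sha256_of(hashes_field):
    """Extract SHA256 from Sysmon's 'MD5=...,SHA256=...' Hashes string."""
    for part in hashes_field.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return None

def triage(events, domains, hashes):
    """Return (image, reason, indicator) for every event that hits an IOC."""
    hits = []
    for ev in events:
        if ev["EventID"] == 22 and domain_matches(ev["QueryName"], domains):
            hits.append((ev["Image"], "c2_domain", ev["QueryName"]))
        elif ev["EventID"] == 1 and sha256_of(ev.get("Hashes", "")) in hashes:
            hits.append((ev["Image"], "known_payload", sha256_of(ev["Hashes"])))
    return hits
```

Feeding real pulse JSON from the OTX API into `load_indicators` and Sysmon events into `triage` gives the same two hit types the EDR/SIEM bullets describe.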

Detection Engineering

```yaml
title: Remus Stealer C2 Domain Detection
id: 9c6e5e2e-5f1a-4b2c-8e3d-1a2b3c4d5e6f
description: Detects DNS queries associated with Remus (Lumma Stealer) C2 infrastructure.
status: experimental
date: 2026/05/09
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/64bit-lumma/
tags:
    - attack.command_and_control
    - attack.t1071.004
logsource:
    # Sigma's Windows DNS-query category (Sysmon Event ID 22); product must sit under logsource.
    category: dns_query
    product: windows
detection:
    selection:
        # QueryName is the Sigma field for the requested name; 'contains' also catches subdomains.
        QueryName|contains:
            - 'forestoaker.com'
            - 'krondez.com'
            - 'baxe.pics'
            - 'vinte.online'
            - 'coox.live'
            - 'remnane.biz'
            - 'parky.pics'
    condition: selection
falsepositives:
    - Unknown
level: critical
---
title: Beagle Backdoor Fake Claude Site Access
id: a1b2c3d4-5e6f-7a8b-9c0d-1e2f3a4b5c6d
description: Detects DNS queries to the fraudulent Claude-Pro site distributing the Beagle backdoor.
status: experimental
date: 2026/05/09
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/donuts-beagles/
tags:
    - attack.initial_access
    - attack.t1566.002
logsource:
    category: dns_query
    product: windows
detection:
    selection:
        QueryName|contains:
            - 'claude-pro.com'
    condition: selection
falsepositives:
    - Legitimate access to Claude (unlikely for this specific domain)
level: high
---
title: Aerospace Ransomware Payload Detection
id: b2c3d4e5-6f7a-8b9c-0d1e-2f3a4b5c6d7e
description: Detects file creation events matching known ransomware hashes from the aerospace extortion pulse.
status: experimental
date: 2026/05/09
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/aerospace-extortion/
tags:
    - attack.impact
    - attack.t1486
logsource:
    # Only backends whose file events carry hashes (e.g. Defender DeviceFileEvents) can serve this;
    # for Sysmon-only telemetry, move the same selection to category process_creation.
    category: file_event
    product: windows
detection:
    selection:
        # Full hashes: exact match rather than substring.
        sha256:
            - '7ea5afbc166c4e23498aa9747be81ceaf8dad90b8daa07a6e4644dc7c2277b82'
            - '180e93a091f8ab584a827da92c560c78f468c45f2539f73ab2deb308fb837b38'
    condition: selection
falsepositives:
    - Rare
level: critical
```


```kql
// KQL for Microsoft Sentinel / Defender advanced hunting. Run the two queries separately.
// Hunt for Remus and Beagle C2 domains. has_any also matches subdomains such as
// license.claude-pro.com, which an exact in~ comparison on RemoteUrl would miss.
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any (
    'forestoaker.com', 'krondez.com', 'baxe.pics', 'vinte.online',
    'coox.live', 'remnane.biz', 'parky.pics', 'claude-pro.com'
)
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP
| extend ThreatActor = iif(RemoteUrl contains 'claude-pro.com', 'Beagle/Claude-Impersonator', 'Remus/Lumma-Stealer')
| summarize count() by ThreatActor, DeviceName

// Hunt for Aerospace ransomware hashes (SHA256 column is lower-case hex in Defender tables)
DeviceFileEvents
| where Timestamp > ago(30d)
| where SHA256 in (
    '7ea5afbc166c4e23498aa9747be81ceaf8dad90b8daa07a6e4644dc7c2277b82',
    '180e93a091f8ab584a827da92c560c78f468c45f2539f73ab2deb308fb837b38'
)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessAccountName
```


```powershell
# PowerShell IOC hunt script
# Checks the hosts file for malicious domains and scans user directories for specific hashes

$MaliciousDomains = @(
    'forestoaker.com', 'krondez.com', 'baxe.pics', 'vinte.online',
    'coox.live', 'remnane.biz', 'parky.pics', 'claude-pro.com', 'license.claude-pro.com'
)

$TargetHashes = @(
    '7ea5afbc166c4e23498aa9747be81ceaf8dad90b8daa07a6e4644dc7c2277b82',
    '180e93a091f8ab584a827da92c560c78f468c45f2539f73ab2deb308fb837b38'
)

Write-Host "[+] Checking hosts file for malicious domains..." -ForegroundColor Cyan
$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
if (Test-Path $HostsPath) {
    $HostsContent = Get-Content $HostsPath
    foreach ($Domain in $MaliciousDomains) {
        # -SimpleMatch: treat the domain as a literal string, not a regex (the dots would otherwise match any character)
        if ($HostsContent | Select-String -SimpleMatch -Pattern $Domain -Quiet) {
            Write-Host "[!] ALERT: Domain $Domain found in hosts file!" -ForegroundColor Red
        }
    }
}

Write-Host "[+] Scanning user profiles for known ransomware hashes (this may take time)..." -ForegroundColor Cyan
$UserPaths = @("C:\Users\*")

Get-ChildItem -Path $UserPaths -Include *.exe, *.dll, *.bin -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
    # Get-FileHash returns upper-case hex; -contains compares case-insensitively, so the lower-case IOC list matches
    $Hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
    if ($Hash -and ($TargetHashes -contains $Hash)) {
        Write-Host "[!] CRITICAL: Malicious file found: $($_.FullName)" -ForegroundColor Red
    }
}

Write-Host "[+] Hunt complete." -ForegroundColor Green
```

Response Priorities

  • Immediate (0-4h):
    • Block all listed domains (claude-pro.com, Remus C2 list) at the proxy/DNS firewall level.
    • Initiate a hunt for the SHA256 hashes provided in the Aerospace pulse on all endpoints.
  • 24h:
    • If credential-stealing malware (Remus/Lumma) is suspected, force a password reset for sensitive accounts and invalidate session tokens (especially those protected by Application-Bound Encryption).
    • Investigate any systems that resolved claude-pro.com for DLL sideloading artifacts in %ProgramData% or %Temp%.
  • 1 Week:
    • Review and harden supply chain access controls for Aerospace/Defense sectors.
    • Deploy user awareness training specifically regarding AI-themed social engineering and fake software sites.
    • Analyze network logs for signs of EtherHiding (interactions with blockchain nodes) indicative of next-gen C2.
