
Remus Stealer & Gamaredon GammaSteel: OTX Pulse Analysis — Credential Theft & RAT Campaigns

Security Arsenal Team
June 5, 2026
7 min read

Recent OTX pulses show a surge in credential-theft and Remote Access Trojan (RAT) campaigns. The most notable development is Remus, an evolution of Lumma Stealer that bypasses Application-Bound Encryption in Chromium-based browsers (Chrome, Edge) to extract browser-stored credentials and session cookies. Concurrently, the FSB-linked Gamaredon group continues its cyberespionage against Ukraine with GammaSteel, which keeps its payload memory-resident and stored in the registry rather than on disk. Broad-spectrum campaigns such as Argamal (hidden in cracked games) and CloudZ (abusing Microsoft Phone Link) show threat actors diversifying delivery vectors to harvest OTPs, cookies, and cryptocurrency keys. A Traffic Distribution System (TDS) is also distributing SessionGate and RemusStealer through SEO poisoning of searches for developer tools.

Threat Actor / Malware Profile

  • Argamal / Termixia: Distributed via adult-game (hentai) installers. Persists through COM hijacking, modifying the InprocServer32 entry for the Windows Color System Calibration Loader DLL so that the malware's DLL is loaded in its place. Delays execution by several days before downloading a RAT, which defeats short sandbox detonations.
  • Remus Stealer: A 64-bit infostealer evolved from Lumma Stealer (after the 2025 doxxing). Specializes in bypassing browser Application-Bound Encryption (ABE) to extract cookies and saved credentials, and targets cryptocurrency wallets and session tokens.
  • GammaSteel (Gamaredon / UAC-0010): A stealer used by the Russian FSB-backed Gamaredon group. Operates entirely in memory and uses Windows DPAPI for encryption. Persists via the per-user Printers registry key (HKCU\Software\Microsoft\Windows NT\CurrentVersion\Printers), where it stores 71 payload functions as registry values. Propagates via USB (GammaWorm) to reach air-gapped or restricted networks in Ukraine.
  • CloudZ RAT + Pheno: Active since January 2026. Uses an undocumented plugin (Pheno) that abuses the Microsoft Phone Link application to read synchronized mobile data (SMS, OTPs) on the PC without infecting the phone, which sidesteps SMS-based MFA. Employs dynamic memory allocation to evade detection.
  • SessionGate / RemusStealer / AnimateClipper: Distributed via a TDS ecosystem that impersonates legitimate open-source tools (Ghidra, dnSpy). Features include "click hijacking" and cryptocurrency clipboard replacement.

IOC Analysis

The provided indicators include:

  • File Hashes: Multiple SHA1 and SHA256 hashes associated with Argamal, CloudZ, and the TDS droppers. These should be blocked at the endpoint and used to retrospectively scan EDR telemetry.
  • Network Infrastructure: IPs and domains (e.g., asper1.freeddns.org, guiformat.com, 165.22.170.129) used for C2 and payload delivery.
  • URLs: Direct download links to malicious payloads, often hosted on compromised infrastructure or CloudFront.
  • CVE: CVE-2026-3102 is referenced in the Argamal campaign. Its exact role is not described here, so treat it as a possible initial-access or privilege-escalation path: confirm exposure and patch, rather than assuming the campaign exploits it.

Operationalization: SOC teams should immediately ingest these IPs and domains into network firewalls and Secure Web Gateways (SWG), after a sanity pass (no internal or non-routable addresses, and exact hostnames for dynamic-DNS names such as asper1.freeddns.org rather than the parent zone). File hashes should be loaded into EDR platforms (CrowdStrike, SentinelOne, etc.) for blocklisting and retrospective search. The URLs, particularly those ending in .rtf or hosted on suspicious TLDs (.cyou, .pics), should feed SIEM correlation rules that detect access attempts even before the hosts are blocked.
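As an added example (not from the pulses or from Security Arsenal), the triage step described above as a script: it takes a pulse in the OTX JSON export shape (name plus an indicators list of type/indicator pairs, as the OTX API returns them) and sorts indicators into per-control lists with the sanity checks a SOC wants before bulk-blocking. The indicator values are the ones quoted on this page; the private IP, the truncated hash and the URL path are constructed, and the control names and the treatment of freeddns.org as a dynamic-DNS parent are assumptions.

```python
"""Sort an OTX pulse's indicators into per-control blocklists, with sanity checks.

Added example, not code from the pulses or from Security Arsenal. The pulse
dict follows the OTX JSON export shape (name, indicators[] of type/indicator).
Indicator values come from the page; entries marked 'constructed' do not.
"""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List
from urllib.parse import urlsplit

# TLDs the page calls out as suspicious; extend from your own telemetry.
SUSPICIOUS_TLDS = {"cyou", "pics"}
# File extensions worth a SIEM rule even when the host is not yet blocked.
SUSPICIOUS_EXTS = (".rtf",)
# Dynamic-DNS parents (assumption): block the exact host, never the parent zone.
DYNDNS_PARENTS = {"freeddns.org"}
HASH_LEN = {"FileHash-MD5": 32, "FileHash-SHA1": 40, "FileHash-SHA256": 64}
HEX = re.compile(r"^[0-9a-fA-F]+$")


def flag_url(url: str) -> List[str]:
    """Return the reasons a URL deserves a correlation rule (may be empty)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    flags: List[str] = []
    tld = host.rsplit(".", 1)[-1]
    if tld in SUSPICIOUS_TLDS:
        flags.append(f"tld:{tld}")
    for ext in SUSPICIOUS_EXTS:
        if parts.path.lower().endswith(ext):
            flags.append(f"ext:{ext}")
    if host.endswith(".cloudfront.net"):
        flags.append("cdn-hosted")  # page notes payloads on CloudFront: block the URL, not the CDN
    return flags


def triage_pulse(pulse: dict) -> Dict[str, list]:
    """Group indicators by the control that consumes them; reject unsafe ones."""
    out: Dict[str, list] = defaultdict(list)
    for ind in pulse["indicators"]:
        kind, value = ind["type"], ind["indicator"].strip()
        if kind in ("IPv4", "IPv6"):
            try:
                ip = ipaddress.ip_address(value)
            except ValueError:
                out["rejected"].append((value, "not a valid IP address"))
                continue
            # RFC1918/loopback/link-local entries do turn up in feeds; blocking
            # them at the perimeter is a self-inflicted outage, not a detection.
            if not ip.is_global:
                out["rejected"].append((value, "non-routable address"))
                continue
            out["firewall_ips"].append(str(ip))
        elif kind in ("domain", "hostname"):
            host = value.lower().rstrip(".")
            out["swg_domains"].append(host)
            parent = ".".join(host.rsplit(".", 2)[-2:])
            if parent in DYNDNS_PARENTS:
                out["notes"].append(f"{host}: dynamic DNS, exact-match only (do not block {parent})")
        elif kind == "URL":
            out["siem_urls"].append({"url": value, "flags": flag_url(value)})
        elif kind in HASH_LEN:
            if len(value) != HASH_LEN[kind] or not HEX.match(value):
                out["rejected"].append((value, f"malformed {kind}"))
                continue
            out["edr_hashes"].append(value.lower())
        elif kind == "CVE":
            out["vuln_mgmt"].append(value.upper())
        else:
            out["unhandled"].append((kind, value))
    return dict(out)


# Constructed pulse in the OTX export shape. Real values are those quoted on
# this page; the private IP, the short hash and the URL path are constructed.
SAMPLE_PULSE = {
    "name": "constructed sample pulse",
    "indicators": [
        {"type": "IPv4", "indicator": "165.22.170.129"},
        {"type": "IPv4", "indicator": "10.0.0.5"},  # constructed: must not be blocked
        {"type": "domain", "indicator": "guiformat.com"},
        {"type": "hostname", "indicator": "asper1.freeddns.org"},
        {"type": "domain", "indicator": "arch2.maxdatahost1.cyou"},
        {"type": "URL", "indicator": "http://arch2.maxdatahost1.cyou/dl/update.rtf"},  # constructed path
        {"type": "FileHash-SHA256",
         "indicator": "5b7284bcf30569ae400e416a62391720cc9081e6047f15816f9d1a04a06eb321"},
        {"type": "FileHash-SHA1", "indicator": "abc123"},  # constructed: truncated hash
        {"type": "CVE", "indicator": "CVE-2026-3102"},
    ],
}

if __name__ == "__main__":
    for control, items in triage_pulse(SAMPLE_PULSE).items():
        print(f"{control}:")
        for item in items:
            print(f"  {item}")
```

Feed the real pulse JSON (the OTX export of each pulse) into `triage_pulse` and push each list to its control; the `rejected` and `notes` entries are the ones to read before pressing the block button.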

Detection Engineering

yaml
---
title: Potential Argamal COM Hijacking Persistence
id: 2628f7a2-6b89-4d1f-9c3e-5b4d7e8f9a0e
status: experimental
description: Detects the persistence mechanism used by Argamal malware, COM hijacking of the Windows Color System Calibration Loader, by flagging CLSID InprocServer32 values that point to a DLL outside the Windows system directories. All CLSIDs are covered because the hijacked CLSID is not named in the pulse.
references:
    - https://otx.alienvault.com/pulse/6266789f8b67460b681b4560/
author: Security Arsenal
date: 2026/06/05
modified: 2026/06/05
tags:
    - attack.persistence
    - attack.t1546.015
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|contains|all:
            - '\\CLSID\\'
            - '\\InprocServer32'
        Details|endswith: '.dll'
    filter_system_dirs:
        Details|contains:
            - ':\\Windows\\System32\\'
            - ':\\Windows\\SysWOW64\\'
            - '%SystemRoot%\\System32\\'
    condition: selection and not filter_system_dirs
falsepositives:
    - Legitimate software installation altering COM components
level: high
---
title: Gamaredon GammaSteel Registry Persistence
id: 3e7f1a2b-8c6d-4e9f-9a0b-1c2d3e4f5a6b
status: experimental
description: Detects Gamaredon Group GammaSteel malware storing its payload functions as long string values under the per-user Printers registry key (HKCU\Software\Microsoft\Windows NT\CurrentVersion\Printers).
references:
    - https://otx.alienvault.com/pulse/6266789f8b67460b681b4561/
author: Security Arsenal
date: 2026/06/05
modified: 2026/06/05
tags:
    - attack.persistence
    - attack.defense_evasion
    - attack.t1027.011
    - attack.t1112
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|contains: 'Software\\Microsoft\\Windows NT\\CurrentVersion\\Printers\\'
        Details|re: '[a-zA-Z0-9]{100,}'
    condition: selection
falsepositives:
    - Legitimate printer driver installations
level: high
---
title: Remus Stealer Browser Credential Theft
id: 4f8b2c3d-9d7e-5f0a-0b1c-2d3e4f5a6b7c
status: experimental
description: Detects suspicious processes attempting to access browser Login Data or Local State files, indicative of credential theft like Remus Stealer bypassing Application-Bound Encryption.
references:
    - https://otx.alienvault.com/pulse/6266789f8b67460b681b4562/
author: Security Arsenal
date: 2026/06/05
modified: 2026/06/05
tags:
    - attack.credential_access
    - attack.t1555.003
logsource:
    product: windows
    category: file_access
detection:
    selection:
        TargetFilename|contains:
            - '\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data'
            - '\\AppData\\Local\\Google\\Chrome\\User Data\\Local State'
            - '\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Login Data'
            - '\\AppData\\Local\\Microsoft\\Edge\\User Data\\Local State'
    filter_browser:
        Image|endswith:
            - '\\chrome.exe'
            - '\\msedge.exe'
    condition: selection and not filter_browser
falsepositives:
    - Legitimate backup utilities or password managers
level: medium
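As an added example (not from the pulses or from Security Arsenal), the logic of the two registry rules above run over constructed Sysmon registry_set (Event ID 13) records, so the selection and filter can be checked against concrete events before the rules are deployed. It goes slightly beyond the rules: Program Files is treated as a trusted DLL location, the `%SystemRoot%` spelling is normalized before the directory filter, and the Printers rule gets an entropy check on top of the length check. The CLSID, SID, user name, DLL paths and the entropy threshold are placeholders and assumptions.

```python
"""Run the two registry rules above over sample Sysmon registry_set events.

Added example, not code from the pulses or from Security Arsenal. Events, the
CLSID, the SID, the user name and the DLL paths are constructed placeholders;
the entropy threshold is an assumption to tune against your own telemetry.
"""
import math
import random
from collections import Counter
from typing import Dict, List, Tuple

Event = Dict[str, str]

# Directories a COM server DLL is normally loaded from. The Sigma filter above
# excludes the Windows system directory; Program Files is added here (assumption)
# because per-machine installers legitimately register servers there.
TRUSTED_DLL_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)
PRINTERS_KEY = "\\software\\microsoft\\windows nt\\currentversion\\printers\\"


def regkey(*parts: str) -> str:
    """Join registry path components, so the samples need no backslash escaping."""
    return "\\".join(parts)


def shannon_entropy(s: str) -> float:
    """Bits per character: random base64/alphanumeric blobs score above 5, prose about 4."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def is_com_hijack(ev: Event) -> bool:
    """Rule 1: a CLSID's InprocServer32 set to a DLL outside the trusted directories.

    Sysmon renders the hive as HKLM\\... or HKU\\<SID>\\...; the user hive
    (HKU\\<SID>\\Software\\Classes) shadows HKLM for the same CLSID, which is
    the property COM hijacking relies on.
    """
    target = ev["TargetObject"].lower()
    dll = ev["Details"].lower().strip('"')
    if "\\clsid\\" not in target or "\\inprocserver32" not in target:
        return False
    if not dll.endswith(".dll"):
        return False
    # Normalize the environment-variable spelling so it cannot slip past the filter.
    dll = dll.replace("%systemroot%", "c:\\windows").replace("%windir%", "c:\\windows")
    return not dll.startswith(TRUSTED_DLL_DIRS)


def is_registry_stored_payload(ev: Event, min_len: int = 100, min_entropy: float = 4.5) -> bool:
    """Rule 2 plus an entropy check: a long, high-entropy string written under the
    per-user Printers key. Legitimate values there are short names and UNC paths;
    REG_BINARY DevMode blobs appear in Sysmon as 'Binary Data', not as long text."""
    target = ev["TargetObject"].lower()
    data = ev["Details"]
    if PRINTERS_KEY not in target or len(data) < min_len:
        return False
    return shannon_entropy(data) >= min_entropy


def evaluate(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (rule, TargetObject) for each match, in event order."""
    hits: List[Tuple[str, str]] = []
    for ev in events:
        if is_com_hijack(ev):
            hits.append(("com_hijack_inprocserver32", ev["TargetObject"]))
        if is_registry_stored_payload(ev):
            hits.append(("registry_stored_payload_printers", ev["TargetObject"]))
    return hits


def sample_events() -> List[Event]:
    """Four constructed Sysmon Event ID 13 records: two benign, two rule-shaped."""
    rng = random.Random(7)  # deterministic stand-in for an encoded payload function
    blob = "".join(rng.choices("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789", k=300))
    clsid = "{11111111-2222-3333-4444-555555555555}"      # placeholder CLSID
    user = regkey("HKU", "S-1-5-21-1000-1000-1000-1001")   # placeholder SID
    printers = regkey(user, "Software", "Microsoft", "Windows NT", "CurrentVersion", "Printers")
    return [
        # Benign: installer registers a server under HKLM, DLL in Program Files.
        {"TargetObject": regkey("HKLM", "SOFTWARE", "Classes", "CLSID", clsid, "InprocServer32", "(Default)"),
         "Details": "C:\\Program Files\\Vendor\\vendor.dll"},
        # Hijack shape: same CLSID re-registered in the user hive, DLL under AppData.
        {"TargetObject": regkey(user, "Software", "Classes", "CLSID", clsid, "InprocServer32", "(Default)"),
         "Details": "C:\\Users\\alice\\AppData\\Roaming\\calib\\loader.dll"},
        # Benign: a mapped network printer connection.
        {"TargetObject": regkey(printers, "Connections", ",,printsrv,Floor2", "Server"),
         "Details": "\\\\printsrv"},
        # GammaSteel shape: a long opaque string stored as a value under Printers.
        {"TargetObject": regkey(printers, "Settings", "fn03"),
         "Details": blob},
    ]


if __name__ == "__main__":
    for rule, target in evaluate(sample_events()):
        print(f"[{rule}] {target}")
```

Running it prints one hit for the user-hive InprocServer32 write and one for the 300-character value under Printers; the HKLM registration and the printer connection stay quiet. Replaying a day of real Event ID 13 records through `evaluate` is the quickest way to find what else writes long strings under Printers in your estate before the Sigma rule goes live at level high.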


kql
// Hunt for GammaSteel Registry Artifacts
// Match on the subkey path only: the hive root is rendered differently for the
// current user (HKEY_CURRENT_USER) and for HKEY_USERS\<SID> entries.
DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where RegistryKey contains @"Software\Microsoft\Windows NT\CurrentVersion\Printers"
// Payload functions are long strings; legitimate printer values are short names and paths
| where strlen(RegistryValueData) >= 100
| project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessAccountName
| order by Timestamp desc

// Hunt for Argamal C2 Network Connections
// No port filter: the IOC match is specific enough, and C2 on a non-standard port would otherwise be missed
DeviceNetworkEvents
| where RemoteIP in ("194.150.220.218", "217.156.122.75", "165.22.170.129")
   or RemoteUrl has_any ("asper1.freeddns.org", "guiformat.com", "forestoaker.com", "arch2.maxdatahost1.cyou")
| project Timestamp, DeviceName, RemoteIP, RemoteUrl, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc

// Hunt for CloudZ RAT artifacts by hash (Based on IOCs)
// DeviceFileEvents records file writes and renames only; union DeviceProcessEvents so launches of the same hash are found too
union DeviceFileEvents, DeviceProcessEvents
| where SHA256 in~ (
    "5b7284bcf30569ae400e416a62391720cc9081e6047f15816f9d1a04a06eb321",
    "24398b75be2645e6c695e529e62e60deb418143a4bbea13c561d3c361419eb54",
    "33af554562176eff34598a839051b8e91692b0305edfdbb4d8eb9df0103ffd98",
    "65fcd965040fabeb6f092df0a4b6856125018bb3b6a1876342da458139f77dac",
    "ed5de036edbbda52ab0049d2163607038d38a49404a46b6bcfc4bac26b743832"
)
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc


powershell
# IOC Hunt Script for GammaSteel and Argamal Artifacts
# Run it in the session of the user under investigation: HKCU is per-user, so an
# elevated session under a different admin account reads the wrong hive. The
# checks are read-only and need no elevation.

Write-Host "[*] Starting IOC Hunt for GammaSteel and Argamal..." -ForegroundColor Cyan

# 1. Check for GammaSteel Registry Persistence (per-user Printers key)
Write-Host "[+] Checking HKCU Printers key for suspicious values..." -ForegroundColor Yellow
$printersKey = "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Printers"
if (Test-Path $printersKey) {
    # Include the key itself as well as its subkeys
    $keys = @(Get-Item $printersKey) + @(Get-ChildItem $printersKey -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        $values = Get-ItemProperty $key.PSPath -ErrorAction SilentlyContinue
        if (-not $values) { continue }
        foreach ($prop in $values.PSObject.Properties) {
            # Skip the PS* metadata properties Get-ItemProperty adds (PSPath, PSDrive, ...)
            if ($prop.Name -like "PS*") { continue }
            # Payload functions are stored as long strings; legitimate printer values are short names and paths
            if ($prop.Value -is [string] -and $prop.Value.Length -ge 100) {
                Write-Host "ALERT: Suspicious value found in $($key.Name)\$($prop.Name) (length $($prop.Value.Length))" -ForegroundColor Red
                Write-Host "Value: $($prop.Value.Substring(0, 50))..." -ForegroundColor DarkRed
            }
        }
    }
} else {
    Write-Host "No Printers key found for this user." -ForegroundColor Gray
}

# 2. Check for Argamal COM Hijacking (Windows Color System Calibration Loader)
# There is no HKCR: drive by default, and a user-level hijack lands in the user hive:
# an InprocServer32 under HKCU\Software\Classes\CLSID shadows the HKLM entry for the
# same CLSID, so check the user hive first, then HKLM.
Write-Host "[+] Checking CLSID InprocServer32 entries for COM hijacking..." -ForegroundColor Yellow
$trustedDirs = @("$env:SystemRoot\System32\", "$env:SystemRoot\SysWOW64\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\") |
    Where-Object { $_.Length -gt 1 }
$roots = @(
    @{ Path = "HKCU:\Software\Classes\CLSID"; Hive = "HKCU" },
    @{ Path = "HKLM:\SOFTWARE\Classes\CLSID"; Hive = "HKLM" }
)
foreach ($root in $roots) {
    if (-not (Test-Path $root.Path)) { continue }
    Get-ChildItem $root.Path -ErrorAction SilentlyContinue | ForEach-Object {
        $inproc = Join-Path $_.PSPath "InprocServer32"
        if (-not (Test-Path $inproc)) { return }
        # The default value of InprocServer32 is the DLL that COM will load
        $dll = (Get-ItemProperty $inproc -ErrorAction SilentlyContinue)."(default)"
        if (-not $dll) { return }
        $expanded = [Environment]::ExpandEnvironmentVariables($dll).Trim('"')
        $trusted = $false
        foreach ($dir in $trustedDirs) {
            if ($expanded.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) { $trusted = $true }
        }
        # A user-hive entry for a CLSID that also exists in HKLM is the hijack shape even when
        # the path looks benign; per-user installers can do this legitimately, so review rather than act blindly
        $shadowsMachine = ($root.Hive -eq "HKCU") -and (Test-Path ("HKLM:\SOFTWARE\Classes\CLSID\" + $_.PSChildName))
        if (-not $trusted -or $shadowsMachine) {
            $reason = if ($shadowsMachine) { "user hive overrides HKLM CLSID" } else { "DLL outside system/program directories" }
            Write-Host "ALERT: Potential COM Hijacking ($reason) at $inproc" -ForegroundColor Red
            Write-Host "Value: $dll" -ForegroundColor Red
        }
    }
}

Write-Host "[*] Hunt complete." -ForegroundColor Green

Response Priorities

  • Immediate:
    • Block all listed IOCs (IPs, Domains, Hashes) at the perimeter and endpoint.
    • Hunt for long string values under the per-user Printers key (HKCU\Software\Microsoft\Windows NT\CurrentVersion\Printers) and for CLSID InprocServer32 entries that redirect the Windows Color System Calibration Loader to a DLL outside the system directories.
    • Isolate hosts showing signs of CloudZ RAT (interaction with Phone Link processes) or Argamal execution.
  • 24h:
    • Initiate credential resets for accounts accessed from infected endpoints.
    • Review logs for access to the TDS domains (e.g., guiformat.com) to identify users who may have downloaded SessionGate or RemusStealer.
    • Analyze browser cookie exports if Remus infection is suspected.
  • 1 week:
    • Review and restrict the use of Microsoft Phone Link in the environment.
    • Implement application allowlisting (AppLocker/WDAC) to prevent unsigned game execution (Argamal vector) and unauthorized developer tools (TDS vector).
    • Conduct user awareness training on "cracked" software, pirated games, and unofficial downloads of developer tools (the Ghidra and dnSpy lookalikes used by the TDS).
