Threat Summary
Recent OTX Pulse data from 2026-06-07 highlights a dangerous convergence of financially motivated crimeware and state-sponsored espionage. The ecosystem is dominated by sophisticated information stealers evolving to bypass modern security controls. Notably, the Remus stealer (an evolution of Lumma) has been observed bypassing Application-Bound Encryption (ABE) in browsers to harvest credentials. Simultaneously, Gamaredon (FSB-linked) continues its relentless campaign against Ukrainian infrastructure using the memory-resident GammaSteel malware. In a separate development, the CloudZ RAT utilizing the Pheno plugin has been identified exploiting the Microsoft Phone Link application to intercept SMS OTPs without infecting the mobile device directly, signaling a shift toward abusing trusted OS bridges for credential theft.
Threat Actor / Malware Profile
Remus Stealer (Evolution of Lumma)
- Type: Information Stealer
- Distribution: Malvertising, crack sites, fake software downloads.
- Behavior: A 64-bit stealer specifically designed to bypass browser Application-Bound Encryption (ABE). It targets cryptocurrency wallets and browser credentials. It utilizes "Etherhiding" for C2 communication, leveraging the Ethereum blockchain to hide command endpoints, making takedowns significantly harder.
- Persistence: Typically achieved via scheduled tasks or registry run keys.
Gamaredon Group (UAC-0010) - GammaSteel
- Type: Cyber Espionage / Infostealer
- Target: Government, Defense, Critical Infrastructure (Ukraine).
- Behavior: GammaSteel operates entirely in memory to avoid disk-based detection. It uses Windows DPAPI for encryption and stores 71 distinct payload functions within the Windows Registry under HKCU\Printers. It propagates via USB drives (GammaWorm).
- Persistence: Registry keys (HKCU\Printers) and LNK files on removable media.
CloudZ RAT & Pheno Plugin
- Type: Remote Access Trojan (RAT)
- Behavior: CloudZ provides standard RAT capabilities, but the Pheno plugin adds a specific layer for credential theft. It exploits the Microsoft Phone Link feature, which syncs mobile data to the PC. Pheno reads synced SMS messages and OTPs from the local machine, bypassing the need to infect the phone itself.
- Persistence: Dynamic memory execution to evade EDR.
IOC Analysis
The provided pulses offer concrete indicators for immediate defensive action:
- Gamaredon Infrastructure:
  - Domain/URL: justsstop.ru (likely C2 or distribution).
  - IPv4: 165.22.170.129 (VPS hosting C2).
  - Action: Block all network traffic to this IP and domain immediately. This IP is associated with active FSB-sponsored espionage operations.
- CloudZ RAT Payloads:
  - Hashes: 7 SHA256/MD5/SHA1 hashes provided (e.g., 5b7284bcf30569ae400e416a62391720cc9081e6047f15816f9d1a04a06eb321).
  - Action: Import these into EDR detection rules and scan historical file execution logs (last 30 days) to identify potential dormant infections or execution attempts.
- Remus Stealer:
  - TTP: While specific IOCs were restricted in the pulse, the focus on "Etherhiding" and ABE bypass suggests monitoring for unusual processes interacting with browser Local State files and Ethereum RPC endpoints.
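As an added example (not from the pulse, the report, or any Security Arsenal tooling), the following Python shows how to match files against a mixed MD5/SHA1/SHA256 indicator list such as the seven CloudZ hashes above. Each indicator is classified by digest length so that a file is hashed with the algorithm its indicator was published in; a hunt that computes SHA256 only silently never matches the MD5 and SHA1 entries. The hash list is the report's own; the sample file contents and the two extra indicators derived from them are constructed here so the script runs offline.

```python
"""Match files against a mixed MD5 / SHA1 / SHA256 IOC list.

Added example, not part of the original report. The CLOUDZ_HASHES list is the
one published in the report; everything in demo() is constructed sample data.
"""
import hashlib

# IOC list exactly as published in the report (mixed algorithms)
CLOUDZ_HASHES = [
    "5b7284bcf30569ae400e416a62391720cc9081e6047f15816f9d1a04a06eb321",
    "a39299719bb4151c373a0e9b92b2bd05",
    "e3ef02456a4df8236da5ee2082a5df36e746b463",
    "24398b75be2645e6c695e529e62e60deb418143a4bbea13c561d3c361419eb54",
    "33af554562176eff34598a839051b8e91692b0305edfdbb4d8eb9df0103ffd98",
    "65fcd965040fabeb6f092df0a4b6856125018bb3b6a1876342da458139f77dac",
    "ed5de036edbbda52ab0049d2163607038d38a49404a46b6bcfc4bac26b743832",
]

# Hex digest length identifies the algorithm an indicator was published with
_ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
_HEX = set("0123456789abcdef")


def classify_iocs(hashes):
    """Group indicators by algorithm; return (by_algo, rejected_entries)."""
    by_algo = {"md5": set(), "sha1": set(), "sha256": set()}
    rejected = []
    for raw in hashes:
        h = raw.strip().lower()
        algo = _ALGO_BY_LEN.get(len(h))
        if algo is None or not set(h) <= _HEX:
            rejected.append(raw)      # wrong length or non-hex: not a usable IOC
            continue
        by_algo[algo].add(h)
    return by_algo, rejected


def match_blob(data, by_algo):
    """Return the algorithm whose IOC set contains this blob's digest, else None.

    Only algorithms that actually have indicators are computed, so an all-SHA256
    list costs one digest per file.
    """
    for algo, iocs in by_algo.items():
        if iocs and hashlib.new(algo, data).hexdigest() in iocs:
            return algo
    return None


def hunt(files, hashes):
    """files: {name: bytes}. Returns {name: matching_algorithm} for hits."""
    by_algo, _rejected = classify_iocs(hashes)
    hits = {}
    for name, data in files.items():
        algo = match_blob(data, by_algo)
        if algo:
            hits[name] = algo
    return hits


def demo():
    """Constructed sample files (not real malware) plus two constructed IOCs."""
    files = {
        "benign.txt": b"hello world\n",
        "sample_a.bin": b"constructed sample A",
        "sample_b.bin": b"constructed sample B",
    }
    # Add one MD5 and one SHA1 indicator derived from the constructed samples;
    # the upper-case SHA1 mimics pulses that publish hashes in mixed case.
    iocs = CLOUDZ_HASHES + [
        hashlib.md5(files["sample_a.bin"]).hexdigest(),
        hashlib.sha1(files["sample_b.bin"]).hexdigest().upper(),
    ]
    return hunt(files, iocs)


if __name__ == "__main__":
    by_algo, rejected = classify_iocs(CLOUDZ_HASHES)
    print({k: len(v) for k, v in by_algo.items()}, "rejected:", rejected)
    print(demo())
```

For a real hunt, replace the in-memory `files` dict with a walk over the user directories named in the PowerShell script (Downloads, TEMP, APPDATA) and read each file in binary mode; the matching logic is unchanged.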
Detection Engineering
```yaml
id: 9a5e1f8d-7c4a-4a2b-9e0d-1f2a3b4c5d6e
title: Gamaredon GammaSteel Persistence via Printers Registry
status: experimental
description: Detects Gamaredon's GammaSteel malware storing payloads in HKCU\Printers registry key.
author: Security Arsenal
date: 2026/06/07
tags:
    - attack.persistence
    - attack.t1112
logsource:
    product: windows
    category: registry_set   # maps to Sysmon Event ID 13 (registry value set)
detection:
    selection:
        TargetObject|contains: 'Software\Microsoft\Windows NT\CurrentVersion\Printers'
    condition: selection
falsepositives:
    - Legitimate printer driver installation (rare in HKCU context)
level: high
```

```yaml
id: b6f4e2d1-8a3c-4b1d-9f1e-2a3b4c5d6e7f
title: Suspicious Access to Microsoft Phone Link Databases
status: experimental
description: Detects processes accessing Phone Link database files, indicative of CloudZ Pheno OTP theft.
author: Security Arsenal
date: 2026/06/07
tags:
    - attack.credential_access
    - attack.t1005
logsource:
    product: windows
    category: file_access
detection:
    selection:
        # both substrings must be present (a repeated map key is invalid YAML)
        TargetFilename|contains|all:
            - 'Microsoft.YourPhone'
            - '.db'
    filter:
        Image|endswith:
            - '\YourPhone.exe'
            - '\explorer.exe'
    condition: selection and not filter
level: high
```

```yaml
id: c1a2b3c4-d5e6-7890-1234-567890abcdef
title: Potential Remus Stealer Browser State Access
status: experimental
description: Detects unusual processes accessing Chrome or Edge Local State files, a precursor to ABE bypass.
author: Security Arsenal
date: 2026/06/07
tags:
    - attack.credential_access
    - attack.t1555
logsource:
    product: windows
    category: file_access
detection:
    selection:
        TargetFilename|contains:
            - '\Google\Chrome\User Data\Local State'
            - '\Microsoft\Edge\User Data\Local State'
    filter_browsers:
        Image|endswith:
            - '\chrome.exe'
            - '\msedge.exe'
    filter_legit:
        Image|endswith:
            - '\explorer.exe'
            - '\svchost.exe'
    condition: selection and not 1 of filter*
level: medium
```
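To show how the two file-access rules above behave before they are deployed, here is an added Python example (not part of the report or of any Sigma converter) that reimplements only the modifiers those rules use (`contains`, `contains|all`, `endswith`, all case-insensitive as in Sigma) and the condition `selection and not filter`, then runs both rules over six constructed events. The process and file paths, including the Phone Link package directory, are constructed sample values.

```python
"""Evaluate the Phone Link and browser Local State detections over sample events.

Added example, not part of the original report. Implements just the Sigma
semantics the two rules rely on; SAMPLE_EVENTS are constructed, not telemetry.
"""
from dataclasses import dataclass


def _contains_all(value, needles):
    v = value.lower()
    return all(n.lower() in v for n in needles)


def _contains_any(value, needles):
    v = value.lower()
    return any(n.lower() in v for n in needles)


def _endswith_any(value, suffixes):
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


@dataclass
class FileAccessRule:
    title: str
    target_all: tuple = ()      # TargetFilename|contains|all
    target_any: tuple = ()      # TargetFilename|contains with a list (OR)
    filter_images: tuple = ()   # Image|endswith across every filter_* block

    def matches(self, event):
        target = event.get("TargetFilename", "")
        image = event.get("Image", "")
        selection = (not self.target_all or _contains_all(target, self.target_all)) and \
                    (not self.target_any or _contains_any(target, self.target_any))
        # condition: selection and not 1 of filter*
        return selection and not _endswith_any(image, self.filter_images)


PHONE_LINK_RULE = FileAccessRule(
    title="Suspicious Access to Microsoft Phone Link Databases",
    target_all=("Microsoft.YourPhone", ".db"),
    filter_images=("\\YourPhone.exe", "\\explorer.exe"),
)

BROWSER_STATE_RULE = FileAccessRule(
    title="Potential Remus Stealer Browser State Access",
    target_any=("\\Google\\Chrome\\User Data\\Local State",
                "\\Microsoft\\Edge\\User Data\\Local State"),
    filter_images=("\\chrome.exe", "\\msedge.exe", "\\explorer.exe", "\\svchost.exe"),
)

RULES = (PHONE_LINK_RULE, BROWSER_STATE_RULE)

# Constructed file-access events (hypothetical paths, not real telemetry)
_PHONE_DB = r"C:\Users\alice\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalCache\Indexed\phone.db"
_CHROME_STATE = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"
_EDGE_STATE = r"C:\Users\alice\AppData\Local\Microsoft\Edge\User Data\Local State"
_DROPPER = r"C:\Users\alice\AppData\Local\Temp\updater.exe"

SAMPLE_EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\svchost.exe", "TargetFilename": _CHROME_STATE},
    {"id": 2, "Image": _DROPPER, "TargetFilename": _CHROME_STATE},
    {"id": 3, "Image": _DROPPER, "TargetFilename": _PHONE_DB},
    {"id": 4, "Image": r"C:\Program Files\WindowsApps\Microsoft.YourPhone_8wekyb3d8bbwe\YourPhone.exe",
     "TargetFilename": _PHONE_DB},
    {"id": 5, "Image": _DROPPER,
     "TargetFilename": r"C:\Users\alice\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\Settings\settings.json"},
    {"id": 6, "Image": r"C:\Program Files\Microsoft\Edge\Application\msedge.exe", "TargetFilename": _EDGE_STATE},
]


def evaluate(events=SAMPLE_EVENTS, rules=RULES):
    """Return (event id, rule title) for every event that fires a rule."""
    return [(e["id"], r.title) for e in events for r in rules if r.matches(e)]


if __name__ == "__main__":
    for event_id, title in evaluate():
        print(f"event {event_id}: {title}")
```

Only the two events where an unexpected process touches the protected file fire; the browser and shell accesses are suppressed by the filters, and the Phone Link event that reads a non-`.db` file never satisfies the selection. Extending `SAMPLE_EVENTS` with processes seen in your own environment is a cheap way to estimate the false-positive rate before enabling the rules at `high` or `medium` severity.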
```kql
// Hunt for Gamaredon C2 Infrastructure (DeviceNetworkEvents)
DeviceNetworkEvents
| where RemoteIP == "165.22.170.129" or RemoteUrl contains "justsstop.ru"
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, RemoteIP, RemoteUrl
```

```kql
// Hunt for CloudZ RAT File Hashes (DeviceProcessEvents)
DeviceProcessEvents
| where SHA256 in (
    "5b7284bcf30569ae400e416a62391720cc9081e6047f15816f9d1a04a06eb321",
    "24398b75be2645e6c695e529e62e60deb418143a4bbea13c561d3c361419eb54",
    "33af554562176eff34598a839051b8e91692b0305edfdbb4d8eb9df0103ffd98",
    "65fcd965040fabeb6f092df0a4b6856125018bb3b6a1876342da458139f77dac",
    "ed5de036edbbda52ab0049d2163607038d38a49404a46b6bcfc4bac26b743832"
)
| project Timestamp, DeviceName, FolderPath, ProcessCommandLine, AccountName
```

```kql
// Hunt for suspicious Ethereum RPC connections (Remus C2)
DeviceNetworkEvents
| where RemoteUrl contains "eth" and RemotePort in (80, 443, 8545)
| summarize count() by RemoteUrl, InitiatingProcessFileName
| where count_ < 10 // Filter out heavy users like actual wallets
```
```powershell
# IOC Hunt Script: CloudZ Hashes & Gamaredon Registry Persistence
# CloudZ hashes as published (mixed SHA256 / MD5 / SHA1), normalised to lowercase
$cloudzHashes = @(
    "5b7284bcf30569ae400e416a62391720cc9081e6047f15816f9d1a04a06eb321",
    "a39299719bb4151c373a0e9b92b2bd05",
    "e3ef02456a4df8236da5ee2082a5df36e746b463",
    "24398b75be2645e6c695e529e62e60deb418143a4bbea13c561d3c361419eb54",
    "33af554562176eff34598a839051b8e91692b0305edfdbb4d8eb9df0103ffd98",
    "65fcd965040fabeb6f092df0a4b6856125018bb3b6a1876342da458139f77dac",
    "ed5de036edbbda52ab0049d2163607038d38a49404a46b6bcfc4bac26b743832"
) | ForEach-Object { $_.ToLower() }

Write-Host "[+] Checking for Gamaredon GammaSteel Persistence..." -ForegroundColor Cyan
# The report names HKCU\Printers as the storage key; the CurrentVersion\Printers key is checked as well
$printerKeys = @(
    "HKCU:\Printers",
    "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Printers"
)
$suspicious = $false
foreach ($path in $printerKeys) {
    if (-not (Test-Path $path)) { continue }
    # Drop the PS* metadata properties Get-ItemProperty adds, otherwise every key looks populated
    $values = @((Get-ItemProperty -Path $path).PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })
    if ($values.Count -gt 2) { # Basic heuristic: these keys normally hold very few values
        Write-Host "[!] $($values.Count) values under $path. Investigate manually." -ForegroundColor Red
        # Show value names and sizes rather than dumping potentially large encrypted blobs
        $values | Select-Object Name, @{ n = 'Length'; e = { "$($_.Value)".Length } } | Format-Table -AutoSize
        $suspicious = $true
    }
}
if (-not $suspicious) {
    Write-Host "[-] No obvious GammaSteel persistence found." -ForegroundColor Green
}

Write-Host "[+] Scanning for CloudZ RAT Hashes (Common Folders)..." -ForegroundColor Cyan
$pathsToScan = @("$env:USERPROFILE\Downloads", "$env:TEMP", "$env:APPDATA")
# Digest length tells which algorithm each published hash uses; hash files with every algorithm present
$algoByLength = @{ 32 = 'MD5'; 40 = 'SHA1'; 64 = 'SHA256' }
$algos = $cloudzHashes | ForEach-Object { $algoByLength[$_.Length] } | Sort-Object -Unique
$found = $false
foreach ($p in $pathsToScan) {
    if (-not (Test-Path $p)) { continue }
    Get-ChildItem -Path $p -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        foreach ($algo in $algos) {
            try {
                $hash = (Get-FileHash -Path $_.FullName -Algorithm $algo -ErrorAction Stop).Hash.ToLower()
                if ($cloudzHashes -contains $hash) {
                    Write-Host "[!] MALICIOUS FILE FOUND ($algo): $($_.FullName)" -ForegroundColor Red
                    $found = $true
                }
            } catch {
                # Ignore locked files and permission errors
            }
        }
    }
}
if (-not $found) {
    Write-Host "[-] No CloudZ artifacts found in user directories." -ForegroundColor Green
}
Write-Host "[+] Hunt Complete."
```
Response Priorities
- Immediate (0-24h):
  - Block IOCs: Immediately block IP 165.22.170.129 and domain justsstop.ru at the perimeter and proxy level.
  - Scan for CloudZ: Initiate a full antimalware scan using the provided SHA256 hashes to identify any active CloudZ RAT infections.
  - Disable Phone Link: If Microsoft Phone Link is not a business requirement, consider disabling it via Group Policy to mitigate the Pheno OTP theft vector.
- 24-48h:
  - Credential Audit: Given the presence of Lumma/Remus (ABE bypass) and CloudZ (OTP theft), assume credentials may be compromised. Reset passwords for high-privilege accounts and enforce MFA (ensure MFA methods are not SMS-based if CloudZ activity is suspected).
  - Hunt GammaSteel: Run the PowerShell script across endpoints to check for the HKCU\Printers persistence mechanism associated with Gamaredon.
- 1 Week:
  - Browser Hardening: Review the configuration of Application-Bound Encryption (ABE) in enterprise browsers. Ensure patches are applied to mitigate the Remus bypass techniques.
  - USB Policy: Reinforce controls against USB propagation (Gamaredon vector) by restricting unauthorized removable media.