
Remus Stealer, Gamaredon GammaSteel & CloudZ RAT: OTX Pulse Analysis — Enterprise Detection Pack

Security Arsenal Team
June 6, 2026
7 min read

Current OTX pulse data highlights three concurrent, high-risk campaigns targeting enterprise credentials and critical infrastructure. Remus, an evolution of Lumma Stealer, bypasses browser Application-Bound Encryption (ABE) to harvest credentials and cryptocurrency wallets and retrieves its C2 instructions from the Ethereum blockchain (EtherHiding). The Russian state-sponsored Gamaredon Group (UAC-0010) has escalated operations against Ukrainian entities with GammaSteel, a memory-resident infostealer that stages its payload in the per-user Printers registry key (HKCU\Printers) and spreads over USB. Separately, CloudZ RAT with the Pheno plugin abuses the Microsoft Phone Link application to read synchronized SMS and OTP codes without touching the mobile device itself. Collectively, these threats show a trend toward abusing trusted OS utilities and unconventional communication channels to evade detection.

Threat Actor / Malware Profile

Remus Stealer

  • Actor: Unknown; assessed as an evolution of the Lumma Stealer codebase by its core team.
  • Distribution: Malicious payloads distributed via cracked software, fake installers, and torrent sites.
  • Payload Behavior: 64-bit information stealer. Application-Bound Encryption (ABE) ties cookie and credential decryption to the browser's own process identity, so Remus injects code into the running browser and performs the decryption from inside it. Targets cryptocurrency wallets and session cookies.
  • C2 Communication: EtherHiding. C2 instructions are stored in a smart contract on the Ethereum blockchain and fetched with read-only JSON-RPC calls (eth_call) to public node endpoints, so the implant never contacts operator-owned infrastructure; the operator rotates C2 by sending a transaction that updates the contract. Destination blocking is therefore of little use; hunt instead for which processes on a workstation are issuing blockchain RPC calls.
  • Persistence: Likely via Scheduled Tasks or Registry Run keys (standard for info-stealers).
  • Anti-Analysis: Heavy obfuscation and the anti-debugging checks associated with the Lumma family lineage.
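To make the EtherHiding detail concrete, the following Python is an added example and is not code from the pulse or from the Remus authors. It assumes the widely documented EtherHiding pattern: the operator stores a string in a smart contract and the implant reads it with a read-only eth_call JSON-RPC request, so the result comes back ABI-encoded as a Solidity string. The contract address, function selector, list of public RPC hosts and the proxy-log records are constructed for illustration; the decoder itself follows the standard ABI layout for a dynamic string.

```python
import json

# Public JSON-RPC hosts a stealer might use. Constructed list for this example;
# extend it with whatever providers your proxy logs actually show.
PUBLIC_RPC_HOSTS = {
    "cloudflare-eth.com",
    "rpc.ankr.com",
    "mainnet.infura.io",
    "bsc-dataseed.binance.org",
}
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}


def abi_decode_string(hex_result: str) -> str:
    """Decode an eth_call result that returns a single Solidity `string`.

    ABI layout: a 32-byte offset to the dynamic part, then at that offset a
    32-byte byte length followed by the UTF-8 data, zero-padded to 32 bytes.
    """
    raw = bytes.fromhex(hex_result[2:] if hex_result.startswith("0x") else hex_result)
    if len(raw) < 64:
        raise ValueError("result too short to hold an ABI-encoded string")
    offset = int.from_bytes(raw[0:32], "big")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    data = raw[offset + 32:offset + 32 + length]
    if len(data) != length:
        raise ValueError("ABI string is truncated")
    return data.decode("utf-8")


def abi_encode_string(text: str) -> str:
    """Inverse of abi_decode_string; used here only to build a constructed sample response."""
    payload = text.encode("utf-8")
    padding = (-len(payload)) % 32
    return ("0x" + (32).to_bytes(32, "big").hex() + len(payload).to_bytes(32, "big").hex()
            + payload.hex() + "00" * padding)


def find_eth_calls_from_non_browsers(proxy_records):
    """Flag eth_call requests to public RPC endpoints made by non-browser processes.

    Each record is a dict with 'process', 'host' and 'body' (the raw HTTP POST body).
    Wallets and dapps make these calls from a browser; an arbitrary user-mode binary
    doing so is the traffic pattern EtherHiding produces.
    """
    hits = []
    for rec in proxy_records:
        if rec["host"].lower() not in PUBLIC_RPC_HOSTS:
            continue
        try:
            body = json.loads(rec["body"])
        except ValueError:
            continue
        if body.get("method") != "eth_call":
            continue
        if rec["process"].lower() in BROWSER_PROCESSES:
            continue
        params = body.get("params") or [{}]
        hits.append({"process": rec["process"], "host": rec["host"], "contract": params[0].get("to")})
    return hits


# Constructed sample: the C2 lookup as it appears on the wire, and what the contract
# hands back once decoded. Contract address and function selector are placeholders.
SAMPLE_CONTRACT = "0x" + "ab" * 20
SAMPLE_CALL = json.dumps({
    "jsonrpc": "2.0", "id": 1, "method": "eth_call",
    "params": [{"to": SAMPLE_CONTRACT, "data": "0x20965255"}, "latest"],
})
SAMPLE_PROXY_LOG = [
    {"process": "chrome.exe", "host": "mainnet.infura.io", "body": SAMPLE_CALL},
    {"process": "setup_x64.exe", "host": "rpc.ankr.com", "body": SAMPLE_CALL},
    {"process": "setup_x64.exe", "host": "rpc.ankr.com",
     "body": json.dumps({"jsonrpc": "2.0", "id": 2, "method": "eth_blockNumber", "params": []})},
]
SAMPLE_RESULT = abi_encode_string("https://c2.example.invalid/gate.php")

if __name__ == "__main__":
    print("decoded C2 string:", abi_decode_string(SAMPLE_RESULT))
    for hit in find_eth_calls_from_non_browsers(SAMPLE_PROXY_LOG):
        print("suspicious eth_call:", hit)
```

The hunting function keys on the request method rather than the destination because the destination is a legitimate public service shared with real wallet users; the decoder is what an analyst runs on a captured response to see what the contract is currently handing out.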

Gamaredon Group (GammaSteel)

  • Actor: Gamaredon (UAC-0010, Armageddon), associated with Russian FSB.
  • Target: Ukrainian Government, Defense, and Critical Infrastructure.
  • Distribution: Spear-phishing attachments and LNK files on USB drives for air-gap jumping.
  • Payload Behavior: GammaSteel operates primarily in memory. It stores 71 distinct payload functions within the HKCU\Printers registry key, encrypted via Windows DPAPI. It also spreads via GammaWorm (USB propagation).
  • C2 Communication: HTTP/HTTPS communication to known infrastructure (e.g., justsstop.ru).
  • Persistence: Registry modification (HKCU\Printers) and potentially WMI event subscriptions.
  • Anti-Analysis: Memory-resident execution to evade disk-based scanning; DPAPI encryption of configuration data.

CloudZ RAT & Pheno Plugin

  • Actor: Unknown Cybercrime actor.
  • Distribution: Unverified software downloads and bundled installers.
  • Payload Behavior: CloudZ RAT provides remote access; the Pheno plugin targets the Microsoft Phone Link application (YourPhone.exe on older builds, PhoneExperienceHost.exe on current ones) and reads the SMS messages and OTP codes that Phone Link synchronizes from the linked mobile device, so the phone itself is never infected.
  • C2 Communication: Standard TCP/HTTP sockets for remote control.
  • Persistence: Registry Run keys or Service creation.
  • Anti-Analysis: Dynamic memory allocation and evasion of signature-based detection.

IOC Analysis

The provided IOCs offer immediate hunting opportunities:

  • Network Indicators: The IP 165.22.170.129 and domain justsstop.ru are associated with Gamaredon's GammaSteel C2. Block both at the perimeter firewall and the Secure Web Gateway (SWG), and keep the blocked attempts logged and alerting: an internal host that tries to reach either indicator is an infected endpoint to investigate, not merely a blocked connection.
  • File Hashes: A cluster of SHA256, MD5, and SHA1 hashes relates to the CloudZ RAT and Pheno plugin binaries. Load them into the EDR as custom indicators with a block-and-alert action (never into an allowlist) and into the SIEM as a watchlist, so that any file write or process creation carrying one of the hashes (e.g., SHA256 5b7284bcf30569ae400e416a62391720cc9081e6047f15816f9d1a04a06eb321) raises an alert. Compare hashes case-insensitively; EDR and SIEM sources differ in the case they emit.
  • Operationalization: SOC teams should ingest these IOCs into their Threat Intelligence Platform (TIP) to auto-generate blocklists. For GammaSteel, focus on registry anomaly detection rather than static IOCs alone: the malware stores its payload in the registry and runs in memory, so hashes of dropped files will rarely be available.
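String matching is where IOC ingestion usually goes wrong: hashes arrive in mixed case, and a domain indicator should match the domain and its subdomains but not every hostname that merely contains the string. The following Python is an added example, not code from the pulse or from any vendor tooling. It normalises the indicators quoted in this write-up by type and runs them over a handful of constructed proxy and EDR file events; the host names, URLs and event lines are made up for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Indicators quoted in this write-up, in the mixed forms a pulse export typically uses
RAW_IOCS = [
    "165.22.170.129",
    "justsstop.ru",
    "5B7284BCF30569AE400E416A62391720CC9081E6047F15816F9D1A04A06EB321",
    "a39299719bb4151c373a0e9b92b2bd05",
    "e3ef02456a4df8236da5ee2082a5df36e746b463",
]

HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}


def classify_ioc(value):
    """Return (type, normalised value) for an indicator string."""
    v = value.strip().lower()
    try:
        ipaddress.ip_address(v)
        return "ip", v
    except ValueError:
        pass
    if len(v) in HASH_LENGTHS and all(c in "0123456789abcdef" for c in v):
        return HASH_LENGTHS[len(v)], v
    return "domain", v.rstrip(".")


def build_ioc_sets(raw):
    """Bucket raw indicators into per-type sets so each is compared the right way."""
    sets = {"ip": set(), "domain": set(), "md5": set(), "sha1": set(), "sha256": set()}
    for item in raw:
        kind, norm = classify_ioc(item)
        sets[kind].add(norm)
    return sets


def domain_matches(hostname, domains):
    """True if hostname equals an indicator or is a subdomain of one (label-aligned, not substring)."""
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in domains)


def match_events(events, iocs):
    """Events are dicts from two constructed sources: proxy ('url', 'dst_ip') and EDR file ('sha256', 'md5', 'sha1')."""
    hits = []
    for ev in events:
        reasons = []
        if ev.get("dst_ip") in iocs["ip"]:
            reasons.append("ip")
        if ev.get("url"):
            host = urlsplit(ev["url"]).hostname or ""
            if domain_matches(host, iocs["domain"]):
                reasons.append("domain")
        for algo in ("md5", "sha1", "sha256"):
            if ev.get(algo) and ev[algo].lower() in iocs[algo]:
                reasons.append(algo)
        if reasons:
            hits.append({"host": ev["host"], "matched_on": reasons})
    return hits


# Constructed sample events (not real telemetry)
SAMPLE_EVENTS = [
    {"host": "WS-0142", "url": "http://justsstop.ru/upd/index.php", "dst_ip": "165.22.170.129"},
    {"host": "WS-0143", "url": "https://cdn.justsstop.ru/x", "dst_ip": "203.0.113.10"},
    {"host": "WS-0144", "url": "https://notjustsstop.ru/", "dst_ip": "203.0.113.11"},  # decoy: substring only
    {"host": "WS-0150", "sha256": "5b7284bcf30569ae400e416a62391720cc9081e6047f15816f9d1a04a06eb321"},
    {"host": "WS-0151", "md5": "A39299719BB4151C373A0E9B92B2BD05"},
    {"host": "WS-0152", "sha256": "0" * 64},
]

if __name__ == "__main__":
    for hit in match_events(SAMPLE_EVENTS, build_ioc_sets(RAW_IOCS)):
        print(hit)
```

The decoy host shows the difference between this and a `has_any`/`contains` style match: notjustsstop.ru is not a subdomain of the indicator and must not page an analyst.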

Detection Engineering

Sigma Rules

YAML
---
title: GammaSteel Payload Storage in User Printers Registry Key
id: 6e1b8c9d-2f3a-4a5e-9b1c-8d7f6a5e4c3b
description: Detects values written under the per-user Printers keys (HKCU\Printers and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Printers), which GammaSteel abuses to stage its encrypted payload functions in the registry instead of on disk. The printer stack is filtered out; review the Details field of matching events for large or non-printer data.
status: experimental
date: 2026/06/06
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6e1b8c9d-2f3a-4a5e-9b1c-8d7f6a5e4c3b
tags:
    - attack.defense_evasion
    - attack.persistence
    - attack.t1112
    - attack.t1027.011
logsource:
    product: windows
    category: registry_set
detection:
    selection_currentversion:
        TargetObject|contains: '\Software\Microsoft\Windows NT\CurrentVersion\Printers\'
    selection_root:
        # Sysmon renders HKCU as HKU\<SID>; this matches the root-level Printers key
        TargetObject|re: '^HKU\\S-1-5-21-[0-9-]+\\Printers\\'
    filter_printer_stack:
        Image|endswith:
            - '\spoolsv.exe'
            - '\printui.exe'
            - '\PrintIsolationHost.exe'
            - '\SystemSettings.exe'
    condition: (selection_currentversion or selection_root) and not filter_printer_stack
falsepositives:
    - Printer driver installation and per-user printer configuration written by applications other than the spooler
level: medium
---
title: Potential CloudZ RAT Pheno Phone Link Memory Access
id: 7f2c9d0e-3a4b-5b6f-0c2d-9e8a7b6f5e4d
description: Detects a process outside the Windows and Store application directories opening a handle to Microsoft Phone Link (YourPhone.exe on older builds, PhoneExperienceHost.exe on current builds) with memory read or write rights. The Pheno plugin reads synchronized SMS/OTP content out of the Phone Link process.
status: experimental
date: 2026/06/06
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/7f2c9d0e-3a4b-5b6f-0c2d-9e8a7b6f5e4d
tags:
    - attack.credential_access
    - attack.t1111
    - attack.defense_evasion
    - attack.t1055
logsource:
    product: windows
    category: process_access
detection:
    selection_target:
        TargetImage|endswith:
            - '\YourPhone.exe'
            - '\PhoneExperienceHost.exe'
    selection_grant:
        # Sigma cannot test bits, so list the common Sysmon masks that include
        # PROCESS_VM_READ (0x10) or PROCESS_VM_WRITE (0x20); a substring match on '0x10'
        # would also fire on 0x1000 (PROCESS_QUERY_LIMITED_INFORMATION), which has no memory rights
        GrantedAccess:
            - '0x1010'    # PROCESS_VM_READ | PROCESS_QUERY_LIMITED_INFORMATION
            - '0x1410'    # PROCESS_VM_READ | PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION
            - '0x1438'    # PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION | query rights
            - '0x143A'    # the above plus PROCESS_CREATE_THREAD
            - '0x1F0FFF'  # PROCESS_ALL_ACCESS (pre-Vista mask)
            - '0x1FFFFF'  # PROCESS_ALL_ACCESS
    filter_legit:
        SourceImage|contains:
            - ':\Windows\System32\'
            - ':\Program Files\WindowsApps\'
    condition: selection_target and selection_grant and not filter_legit
falsepositives:
    - Debugging or memory diagnostics of Phone Link
    - Endpoint security products that scan process memory (add them to the filter by path)
level: high
---
title: Remus Stealer Remote Thread Creation in Browser Process
id: 8a3d0e1f-4b5c-6c7a-1d3e-0f9b8c7d6e5f
description: Detects a remote thread created in a Chromium-based browser by a script host, LOLBin, or a process running from a user-writable location. Remus injects into the browser so that cookie and credential decryption happens inside the process that Application-Bound Encryption trusts.
status: experimental
date: 2026/06/06
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/8a3d0e1f-4b5c-6c7a-1d3e-0f9b8c7d6e5f
tags:
    - attack.defense_evasion
    - attack.t1055
    - attack.credential_access
    - attack.t1555.003
logsource:
    product: windows
    category: create_remote_thread
detection:
    selection_target:
        TargetImage|endswith:
            - '\chrome.exe'
            - '\msedge.exe'
            - '\brave.exe'
    selection_source_lolbin:
        SourceImage|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\cscript.exe'
            - '\wscript.exe'
            - '\rundll32.exe'
            - '\regsvr32.exe'
            - '\mshta.exe'
    selection_source_userpath:
        SourceImage|contains:
            - '\Users\'
            - '\ProgramData\'
            - '\Windows\Temp\'
    filter_self:
        # browsers create threads in their own renderer and utility processes
        SourceImage|endswith:
            - '\chrome.exe'
            - '\msedge.exe'
            - '\brave.exe'
    condition: selection_target and (selection_source_lolbin or selection_source_userpath) and not filter_self
falsepositives:
    - Automated browser testing and accessibility tools that inject into the browser
    - Security or management agents installed under user profiles
level: medium
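The process_access rule above has to enumerate exact GrantedAccess values because Sigma has no bitwise operators, and a substring test such as `contains '0x10'` would also fire on masks like 0x1000 that carry no memory rights at all. The following Python is an added example, not from the pulse or any vendor, that decodes the Sysmon Event 10 GrantedAccess mask into its PROCESS_* rights and applies the same logic as the Phone Link rule over a few constructed Sysmon records; the process names, package folder and paths in the sample events are made up for illustration.

```python
# Windows PROCESS_* access rights as they appear in a Sysmon Event 10 GrantedAccess mask
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0004: "PROCESS_SET_SESSIONID",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x2000: "PROCESS_SET_LIMITED_INFORMATION",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
}

PHONE_LINK_IMAGES = ("\\yourphone.exe", "\\phoneexperiencehost.exe")
TRUSTED_SOURCE_DIRS = ("\\windows\\system32\\", "\\program files\\windowsapps\\")


def decode_granted_access(mask):
    """Return the set of right names encoded in a GrantedAccess value ('0x1410' or int)."""
    value = int(mask, 16) if isinstance(mask, str) else int(mask)
    return {name for bit, name in PROCESS_RIGHTS.items() if value & bit}


def classify_access(mask):
    """Summarise what a handle with this mask can do to the target's memory."""
    rights = decode_granted_access(mask)
    if {"PROCESS_VM_WRITE", "PROCESS_VM_OPERATION"} <= rights:
        return "injection"        # can allocate/protect and write target memory
    if "PROCESS_VM_READ" in rights:
        return "memory-read"      # enough to scrape SMS/OTP text out of the process
    return "benign"


def phone_link_access_hits(events):
    """Apply the Phone Link rule: untrusted source, Phone Link target, memory rights present."""
    hits = []
    for ev in events:
        target = ev["TargetImage"].lower()
        source = ev["SourceImage"].lower()
        if not target.endswith(PHONE_LINK_IMAGES):
            continue
        if any(d in source for d in TRUSTED_SOURCE_DIRS):
            continue
        verdict = classify_access(ev["GrantedAccess"])
        if verdict != "benign":
            hits.append({"source": ev["SourceImage"], "access": ev["GrantedAccess"], "verdict": verdict})
    return hits


# Constructed Sysmon Event 10 records (not real telemetry)
PHONE_LINK = "C:\\Program Files\\WindowsApps\\Microsoft.YourPhone_1.24.1\\PhoneExperienceHost.exe"
SAMPLE_EVENTS = [
    {"SourceImage": "C:\\Users\\alice\\AppData\\Roaming\\svchost.exe",
     "TargetImage": PHONE_LINK, "GrantedAccess": "0x1410"},
    {"SourceImage": "C:\\Users\\alice\\Downloads\\update.exe",
     "TargetImage": PHONE_LINK, "GrantedAccess": "0x143A"},
    {"SourceImage": "C:\\Windows\\System32\\svchost.exe",
     "TargetImage": PHONE_LINK, "GrantedAccess": "0x1FFFFF"},
    # QUERY_LIMITED only: a substring match on '0x10' would wrongly flag this one
    {"SourceImage": "C:\\Users\\alice\\AppData\\Local\\Slack\\slack.exe",
     "TargetImage": PHONE_LINK, "GrantedAccess": "0x1000"},
]

if __name__ == "__main__":
    for hit in phone_link_access_hits(SAMPLE_EVENTS):
        print(hit)
```

In a SIEM that supports bitwise operators (KQL's `binary_and`, for instance) this decoding is the better way to express the rule; the Sigma list of literal masks is a compromise for portability.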

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for GammaSteel network indicators and CloudZ RAT / Pheno file hashes in one result set.
// A KQL query can only end in one tabular expression, so the hunts are built as named
// sub-queries and combined with union.
let lookback = 30d;
let GammaSteelIPs = dynamic(['165.22.170.129']);
let GammaSteelDomains = dynamic(['justsstop.ru']);
let CloudZSha256 = dynamic([
    '5b7284bcf30569ae400e416a62391720cc9081e6047f15816f9d1a04a06eb321',
    '24398b75be2645e6c695e529e62e60deb418143a4bbea13c561d3c361419eb54',
    '33af554562176eff34598a839051b8e91692b0305edfdbb4d8eb9df0103ffd98',
    '65fcd965040fabeb6f092df0a4b6856125018bb3b6a1876342da458139f77dac',
    'ed5de036edbbda52ab0049d2163607038d38a49404a46b6bcfc4bac26b743832'
]);
let CloudZMd5 = dynamic(['a39299719bb4151c373a0e9b92b2bd05']);
let CloudZSha1 = dynamic(['e3ef02456a4df8236da5ee2082a5df36e746b463']);
let NetworkHits = DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where RemoteIP in (GammaSteelIPs) or RemoteUrl has_any (GammaSteelDomains)
    | project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, RemoteIP, RemoteUrl, ActionType
    | extend Threat = 'Gamaredon GammaSteel';
// in~ compares case-insensitively; hash case differs between pulse exports and telemetry
let FileHits = DeviceFileEvents
    | where Timestamp > ago(lookback)
    | where SHA256 in~ (CloudZSha256) or MD5 in~ (CloudZMd5) or SHA1 in~ (CloudZSha1)
    | project Timestamp, DeviceName, InitiatingProcessAccountName, FileName, FolderPath, SHA256, ActionType
    | extend Threat = 'CloudZ RAT Pheno (file)';
let ProcessHits = DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where SHA256 in~ (CloudZSha256) or MD5 in~ (CloudZMd5) or SHA1 in~ (CloudZSha1)
    | project Timestamp, DeviceName, InitiatingProcessAccountName, FileName, FolderPath, SHA256, ActionType
    | extend Threat = 'CloudZ RAT Pheno (executed)';
union NetworkHits, FileHits, ProcessHits
| order by Timestamp desc

PowerShell Hunt Script

PowerShell
<#
.SYNOPSIS
    Hunt script for GammaSteel registry payload storage and CloudZ RAT file artifacts.
.DESCRIPTION
    Walks both per-user Printers keys referenced in this write-up (HKCU\Printers and
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Printers), including subkeys,
    and flags unusually large binary or string values. It then hashes files under the
    user's temp and profile application directories and compares them with the
    CloudZ RAT / Pheno SHA256 indicators. HKCU is per user, so run the script in the
    context of each interactive profile under investigation.
#>

$ErrorActionPreference = 'SilentlyContinue'
$findings = New-Object System.Collections.Generic.List[object]

# 1. Hunt for GammaSteel registry artifacts
Write-Host "[*] Checking per-user Printers keys for GammaSteel payloads..."
$printerKeys = @(
    "Registry::HKEY_CURRENT_USER\Printers",
    "Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Printers"
)
# Properties the registry provider adds to every object; not real values
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

foreach ($root in $printerKeys) {
    if (-not (Test-Path $root)) { continue }
    # The root key itself plus every subkey beneath it
    $keys = @(Get-Item $root) + @(Get-ChildItem $root -Recurse)
    foreach ($key in $keys) {
        $values = Get-ItemProperty -Path $key.PSPath
        if (-not $values) { continue }
        foreach ($prop in $values.PSObject.Properties) {
            if ($providerProps -contains $prop.Name) { continue }
            $data = $prop.Value
            $reason = $null
            if ($data -is [byte[]] -and $data.Length -gt 512) {
                $reason = "binary value of $($data.Length) bytes"
            } elseif ($data -is [string] -and $data.Length -gt 100) {
                $reason = "string value of $($data.Length) characters"
            }
            if ($reason) {
                Write-Host "[!] Suspicious $reason : $($prop.Name) in $($key.Name)" -ForegroundColor Red
                $findings.Add([pscustomobject]@{ Type = 'Registry'; Location = $key.Name; Item = $prop.Name; Detail = $reason })
            }
        }
    }
}

# 2. Hunt for CloudZ RAT file hashes
Write-Host "[*] Scanning for CloudZ RAT file hashes..."
$cloudzHashes = @(
    "5b7284bcf30569ae400e416a62391720cc9081e6047f15816f9d1a04a06eb321",
    "24398b75be2645e6c695e529e62e60deb418143a4bbea13c561d3c361419eb54",
    "33af554562176eff34598a839051b8e91692b0305edfdbb4d8eb9df0103ffd98",
    "65fcd965040fabeb6f092df0a4b6856125018bb3b6a1876342da458139f77dac",
    "ed5de036edbbda52ab0049d2163607038d38a49404a46b6bcfc4bac26b743832"
)

# Common drop locations; extend with any path EDR telemetry or the pulse points to
$pathsToScan = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData)

foreach ($path in $pathsToScan) {
    if (-not (Test-Path $path)) { continue }
    # -File skips directories, which Get-FileHash cannot hash
    Get-ChildItem -Path $path -Recurse -File | ForEach-Object {
        $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        # Get-FileHash returns upper-case hex; -contains compares case-insensitively
        if ($hash -and ($cloudzHashes -contains $hash)) {
            Write-Host "[!] CloudZ RAT artifact found: $($_.FullName)" -ForegroundColor Red
            $findings.Add([pscustomobject]@{ Type = 'File'; Location = $_.FullName; Item = $hash.ToLowerInvariant(); Detail = 'CloudZ RAT / Pheno SHA256 match' })
        }
    }
}

Write-Host "[*] Hunt complete. $($findings.Count) finding(s)."
# Emit findings as objects so the output can be piped to Export-Csv or a SIEM forwarder
$findings


Response Priorities

Immediate (0-12 hours)

  • Network Blocking: Block all egress traffic to IP 165.22.170.129 and domain justsstop.ru at the firewall and proxy level.
  • Containment: Isolate endpoints where the CloudZ RAT file hashes have been identified to prevent further C2 communication or OTP theft.
  • Registry Analysis: Hunt for and audit modifications to both per-user Printers keys referenced in this write-up, HKCU\Printers and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Printers, across the environment. The values of interest are large DPAPI-encrypted blobs that do not look like printer settings.

24 Hours

  • Credential Reset: If a Remus or GammaSteel infection is confirmed, treat every credential the browser had saved as compromised: reset those passwords and revoke active sessions and refresh tokens for the affected users, since stolen session cookies work without the password. Prioritize accounts tied to cryptocurrency or privileged access.
  • Identity Verification: Conduct out-of-band verification for users who may have had OTPs intercepted via the CloudZ/Pheno Phone Link vector.
  • USB Sanitization: In environments targeted by Gamaredon (or high-risk sectors), enforce a temporary policy disabling USB mass storage or scanning all USB devices.

1 Week

  • Application Hardening: Where Microsoft Phone Link is not business-critical, remove or block the Store package (Microsoft.YourPhone) with AppLocker/WDAC packaged-app rules or an Intune app-removal policy, so there is no synchronized SMS store on the endpoint to read. Where it stays, treat process handles opened on YourPhone.exe/PhoneExperienceHost.exe with memory rights as a monitored event and prefer authenticator-app or FIDO2 factors over SMS OTPs for privileged accounts.
  • ASR Rules: Enable the Attack Surface Reduction (ASR) rules that match these campaigns' initial access vectors: "Block untrusted and unsigned processes that run from USB" (b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4) against GammaWorm's USB propagation, "Block executable files from running unless they meet a prevalence, age, or trusted list criterion" (01443614-cd74-433a-b99e-2ecdc07bfc25) against cracked-software and bundled-installer droppers, and "Block Office applications from creating child processes" (d4f940ab-401b-4efc-aadc-ad5f3c50688a) for the spear-phishing attachments. The LSASS rule ("Block credential stealing from the Windows local security authority subsystem") is good hygiene but does not address these campaigns, which steal from browsers, the registry, and Phone Link rather than from LSASS. Roll new rules out in audit mode first and review the ASR events before switching to block.

Related Resources


Tags: darkweb, otx-pulse, darkweb-malware, remus-stealer, gammasteel, cloudz-rat, credential-theft, apt-activity
