REMUS Infostealer: How Session Hijacking Became the New Gold in Cybercrime

Stolen browser sessions and authentication tokens now command higher prices on dark web markets than traditional passwords, according to a new analysis of the REMUS infostealer malware. The threat, operated as a Malware-as-a-Service (MaaS), has rapidly evolved to specialize in session theft. Because a session token is minted only after a user has already passed the multi-factor challenge, whoever holds the token inherits that authenticated state, letting criminals sidestep multi-factor authentication and persist inside compromised accounts.

“REMUS is a textbook example of how cybercriminals pivot to session hijacking because it gives them instant, persistent access without needing credentials,” said a senior threat researcher at Flare, the cybersecurity firm that tracked the malware's development. “We’re seeing a clear shift: session tokens are the new gold.”

Background

REMUS first emerged in underground forums in early 2024 as a basic infostealer. Within months, its developers added advanced session cookie extraction and token replay capabilities, turning it into a specialized tool for account takeovers. The malware is sold on a subscription model (MaaS), with prices ranging from $500 to $2,000 per month depending on features and support level.

Source: www.bleepingcomputer.com

Flare’s report details how REMUS uses WebSocket injection to intercept active sessions in real time, even those protected by 2FA. Attackers can then replay these tokens against services like email, cloud storage, and corporate VPNs; the service sees a valid, already-authenticated session and so raises no additional authentication prompt. “The victims never know until it’s too late,” the researcher added.


What This Means

For organizations, the rise of REMUS underscores the inadequacy of relying solely on multi-factor authentication. Session token theft does not break MFA; it sidesteps it, because the token is issued after the MFA challenge has already been passed. Any policy that treats MFA as sufficient rather than merely necessary therefore no longer holds. Companies must now monitor for anomalous session usage (a token presented from a new network, device or geography, or from two places at once), keep token lifetimes short, and deploy endpoint detection that can spot process injection and WebSocket abuse.

For defenders, REMUS represents a rapidly evolving threat that demands equally agile countermeasures. The malware already shows modular updates, suggesting its creators are adding features like browser-agnostic stealing and cryptojacking. “This isn’t a static threat—it’s a platform that gets better every week,” the Flare researcher warned.

Flare recommends immediate action: disable automatic session persistence in browsers (the “stay signed in” behaviour that keeps cookies valid across restarts), enforce re-authentication for sensitive actions so a replayed token alone cannot complete them, and use EDR solutions that can detect hooking of browser processes. As the threat matures, stolen sessions will only become more valuable, making proactive defense critical.
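The following is an added example, not code from Flare’s report or from REMUS, showing server-side checks that implement the recommendations above: a bearer-only session store (against which a copied cookie simply works) next to a store that binds each token to the client context it was issued to, caps idle and absolute lifetime, demands fresh re-authentication for sensitive actions, and turns a replay into a revocation plus an alert. The IP addresses, User-Agent strings, timings and the /24-plus-UA fingerprint rule are all constructed for the example.

```python
"""Session-token replay: a bearer-only store versus a bound, short-lived one.

Added example (not Flare's or REMUS's code). Clock, addresses, user agents
and the fingerprint rule are constructed so the scenario runs offline.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

IDLE_TTL = 15 * 60          # seconds without activity before the token dies
ABSOLUTE_TTL = 8 * 3600     # hard cap regardless of activity
REAUTH_WINDOW = 5 * 60      # sensitive actions need MFA fresher than this


class Clock:
    """Controllable clock so lifetimes can be exercised deterministically."""
    def __init__(self, t=1_700_000_000.0):
        self.t = t

    def advance(self, seconds):
        self.t += seconds

    def now(self):
        return self.t


def fingerprint(ip, user_agent):
    """Bind a session to its /24 and User-Agent (assumed policy): coarse enough
    to survive ordinary NAT churn, tight enough that a token replayed from an
    attacker's host (other network, other browser build) mismatches."""
    net = ".".join(ip.split(".")[:3])
    return hashlib.sha256(f"{net}|{user_agent}".encode()).hexdigest()


@dataclass
class Session:
    user: str
    fp: str
    created: float
    last_seen: float
    last_auth: float


class BearerStore:
    """The replayable design: whoever presents the token is the user."""
    def __init__(self):
        self._s = {}

    def issue(self, user, ip, ua):
        tok = secrets.token_urlsafe(32)
        self._s[tok] = user
        return tok

    def check(self, tok, ip, ua, sensitive=False):
        user = self._s.get(tok)
        return user, ("ok" if user else "unknown token")


class BoundStore:
    """Token valid only from its issuing context, for a bounded time; sensitive
    actions require recent re-authentication; a mismatch revokes and alerts."""
    def __init__(self, clock):
        self._s = {}
        self.clock = clock
        self.alerts = []          # what a SOC pipeline would ingest

    def issue(self, user, ip, ua):
        tok = secrets.token_urlsafe(32)
        t = self.clock.now()
        self._s[tok] = Session(user, fingerprint(ip, ua), t, t, t)
        return tok

    def check(self, tok, ip, ua, sensitive=False):
        s = self._s.get(tok)
        if s is None:
            return None, "unknown token"
        t = self.clock.now()
        if t - s.created > ABSOLUTE_TTL or t - s.last_seen > IDLE_TTL:
            del self._s[tok]
            return None, "expired"
        if not hmac.compare_digest(s.fp, fingerprint(ip, ua)):
            del self._s[tok]   # replayed token: kill it for everyone, including the victim
            self.alerts.append(f"session replay for {s.user} from {ip}")
            return None, "context mismatch, session revoked"
        if sensitive and t - s.last_auth > REAUTH_WINDOW:
            return None, "reauth required"
        s.last_seen = t
        return s.user, "ok"

    def reauth(self, tok):
        self._s[tok].last_auth = self.clock.now()


def replay_scenario():
    """Victim logs in; the stolen cookie is replayed from the attacker's box."""
    clock = Clock()
    victim = ("203.0.113.10", "Mozilla/5.0 (Windows NT 10.0) Chrome/124")
    attacker = ("198.51.100.7", "Mozilla/5.0 (X11; Linux) Chrome/118")
    out = {}

    bearer = BearerStore()
    tok = bearer.issue("alice", *victim)
    out["bearer_replay"] = bearer.check(tok, *attacker)[0]        # replay succeeds

    bound = BoundStore(clock)
    tok = bound.issue("alice", *victim)
    clock.advance(60)
    out["bound_victim"] = bound.check(tok, *victim)[0]            # legitimate use
    clock.advance(REAUTH_WINDOW + 1)
    out["bound_sensitive"] = bound.check(tok, *victim, sensitive=True)[1]
    out["bound_replay"] = bound.check(tok, *attacker)[1]          # revoked + alert
    out["bound_victim_after"] = bound.check(tok, *victim)[1]      # victim must log in again
    out["alerts"] = len(bound.alerts)

    tok2 = bound.issue("bob", *victim)                            # unused stolen cookie dies
    clock.advance(IDLE_TTL + 1)
    out["bound_idle"] = bound.check(tok2, *victim)[1]
    return out


if __name__ == "__main__":
    for k, v in replay_scenario().items():
        print(f"{k}: {v}")
```

Revoking on mismatch rather than silently rejecting is deliberate: the victim being forced to log in again is the cost of making the attacker’s copy worthless, and the alert gives responders the account name and source address to pivot on. The /24 binding is a placeholder policy; in production it would typically be replaced or supplemented by ASN, device posture or token-binding signals from the identity provider.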
