Remus Stealer Delivered Via Software Search Redirection

    Date: 05/28/2026

    Severity: Medium

    Summary

    A malware campaign is targeting users searching for open-source C++ IDE software by redirecting them from legitimate websites to fake MEGA Transfer pages that deliver RemusStealer. The attack chain uses CloudFront-hosted JavaScript for browser fingerprinting, click tracking, and traffic routing, enabling stealthy, interaction-based redirection rather than traditional SEO poisoning. The payload employs a heavily obfuscated Go loader and retrieves its command-and-control infrastructure through an Ethereum-based dead drop resolver, demonstrating advanced evasion and resilient C2 techniques for credential theft and malware delivery. 

    Indicators of Compromise (IOC) List

    Domains/URLs

    oundhertobeconsist.org

    pulse.cryptowavematrix6.cyou

    scroogeearthbornwyson.com

    dwn.nexusriftcore9.cfd

    mascard.biz

    shivlpf.shop

    IP Address

    104.21.72.4

    Hash

    0a6a792109809ef80ee6f93835aa26ead15ed0deabdcd56b0889fb92b62167a4

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "oundhertobeconsist.org" or url like "oundhertobeconsist.org" or siteurl like "oundhertobeconsist.org" or domainname like "pulse.cryptowavematrix6.cyou" or url like "pulse.cryptowavematrix6.cyou" or siteurl like "pulse.cryptowavematrix6.cyou" or domainname like "mascard.biz" or url like "mascard.biz" or siteurl like "mascard.biz" or domainname like "scroogeearthbornwyson.com" or url like "scroogeearthbornwyson.com" or siteurl like "scroogeearthbornwyson.com" or domainname like "shivlpf.shop" or url like "shivlpf.shop" or siteurl like "shivlpf.shop" or domainname like "dwn.nexusriftcore9.cfd" or url like "dwn.nexusriftcore9.cfd" or siteurl like "dwn.nexusriftcore9.cfd"

    Detection Query 2:

    dstipaddress IN ("104.21.72.4") or srcipaddress IN ("104.21.72.4")

    Detection Query 3:

    sha256hash IN ("0a6a792109809ef80ee6f93835aa26ead15ed0deabdcd56b0889fb92b62167a4")
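    To show how the three queries above behave against actual telemetry, here is an added Python re-implementation of them (not Gurucul's query engine and not code from the advisory) run over a few constructed proxy, firewall and EDR records. It assumes `like` means a case-insensitive substring match and `IN` an exact match, which is how the queries read.

```python
from typing import Callable, Dict, List, Tuple

# Indicators copied from the IOC list in this advisory.
IOC_DOMAINS = [
    "oundhertobeconsist.org", "pulse.cryptowavematrix6.cyou",
    "scroogeearthbornwyson.com", "dwn.nexusriftcore9.cfd",
    "mascard.biz", "shivlpf.shop",
]
IOC_IPS = {"104.21.72.4"}
IOC_SHA256 = {"0a6a792109809ef80ee6f93835aa26ead15ed0deabdcd56b0889fb92b62167a4"}

Event = Dict[str, str]


def query1_domains(event: Event) -> bool:
    """Detection Query 1: `like` modelled as case-insensitive substring over the three fields."""
    fields = [event.get(k, "").lower() for k in ("domainname", "url", "siteurl")]
    return any(ioc in field for field in fields for ioc in IOC_DOMAINS)

def query2_ip(event: Event) -> bool:
    """Detection Query 2: exact match on either direction of the connection."""
    return any(event.get(k) in IOC_IPS for k in ("dstipaddress", "srcipaddress"))

def query3_hash(event: Event) -> bool:
    """Detection Query 3: SHA-256 compared case-insensitively (EDRs differ in hex case)."""
    return event.get("sha256hash", "").lower() in IOC_SHA256

QUERIES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("Query 1", query1_domains), ("Query 2", query2_ip), ("Query 3", query3_hash),
]

def run_detections(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (event id, query name) for every query that fires on an event."""
    return [(e["id"], name) for e in events for name, fn in QUERIES if fn(e)]

# Constructed sample telemetry (not from the advisory): proxy, firewall and EDR records.
SAMPLE_EVENTS: List[Event] = [
    {"id": "proxy-1", "domainname": "pulse.cryptowavematrix6.cyou",
     "url": "https://pulse.cryptowavematrix6.cyou/fp.js"},
    {"id": "proxy-2", "domainname": "mega.nz", "url": "https://mega.nz/"},  # legitimate site, must not fire
    {"id": "fw-1", "srcipaddress": "10.0.0.15", "dstipaddress": "104.21.72.4"},
    {"id": "edr-1", "sha256hash": "0A6A792109809EF80EE6F93835AA26EAD15ED0DEABDCD56B0889FB92B62167A4"},
    {"id": "fw-2", "srcipaddress": "10.0.0.20", "dstipaddress": "203.0.113.9"},  # unrelated flow
]

if __name__ == "__main__":
    for event_id, query in run_detections(SAMPLE_EVENTS):
        print(f"{event_id}: {query}")
```

    Note that 104.21.72.4 falls inside a large shared CDN range (104.16.0.0/13 is a published Cloudflare range), so a Query 2 hit on its own will be noisy and should be corroborated with a Query 1 or Query 3 match on the same host.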

    Reference:

    https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2026-05-22-RemusStealer-Delivered-via-Software-Search-Redirection.txt


    Tags

    Malware, Stealer, SEO Poisoning, Obfuscation, Credential Theft
