RemusStealer Delivered via Software Search Redirection

    Date: 05/25/2026

    Severity: Medium

    Summary

    Users searching for legitimate C++ software land on a compromised site that executes malicious JavaScript. The script conducts heavy profiling via browser fingerprinting, mouse telemetry, and click interception. Profiled victims are redirected through intermediary domains to a dynamic, fake "MEGA Transfer" page. This landing page delivers password-protected archives harboring a heavily obfuscated Go loader. The loader uses a five-stage decryption process to reflectively execute the RemusStealer payload. RemusStealer retrieves its real C2 via an Ethereum Dead Drop Resolver contract, mimicking established cybercrime infrastructure.

    Indicators of Compromise (IOC) List

    Domains/URLs:

    oundhertobeconsist.org

    pulse.cryptowavematrix6.cyou

    scroogeearthbornwyson.com

    dwn.nexusriftcore9.cfd

    mascard.biz (post-execution)

    shivlpf.shop (post-execution)

    IP Address:

    104.21.72.4

    Hash (SHA-256):

    0a6a792109809ef80ee6f93835aa26ead15ed0deabdcd56b0889fb92b62167a4

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 :

    domainname like "pulse.cryptowavematrix6.cyou" or url like "pulse.cryptowavematrix6.cyou" or siteurl like "pulse.cryptowavematrix6.cyou" or domainname like "dwn.nexusriftcore9.cfd" or url like "dwn.nexusriftcore9.cfd" or siteurl like "dwn.nexusriftcore9.cfd" or domainname like "oundhertobeconsist.org" or url like "oundhertobeconsist.org" or siteurl like "oundhertobeconsist.org" or domainname like "scroogeearthbornwyson.com" or url like "scroogeearthbornwyson.com" or siteurl like "scroogeearthbornwyson.com" or domainname like "mascard.biz" or url like "mascard.biz" or siteurl like "mascard.biz" or domainname like "shivlpf.shop" or url like "shivlpf.shop" or siteurl like "shivlpf.shop"

    Note: "Post-execution" in the IOC list is a kill-chain phase annotation, not part of the domain name. The patterns above use the bare domains; a pattern such as "mascard.biz Post-execution" would never match real traffic.

    Detection Query 2 :

    dstipaddress In ("104.21.72.4") or srcipaddress In ("104.21.72.4")

    Note: 104.21.72.4 lies in Cloudflare's 104.16.0.0/13 reverse-proxy range, which is shared by many unrelated sites. Treat a hit on this query alone as low confidence and correlate it with the domain matches from Detection Query 1.

    Detection Query 3 :

    sha256hash In ("0a6a792109809ef80ee6f93835aa26ead15ed0deabdcd56b0889fb92b62167a4")
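    The three queries above can be reproduced outside the Gurucul platform for triage or for testing log sources. The following script is an added example written for this page, not code from Gurucul or Unit 42. It applies the advisory's domain, IP and hash indicators to a handful of constructed proxy, DNS and EDR log lines (the key=value formats and field names are assumptions), strips the "Post-execution" annotation before matching so it cannot poison the domain patterns, matches subdomains on a label boundary, and marks any hit that rests only on the shared Cloudflare IP as low confidence.

```python
"""Added example, not code from Gurucul or Unit 42: apply this advisory's IOC
list to constructed log lines. Log formats and field names are assumptions."""
import ipaddress
import re
from urllib.parse import urlsplit

# IOC entries as published in the advisory. "Post-execution" is a phase
# annotation, not part of the domain, and must be stripped before matching.
RAW_DOMAIN_IOCS = [
    "oundhertobeconsist.org",
    "pulse.cryptowavematrix6.cyou",
    "scroogeearthbornwyson.com",
    "dwn.nexusriftcore9.cfd",
    "mascard.biz Post-execution",
    "shivlpf.shop Post-execution",
]
IP_IOCS = {"104.21.72.4"}
HASH_IOCS = {"0a6a792109809ef80ee6f93835aa26ead15ed0deabdcd56b0889fb92b62167a4"}

# 104.16.0.0/13 is Cloudflare's shared reverse-proxy range, so the IP alone is
# weak evidence; hits resting only on it are marked low confidence.
SHARED_CDN = ipaddress.ip_network("104.16.0.0/13")


def clean_domains(raw):
    """Map bare domain -> phase label ('delivery-chain' is assumed when unlabeled)."""
    cleaned = {}
    for entry in raw:
        domain, _, phase = entry.strip().partition(" ")
        cleaned[domain.lower()] = phase or "delivery-chain"
    return cleaned


DOMAIN_IOCS = clean_domains(RAW_DOMAIN_IOCS)


def domain_matches(host):
    """Return the IOC that host equals or is a subdomain of, else None.
    The suffix test is on a label boundary: notmascard.biz does not hit mascard.biz."""
    host = host.lower().rstrip(".")
    for ioc in DOMAIN_IOCS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


KV = re.compile(r"(\w+)=(\S+)")


def scan(lines):
    """Scan key=value log lines; return one {'source','reasons','confidence'} dict per hit."""
    hits = []
    for line in lines:
        fields = dict(KV.findall(line))
        reasons = []
        # Domain indicators: explicit host fields plus the hostname of any URL field.
        hosts = [fields[k] for k in ("host", "qname", "domainname") if k in fields]
        if "url" in fields and urlsplit(fields["url"]).hostname:
            hosts.append(urlsplit(fields["url"]).hostname)
        for h in hosts:
            ioc = domain_matches(h)
            if ioc:
                reasons.append(f"domain:{ioc}:{DOMAIN_IOCS[ioc]}")
        # IP indicator, tagged when it falls in the shared CDN range.
        for k in ("src", "dst"):
            ip = fields.get(k)
            if ip in IP_IOCS:
                shared = ipaddress.ip_address(ip) in SHARED_CDN
                reasons.append(f"ip:{ip}" + (":shared-cdn" if shared else ""))
        # Hash indicator from an EDR-style file/process event.
        if fields.get("sha256", "").lower() in HASH_IOCS:
            reasons.append("hash:sha256")
        reasons = list(dict.fromkeys(reasons))  # dedupe, keep order
        if reasons:
            strong = any(not r.endswith(":shared-cdn") for r in reasons)
            hits.append({"source": line.split()[0],
                         "reasons": reasons,
                         "confidence": "high" if strong else "low"})
    return hits


# Constructed sample lines; proxy, DNS and EDR formats are illustrative only.
SAMPLE_LOGS = [
    "proxy ts=2026-05-25T10:01:02Z src=10.0.0.5 dst=104.21.72.4 "
    "host=pulse.cryptowavematrix6.cyou url=https://pulse.cryptowavematrix6.cyou/t.js",
    "dns ts=2026-05-25T10:01:09Z src=10.0.0.5 qname=dwn.nexusriftcore9.cfd. rtype=A",
    "proxy ts=2026-05-25T10:02:00Z src=10.0.0.7 dst=104.21.72.4 host=example.com url=https://example.com/",
    r"edr ts=2026-05-25T10:03:15Z host=WS01 event=process_create "
    r"sha256=0a6a792109809ef80ee6f93835aa26ead15ed0deabdcd56b0889fb92b62167a4 path=C:\Users\a\Downloads\setup.exe",
    "dns ts=2026-05-25T10:04:00Z src=10.0.0.9 qname=cdn.mascard.biz rtype=A",
    "dns ts=2026-05-25T10:04:01Z src=10.0.0.9 qname=notmascard.biz rtype=A",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(hit)
```

    Run as-is to see five hits: four high-confidence (two delivery-chain domains, the post-execution subdomain cdn.mascard.biz, and the loader hash) and one low-confidence hit where a benign Cloudflare-fronted site shares the listed IP. The lookalike notmascard.biz produces nothing.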

    Reference:

    https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2026-05-22-RemusStealer-Delivered-via-Software-Search-Redirection.txt


    Tags

    Malware, Stealer, Obfuscation, Fake software
