Remus Infostealer Used Ethereum Smart Contracts to Rotate Live C2 Infrastructure
Researchers mapped an active Remus infostealer infrastructure cluster that stores live command-and-control data in Ethereum smart contracts, extending the malware's use of dead-drop resolvers beyond Telegram and Steam. By querying contract 0x999941b74F6bbc921D5174A5b29911562cd2D7CF via a public RPC endpoint and tracking its DomainUpdated activity, they identified a previously unlisted live C2 at fightwa[.]biz:5902, following earlier values including chalx[.]live:5902. Historical updates showed the operators were rotating infrastructure through late April, and the newly identified domain resolved to 185.53.179.128, an IP already linked to Remus operations.
Further analysis tied the campaign to a broader, automated infrastructure spread across more than 15 ASNs, with notable concentration at Hostinger International Limited (AS47583) and Team Internet AG (AS206834). Investigators found heavy use of .biz domains registered in early March through Dynadot, shared certificate and hosting patterns, and four additional Ethereum contracts beyond the one first identified, bringing the total to five contracts used to publish live C2 information. The contract set showed an evolution from simple DomainStorage logic to more advanced DataStore variants with stronger validation, ownership controls, and gas-optimized stealth features, while one v3 contract included a Russian-language code comment that researchers said was only a minor attribution clue consistent with the broader Remus/Lumma ecosystem.
How this story unfolded
7 events from the earliest known activity through the most recent confirmed update.
Researchers trace Remus to September 2025 Tenzor test builds
Gen Threat Labs reported that Remus could be traced to September 2025 test builds labeled Tenzor and assessed it as a new 64-bit variant closely derived from Lumma Stealer. The analysis also highlighted inherited Chromium key-theft techniques and EtherHiding-based C2 resolution, indicating Remus evolved from the Lumma ecosystem rather than appearing suddenly in 2026.
Remus infrastructure domains registered in early March
The Remus infostealer campaign registered many .biz domains around the same time in early March 2026 through Dynadot. Shared certificate and hosting traits suggested an automated infrastructure setup.
Researchers find exposed xlabs_v1 botnet directory
In early April 2026, researchers discovered an exposed open directory on 176.65.139.44 and used its publicly accessible files to reconstruct the Mirai-derived xlabs_v1 DDoS-for-hire operation. The malware was found targeting internet-exposed Android Debug Bridge services on TCP/5555 and supporting multiple architectures.
Remus Ethereum contract rotates to fightwa[.]biz:5902
Historical smart-contract activity showed the Remus cluster progressing from a test domain to chalx[.]live:5902 and then to fightwa[.]biz:5902. The latest observed C2 rotation occurred as recently as 2026-04-25, indicating the infrastructure was still active.
Research identifies live Remus C2 via Ethereum smart contract
By querying Ethereum contract 0x999941b74F6bbc921D5174A5b29911562cd2D7CF with function selector 0xc2fb26a6 through a public RPC endpoint, a researcher identified live C2 domain fightwa[.]biz:5902. The hosting IP 185.53.179.128 matched infrastructure previously associated with Remus, supporting attribution to the same campaign.
Researchers expose xlabs_v1 botnet infrastructure and protocol
Analysis of xlabs_v1 production and development binaries revealed 21 attack variants, a plaintext-framed C2 protocol over TCP/35342 using xlabslover[.]lol, and infrastructure concentrated in the 176.65.139.0/24 netblock in the Netherlands. Weak ChaCha20 implementation details also allowed recovery of the operator handle Tadashi, bot tag xlabs_v1, and an authentication token.
Additional Remus smart contracts and infrastructure concentration mapped
Further analysis of the Remus campaign uncovered four additional Ethereum smart contracts beyond the previously identified one, bringing the total to five used to store live C2 information. The research also highlighted infrastructure concentration at Hostinger International Limited and Team Internet AG, with 185.53.179.128 identified as a likely central convergence or exfiltration server.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Remus Infostealer Uses Lumma-Style Browser Key Theft and Application-Bound Encryption Bypass
cybersecuritynews.com
Open sourceMapping Remus Infostealer - by Vasilis Orlof
intelinsights.substack.com
Open sourcexlabs_v1 DDoS-for-Hire Operation Exposed: How an Operator's Debug Build Unraveled a Commercial Game-Server Botnet
hunt.io
Open sourceC2 in the Ether - by Vasilis Orlof
intelinsights.substack.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
ResolverRAT, LummaStealer, and Amadey Linked in Multi-Tool Cybercrime Campaign
Researchers tied **ResolverRAT**, **LummaStealer**, and an **Amadey** botnet cluster to an active financially motivated campaign that has operated since at least late 2025 and uses fake browser update lures, staged loaders, and legitimate remote management tools for persistence. One analyzed chain used a Donut-decrypted, triple-protected `.NET` loader to deliver both ResolverRAT and LummaStealer at once, combining persistent remote access with credential and cryptocurrency wallet theft. The malware used layered obfuscation including .NET Reactor, custom transformations, AES-256-CBC, GZip, process hollowing, fragmented WinAPI reconstruction, forged compile timestamps, encrypted resource blobs, and certificate pinning, while operators rotated infrastructure across dozens of IPs, multiple domains, and hosting providers in Russia, the Netherlands, Germany, Poland, and elsewhere. Investigators also identified a fake Microsoft-themed domain, **pat[.]microsoft-telemetry[.]at**, and newly activated infrastructure such as **kampf[.]huehnchenfarm[.]ru** tied to the same ecosystem. A parallel March 2026 investigation linked the **fbf543** Amadey campaign to more than 50 payloads spanning at least 13 malware families, including Vidar, QuasarRAT, XWorm, AsyncRAT, Smoke Loader, and LummaStealer, with delivery through fake installers and hosting on infrastructure centered on **Omegatech LTD (AS202412)** and related abusive networks. Analysts found that the operators also abused nine legitimate, signed RMM tools from **ConnectWise, DattoRMM, Atera, GoToResolve, and N-able**, configuring them to beacon to attacker-controlled relays rather than compromising the vendors themselves. A separate Go-based loader unpacked LummaStealer with AES, RC4, and QuickLZ before hollowing **AppLaunch.exe**, reinforcing a playbook built around stealthy loaders, infostealer deployment, redundant access channels, and monetization consistent with an initial access broker or ransomware affiliate operation.
Apr 25, 2026
SmokeLoader Campaigns Exposed Through Remus Plugin and Shared C2 Infrastructure
Researchers traced multiple **SmokeLoader** operations to live command-and-control infrastructure that supported credential theft, screenshot capture, clipboard theft, host profiling, and data exfiltration. One March 2026 campaign used a **ClickFix** social-engineering lure, an MSI installer, and a Go-based loader to deploy the **Remus** plugin, with exfiltration sent to `baxe[.]pics:48261`; investigators extracted configuration data including the C2 URL, campaign ID, plugin markers, and a **ChaCha20** key that allowed captured traffic to be decrypted. Cross-sample analysis linked the same builder output to SmokeLoader deliveries via **Amadey**, **Phorpiex**, and the ClickFix/GOLoader chain, pointing to a shared malware-as-a-service or affiliate ecosystem. Separate analysis tied SmokeLoader to a broader dual-family operation involving **Fuery**, likely run by an operator using the alias **"ingermany"**, who used a Flask-based panel disguised as **"InsureFlow Pro"** and a second **"Monkey"** panel for Fuery management. Investigators documented repeated OPSEC failures across the infrastructure, including reused certificates, exposed registration data, same-day domain registrations, and a C2 domain that shared a VPS with a legitimate Arabic-language learning platform, `qimmaedu[.]com`, while malware traffic beaconed to `coox[.]live` and `baxe[.]pics`. The reports also highlighted unusual technical overlaps, including Go 1.20.1 builds, Raft protocol type-name obfuscation, split C2 services on high ports, and hosting links to providers and subnets previously associated with **Phorpiex**, reinforcing the assessment that financially motivated operators were reusing infrastructure across malware families and legitimate services.
Apr 25, 2026
Signed Malware Installers and Live C2 Infrastructure Fuel Multiple Loader Campaigns
Breakglass Intelligence identified several active malware delivery operations using signed installers, compromised websites, and live command-and-control infrastructure to distribute loaders, stealers, and remote access tools. One campaign used the newly registered domain `maybedontbanplease[.]com` as CastleLoader C2 on 3NT Solutions LLP infrastructure, with a large NSIS installer embedding Python 3.14, AES-encrypted payloads, and in-memory shellcode execution via `pythonw.exe`; the installer was signed with an EV certificate issued to the likely fictitious entity **SERPENTINE SOLAR LIMITED**. The activity was attributed with medium-high confidence to **GrayBravo** and linked to delivery of **LummaC2, StealC, RedLine, Rhadamanthys, DeerStealer, NetSupport RAT,** and **SectopRAT**, with targeting that included U.S. government, critical infrastructure, IT, and logistics organizations. A separate operation distributed a trojanized `MSTeamsSetup.exe` that installed a weaponized **RustDesk** client and communicated with `mon.systemautoupdater[.]com` on EvoXT infrastructure, while presenting a TLS certificate for `calipology[.]com`, tying the activity to the **GeorgeGinx/Striker** operator. In another live campaign, attackers used the compromised Syrian web development site `allsydevs[.]com` to host an obfuscated .NET loader masquerading as a WordPress image and connected victims to `172[.]93[.]167[.]12:4263` over HTTPS using a self-signed certificate with the fake common name **Mesh Data**; at least six related samples were linked to the same C2, with lure names suggesting targeting of Middle Eastern construction and export firms. Together, the investigations show financially motivated actors expanding malware distribution through fraudulent code-signing, trojanized business software, and hijacked web infrastructure.
Apr 25, 2026