Protect.Computer

New REMUS Infostealer Rents Out Session-Theft to Criminals


Security researchers have published a detailed breakdown of REMUS, a fast-growing infostealer that criminals can rent by subscription — a model called Malware-as-a-Service (MaaS). REMUS focuses on stealing your browser’s active “session tokens”: the invisible keys your browser holds after you log in so you don’t have to type your password on every page. Once an attacker grabs those tokens, they can open your email, social media, or online banking as if they were you — no password required.

What makes REMUS particularly worrying is how quickly its creators are updating it. New features — including the ability to extract tokens from more browsers and dodge some security tools — are being rolled out at a pace that outstrips many commercial antivirus products. The malware spreads mainly through fake downloads, cracked software, and phishing links.

How to check if you’re affected

The affected devices are Windows computers on which you recently opened a file downloaded from an unofficial website, a torrent, or a link sent through chat.

  • Look for unexpected sign-ins. Most email and social media platforms (Gmail, Outlook, Facebook, Instagram) show “Recent activity” or “Active sessions” — check yours for logins from places or devices you don’t recognize.
  • Run a quick scan. Open Windows Security (search “Windows Security” in the Start menu) → Virus & threat protection → Quick scan.
  • Log out everywhere. On Gmail, scroll to the bottom of the inbox and click “Last account activity” → Sign out of all other sessions. On Facebook: Settings → Password and Security → Where you’re logged in.
  • Enable two-factor authentication (2FA). Even if a session token is stolen, 2FA still challenges every new login, so it blocks attackers who are not already inside an active session.
