Security researchers from SANS Internet Storm Center published a detailed technical analysis of REMUS, an infostealer-as-a-service platform that has undergone rapid development since its emergence in late 2025. Unlike earlier infostealers, which focused primarily on password harvesting, REMUS specifically targets session tokens for enterprise SaaS applications. This lets buyers access victim accounts directly, without needing the victim's password and without having to bypass MFA, because a valid session token represents an already-authenticated session.
Technical Capabilities
REMUS is distributed as a compiled Windows binary with an obfuscation layer that changes on each build request from the MaaS portal. Its credential and session extraction capabilities include:
Browser credential and cookie theft:
- Extracts saved passwords from Chrome, Edge, Firefox, and Brave browser profiles
- Captures all stored browser cookies, with specific parsing and tagging of cookies matching patterns for Salesforce (*.salesforce.com), Workday (*.workday.com), ServiceNow (*.service-now.com), Microsoft 365 (login.microsoftonline.com, *.sharepoint.com), and GitHub (github.com)
- Targets session cookies specifically, not just authentication cookies, giving buyers active sessions rather than just credentials
Beyond browser credentials:
- Extracts Windows Credential Manager stored credentials
- Harvests SSH keys from common locations (%USERPROFILE%\.ssh\, %APPDATA%\PuTTY)
- Captures MFA backup codes stored in common locations (KeePass databases, plain text files matching naming patterns)
- Screenshots active windows on execution to provide context about the victim's current activity
Exfiltration:
- Data is exfiltrated via HTTPS POST to a rotating set of legitimate-looking domain names
- Exfil packets are encrypted and structured as JSON blobs
The MaaS Business Model
REMUS operates as a subscription service with tiered pricing: a basic tier provides access to the builder (executable generation), log parsing, and a web panel. Advanced tiers include customer support, obfuscation updates to evade new AV signatures, and a "guaranteed delivery" option where the REMUS operators handle distribution campaigns themselves.
The ease of session token resale to access brokers (who then sell to ransomware affiliates) has made REMUS financially attractive. A single successful deployment against an enterprise employee can yield session tokens worth several thousand dollars in access broker markets.
Why Session Tokens Are the Critical Asset
The shift from password harvesting to session token theft reflects the widespread deployment of phishing-resistant MFA. Session tokens bypass MFA entirely because they represent a post-authentication state: the victim already proved their identity when the session was created. A stolen session token gives a buyer the same access the victim has, limited only by the token's remaining validity period.
Enterprise SaaS applications typically issue session tokens with validity periods of 8 to 24 hours, and some implement sliding expiry (refreshing on each use), making them effectively persistent until explicitly revoked.
Recommended Actions
- Conditional Access on session tokens: Configure Conditional Access policies in Entra ID that require re-authentication when sign-in risk is elevated. Enable Continuous Access Evaluation (CAE) so that session tokens can be revoked in near-real-time when risk signals emerge.
- Session token binding: Where supported, enable token binding or Persistent Browser Session policies that tie session tokens to specific device/browser combinations. This limits the portability of stolen tokens.
- Infostealer deployment detection: Deploy endpoint detection rules for the behavioural patterns associated with infostealer execution: mass file reads of browser profile directories, a process reading %LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data, and outbound HTTPS POSTs to newly registered domains.
- Employee awareness on personal devices: Infostealers frequently arrive via personal device activity (pirated software, gaming cheats, fake tools). Consider enforcing managed-device-only policies for enterprise SaaS access.
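As an added example (not part of the SANS analysis or of this article), the following Python sketch correlates the three behavioural signals listed under infostealer deployment detection over constructed endpoint telemetry: several credential-store reads by one process, followed shortly by an HTTPS POST to a recently registered domain. The event format, the profile paths, the 30-day "newly registered" threshold and the domain-age lookup are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Paths under the user profile where browsers keep password/cookie stores
# (assumption: default profile locations; extend with what your EDR normalises to).
CRED_STORES = [
    r"\Google\Chrome\User Data\Default\Login Data",
    r"\Google\Chrome\User Data\Default\Network\Cookies",
    r"\Microsoft\Edge\User Data\Default\Login Data",
    r"\BraveSoftware\Brave-Browser\User Data\Default\Login Data",
    r"\Mozilla\Firefox\Profiles",
]
NEW_DOMAIN_DAYS = 30             # "newly registered" threshold (assumption)
WINDOW = timedelta(minutes=5)    # reads must precede the POST within this window

def is_cred_store(path):
    return any(p.lower() in path.lower() for p in CRED_STORES)

def detect(events, registered, now):
    """Return the pids matching the stealer pattern: at least two credential-store
    reads followed within WINDOW by an HTTPS POST to a domain registered less than
    NEW_DOMAIN_DAYS ago. events: dicts {ts, pid, type: 'read'|'post', path|domain};
    registered: domain -> registration datetime (assumption: from RDAP/WHOIS)."""
    reads, hits = defaultdict(list), set()
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["type"] == "read" and is_cred_store(e["path"]):
            reads[e["pid"]].append(e["ts"])
        elif e["type"] == "post":
            reg = registered.get(e["domain"])
            recent = [t for t in reads[e["pid"]] if e["ts"] - t <= WINDOW]
            if reg and now - reg < timedelta(days=NEW_DOMAIN_DAYS) and len(recent) >= 2:
                hits.add(e["pid"])
    return hits

# Constructed sample telemetry (not real data): pid 4242 behaves like a stealer,
# pid 100 is a browser reading only its own store and posting to a long-lived domain.
T0 = datetime(2026, 1, 15, 9, 0)
CHROME = r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data"
EDGE = r"C:\Users\u\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"
SAMPLE_EVENTS = [
    {"ts": T0, "pid": 4242, "type": "read", "path": CHROME},
    {"ts": T0 + timedelta(seconds=2), "pid": 4242, "type": "read", "path": EDGE},
    {"ts": T0 + timedelta(seconds=30), "pid": 4242, "type": "post", "domain": "cdn-sync-update.example"},
    {"ts": T0, "pid": 100, "type": "read", "path": CHROME},
    {"ts": T0 + timedelta(seconds=5), "pid": 100, "type": "post", "domain": "accounts.google.com"},
]
SAMPLE_REGISTERED = {"cdn-sync-update.example": T0 - timedelta(days=3),
                     "accounts.google.com": T0 - timedelta(days=9000)}
if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS, SAMPLE_REGISTERED, T0))   # {4242}
```

In production the domain age would come from passive DNS or an RDAP lookup cached per domain, and the read threshold should be tuned against the browsers' own update and sync processes, which legitimately touch these files.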