Mapping Remus Infostealer
ID: 20e4d3c5-ea90-5290-934a-3d186f26c75a
STIX ID: report--20e4d3c5-ea90-5290-934a-3d186f26c75a
Feed Name: IntelInsights (Substack)
This report examines the Remus infostealer infrastructure: a distributed cluster spanning more than 15 ASNs, concentrated at Hostinger (AS47583) and Team Internet (AS206834); numerous .biz domains registered through Dynadot in early March; shared certificate fingerprints; and pivotable IoCs. The author correlates domain and certificate pivots with Ethereum on-chain evidence, uncovering five smart contracts (one DomainStorage and four DataStore versions) used to store C2 URLs. Successive contract versions show evolving validation, changes to event logging, and a gas-optimization comment written in Russian, which suggests a language fingerprint. The findings point to an automated campaign with active operator iteration and provide detection hooks (on-chain event monitors, IoCs), while noting that attribution remains limited.
