Attackers returned once again to a common target with a massive user base by exploiting a max-severity zero-day vulnerability affecting Cisco Catalyst SD-WAN Controller and Manager.

The threat group behind the “limited” number of attacks Cisco is aware of thus far are also linked to a series of previously disclosed vulnerabilities in the vendor’s firewalls and SD-WAN systems, the company said in a threat advisory Thursday.

The authentication bypass vulnerability — CVE-2026-20182 — has a CVSS rating of 10 and “behaves like a master key,” Douglas McKee, director of vulnerability intelligence at Rapid7, wrote in a blog post. 

“An attacker can present themselves to the controller as a trusted network router and, if the system accepts that claim without properly validating it, they can obtain the highest level of administrative access,” he added. “That is the cybersecurity version of a Jedi mind trick.”

Rapid7 discovered and reported the vulnerability to Cisco on March 9, and Cisco said it became aware of limited exploitation of the vulnerability earlier this month. The vendor disclosed and released a patch for the vulnerability Thursday, and the Cybersecurity and Infrastructure Security Agency quickly added the defect to its known exploited vulnerabilities catalog.

Cisco did not explain what occurred during that two-month window. Yet, the disclosure and warning from researchers marks another challenge for Cisco customers that have confronted a flood of actively exploited vulnerabilities affecting the vendor’s network edge software since late February. 

Cisco isn’t the only security vendor facing an onslaught of attacks on its customers, but it is among the most heavily targeted. CISA has added seven vulnerabilities affecting Cisco SD-WANs and firewalls to its known exploited vulnerabilities catalog in less than three months.

Cisco Talos researchers attributed the latest round of zero-day attacks to UAT-8616, the same attackers that exploited a pair of separate zero-days in Cisco’s network edge software for at least three years before the activity was discovered and reported in February. 

The company, which described the exploitation of the new zero-day as ongoing, once again declined to answer questions about the origins or motivations of UAT-8616. 

“We strongly recommend customers apply the available fixed software releases and follow the guidance provided in the advisories and Cisco Talos blog,” a spokesperson for the company said in a statement.

Cisco Talos researchers also warned that UAT-8616 and at least 10 other threat groups have chained together and achieved “widespread in-the-wild active exploitation of three vulnerabilities in unpatched Cisco Catalyst SD-WAN Infrastructure.” The company previously disclosed and released patches for the vulnerabilities — including CVE-2026-20122, CVE-2026-20128 and CVE-2026-20133 — in February. 

Rapid7 said it discovered the latest critical authentication bypass vulnerability when it was researching CVE-2026-20127, a previous zero-day the Five Eyes identified and confirmed as actively exploited by UAT-8616 in late 2025. Authorities and Cisco waited at least two months to disclose and patch the vulnerability, and share emergency mitigation guidance.

That campaign, which got underway at least three years prior, marked the second series of actively exploited zero-days in Cisco edge technology in less than a year. Both campaigns prompted CISA to issue emergency directives months after the attacks were first detected, and both attack sprees were underway for at least a year before they were discovered. 

The latest zero-day, which bypasses authentication in the same control-plane service as CVE-2026-20127,  requires no credentials or prior knowledge of the target environment for exploitation, Jonah Burgess, senior security researcher at Rapid7, told CyberScoop.

“Cisco confirmed it affects all deployment types, including on-premises, cloud, and FedRAMP environments. The SD-WAN Controller manages routing and policy for the entire overlay network, so a single compromised controller can potentially give an attacker influence over every branch, data center, and cloud edge connected to that fabric,” Burgess added.

His colleague at Rapid7, McKee, said attackers have become very good at turning weaknesses in central network infrastructure into high-impact operations. 

“Compromising one branch router is useful. Compromising the controller that manages the entire estate is a very different conversation. Now you are talking about the ability to reroute traffic, intercept communications, push malicious configuration, or simply break connectivity across the whole organization,” he wrote.

“That is the real paradox here,” McKee added. “The same architecture that gives defenders scale and simplicity can also give attackers a single point of catastrophic leverage.”

In recent months, a new infostealer malware known as REMUS has emerged across the cybercrime landscape, drawing attention from security researchers and malware analysts. Several technical analyses published in recent months focused on the malware’s capabilities, infrastructure, and similarities to Lumma Stealer, including browser targeting mechanisms, and credential theft functionality and more.

However, far less attention has been given to the underground operation behind the malware itself.

An analysis conducted by Flare researchers of 128 posts linked to the REMUS underground operation between February 12 and May 8, 2026, provides a rare look into how the group presents, develops, and operationalizes the malware within underground communities. By analyzing the actor’s advertisements, update logs, feature announcements, operational discussions, and customer-facing communications, the research helps map how the operation evolved over time and what priorities drove its development.

The findings reveal not only the rapid evolution of the stealer’s capabilities, but also a growing focus on commercialization, operational scalability, session theft, and password-manager targeting. More broadly, the activity offers insight into how modern malware-as-a-service (MaaS) operations increasingly resemble structured software businesses, with continuous development cycles, operational refinements, and features designed to improve usability, persistence, and long-term monetization.

The underground activity reveals a highly compressed but aggressive development cycle, with the operator repeatedly publishing feature updates, operational refinements, and new collection capabilities over just a few months.

Rather than advertising a static malware build, the posts portray an actively maintained MaaS platform evolving in near real time.

• February 2026 marked the initial commercial push. Early posts focused on establishing REMUS as a reliable and easy-to-use stealer, promoting browser credential theft, cookie collection, Discord token theft, Telegram delivery, and basic log management. The tone was highly promotional and customer-oriented. In one of the earliest posts, the operator claimed: “With good crypting and a dedicated intermediary server, the callback rate is ~90%.”

  Another post marketed the malware as featuring “24/7 support” and functionality “simple enough that even a child can figure it out” highlighting a strong emphasis on usability and commercialization from the beginning.

• March 2026 represented the campaign’s most active development period. During this phase, the operator introduced restore-token functionality, expanded log handling, worker tracking, statistics pages, duplicate-log filtering, and improved Telegram delivery workflows. Multiple posts focused not on theft itself, but on operational visibility and campaign management. One update added worker nicknames to log tables and statistics views, while another improved loader execution visibility so operators could better understand failed infections. The shift suggests REMUS was evolving into a broader operational platform rather than just a malware executable.

• April 2026 showed a clear move toward session continuity and browser-side authentication artifacts. The operator added SOCKS5 proxy support, improved token restoration, anti-VM toggles, gaming-platform targeting, and password-manager-related collection. One update explicitly stated: “Added IndexedDB collection for 1Password and LastPass extensions.”

  Another referenced Bitwarden-related searches. The posts increasingly emphasized authenticated sessions, restore workflows, and browser-side storage rather than standalone credentials alone.

• By early May 2026, the operation appeared focused on refinement and operational stability. The remaining posts in the dataset referenced restore improvements, bug fixes, collection optimizations, and continued adjustments to delivery and management functionality, suggesting the operator was shifting from rapid feature expansion toward platform stabilization.

REMUS and Its Connection to Lumma

Public reporting has largely focused on REMUS as a technically significant successor or variant of the Lumma Stealer. Researchers described the malware as a 64-bit infostealer sharing multiple similarities with Lumma, including anti-VM checks, browser-focused credential theft, and browser encryption bypass techniques.

That technical overlap is important, but the underground data suggests the story extends far beyond malware lineage.

The analyzed posts show a threat actor aggressively building a commercial cybercrime product around the malware. The operation repeatedly promoted updates, customer support, performance improvements, and additional collection capabilities in a way that strongly resembles legitimate software development cycles.

In one early post, the operator claimed the malware could achieve approximately “90%” successful delivery rates when paired with proper crypting and an intermediary server, language clearly aimed at reassuring potential buyers about operational reliability.

A Shift Toward Session Theft and the Rising Value of Cookies

One of the clearest themes across the REMUS campaign is the growing emphasis on session theft rather than traditional credential harvesting alone.
Historically, many infostealers focused primarily on usernames and passwords.

REMUS, however, repeatedly emphasized cookie collection, token handling, browser sessions, proxy-assisted restoration, and authenticated access continuity. From the earliest stages of the campaign, the malware promoted browser sessions and authentication artifacts as a core part of its value.

This reflects a broader shift across the underground economy, where stolen cookies and authenticated sessions have increasingly become a highly valuable commodity. Instead of stealing credentials and attempting to log in later, attackers increasingly seek already authenticated sessions that may bypass MFA prompts, login alerts, device verification, and risk-based authentication systems.

Multiple REMUS updates referenced “Restore” improvements, proxy compatibility, and support for multiple proxy types during token restoration workflows, strongly suggesting the operator viewed session persistence as a major selling point.

Several updates also focused on platforms where active sessions carry substantial value, including Discord, Steam, Riot Games, and Telegram-linked environments. Combined with cookie collection and restore functionality, the campaign increasingly appeared designed not just to steal credentials, but to preserve and operationalize authenticated access itself.

Password Managers Become High-Value Targets

The most significant late-stage evolution observed in the campaign involved password-manager-related collection. By April 2026, the operator was advertising support tied to Bitwarden, 1Password, LastPass, and IndexedDB browser storage. Password managers increasingly represent concentrated stores of valuable credentials and authentication material.

The references to IndexedDB are especially relevant because modern browser applications and extensions frequently use local browser storage mechanisms to retain application data and session information.
The posts do not prove successful vault decryption or direct password-manager compromise by themselves.

However, they clearly demonstrate that REMUS development was moving toward browser-side storage collection associated with password-management ecosystems.

The Operational Maturity Behind REMUS

The underground activity also demonstrates how modern MaaS ecosystems increasingly resemble legitimate software businesses.

Across the analyzed posts, the operator repeatedly published versioned updates, bug fixes, feature expansions, troubleshooting improvements, statistics enhancements, and operational visibility refinements.

Several posts also implied a multi-operator environment through references to workers, statistics dashboards, management visibility, loader monitoring, and log categorization. This operational structure aligns closely with broader MaaS trends where malware developers increasingly separate development, infrastructure, delivery, and monetization into specialized roles.

Final Thoughts

The REMUS campaign offers a revealing look into how modern infostealer operations are evolving far beyond simple credential theft.

Over just a few months, the underground activity analyzed by Flare analysts showed a clear transition from basic malware promotion into the development of a structured MaaS ecosystem focused on operational reliability, session persistence, and scalable data collection.

Perhaps most notably, the campaign highlighted the growing importance of authenticated sessions and browser-side authentication artifacts within the underground economy. The repeated emphasis on token restoration, proxy-assisted session recovery, and password-manager-related collection reflects a broader shift in cybercrime operations away from simply stealing passwords and toward maintaining direct access to already-authenticated environments.

The findings reinforce an increasingly important reality: infostealers are rapidly evolving into mature operational platforms that support persistence, automation, and long-term monetization workflows. As these ecosystems continue to professionalize, understanding how threat actors operationalize and commercialize malware may become just as important as analyzing the malware itself.

Learn more by signing up for our free trial.

Sponsored and written by Flare.