The ThreatFox: Remus IOCs rule detects potential adversary activity associated with the Remus malware, leveraging known indicators of compromise to identify malicious network traffic or command-and-control communications. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats that may be leveraging Remus for data exfiltration or lateral movement.
IOC Summary
Malware Family: Remus
Total IOCs: 2
IOC Types: url, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | nottinghamcarpetsandblinds.com | botnet_cc | 2026-06-14 | 100% |
| url | hxxp://nottinghamcarpetsandblinds.com:5789 | botnet_cc | 2026-06-14 | 75% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Remus
let malicious_domains = dynamic(["nottinghamcarpetsandblinds.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
```kusto
// Hunt for access to known malicious URLs
// Source: ThreatFox - Remus
let malicious_urls = dynamic(["http://nottinghamcarpetsandblinds.com:5789"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
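The two hunts above, reproduced offline as an added Python example (not part of the ThreatFox rule or the Sentinel queries): it refangs the defanged ThreatFox notation (hxxp, [.]) into matchable strings, then runs the domain and URL checks over constructed sample rows shaped like the projected DnsEvents and UrlClickEvents columns. It goes slightly beyond the KQL by matching subdomains of the listed domain and any URL whose host is the listed C2 domain, so a different port or path on the same host still surfaces.

```python
from urllib.parse import urlsplit

# IOCs as listed in the table above (the URL is defanged: hxxp -> http).
THREATFOX_IOCS = [
    {"type": "domain", "value": "nottinghamcarpetsandblinds.com", "confidence": 100},
    {"type": "url", "value": "hxxp://nottinghamcarpetsandblinds.com:5789", "confidence": 75},
]

def refang(value):
    """Turn defanged ThreatFox notation back into a string that can be matched."""
    return (value.replace("hxxps://", "https://").replace("hxxp://", "http://")
                 .replace("[.]", ".").replace("[:]", ":"))

def ioc_sets(iocs):
    """Split the feed into the two lists the KQL declares as dynamic() arrays."""
    domains = {refang(i["value"]).lower() for i in iocs if i["type"] == "domain"}
    urls = {refang(i["value"]).lower().rstrip("/") for i in iocs if i["type"] == "url"}
    return domains, urls

def hunt_dns(events, domains):
    """DnsEvents hunt: the queried Name is the listed domain or a subdomain of it
    (suffix match on a label boundary, not an arbitrary substring)."""
    hits = []
    for e in events:
        name = e["Name"].lower().rstrip(".")      # tolerate trailing-dot FQDNs
        if any(name == d or name.endswith("." + d) for d in domains):
            hits.append(e)
    return hits

def hunt_urls(events, urls, domains):
    """UrlClickEvents hunt: exact URL match, plus a host-level match so that a
    different scheme, port or path on the listed C2 host is still flagged."""
    hits = []
    for e in events:
        url = e["Url"].lower().rstrip("/")
        host = urlsplit(url).hostname or ""
        if url in urls or host in domains:
            hits.append(e)
    return hits

# Constructed sample rows (not real telemetry) in the shape the KQL projects.
SAMPLE_DNS = [
    {"TimeGenerated": "2026-06-15T08:01:00Z", "Computer": "WS01", "Name": "nottinghamcarpetsandblinds.com"},
    {"TimeGenerated": "2026-06-15T08:02:00Z", "Computer": "WS02", "Name": "cdn.example.net"},
    {"TimeGenerated": "2026-06-15T08:03:00Z", "Computer": "WS03", "Name": "mail.nottinghamcarpetsandblinds.com."},
]
SAMPLE_URLS = [
    {"Timestamp": "2026-06-15T08:04:00Z", "AccountUpn": "a@example.com", "Url": "http://nottinghamcarpetsandblinds.com:5789/"},
    {"Timestamp": "2026-06-15T08:05:00Z", "AccountUpn": "b@example.com", "Url": "https://example.org/login"},
    {"Timestamp": "2026-06-15T08:06:00Z", "AccountUpn": "c@example.com", "Url": "http://nottinghamcarpetsandblinds.com/update.bin"},
]
```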
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
Scenario: System update or patching process using Remus as part of a legitimate enterprise tool
Filter/Exclusion: Exclude processes initiated by known system update tools like Windows Update or WSUS, or those with msiexec.exe or setup.exe as the parent process.
Scenario: Scheduled job running Remus for log collection or monitoring
Filter/Exclusion: Exclude processes launched by scheduled tasks with known legitimate names like LogCollector.exe or MonitoringService.exe, or those running under a service account with restricted permissions.
Scenario: Admin task involving Remus for network discovery or inventory
Filter/Exclusion: Exclude processes initiated by administrative tools like PowerShell.exe or Task Scheduler with scripts that are known to be part of enterprise inventory tools (e.g., InventoryTool.exe).
Scenario: Legitimate use of Remus in a security tool for threat intelligence enrichment
Filter/Exclusion: Exclude processes that are part of a known security tool like ThreatIntelUpdater.exe or IOCParser.exe, or those that are whitelisted in the enterprise’s IOC database.
Scenario: False positive from a third-party tool that uses Remus as part of its internal logic
Filter/Exclusion: Exclude processes that are child processes of known third-party tools (e.g., SplunkForwarder.exe, ELKStack.exe) or those that have a parent process matching a known legitimate application.