The ThreatFox: Remus IOCs rule detects potential adversary activity associated with the Remus malware, which is known for its persistence and data exfiltration capabilities. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate advanced threats that could compromise sensitive data and network integrity.
IOC Summary
Malware Family: Remus Total IOCs: 6 IOC Types: url, ip:port, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxp://it-solutions-bayern.com:6431 | payload_delivery | 2026-05-22 | 50% |
| url | hxxp://woodfez.biz:7582 | payload_delivery | 2026-05-22 | 50% |
| url | hxxp://firewai.biz:48261 | payload_delivery | 2026-05-22 | 50% |
| domain | softandtec.com | botnet_cc | 2026-05-22 | 100% |
| domain | genuskox.biz | botnet_cc | 2026-05-22 | 100% |
| ip:port | 80[.]211[.]47[.]159:7582 | botnet_cc | 2026-05-22 | 100% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Remus
let malicious_ips = dynamic(["80.211.47.159"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["80.211.47.159"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Remus
let malicious_domains = dynamic(["softandtec.com", "genuskox.biz"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc// Hunt for access to known malicious URLs
// Source: ThreatFox - Remus
let malicious_urls = dynamic(["http://it-solutions-bayern.com:6431", "http://woodfez.biz:7582", "http://firewai.biz:48261"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
DnsEvents | Ensure this data connector is enabled |
UrlClickEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that matches the Remus IOC pattern (e.g., remus.exe or specific registry keys).
Filter/Exclusion: Check for ProcessName containing schtasks.exe or Task Scheduler in the process tree.
Scenario: Admin Performing System Cleanup
Description: An administrator uses a tool like CCleaner or Disk Cleanup that temporarily creates files or registry entries resembling Remus IOCs.
Filter/Exclusion: Filter by ProcessName containing ccleaner.exe or cleanmgr.exe.
Scenario: Legitimate Software Installation
Description: A legitimate application (e.g., VMware Tools, Docker, or Kubernetes CLI) includes files or registry entries that match Remus IOCs.
Filter/Exclusion: Check for FileHash or FilePath matching known legitimate software binaries.
Scenario: PowerShell Script for Automation
Description: A PowerShell script (e.g., Invoke-Command or Start-Job) is used for automation and inadvertently matches Remus IOC patterns.
Filter/Exclusion: Filter by ProcessName containing powershell.exe and check for CommandLine containing Invoke-Command or Start-Job.
Scenario: Network Monitoring Tool Generating Traffic
Description: A network monitoring tool like Wireshark or tcpdump generates traffic that matches Remus IOC patterns in logs.
Filter/Exclusion: Filter by ProcessName containing wireshark.exe or tcpdump and check for ProcessUser as a known network admin.