The ThreatFox: Remus IOCs rule flags network activity that matches indicators ThreatFox attributes to the Remus malware family. Every indicator in the current feed is tagged botnet_cc, i.e. command-and-control infrastructure, so a hit means a host is resolving or contacting a known Remus C2 endpoint. SOC teams should hunt for these IOCs in Microsoft Sentinel (formerly Azure Sentinel) to find early-stage compromise while the infection is still limited to beaconing, and treat any match as a confirmed-malicious indicator rather than a heuristic.
IOC Summary

Malware Family: Remus
Total IOCs: 14 (3 URLs, 11 domains)
IOC Types: url, domain

Values are listed defanged as published by ThreatFox (hxxp instead of http); refang them before loading into a watchlist or query.
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxp://rfidassist.com:5321 | botnet_cc | 2026-05-24 | 100% |
| url | hxxp://woodfez.biz:7582 | botnet_cc | 2026-05-24 | 100% |
| url | hxxp://firewai.biz:48261 | botnet_cc | 2026-05-24 | 100% |
| domain | falcoju.shop | botnet_cc | 2026-05-24 | 100% |
| domain | estranat.biz | botnet_cc | 2026-05-24 | 100% |
| domain | pinkyandthejame.com | botnet_cc | 2026-05-24 | 100% |
| domain | gordinez.com | botnet_cc | 2026-05-24 | 100% |
| domain | it-solutions-bayern.com | botnet_cc | 2026-05-24 | 100% |
| domain | menomou.shop | botnet_cc | 2026-05-24 | 100% |
| domain | orderre.shop | botnet_cc | 2026-05-24 | 100% |
| domain | tricshp.shop | botnet_cc | 2026-05-24 | 100% |
| domain | cupaesfd.com | botnet_cc | 2026-05-24 | 100% |
| domain | rfidassist.com | botnet_cc | 2026-05-24 | 100% |
| domain | runmyaba.com | botnet_cc | 2026-05-24 | 100% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Remus
// has_any is term-based: "rfidassist.com" also matches subdomains such as
// mail.rfidassist.com, but not an unrelated registrable domain like myrfidassist.com.
let malicious_domains = dynamic(["falcoju.shop", "estranat.biz", "pinkyandthejame.com", "gordinez.com", "it-solutions-bayern.com", "menomou.shop", "orderre.shop", "tricshp.shop", "cupaesfd.com", "rfidassist.com", "runmyaba.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
```kusto
// Hunt for access to known malicious URLs
// Source: ThreatFox - Remus
// UrlClickEvents only records Safe Links clicks from mail and Teams; it will not
// see a beacon that connects straight to these host:port pairs. Run the same
// list against proxy/firewall telemetry (e.g. CommonSecurityLog DestinationHostName
// and DestinationPort) to cover direct C2 traffic.
let malicious_urls = dynamic(["http://rfidassist.com:5321", "http://woodfez.biz:7582", "http://firewai.biz:48261"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure the DNS data connector (Windows DNS via the Log Analytics agent / AMA) is enabled |
| UrlClickEvents | Ensure the Microsoft Defender XDR connector is enabled; the table is populated by Defender for Office 365 Safe Links |

Neither table observes direct connections to the non-standard C2 ports in the URL IOCs (5321, 7582, 48261); for those, query the firewall or proxy log table your environment ingests.
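The two queries above depend on how the indicators are normalised and how "match" is defined: the domain IOCs should also catch subdomains of a listed C2 domain, the URL IOCs identify a specific host and port, and the values arrive defanged. The following Python is an added example, not part of the ThreatFox feed or the Sentinel rule; it refangs the IOC table from this page and runs it over constructed sample DNS and proxy records (the log lines, hostnames and port choices are made up for the example). Hosts taken from URL IOCs are also treated as domain indicators, which is an editorial choice rather than something the feed states.

```python
import re
from urllib.parse import urlsplit

# IOCs copied from the ThreatFox "Remus" table on this page, defanged as published.
REMUS_IOCS = [
    ("url", "hxxp://rfidassist.com:5321"),
    ("url", "hxxp://woodfez.biz:7582"),
    ("url", "hxxp://firewai.biz:48261"),
    ("domain", "falcoju.shop"),
    ("domain", "estranat.biz"),
    ("domain", "pinkyandthejame.com"),
    ("domain", "gordinez.com"),
    ("domain", "it-solutions-bayern.com"),
    ("domain", "menomou.shop"),
    ("domain", "orderre.shop"),
    ("domain", "tricshp.shop"),
    ("domain", "cupaesfd.com"),
    ("domain", "rfidassist.com"),
    ("domain", "runmyaba.com"),
]

# Constructed sample telemetry (not real logs). DNS: timestamp,computer,query name.
SAMPLE_DNS = [
    "2026-05-25T08:01:12Z,WS-0142,mail.rfidassist.com",       # subdomain of a listed C2 domain
    "2026-05-25T08:01:13Z,WS-0142,orderre.shop",               # exact listed domain
    "2026-05-25T08:02:40Z,WS-0077,myorderre.shop",             # different registrable domain: must not match
    "2026-05-25T08:03:05Z,WS-0077,login.microsoftonline.com",  # benign
]
# Proxy: timestamp,source IP,destination host,destination port,URL.
SAMPLE_PROXY = [
    "2026-05-25T08:01:14Z,10.0.4.21,rfidassist.com,5321,http://rfidassist.com:5321/",  # listed host:port
    "2026-05-25T08:01:15Z,10.0.4.21,rfidassist.com,443,https://rfidassist.com/",       # listed domain, other port
    "2026-05-25T08:05:00Z,10.0.4.9,woodfez.biz,80,http://woodfez.biz/",                 # URL-IOC host, other port
    "2026-05-25T08:05:30Z,10.0.4.9,example.org,443,https://example.org/",              # benign
]


def refang(value: str) -> str:
    """Undo ThreatFox-style defanging: hxxp(s):// -> http(s)://, [.] -> ., [:] -> :."""
    value = re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("[:]", ":")


def build_indicators(iocs):
    """Split IOCs into a domain set and a (host, port) set.

    Hosts of URL IOCs are added to the domain set as well (editorial choice):
    a known C2 host seen on any port deserves a look.
    """
    domains, hostports = set(), set()
    for kind, raw in iocs:
        value = refang(raw).lower()
        if kind == "domain":
            domains.add(value.rstrip("."))
        elif kind == "url":
            parts = urlsplit(value)
            port = parts.port or (443 if parts.scheme == "https" else 80)
            domains.add(parts.hostname)
            hostports.add((parts.hostname, port))
    return domains, hostports


def match_domain(name: str, domains):
    """Return the listed domain that `name` equals or is a subdomain of, else None.

    Label-wise suffix matching mirrors KQL has_any: mail.rfidassist.com hits,
    myorderre.shop does not (a plain substring test would wrongly flag it).
    """
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):  # never test the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def hunt(dns_lines, proxy_lines, iocs=REMUS_IOCS):
    """Run the IOC set over DNS and proxy records; return a list of hit tuples."""
    domains, hostports = build_indicators(iocs)
    hits = []
    for line in dns_lines:
        ts, computer, qname = line.split(",")
        matched = match_domain(qname, domains)
        if matched:
            hits.append(("dns", ts, computer, qname, matched))
    for line in proxy_lines:
        ts, src, dest, port, url = line.split(",")
        if (dest.lower(), int(port)) in hostports:
            hits.append(("proxy_c2_port", ts, src, url, f"{dest}:{port}"))
        else:
            matched = match_domain(dest, domains)
            if matched:
                hits.append(("proxy_domain", ts, src, url, matched))
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_DNS, SAMPLE_PROXY):
        print(hit)
```

The distinction between `proxy_c2_port` and `proxy_domain` hits is deliberate: the former is the exact ThreatFox URL indicator, the latter is the C2 host on a port the feed does not list and is worth triaging but is weaker evidence.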
Tuning and Exclusions

The following exclusions apply to process-creation telemetry used alongside this rule, not to the DNS and URL matches above: a resolution of, or connection to, a listed C2 domain should never be excluded on the basis of the originating process. Each filter requires both the process name and the argument condition; the parentheses make that grouping explicit.

Scenario: System update or patching process using msiexec.exe to install Windows updates
Filter/Exclusion: process.name == "msiexec.exe" and (process.args contains " /quiet" or process.args contains " /passive")

Scenario: Scheduled backup job using vssadmin.exe to create volume shadow copies
Filter/Exclusion: process.name == "vssadmin.exe" and process.args contains " create shadow" (the actual vssadmin verb; do not widen this to "delete shadows", which is the form ransomware uses to destroy backups)

Scenario: Administrative task using taskkill.exe to terminate a non-malicious process
Filter/Exclusion: process.name == "taskkill.exe" and process.args contains " /F /IM [legitimate_process_name].exe"

Scenario: Log collection or monitoring tool like logparser.exe executing a query on the local file system
Filter/Exclusion: process.name == "logparser.exe" and (process.args contains " -i:CSV" or process.args contains " -i:FS") (LogParser input formats are given as -i:<format>; SQL is an output format, -o:SQL, not an input)

Scenario: Database maintenance task using sqlcmd.exe to run a scheduled T-SQL script
Filter/Exclusion: process.name == "sqlcmd.exe" and process.args contains ' -Q "SELECT * FROM maintenance_table"'
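The grouping in these filters matters: read without parentheses, "name == msiexec.exe and args contains /quiet or args contains /passive" excludes any process whose command line contains " /passive", which an attacker can append for free. The Python below is an added example, not part of the original rule, that evaluates the exclusions with the correct grouping against constructed process events, alongside the misgrouped reading of the msiexec rule so the difference is visible. The allow-list standing in for "[legitimate_process_name]" and all sample command lines are hypothetical.

```python
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    name: str  # image name as logged, e.g. "msiexec.exe"
    args: str  # full command line as logged, image included


# Hypothetical allow-list filling the "[legitimate_process_name]" placeholder in the taskkill rule.
TASKKILL_ALLOWED_IMAGES = {"notepad.exe", "outlook.exe"}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent("msiexec.exe", "msiexec.exe /i update.msi /quiet /norestart"),
    ProcessEvent("vssadmin.exe", "vssadmin.exe create shadow /for=C:"),
    ProcessEvent("vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),       # must NOT be excluded
    ProcessEvent("rundll32.exe", r"rundll32.exe C:\Users\Public\drop.dll,Start /passive"),  # abuses misgrouping
    ProcessEvent("taskkill.exe", "taskkill.exe /F /IM notepad.exe"),
    ProcessEvent("taskkill.exe", "taskkill.exe /F /IM MsMpEng.exe"),                 # killing Defender: keep visible
    ProcessEvent("sqlcmd.exe", 'sqlcmd.exe -S sql01 -Q "SELECT * FROM maintenance_table"'),
    ProcessEvent("logparser.exe", 'logparser.exe -i:CSV "SELECT COUNT(*) FROM app.csv"'),
]


def args_have(ev: ProcessEvent, *fragments: str) -> bool:
    """True if ANY fragment occurs in the command line (case-insensitive)."""
    line = ev.args.lower()
    return any(frag.lower() in line for frag in fragments)


def is_excluded(ev: ProcessEvent) -> bool:
    """Correctly grouped exclusions: the process-name test always applies."""
    name = ev.name.lower()
    if name == "msiexec.exe":
        return args_have(ev, " /quiet", " /passive")
    if name == "vssadmin.exe":
        return args_have(ev, " create shadow")  # never "delete shadows"
    if name == "taskkill.exe":
        toks = ev.args.lower().split()
        if "/f" in toks and "/im" in toks and toks.index("/im") + 1 < len(toks):
            return toks[toks.index("/im") + 1] in TASKKILL_ALLOWED_IMAGES
        return False
    if name == "logparser.exe":
        return args_have(ev, " -i:csv", " -i:fs")
    if name == "sqlcmd.exe":
        return args_have(ev, ' -q "select * from maintenance_table"')
    return False


def is_excluded_naive(ev: ProcessEvent) -> bool:
    """The misgrouped reading of the msiexec rule: (name AND /quiet) OR /passive."""
    return (ev.name.lower() == "msiexec.exe" and args_have(ev, " /quiet")) or args_have(ev, " /passive")


def triage(events):
    """Return (image, correct_exclusion, naive_exclusion) for each event."""
    return [(ev.name, is_excluded(ev), is_excluded_naive(ev)) for ev in events]


if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(row)
```

The rundll32 event is the one to watch: the correct filter leaves it visible, while the misgrouped version suppresses it purely because the attacker appended " /passive" to an unrelated command line.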