The ThreatFox: Remus IOCs rule detects potential adversary activity associated with the Remus malware, leveraging known indicators of compromise to identify malicious network traffic or system behavior. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats that may be leveraging Remus for data exfiltration or lateral movement.
IOC Summary
Malware Family: Remus
Total IOCs: 6
IOC Types: domain, url, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxp://it-solutions-bayern.com:6431 | payload_delivery | 2026-05-22 | 50% |
| url | hxxp://woodfez.biz:7582 | payload_delivery | 2026-05-22 | 50% |
| url | hxxp://firewai.biz:48261 | payload_delivery | 2026-05-22 | 50% |
| domain | softandtec.com | botnet_cc | 2026-05-22 | 100% |
| domain | genuskox.biz | botnet_cc | 2026-05-22 | 100% |
| ip:port | 80[.]211[.]47[.]159:7582 | botnet_cc | 2026-05-22 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Remus
let malicious_ips = dynamic(["80.211.47.159"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Remus
let malicious_ips = dynamic(["80.211.47.159"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Remus
let malicious_domains = dynamic(["softandtec.com", "genuskox.biz"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - Remus
let malicious_urls = dynamic(["http://it-solutions-bayern.com:6431", "http://woodfez.biz:7582", "http://firewai.biz:48261"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
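The `let` lists in the queries above are hand-transcribed from the defanged IOC table, which is where copy errors creep in (a leftover `hxxp` or `[.]` silently matches nothing). The following added example, not part of the original rule or of ThreatFox's own tooling, refangs the six published IOCs, groups them by type, and renders the KQL `let` declarations the queries consume. It also emits a port-aware `datatable` variant for the `ip:port` indicator, because the page's query matches the IP alone and would also fire on traffic to that host on unrelated ports; the `malicious_ip_ports` name and the join-based query are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed copy of the six ThreatFox Remus IOCs from the table above,
# kept defanged exactly as published (hxxp, [.]).
IOCS = [
    ("url", "hxxp://it-solutions-bayern.com:6431", "payload_delivery"),
    ("url", "hxxp://woodfez.biz:7582", "payload_delivery"),
    ("url", "hxxp://firewai.biz:48261", "payload_delivery"),
    ("domain", "softandtec.com", "botnet_cc"),
    ("domain", "genuskox.biz", "botnet_cc"),
    ("ip:port", "80[.]211[.]47[.]159:7582", "botnet_cc"),
]


def refang(value: str) -> str:
    """Undo the usual defanging so the value matches what telemetry actually records."""
    value = re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("[:]", ":")


def group_iocs(iocs):
    """Group refanged values by type; ip:port entries become (ip, port) tuples."""
    groups = defaultdict(list)
    for ioc_type, raw, _threat_type in iocs:
        clean = refang(raw)
        if ioc_type == "ip:port":
            ip, port = clean.rsplit(":", 1)
            groups[ioc_type].append((ip, int(port)))
        else:
            groups[ioc_type].append(clean)
    return dict(groups)


def kql_dynamic(name, values):
    """Render a KQL `let name = dynamic([...]);` line with escaped, double-quoted literals."""
    quoted = ", ".join(
        '"' + v.replace("\\", "\\\\").replace('"', '\\"') + '"' for v in values
    )
    return f"let {name} = dynamic([{quoted}]);"


def kql_ip_port_table(name, pairs):
    """Render a KQL datatable of (ip, port) rows for a port-aware join (hypothetical name)."""
    rows = ", ".join(f'"{ip}", {port}' for ip, port in pairs)
    return f"let {name} = datatable(RemoteIP:string, RemotePort:int) [{rows}];"


def build_kql(iocs):
    """Emit the `let` declarations the hunting queries use, plus a port-aware hunt."""
    g = group_iocs(iocs)
    pairs = g.get("ip:port", [])
    ips = sorted({ip for ip, _ in pairs})
    return "\n".join([
        kql_dynamic("malicious_ips", ips),
        kql_dynamic("malicious_domains", g.get("domain", [])),
        kql_dynamic("malicious_urls", g.get("url", [])),
        kql_ip_port_table("malicious_ip_ports", pairs),
        "// Port-aware hunt: only flags traffic to the IP on the published port",
        "DeviceNetworkEvents",
        "| join kind=inner malicious_ip_ports on RemoteIP, RemotePort",
        "| project Timestamp, DeviceName, RemoteIP, RemotePort, "
        "InitiatingProcessFileName, ActionType",
    ])


if __name__ == "__main__":
    print(build_kql(IOCS))
```

Run it whenever the ThreatFox feed is refreshed and paste the output over the `let` lines in the queries; the generated lists are byte-identical to the ones above for the current six indicators, and the refang step is the one place where a defanging variant such as `[:]` is handled centrally instead of by hand.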
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Backup Using Veeam
Description: A legitimate scheduled backup job using Veeam may trigger the detection due to file or network activity resembling Remus IOCs.
Filter/Exclusion: Exclude processes initiated by veeam or with command-line arguments containing backup or snapshot.
Scenario: Windows Task Scheduler Running Admin Tasks
Description: A legitimate Windows Task Scheduler job, such as running diskpart or netsh, could match Remus IOCs if the command-line arguments or file paths are similar.
Filter/Exclusion: Exclude processes with Task Scheduler as the parent process or with cmd.exe having schtasks in the command line.
Scenario: Log Management Tool Using Filebeat
Description: Filebeat, a log shipping tool, may generate traffic to a log aggregation server that matches Remus network IOCs.
Filter/Exclusion: Exclude traffic originating from filebeat or with destination IP matching the log management server’s IP.
Scenario: PowerShell Script for System Monitoring
Description: A PowerShell script used for system monitoring (e.g., using Get-EventLog or Get-Service) may trigger the rule if it uses similar command-line arguments or file paths as Remus.
Filter/Exclusion: Exclude processes with powershell.exe and command-line arguments containing Get-EventLog, Get-Service, or monitor.
Scenario: Antivirus Scan Using Windows Defender
Description: Windows Defender may perform scans that involve file access or network communication that could be flagged by the Remus detection rule.
Filter/Exclusion: Exclude processes with MsMpEng.exe or with Windows Defender in the process name or command line.
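The exclusions above are keyed on process name, parent process or command-line keywords, while the hunt itself fires on a destination IP that ThreatFox rates as `botnet_cc` at 100% confidence. The added example below, which is not part of the original rule, applies the five scenario exclusions to a handful of constructed `DeviceNetworkEvents`-shaped rows and shows what they suppress. It adds one check the page does not state: an exclusion is never allowed to hide a hit on a high-confidence C2 indicator, so a `powershell.exe Get-Service` or `VeeamAgent.exe backup` process that talks to the C2 address still alerts. The `NetEvent` fields, the log-server address, the confidence table and the assumption that scheduled tasks show `taskeng.exe` as parent are all this example's own.

```python
from dataclasses import dataclass


@dataclass
class NetEvent:
    """Constructed row shaped like the DeviceNetworkEvents columns the hunt projects."""
    device: str
    remote_ip: str
    remote_port: int
    process: str   # InitiatingProcessFileName
    parent: str    # InitiatingProcessParentFileName
    cmdline: str   # InitiatingProcessCommandLine


# Confidence from the IOC table above: 80.211.47.159 is botnet_cc at 100%.
IOC_CONFIDENCE = {"80.211.47.159": 100}
LOG_SERVER_IPS = {"10.20.30.40"}          # hypothetical log management server (Filebeat scenario)
TASK_SCHEDULER_PARENTS = {"taskeng.exe"}  # assumption: how "Task Scheduler as parent" appears


def exclusion_reason(ev: NetEvent):
    """Name the false-positive scenario that would suppress this event, or None."""
    proc, parent, cl = ev.process.lower(), ev.parent.lower(), ev.cmdline.lower()
    if "veeam" in proc or "backup" in cl or "snapshot" in cl:
        return "veeam_backup"
    if parent in TASK_SCHEDULER_PARENTS or (proc == "cmd.exe" and "schtasks" in cl):
        return "task_scheduler"
    if "filebeat" in proc or ev.remote_ip in LOG_SERVER_IPS:
        return "filebeat"
    if proc == "powershell.exe" and any(k in cl for k in ("get-eventlog", "get-service", "monitor")):
        return "powershell_monitoring"
    if proc == "msmpeng.exe" or "windows defender" in cl:
        return "windows_defender"
    return None


def triage(events, protect_high_confidence=True):
    """Split IOC hits into (alerted devices, suppressed (device, reason) pairs).

    With protect_high_confidence set, an exclusion cannot hide traffic to an
    indicator rated 100% confidence; that is this example's addition to the page.
    """
    alerts, suppressed = [], []
    for ev in events:
        confidence = IOC_CONFIDENCE.get(ev.remote_ip)
        if confidence is None:
            continue  # no IOC hit, the hunt never sees this row
        reason = exclusion_reason(ev)
        if reason and not (protect_high_confidence and confidence >= 100):
            suppressed.append((ev.device, reason))
        else:
            alerts.append(ev.device)
    return alerts, suppressed


def kql_exclusion_clause():
    """The same exclusions as a KQL tuning clause for DeviceNetworkEvents (example only)."""
    return (
        "| where not(InitiatingProcessFileName has 'veeam'\n"
        "    or InitiatingProcessCommandLine has_any ('backup', 'snapshot')\n"
        "    or InitiatingProcessParentFileName =~ 'taskeng.exe'\n"
        "    or (InitiatingProcessFileName =~ 'cmd.exe' and InitiatingProcessCommandLine has 'schtasks')\n"
        "    or InitiatingProcessFileName has 'filebeat'\n"
        "    or (InitiatingProcessFileName =~ 'powershell.exe'\n"
        "        and InitiatingProcessCommandLine has_any ('Get-EventLog', 'Get-Service', 'monitor'))\n"
        "    or InitiatingProcessFileName =~ 'MsMpEng.exe')"
    )


# Constructed sample telemetry; none of these rows is real.
SAMPLE_EVENTS = [
    NetEvent("WKS-01", "10.20.30.40", 5044, "filebeat.exe", "services.exe", "filebeat.exe -c filebeat.yml"),
    NetEvent("WKS-02", "80.211.47.159", 7582, "explorer.exe", "userinit.exe", "explorer.exe"),
    NetEvent("WKS-03", "80.211.47.159", 7582, "powershell.exe", "cmd.exe", "powershell.exe -c Get-Service"),
    NetEvent("SRV-01", "80.211.47.159", 443, "VeeamAgent.exe", "services.exe", "VeeamAgent.exe backup"),
]

if __name__ == "__main__":
    print("page exclusions as written:", triage(SAMPLE_EVENTS, protect_high_confidence=False))
    print("with high-confidence guard: ", triage(SAMPLE_EVENTS))
    print(kql_exclusion_clause())
```

Applied as written, the page's exclusions drop two of the three connections to the C2 address because the initiating process happens to be named like a backup or monitoring tool; with the confidence guard only the Filebeat row (which never hit an IOC) stays quiet. When translating these scenarios into a Sentinel analytic rule, scope each exclusion to the destination it is meant to cover (the log server's IP, the backup target) rather than to a process or keyword alone.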