The ThreatFox: Remus IOCs rule detects potential adversary activity involving known malicious indicators associated with the Remus malware family, which is commonly used for data exfiltration and persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced threats that could compromise sensitive data and system integrity.
IOC Summary
- Malware Family: Remus
- Total IOCs: 2
- IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | demale.shop | botnet_cc | 2026-05-27 | 100% |
| domain | thequarterlymethod.com | botnet_cc | 2026-05-27 | 100% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Remus
let malicious_domains = dynamic(["demale.shop", "thequarterlymethod.com"]);
DnsEvents
| where Name has_any (malicious_domains)   // term-based match; subdomains of an IOC also surface
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
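To check the hunt logic offline before scheduling it, the following added example (not part of the original rule page) replays the query over constructed DnsEvents-style records. It applies a stricter match than KQL `has_any`, which is term-based and can also surface lookalike names: a query is a hit only when it equals an IOC domain or is a true subdomain of one.

```python
# Added example: offline replay of the Remus DNS hunt over constructed records.
# The IOC domains come from the table above; every event below is made up.
MALICIOUS_DOMAINS = ("demale.shop", "thequarterlymethod.com")

# Constructed sample records in DnsEvents shape (not real telemetry).
SAMPLE_EVENTS = [
    {"TimeGenerated": "2026-05-27T10:01:00Z", "Computer": "ws01",
     "Name": "demale.shop.", "IPAddresses": "203.0.113.10", "QueryType": "A"},
    {"TimeGenerated": "2026-05-27T10:03:00Z", "Computer": "ws02",
     "Name": "contoso.com", "IPAddresses": "203.0.113.20", "QueryType": "A"},
    {"TimeGenerated": "2026-05-27T10:05:00Z", "Computer": "srv03",
     "Name": "cdn.thequarterlymethod.com", "IPAddresses": "203.0.113.30", "QueryType": "A"},
    {"TimeGenerated": "2026-05-27T10:07:00Z", "Computer": "ws04",
     "Name": "notdemale.shop", "IPAddresses": "203.0.113.40", "QueryType": "A"},
]

PROJECTED = ("TimeGenerated", "Computer", "Name", "IPAddresses", "QueryType")


def is_ioc_hit(name, iocs=MALICIOUS_DOMAINS):
    """True if `name` is an IOC domain or a subdomain of one.

    Normalises case and a trailing FQDN dot. Requires a label boundary, so
    'notdemale.shop' is not a hit while 'cdn.demale.shop' is.
    """
    n = name.rstrip(".").lower()
    return any(n == ioc or n.endswith("." + ioc) for ioc in iocs)


def hunt(events, iocs=MALICIOUS_DOMAINS):
    """Mirror of the KQL pipeline: filter, project the same columns, newest first."""
    hits = [e for e in events if is_ioc_hit(e["Name"], iocs)]
    hits.sort(key=lambda e: e["TimeGenerated"], reverse=True)
    return [{k: e[k] for k in PROJECTED} for e in hits]


if __name__ == "__main__":
    for row in hunt(SAMPLE_EVENTS):
        print(row["TimeGenerated"], row["Computer"], row["Name"], sep="\t")
```

Names that the looser `has_any` surfaces but this strict check rejects are the ones worth a manual look during triage.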
False Positive Scenarios
Scenario: Scheduled System Backup Using Remus
Description: A legitimate scheduled backup job uses Remus for data replication.
Filter/Exclusion: process.parent_process_name:*backup_service* OR process.command_line:*remus_backup*
Scenario: Admin Task Using Remus for Log Aggregation
Description: An administrator uses Remus to aggregate logs from multiple servers.
Filter/Exclusion: process.user:*admin* AND process.command_line:*remus_log_aggregation*
Scenario: Development Environment Testing with Remus
Description: A developer is testing a Remus-based tool in a sandboxed development environment.
Filter/Exclusion: process.machine_name:*dev-* OR process.user:*dev*
Scenario: Remus Used for Internal Monitoring Tool
Description: The enterprise uses Remus as part of an internal monitoring and alerting system.
Filter/Exclusion: process.command_line:*remus_monitor* OR process.parent_process_name:*monitoring_service*
Scenario: Remus Integration with SIEM System
Description: Remus is integrated with the enterprise SIEM (e.g., Splunk, ELK) for real-time data ingestion.
Filter/Exclusion: process.parent_process_name:*splunk* OR process.parent_process_name:*elasticsearch*