The ThreatFox: Remus IOCs rule detects potential adversary activity associated with the Remus malware, leveraging known indicators of compromise to identify malicious network traffic or file artifacts. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats that may be leveraging Remus for data exfiltration or command and control operations.
IOC Summary
Malware Family: Remus
Total IOCs: 3
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | revvedupdirect.com | botnet_cc | 2026-05-26 | 100% |
| domain | worksdigitaldeals.com | botnet_cc | 2026-05-26 | 100% |
| domain | indiaz.shop | botnet_cc | 2026-05-26 | 100% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Remus
let malicious_domains = dynamic(["revvedupdirect.com", "worksdigitaldeals.com", "indiaz.shop"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
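The same domain match run offline over constructed DnsEvents-style records, as an added example that is not part of the ThreatFox rule or the page's own query: it normalises case and trailing dots, treats subdomains of an IOC as hits, and rejects look-alike names such as "notindiaz.shop". The record shape and sample values are assumptions mirroring the projected columns above.

```python
# Added example, not the page's own code: offline check of the three Remus
# domain IOCs against DnsEvents-like records. Exact-or-subdomain matching,
# so "cdn.indiaz.shop" is a hit while "notindiaz.shop" is not.
from typing import Iterable, Optional

# IOC list taken from the table above
MALICIOUS_DOMAINS = ("revvedupdirect.com", "worksdigitaldeals.com", "indiaz.shop")

def matched_ioc(query_name: str, iocs: Iterable[str] = MALICIOUS_DOMAINS) -> Optional[str]:
    """Return the IOC that query_name equals or is a subdomain of, else None."""
    name = query_name.strip().rstrip(".").lower()  # FQDNs may carry a trailing dot
    for ioc in iocs:
        ioc = ioc.lower()
        if name == ioc or name.endswith("." + ioc):
            return ioc
    return None

def hunt(events: Iterable[dict]) -> list:
    """Keep only records whose Name hits an IOC, newest first (like the KQL)."""
    hits = []
    for ev in events:
        ioc = matched_ioc(ev["Name"])
        if ioc is not None:
            hits.append({**ev, "MatchedIOC": ioc})
    return sorted(hits, key=lambda e: e["TimeGenerated"], reverse=True)

# Constructed sample records (assumed shape: the projected DnsEvents columns)
SAMPLE_EVENTS = [
    {"TimeGenerated": "2026-05-26T08:00:00Z", "Computer": "ws01", "Name": "login.microsoft.com", "IPAddresses": "20.0.0.1", "QueryType": "A"},
    {"TimeGenerated": "2026-05-26T08:01:00Z", "Computer": "ws02", "Name": "cdn.indiaz.shop.", "IPAddresses": "", "QueryType": "A"},
    {"TimeGenerated": "2026-05-26T08:02:00Z", "Computer": "ws03", "Name": "notindiaz.shop", "IPAddresses": "", "QueryType": "A"},
    {"TimeGenerated": "2026-05-26T08:03:00Z", "Computer": "ws01", "Name": "WorksDigitalDeals.com", "IPAddresses": "", "QueryType": "AAAA"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["TimeGenerated"], hit["Computer"], hit["Name"], "->", hit["MatchedIOC"])
```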
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Backup Using Veeam Backup & Replication
Description: A legitimate scheduled backup job using Veeam may generate files matching known Remus IOCs due to similar file naming patterns.
Filter/Exclusion: Exclude files with the .vib extension or files created by Veeam Backup & Replication processes.
Scenario: Windows Task Scheduler Running PowerShell Scripts for System Maintenance
Description: A system admin may use PowerShell scripts (e.g., PSConfig.exe, TaskScheduler.exe) to perform routine maintenance tasks, which could trigger the rule due to similar command-line activity.
Filter/Exclusion: Exclude processes initiated by the schtasks.exe command or with the Microsoft or System user context.
Scenario: Docker Container Management with Docker CLI Tools
Description: Docker CLI tools (e.g., docker, docker-compose) may generate IOCs that match Remus indicators due to similar command-line arguments or file structures.
Filter/Exclusion: Exclude processes running in a Docker container or with the docker command-line interface.
Scenario: Log Management with Splunk Forwarder
Description: The Splunk Universal Forwarder may generate logs or temporary files that match Remus IOCs due to similar file handling patterns.
Filter/Exclusion: Exclude files or processes associated with the splunkforwarder executable or located in Splunk’s temporary directories.
Scenario: Admin Task Using PowerShell for Patch Management
Description: A system administrator may use PowerShell scripts (e.g., PSUpdate.exe, PSConfig.exe) to apply patches or updates, which could trigger the rule due to similar execution patterns.
Filter/Exclusion: Exclude processes initiated by the PowerShell.exe command with admin privileges or associated with known patch management tools.