The ThreatFox: Remus IOCs rule detects potential adversary activity associated with the Remus malware by matching network telemetry against the ThreatFox indicators of compromise listed below (two domains and one URL). All three indicators are tagged botnet_cc, so a hit means a host resolved or contacted a Remus command-and-control endpoint, not merely that it saw a suspicious file. SOC teams should proactively hunt for these indicators in Microsoft Sentinel (formerly Azure Sentinel) to detect hosts that may be establishing command-and-control channels or exfiltrating data, and should treat the domain hits as the higher-confidence signal (100% on ThreatFox) over the single URL hit (75%).
IOC Summary
Malware Family: Remus
Total IOCs: 3
IOC Types: domain, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxp://mathlah.com:9432 | botnet_cc | 2026-06-20 | 75% |
| domain | khabarraja.com | botnet_cc | 2026-06-19 | 100% |
| domain | flowmasterservices.com | botnet_cc | 2026-06-19 | 100% |
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Remus
// has_any matches each IOC as a whole term, so subdomains such as
// www.khabarraja.com also fire; review the full Name before closing a hit.
let malicious_domains = dynamic(["khabarraja.com", "flowmasterservices.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses, QueryType
| order by TimeGenerated desc
// Hunt for access to known malicious URLs
// Source: ThreatFox - Remus (published defanged as hxxp://mathlah.com:9432)
// Match on host and port from parse_url rather than the literal string so that
// path variants and a plain http:// vs hxxp:// difference still fire.
let malicious_hosts = dynamic(["mathlah.com"]);
let malicious_ports = dynamic([9432]);
UrlClickEvents
| extend ParsedUrl = parse_url(Url)
| extend UrlHost = tostring(ParsedUrl.Host), UrlPort = toint(ParsedUrl.Port)
| where UrlHost in~ (malicious_hosts)
| extend PortMatch = UrlPort in (malicious_ports)   // false = host only, lower confidence
| project Timestamp, AccountUpn, Url, UrlHost, UrlPort, PortMatch, ActionType, IsClickedThrough
| order by Timestamp desc
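The two queries above encode the matching rules implicitly (whole-term domain match, literal URL match). The following Python is an added example, not part of the ThreatFox page or the Sentinel rule, that applies the same three Remus IOCs to constructed DNS and URL-click records offline. It makes the two details explicit that a practitioner usually gets wrong when pasting IOCs into a hunt: a domain IOC should match itself and its subdomains but not a longer name that merely embeds the IOC's labels, and a URL IOC should be compared by host and port after refanging the hxxp:// form ThreatFox publishes. The record layouts, hostnames and UPNs in the samples are constructed; the IOC values are those from the table above.

```python
from typing import Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

# IOCs copied from the ThreatFox table above. ThreatFox publishes URLs defanged (hxxp://).
IOC_DOMAINS = {"khabarraja.com", "flowmasterservices.com"}
IOC_URLS = {"hxxp://mathlah.com:9432"}


def refang(value: str) -> str:
    """Undo common defanging so a published IOC (or a value pasted from a ticket) parses as a real URL."""
    return (value.replace("hxxps://", "https://")
                 .replace("hxxp://", "http://")
                 .replace("[.]", ".")
                 .replace("[:]", ":"))


def normalize_domain(name: str) -> str:
    """Lower-case and strip the trailing dot that some resolver logs keep on FQDNs."""
    return name.strip().rstrip(".").lower()


def domain_hit(name: str, iocs: Iterable[str] = IOC_DOMAINS) -> Optional[str]:
    """Return the IOC domain that `name` equals or is a subdomain of, else None.

    The suffix check is label-aligned ("." + ioc), so khabarraja.com.example.net
    is NOT a hit even though it contains the IOC's labels.
    """
    name = normalize_domain(name)
    for ioc in iocs:
        ioc = normalize_domain(ioc)
        if name == ioc or name.endswith("." + ioc):
            return ioc
    return None


def host_port(url: str) -> Tuple[str, int]:
    """(host, port) of a URL after refanging; port falls back to the scheme default."""
    parts = urlsplit(refang(url))
    port = parts.port
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return (parts.hostname or "").lower(), port


def url_hit(url: str, iocs: Iterable[str] = IOC_URLS) -> Optional[Tuple[str, str]]:
    """Return ("url", ioc) for a host+port match, ("url_host_only", ioc) when only the
    host matches, else None. A host-only match is weaker: the IOC is the C2 listener
    on port 9432, not the bare domain, so it should be triaged at lower confidence."""
    host, port = host_port(url)
    weaker = None
    for ioc in iocs:
        ioc_host, ioc_port = host_port(ioc)
        if host != ioc_host:
            continue
        if port == ioc_port:
            return ("url", ioc)
        weaker = ("url_host_only", ioc)
    return weaker


def hunt(dns_records, click_records) -> List[dict]:
    """Apply both IOC sets to (computer, queried_name) and (upn, clicked_url) tuples,
    mirroring the DnsEvents and UrlClickEvents queries."""
    hits = []
    for computer, name in dns_records:
        ioc = domain_hit(name)
        if ioc:
            hits.append({"source": "DnsEvents", "subject": computer,
                         "value": name, "ioc": ioc, "match": "domain"})
    for upn, url in click_records:
        result = url_hit(url)
        if result:
            kind, ioc = result
            hits.append({"source": "UrlClickEvents", "subject": upn,
                         "value": url, "ioc": ioc, "match": kind})
    return hits


# Constructed sample telemetry (not real logs); comments give the expected outcome.
SAMPLE_DNS = [
    ("WS-001", "www.khabarraja.com"),          # subdomain of an IOC -> hit
    ("WS-002", "flowmasterservices.com."),     # trailing dot from the resolver log -> hit
    ("WS-003", "khabarraja.com.example.net"),  # IOC labels embedded in a longer name -> no hit
    ("WS-004", "login.microsoftonline.com"),   # benign -> no hit
]
SAMPLE_CLICKS = [
    ("alice@example.com", "http://mathlah.com:9432/gate.php"),  # host and port -> "url"
    ("bob@example.com", "http://mathlah.com/"),                 # host on port 80 -> "url_host_only"
    ("carol@example.com", "hxxp://mathlah.com:9432"),           # defanged value from a ticket -> "url"
    ("dave@example.com", "https://contoso.com/login"),          # benign -> no hit
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_DNS, SAMPLE_CLICKS):
        print(hit)
```

Running the script yields five hits: two DNS hits (WS-001, WS-002) and three click hits, of which bob's is flagged url_host_only. The WS-003 name is deliberately excluded by the label-aligned suffix check; a KQL `has_any` on the same IOC list may behave differently on such lookalikes, which is why the DnsEvents query above projects the full Name for review.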
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled (Windows DNS Server / DNS Analytics connector) |
| UrlClickEvents | Ensure this data connector is enabled (Microsoft Defender XDR connector; populated by Defender for Office 365 Safe Links) |
False-positive scenarios. The Remus IOCs above are domains and a URL, so a hit in DnsEvents or UrlClickEvents cannot be explained by a file name or path collision; the scenarios below apply only once you pivot from a network hit to process telemetry (for example DeviceProcessEvents or Sysmon) to identify what issued the query or click. Apply an exclusion only after tying the network event to the excluded process, and never suppress the DNS or URL match itself.
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that matches the Remus IOC pattern because of similar file names or paths.
Filter/Exclusion: Exclude tasks whose task name contains "system maintenance" or "scheduled maintenance", and confirm the command line contains schtasks or at before excluding.
Scenario: Admin Tool Execution
Description: An administrator uses a legitimate tool such as PowerShell or Task Scheduler to execute a script that coincidentally matches the Remus IOC.
Filter/Exclusion: Do not exclude every powershell.exe or taskhost.exe process; that blinds the rule to the most common loader. Exclude only when the process name is powershell.exe or taskhost.exe, the user field is a known admin account, and the script path is an approved one.
Scenario: Log File Parsing Job
Description: A log parsing job (e.g., LogParser or Splunk) processes logs and generates output that matches the Remus IOC pattern.
Filter/Exclusion: Exclude processes whose process name contains "logparser" or "splunk", and filter by the destinations or file paths associated with log processing.
Scenario: Software Update Deployment
Description: A software update (e.g., from WSUS or Microsoft Update) includes a file that matches the Remus IOC because of similar naming.
Filter/Exclusion: Exclude processes whose process name contains "wsus" or that run the wuauserv service (wuauserv is a service name, hosted in svchost.exe, not a process name), and check that file paths fall within known update directories.
Scenario: Custom Script for Compliance Audit
Description: A custom script written for compliance or audit purposes (e.g., AuditTool.exe) includes a file or command that matches the Remus IOC.
Filter/Exclusion: Exclude processes whose process name contains "audittool" or "compliance" and check