The ThreatFox: Remus IOCs rule detects potential adversary activity associated with the Remus malware, leveraging known indicators of compromise to identify malicious network traffic or file artifacts. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats that may be leveraging Remus for data exfiltration or command and control operations.
IOC Summary
Malware Family: Remus
Total IOCs: 4
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | posdteu.shop | botnet_cc | 2026-06-06 | 100% |
| domain | mathlah.com | botnet_cc | 2026-06-06 | 100% |
| domain | gauravitechnologies.com | botnet_cc | 2026-06-06 | 100% |
| domain | onesevenapps.com | botnet_cc | 2026-06-06 | 100% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Remus
// Note: has_any is a term-based, case-insensitive match, so queries for
// subdomains of the listed names (e.g. cdn.mathlah.com) are also returned.
let malicious_domains = dynamic(["posdteu.shop", "mathlah.com", "gauravitechnologies.com", "onesevenapps.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Backup Using Veeam Backup & Replication
Description: A legitimate scheduled backup job using Veeam may generate network traffic matching Remus IOCs due to data transfer.
Filter/Exclusion: Exclude traffic originating from or destined to Veeam backup servers, or filter based on known Veeam IP ranges.
Scenario: Microsoft Windows Update Task via Task Scheduler
Description: A system administrator may configure a scheduled task to pull updates from Microsoft Update, which could involve network activity resembling Remus IOCs.
Filter/Exclusion: Exclude traffic to Microsoft Update endpoints (e.g., update.microsoft.com) or filter by process name svchost.exe or wuauclt.exe.
Scenario: Log Management with Splunk Forwarder
Description: A Splunk Universal Forwarder may send logs to a Splunk Indexer, which could be misinterpreted as Remus-related traffic.
Filter/Exclusion: Exclude traffic from known Splunk forwarder IP ranges or filter by process name splunkforwarder.exe.
Scenario: Database Replication Using Oracle Data Guard
Description: Oracle Data Guard replication may involve network communication that could be flagged by the Remus detection rule.
Filter/Exclusion: Exclude traffic to Oracle-specific endpoints or filter by process name oracle.exe or tnsping.exe.
Scenario: Admin Task Using PowerShell for System Monitoring
Description: A system administrator may use PowerShell scripts to monitor system performance, which could generate network activity similar to Remus IOCs.
Filter/Exclusion: Exclude PowerShell scripts executed by admin accounts or filter by process name powershell.exe with known admin user context.
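To make the hunt above and the exclusion scenarios concrete, here is an added Python replay of the DnsEvents query over constructed sample records (example code, not part of the ThreatFox rule or this page). It assumes the DnsEvents column names shown in the query (TimeGenerated, Computer, Name, IPAddresses, QueryType) and a hypothetical set of excluded hosts standing in for the "exclude traffic from backup servers" style of tuning. Unlike KQL's term-based has_any, the matching here is done on DNS label boundaries, so a subdomain of an IOC matches but an IOC embedded inside a longer lookalike name does not; that is a deliberate design choice for the example, not the behaviour of the original query.

```python
"""Replay of the Remus DnsEvents hunt over constructed sample records.

Added example. Sample events and host names below are constructed; only the
four IOC domains come from the ThreatFox table on this page.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, List, Optional, Tuple

# IOC list taken from the ThreatFox table above
MALICIOUS_DOMAINS = {
    "posdteu.shop",
    "mathlah.com",
    "gauravitechnologies.com",
    "onesevenapps.com",
}


@dataclass(frozen=True)
class DnsEvent:
    """One DnsEvents row, using the column names from the KQL query."""
    time_generated: datetime
    computer: str
    name: str           # queried name (DnsEvents.Name)
    ip_addresses: str
    query_type: str


def normalize(name: str) -> str:
    """Lower-case and strip the trailing root dot some resolvers log."""
    return name.strip().lower().rstrip(".")


def matched_ioc(name: str, iocs: Iterable[str] = MALICIOUS_DOMAINS) -> Optional[str]:
    """Return the IOC domain a query hits, or None.

    A hit is an exact match or a subdomain match on a label boundary, so
    'cdn.mathlah.com' hits but 'mathlah.com.example.net' and
    'notmathlah.com' do not.
    """
    q = normalize(name)
    for ioc in iocs:
        i = normalize(ioc)
        if q == i or q.endswith("." + i):
            return ioc
    return None


def hunt(events: Iterable[DnsEvent],
         excluded_computers: Iterable[str] = ()) -> List[Tuple[DnsEvent, str]]:
    """Mirror of the KQL: keep IOC hits, drop excluded hosts, newest first.

    excluded_computers is the tuning hook for the false-positive scenarios
    (hypothetical host names whose queries have been reviewed as benign).
    """
    excluded = {c.lower() for c in excluded_computers}
    hits = []
    for ev in events:
        if ev.computer.lower() in excluded:
            continue
        ioc = matched_ioc(ev.name)
        if ioc is not None:
            hits.append((ev, ioc))
    hits.sort(key=lambda h: h[0].time_generated, reverse=True)
    return hits


# Constructed sample telemetry (host names and IPs are not from the page)
SAMPLE_EVENTS = [
    DnsEvent(datetime(2026, 6, 7, 8, 0, 1), "WS-0042", "cdn.mathlah.com", "198.51.100.7", "A"),
    DnsEvent(datetime(2026, 6, 7, 8, 0, 5), "WS-0042", "www.example.org", "93.184.216.34", "A"),
    DnsEvent(datetime(2026, 6, 7, 8, 1, 0), "BACKUP-01", "POSDTEU.SHOP.", "198.51.100.9", "A"),
    DnsEvent(datetime(2026, 6, 7, 8, 2, 0), "WS-0077", "mathlah.com.example.net", "203.0.113.5", "A"),
    DnsEvent(datetime(2026, 6, 7, 8, 3, 0), "SRV-DB1", "onesevenapps.com", "198.51.100.11", "AAAA"),
]


if __name__ == "__main__":
    for ev, ioc in hunt(SAMPLE_EVENTS, excluded_computers={"BACKUP-01"}):
        print(f"{ev.time_generated:%Y-%m-%d %H:%M:%S} {ev.computer} {ev.name} -> {ioc}")
```

Running it without an exclusion list returns three hits (the subdomain query, the upper-cased query with a trailing dot, and the exact match), and the lookalike name is correctly ignored; passing the hypothetical backup host as excluded drops it to two, which is the kind of tuning the scenarios above describe.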