The ThreatFox: Remus IOCs rule detects potential adversary activity associated with the Remus malware by matching known indicators of compromise against network traffic and file artifacts. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and respond to advanced persistent threats that may be using Remus for data exfiltration or command and control operations.
**IOC Summary**

- Malware Family: Remus
- Total IOCs: 3
- IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | youngel.biz | botnet_cc | 2026-05-28 | 100% |
| domain | tryjellie.com | botnet_cc | 2026-05-28 | 100% |
| domain | jirensolutions.com | botnet_cc | 2026-05-28 | 100% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Remus
let malicious_domains = dynamic(["youngel.biz", "tryjellie.com", "jirensolutions.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
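An offline version of the hunt above, as an added example that is not part of the original rule: it matches DNS query names against the three IOC domains on label boundaries (so `cdn.tryjellie.com` is caught while a look-alike such as `notyoungel.biz` is not), keeps the newest-first ordering of the KQL, and ranks hosts by how many distinct C2 domains they resolved. The DnsEvents-shaped records are constructed sample data.

```python
from collections import defaultdict

# IOC domains from the table above (ThreatFox - Remus)
MALICIOUS_DOMAINS = ("youngel.biz", "tryjellie.com", "jirensolutions.com")

# Constructed sample records shaped like the DnsEvents columns the query projects
SAMPLE_EVENTS = [
    {"TimeGenerated": "2026-05-28T09:14:02Z", "Computer": "ws-17", "Name": "youngel.biz", "QueryType": "A"},
    {"TimeGenerated": "2026-05-28T09:14:09Z", "Computer": "ws-17", "Name": "cdn.tryjellie.com", "QueryType": "A"},
    {"TimeGenerated": "2026-05-28T09:15:30Z", "Computer": "srv-02", "Name": "notyoungel.biz", "QueryType": "A"},
    {"TimeGenerated": "2026-05-28T09:16:41Z", "Computer": "srv-02", "Name": "jirensolutions.com.example.net", "QueryType": "A"},
    {"TimeGenerated": "2026-05-28T09:17:00Z", "Computer": "ws-17", "Name": "archive.ubuntu.com", "QueryType": "A"},
]


def matches_ioc(name, iocs=MALICIOUS_DOMAINS):
    """Return the IOC domain when `name` is that domain or one of its subdomains.

    Comparing whole labels from the right avoids two common mistakes: a plain
    substring test flags 'notyoungel.biz', and an exact compare misses
    'cdn.tryjellie.com'. Case and a trailing dot are normalised away.
    """
    labels = name.lower().rstrip(".").split(".")
    for ioc in iocs:
        ioc_labels = ioc.lower().split(".")
        if len(labels) >= len(ioc_labels) and labels[-len(ioc_labels):] == ioc_labels:
            return ioc
    return None


def hunt(events, iocs=MALICIOUS_DOMAINS):
    """Mirror the KQL: keep matching events only, newest first."""
    hits = [dict(e, MatchedIOC=matches_ioc(e["Name"], iocs)) for e in events]
    hits = [h for h in hits if h["MatchedIOC"]]
    return sorted(hits, key=lambda h: h["TimeGenerated"], reverse=True)


def hosts_by_ioc_count(hits):
    """Triage helper: number of distinct IOC domains resolved per host."""
    seen = defaultdict(set)
    for h in hits:
        seen[h["Computer"]].add(h["MatchedIOC"])
    return {host: len(domains) for host, domains in seen.items()}


if __name__ == "__main__":
    results = hunt(SAMPLE_EVENTS)
    for h in results:
        print(h["TimeGenerated"], h["Computer"], h["Name"], "->", h["MatchedIOC"])
    print(hosts_by_ioc_count(results))
```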
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
**Scenario: Legitimate System Backup Using `rsync`**

Description: A scheduled job runs `rsync` to back up system files to a remote server, which may match the IOCs associated with Remus due to similar command-line syntax.

Filter/Exclusion: Exclude processes where the command line contains `rsync` and the destination path is a known backup directory (e.g., `/backup/` or `/var/backups/`).

**Scenario: Admin Task Using `tar` for Archive Management**

Description: An administrator uses `tar` to archive log files or configuration backups, which may resemble the IOCs linked to Remus due to similar file operations.

Filter/Exclusion: Exclude processes where the command line includes `tar` and the output file path is within a system log or configuration directory (e.g., `/var/log/` or `/etc/`).

**Scenario: Scheduled Job for Log Rotation Using `logrotate`**

Description: A cron job runs `logrotate` to manage log files, which may trigger the rule if the IOCs include log-related paths or commands.

Filter/Exclusion: Exclude processes where the command line includes `logrotate` and the log files are located in standard log directories (e.g., `/var/log/`).

**Scenario: Software Update Using `apt` or `yum`**

Description: A system update via `apt` or `yum` may involve downloading packages from a repository, which could be mistaken for malicious activity if the IOCs include package download patterns.

Filter/Exclusion: Exclude processes where the command line includes `apt` or `yum` and the download URL is a known package repository (e.g., http://archive.ubuntu.com or https://repo.centos.org).

**Scenario: Network Monitoring Tool Using `tcpdump`**