The ThreatFox: Remus IOCs rule detects potential adversary activity associated with the Remus malware, using known indicators of compromise to identify malicious behavior. SOC teams should proactively hunt for these indicators in Azure Sentinel to detect and respond to advanced persistent threats that may be leveraging Remus for data exfiltration or lateral movement.
IOC Summary
Malware Family: Remus
Total IOCs: 5
IOC Types: ip:port, domain, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | khabarraja.com | botnet_cc | 2026-06-19 | 100% |
| domain | flowmasterservices.com | botnet_cc | 2026-06-19 | 100% |
| url | hxxp://flowmasterservices.com:4437 | botnet_cc | 2026-06-19 | 75% |
| ip:port | 167[.]99[.]78[.]100:4437 | botnet_cc | 2026-06-19 | 75% |
| url | hxxp://khabarraja.com:4437 | botnet_cc | 2026-06-19 | 75% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Remus
let malicious_ips = dynamic(["167.99.78.100"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Remus
let malicious_ips = dynamic(["167.99.78.100"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Remus
let malicious_domains = dynamic(["khabarraja.com", "flowmasterservices.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kusto
// Hunt for access to known malicious URLs
// Source: ThreatFox - Remus
let malicious_urls = dynamic(["http://flowmasterservices.com:4437", "http://khabarraja.com:4437"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
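Added example (not part of the rule page or of ThreatFox): a small Python helper that refangs the defanged values from the IOC table above and emits the `let ... = dynamic([...])` lines the hunting queries start with. The rows are copied from the page's table; the confidence threshold, the variable names and the port-stripping for ip:port rows are my assumptions.

```python
"""Turn defanged ThreatFox rows into Kusto `let` arrays for the Remus hunts."""
import re

# Constructed from the IOC table on this page: (type, defanged value, confidence %).
IOC_ROWS = [
    ("domain", "khabarraja.com", 100),
    ("domain", "flowmasterservices.com", 100),
    ("url", "hxxp://flowmasterservices.com:4437", 75),
    ("ip:port", "167[.]99[.]78[.]100:4437", 75),
    ("url", "hxxp://khabarraja.com:4437", 75),
]

# Assumed mapping from ThreatFox type to the KQL variable used in the queries.
KQL_NAME = {"ip:port": "malicious_ips", "domain": "malicious_domains", "url": "malicious_urls"}


def refang(value: str) -> str:
    """Undo common defanging: hxxp(s) -> http(s), [.] / (.) -> ., [:] -> :."""
    value = re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def normalize(ioc_type: str, value: str) -> str:
    """Refang, and drop the port from ip:port rows because the IP columns matched above hold bare addresses."""
    value = refang(value)
    if ioc_type == "ip:port":
        value = value.rsplit(":", 1)[0]
    return value


def kql_string(value: str) -> str:
    """Quote a value as a KQL string literal, escaping backslashes and double quotes."""
    return '"%s"' % value.replace("\\", "\\\\").replace('"', '\\"')


def build_kql_lets(rows, min_confidence: int = 75) -> dict:
    """Group indicators by KQL variable; skip rows below min_confidence, unknown types and duplicates."""
    grouped: dict[str, list[str]] = {name: [] for name in KQL_NAME.values()}
    for ioc_type, value, confidence in rows:
        if confidence < min_confidence or ioc_type not in KQL_NAME:
            continue
        norm = normalize(ioc_type, value)
        if norm not in grouped[KQL_NAME[ioc_type]]:
            grouped[KQL_NAME[ioc_type]].append(norm)
    return {
        name: "let %s = dynamic([%s]);" % (name, ", ".join(kql_string(v) for v in values))
        for name, values in grouped.items() if values
    }


if __name__ == "__main__":
    for statement in build_kql_lets(IOC_ROWS).values():
        print(statement)
```

Raising `min_confidence` to 100 keeps only the two domains, which is a cheap way to tier the hunt before the lower-confidence URL and ip:port rows are added.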
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Backup Using Veeam Backup & Replication
Description: A legitimate backup process using Veeam may generate network traffic that matches Remus IOCs, such as connecting to a known C2 IP or using a suspicious domain.
Filter/Exclusion: Exclude traffic originating from the Veeam backup server or involving known Veeam-related domains (e.g., veeam.com, backup-vm.com).
Scenario: Admin Task Using PowerShell for System Maintenance
Description: An administrator may run PowerShell scripts to perform system maintenance, which could involve downloading or executing files that match Remus IOCs.
Filter/Exclusion: Exclude PowerShell scripts executed by users with administrative privileges or those containing known maintenance command patterns (e.g., Get-ChildItem, Invoke-Command).
Scenario: Log Collection Using Splunk Forwarder
Description: The Splunk Universal Forwarder may send logs to a central Splunk server, which could be misinterpreted as Remus-related network activity.
Filter/Exclusion: Exclude traffic to the Splunk server IP or involving Splunk-specific headers (e.g., splunkforwarder, splunkd).
Scenario: Software Update Using Microsoft Intune
Description: A software update process managed by Microsoft Intune may involve downloading files from Microsoft servers that could be flagged as Remus IOCs.
Filter/Exclusion: Exclude traffic to Microsoft update servers (e.g., windowsupdate.microsoft.com, download.microsoft.com) or files signed by Microsoft.
Scenario: Database Backup Using Oracle Data Pump
Description: Oracle Data Pump backups may involve temporary file creation or network transfers that could trigger Remus-related detection logic.
Filter/Exclusion: Exclude processes initiated by the Oracle database service or involving known Oracle backup file extensions (