The ThreatFox: Remus IOCs rule detects potential adversary activity associated with the Remus malware family, leveraging known indicators of compromise to identify suspicious behavior. SOC teams should proactively hunt for this in Azure Sentinel to detect and respond to advanced persistent threats that may be leveraging Remus for data exfiltration or lateral movement.
IOC Summary
Malware Family: Remus
Total IOCs: 7
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | moisca.com | botnet_cc | 2026-06-09 | 100% |
| domain | carogra.biz | botnet_cc | 2026-06-09 | 100% |
| domain | brazpi.shop | botnet_cc | 2026-06-09 | 100% |
| domain | godsblueprintforyourmarriage.com | botnet_cc | 2026-06-09 | 100% |
| domain | lmc014command.com | botnet_cc | 2026-06-09 | 100% |
| domain | gohan-suki.com | botnet_cc | 2026-06-09 | 100% |
| domain | eurogulf-group.com | botnet_cc | 2026-06-09 | 100% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Remus
let malicious_domains = dynamic(["moisca.com", "carogra.biz", "brazpi.shop", "godsblueprintforyourmarriage.com", "lmc014command.com", "gohan-suki.com", "eurogulf-group.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
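As an added example that is not part of this rule page, the same hunt carried out in Python over constructed sample DNS log lines, using the seven domains from the table above. It flags a query name only when it equals an IOC or is a subdomain of one, which is the check to keep when porting the list to a log source without `has_any`; the line format and host names are assumptions.

```python
# Added example: offline check of DNS query names against the Remus IOC list above.
# A plain substring test would also flag unrelated names such as "notmoisca.com"
# (constructed sample), so the match is exact-domain or subdomain only.
from typing import Dict, List, Optional

# Domains from the ThreatFox table on this page.
REMUS_DOMAINS = {
    "moisca.com", "carogra.biz", "brazpi.shop",
    "godsblueprintforyourmarriage.com", "lmc014command.com",
    "gohan-suki.com", "eurogulf-group.com",
}

def matched_ioc(query_name: str, iocs=REMUS_DOMAINS) -> Optional[str]:
    """Return the IOC that query_name equals or is a subdomain of, else None."""
    name = query_name.strip().lower().rstrip(".")  # normalise case and trailing dot
    for ioc in iocs:
        if name == ioc or name.endswith("." + ioc):
            return ioc
    return None

def hunt(log_lines: List[str]) -> List[Dict[str, str]]:
    """Parse constructed 'timestamp host name qtype' lines and return the hits."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the hunt
        ts, host, name, qtype = parts
        ioc = matched_ioc(name)
        if ioc:
            hits.append({"time": ts, "computer": host, "name": name,
                         "ioc": ioc, "qtype": qtype})
    return hits

# Constructed sample DNS log lines (not real telemetry); host names are assumptions.
SAMPLE_LOG = [
    "2026-06-09T10:00:01Z WS01 moisca.com A",
    "2026-06-09T10:00:02Z WS01 cdn.brazpi.shop. A",
    "2026-06-09T10:00:03Z WS02 notmoisca.com A",
    "2026-06-09T10:00:04Z WS02 MOISCA.COM TXT",
    "2026-06-09T10:00:05Z WS03 example.org AAAA",
    "malformed line",
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit)
```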
Scenario: System update or patching process using WSUS (Windows Server Update Services)
Filter/Exclusion: Check if the IOC is associated with a known WSUS update package or a legitimate Microsoft update. Use the process.parent_process field to verify if the process is initiated by a trusted update service.
Scenario: Scheduled backup job using Veeam Backup & Replication
Filter/Exclusion: Filter by process.name to exclude Veeam-related processes, or check the process.command_line for known Veeam backup commands.
Scenario: Administrative task using PowerShell for system configuration
Filter/Exclusion: Use process.name to exclude PowerShell processes that are known to be used by administrators for legitimate system management tasks. Include a filter for process.parent_process to identify tasks initiated by trusted administrative tools.
Scenario: Log collection or monitoring tool like Splunk or ELK Stack
Filter/Exclusion: Filter by process.name to exclude Splunk or Elasticsearch processes, or use process.command_line to identify known log collection activities.
Scenario: Automated deployment using Ansible or Chef
Filter/Exclusion: Use process.name to exclude Ansible or Chef processes, or check the process.command_line for known deployment scripts or modules used in legitimate automation workflows.