The ThreatFox: Remus IOCs rule detects potential adversary activity linked to the Remus malware family by matching known malicious indicators tied to its command-and-control (C2) infrastructure. SOC teams should proactively hunt for these indicators in Azure Sentinel to identify and mitigate early-stage compromise from advanced persistent threats leveraging Remus.
**IOC Summary**

- Malware Family: Remus
- Total IOCs: 3
- IOC Types: ip:port, url

| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 139[.]59[.]137[.]44:5003 | botnet_cc | 2026-06-15 | 75% |
| url | hxxp://apprxc.xyz:5003 | botnet_cc | 2026-06-15 | 75% |
| url | hxxp://littletonlawnpro.com:5789 | botnet_cc | 2026-06-15 | 75% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Remus
// Note: the ip:port IOC is 139.59.137.44:5003; add "and DestinationPort == 5003"
// if the host also serves legitimate traffic on other ports and the match is too noisy.
let malicious_ips = dynamic(["139.59.137.44"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Remus
let malicious_ips = dynamic(["139.59.137.44"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kusto
// Hunt for access to known malicious URLs
// Source: ThreatFox - Remus
// The URL IOCs are refanged here (hxxp -> http) so they match the Url column as logged.
let malicious_urls = dynamic(["http://apprxc.xyz:5003", "http://littletonlawnpro.com:5789"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
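The IOC table lists values in defanged form (`[.]`, `hxxp`), while the hunting queries need them refanged. The following helper is an added example, not ThreatFox's or the page's own code: it refangs the three Remus rows (embedded as constructed sample input), emits the `let` lists the queries above use, and shows an exact ip:port match, which the IP-only queries do not enforce.

```python
import re

# Constructed sample input: the three Remus rows from the IOC table, as defanged by ThreatFox.
SAMPLE_IOCS = [
    {"type": "ip:port", "value": "139[.]59[.]137[.]44:5003"},
    {"type": "url", "value": "hxxp://apprxc.xyz:5003"},
    {"type": "url", "value": "hxxp://littletonlawnpro.com:5789"},
]


def refang(value: str) -> str:
    """Undo common defanging ([.] -> ., hxxp -> http) so the value matches what logs record."""
    value = value.replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)


def split_ip_port(value: str) -> tuple[str, int]:
    """Split a defanged or plain 'ip:port' value into (ip, port)."""
    ip, _, port = refang(value).rpartition(":")
    return ip, int(port)


def is_c2_connection(remote_ip: str, remote_port: int, iocs) -> bool:
    """True only when both IP and port match an ip:port IOC; the port avoids
    flagging unrelated traffic to a host that also serves legitimate services."""
    pairs = {split_ip_port(i["value"]) for i in iocs if i["type"] == "ip:port"}
    return (remote_ip, remote_port) in pairs


def build_kql_lets(iocs) -> dict[str, str]:
    """Render KQL 'let' statements (dynamic arrays) from a list of ThreatFox-style IOC rows."""
    ips, ports, urls = [], set(), []
    for ioc in iocs:
        if ioc["type"] == "ip:port":
            ip, port = split_ip_port(ioc["value"])
            ips.append(ip)
            ports.add(port)
        elif ioc["type"] == "url":
            urls.append(refang(ioc["value"]))

    def kql_strings(items):
        return "dynamic([" + ", ".join(f'"{i}"' for i in items) + "])"

    port_list = ", ".join(str(p) for p in sorted(ports))
    return {
        "malicious_ips": f"let malicious_ips = {kql_strings(ips)};",
        "malicious_ports": f"let malicious_ports = dynamic([{port_list}]);",
        "malicious_urls": f"let malicious_urls = {kql_strings(urls)};",
    }
```

Feed the output of `build_kql_lets` into the query templates above; the generated `malicious_ips` and `malicious_urls` lines are identical to the ones hard-coded in the queries.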
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |

**Scenario: Legitimate scheduled backup job using rsync**

Description: A scheduled backup task using rsync to transfer data between servers, which may trigger the rsync IOC associated with Remus.

Filter/Exclusion: Check for rsync commands executed within a known backup directory (/backup/), and filter by user (backup_user) and time window (e.g., during nightly maintenance).

**Scenario: System update using apt or yum**

Description: A system update process using apt (Debian/Ubuntu) or yum (CentOS/RHEL) might include packages or commands that match Remus IOCs.

Filter/Exclusion: Filter for apt update, apt upgrade, yum update, or dnf upgrade commands, and exclude any activity outside of known update windows.

**Scenario: Admin task using cron or systemd for log rotation**

Description: A cron job or systemd service configured for log rotation (e.g., logrotate) may trigger IOCs if the command or script name matches Remus indicators.

Filter/Exclusion: Check for logrotate commands, and filter by user (root or logrotate) and command-line arguments related to log files (/var/log/).

**Scenario: Legitimate remote management tool like ssh or telnet**

Description: A legitimate remote administration session using ssh or telnet might include commands or IPs that match Remus IOCs.

Filter/Exclusion: Filter for ssh or telnet connections from known admin IPs, and check for user authentication (e.g., root, admin) and session duration.

**Scenario: Security tool or SIEM integration using splunk or