The ThreatFox: Remus IOCs rule detects potential adversary activity linked to the Remus malware family, which is known for its persistence and data exfiltration capabilities. SOC teams should proactively hunt for these indicators in Azure Sentinel to identify and mitigate advanced threats before they cause significant damage to the environment.
IOC Summary
Malware Family: Remus
Total IOCs: 66
IOC Types: ip:port, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 76[.]223[.]67[.]189:6584 | botnet_cc | 2026-06-10 | 75% |
| ip:port | 13[.]248[.]213[.]45:6584 | botnet_cc | 2026-06-10 | 75% |
| ip:port | 38[.]47[.]176[.]90:8938 | botnet_cc | 2026-06-10 | 75% |
| ip:port | 148[.]230[.]76[.]66:6390 | botnet_cc | 2026-06-10 | 75% |
| ip:port | 72[.]62[.]195[.]74:6473 | botnet_cc | 2026-06-10 | 75% |
| ip:port | 191[.]44[.]68[.]60:6004 | botnet_cc | 2026-06-10 | 75% |
| ip:port | 143[.]244[.]143[.]195:9504 | botnet_cc | 2026-06-10 | 75% |
| url | hxxp://mascard.biz:8768 | botnet_cc | 2026-06-10 | 75% |
| ip:port | 147[.]93[.]102[.]159:4219 | botnet_cc | 2026-06-10 | 75% |
| ip:port | 167[.]71[.]217[.]41:7538 | botnet_cc | 2026-06-10 | 75% |
| ip:port | 185[.]239[.]236[.]212:9321 | botnet_cc | 2026-06-10 | 75% |
| ip:port | 72[.]60[.]241[.]82:8954 | botnet_cc | 2026-06-10 | 75% |
| ip:port | 128[.]199[.]189[.]103:8747 | botnet_cc | 2026-06-10 | 75% |
| ip:port | 143[.]244[.]141[.]221:9432 | botnet_cc | 2026-06-10 | 75% |
| ip:port | 195[.]211[.]191[.]95:9549 | botnet_cc | 2026-06-10 | 75% |
| ip:port | 180[.]188[.]198[.]176:8938 | botnet_cc | 2026-06-10 | 75% |
| ip:port | 165[.]227[.]199[.]109:5789 | botnet_cc | 2026-06-10 | 75% |
| ip:port | 195[.]222[.]53[.]130:5200 | botnet_cc | 2026-06-10 | 75% |
| ip:port | 72[.]62[.]195[.]74:6590 | botnet_cc | 2026-06-10 | 75% |
| ip:port | 139[.]59[.]137[.]44:4219 | botnet_cc | 2026-06-10 | 75% |
| url | hxxp://zsigmu.shop:7673 | botnet_cc | 2026-06-10 | 75% |
| url | hxxp://tryjellie.com:5747 | botnet_cc | 2026-06-10 | 75% |
| url | hxxp://thequarterlymethod.com:6584 | botnet_cc | 2026-06-10 | 75% |
| url | hxxp://tricshp.shop:4437 | botnet_cc | 2026-06-10 | 75% |
| url | hxxp://solvueo.shop:8938 | botnet_cc | 2026-06-10 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Remus
let malicious_ips = dynamic(["128.199.189.103", "185.239.236.212", "72.60.241.82", "143.244.143.195", "195.211.191.95", "191.44.68.60", "76.223.67.189", "72.62.195.74", "147.93.102.159", "13.248.213.45", "148.230.76.66", "38.47.176.90", "143.244.141.221", "195.222.53.130", "165.227.199.109", "139.59.137.44", "180.188.198.176", "167.71.217.41"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Remus
let malicious_ips = dynamic(["128.199.189.103", "185.239.236.212", "72.60.241.82", "143.244.143.195", "195.211.191.95", "191.44.68.60", "76.223.67.189", "72.62.195.74", "147.93.102.159", "13.248.213.45", "148.230.76.66", "38.47.176.90", "143.244.141.221", "195.222.53.130", "165.227.199.109", "139.59.137.44", "180.188.198.176", "167.71.217.41"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - Remus
let malicious_urls = dynamic(["http://mascard.biz:8768", "http://zsigmu.shop:7673", "http://tryjellie.com:5747", "http://thequarterlymethod.com:6584", "http://tricshp.shop:4437", "http://solvueo.shop:8938", "http://socihr.lol:4219", "http://sivaph.shop:6390", "http://shivlpf.shop:6473", "http://sagaraya.vip:6004", "http://ropea.top:28313", "http://repqst.shop:7688", "http://ponzchq.shop:9504", "http://pickad.shop:8478", "http://padaz.pics:4219", "http://organp.shop:7538", "http://orderre.shop:4190", "http://morkaj.bet:8768", "http://moisca.com:8938", "http://menomou.shop:7049", "http://mandtar.shop:7538", "http://mammeap.shop:4219", "http://jirensolutions.com:5747", "http://iuta.today:8521", "http://intem.lat:9592", "http://intelvissions.com:5747", "http://godsblueprintforyourmarriage.com:5200", "http://forehia.shop:4538", "http://famwili.shop:9321", "http://falcoju.shop:9895"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
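The hunting queries above hard-code refanged copies of the indicator lists. The following Python script is an added example, not part of the ThreatFox feed or of the rule itself: it parses rows in the defanged table layout used above, refangs them, validates the IP indicators, deduplicates hosts that appear on several ports, and renders the DeviceNetworkEvents query, optionally with the process-name exclusions that the false-positive scenarios below suggest. The function names, the constructed sample rows (copied from the table above), and the use of KQL's case-insensitive `!in~` for the exclusion are this example's own choices.

```python
"""Added example: parse defanged ThreatFox table rows into Sentinel KQL.

Not the feed's or the rule's own code; names and sample rows are this
example's own choices.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: rows copied from the IOC table above, left defanged
# exactly as the feed presents them (header and separator lines included).
SAMPLE_ROWS = """\
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 76[.]223[.]67[.]189:6584 | botnet_cc | 2026-06-10 | 75% |
| url | hxxp://mascard.biz:8768 | botnet_cc | 2026-06-10 | 75% |
| ip:port | 72[.]62[.]195[.]74:6473 | botnet_cc | 2026-06-10 | 75% |
| ip:port | 72[.]62[.]195[.]74:6590 | botnet_cc | 2026-06-10 | 75% |
| url | hxxp://zsigmu.shop:7673 | botnet_cc | 2026-06-10 | 75% |
"""

# One table row: | type | value | threat type | first seen | NN% |
ROW_RE = re.compile(
    r"^\|\s*([^|]+?)\s*\|\s*([^|]+?)\s*\|\s*([^|]+?)\s*\|\s*([^|]+?)\s*\|\s*(\d+)%\s*\|$"
)


@dataclass(frozen=True)
class Indicator:
    ioc_type: str    # "ip:port" or "url"
    value: str       # refanged, e.g. "76.223.67.189:6584"
    threat_type: str
    first_seen: str
    confidence: int  # percent


def refang(value: str) -> str:
    """Reverse the feed's defanging: [.] -> . and hxxp(s):// -> http(s)://."""
    value = value.replace("[.]", ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)


def parse_rows(text: str) -> list[Indicator]:
    """Parse table rows; header, separator and blank lines are skipped."""
    found = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            ioc_type, value, threat, seen, conf = m.groups()
            found.append(Indicator(ioc_type, refang(value), threat, seen, int(conf)))
    return found


def ip_list(indicators: list[Indicator], min_confidence: int = 0) -> list[str]:
    """Unique, validated IP addresses from ip:port rows, in feed order.

    The port is dropped, as the page's own queries do, so a host seen on
    several ports (72.62.195.74 in the sample) appears once.
    """
    ips: dict[str, None] = {}
    for ind in indicators:
        if ind.ioc_type != "ip:port" or ind.confidence < min_confidence:
            continue
        host, _, port = ind.value.rpartition(":")
        if not port.isdigit() or not 0 < int(port) < 65536:
            continue  # malformed row: keep it out of the watchlist
        try:
            ips[str(ipaddress.ip_address(host))] = None
        except ValueError:
            continue  # not an IP address, e.g. a typo in the feed
    return list(ips)


def url_list(indicators: list[Indicator], min_confidence: int = 0) -> list[str]:
    """Unique refanged URLs from url rows, in feed order."""
    urls = {i.value: None for i in indicators
            if i.ioc_type == "url" and i.confidence >= min_confidence}
    return list(urls)


def kql_dynamic(name: str, values: list[str]) -> str:
    """Render a KQL let statement holding a dynamic string array."""
    quoted = ", ".join(f'"{v}"' for v in values)
    return f"let {name} = dynamic([{quoted}]);"


def build_network_query(indicators: list[Indicator], excluded_processes=()) -> str:
    """DeviceNetworkEvents hunt; excluded_processes implements the
    'filter by process name' exclusions from the false-positive scenarios."""
    lines = [
        "// Hunt in Defender for Endpoint network events",
        kql_dynamic("malicious_ips", ip_list(indicators)),
        "DeviceNetworkEvents",
        "| where RemoteIP in (malicious_ips)",
    ]
    if excluded_processes:
        quoted = ", ".join(f'"{p}"' for p in excluded_processes)
        lines.append(f"| where InitiatingProcessFileName !in~ ({quoted})")
    lines += [
        "| project Timestamp, DeviceName, RemoteIP, RemotePort, "
        "InitiatingProcessFileName, ActionType",
        "| order by Timestamp desc",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_network_query(parse_rows(SAMPLE_ROWS), ["VeeamBackup.exe"]))
```

Feeding the full table to `parse_rows` yields the same IP and URL lists as the hand-written `dynamic([...])` arrays above. Dropping the port mirrors the page's queries; if the hunt should only match the exact C2 port, keep the `ip:port` value intact and compare it against `strcat(RemoteIP, ":", RemotePort)` instead of `RemoteIP`.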
Scenario: Scheduled System Backup Using Veeam Backup & Replication
Description: A legitimate scheduled backup job using Veeam Backup & Replication may generate network traffic that matches some of the Remus IOCs, such as connections to internal IP ranges or use of common administrative tools.
Suggested Filter/Exclusion: Exclude traffic originating from or destined to the Veeam backup server, or filter by process name VeeamBackup.exe.
Scenario: Windows Task Scheduler Running PowerShell Scripts
Description: A legitimate administrative task using PowerShell scripts (e.g., powershell.exe -Command) to automate system maintenance or configuration management could trigger the rule if the script uses IOCs associated with Remus.
Suggested Filter/Exclusion: Filter by process name powershell.exe with a command line containing known administrative tasks (e.g., Get-Service, Get-EventLog).
Scenario: Microsoft SQL Server Agent Job Execution
Description: A SQL Server Agent job running T-SQL scripts or using SQL Server Management Studio (SSMS) may generate activity that matches Remus IOCs, especially if it involves network connections or file system access.
Suggested Filter/Exclusion: Exclude activity from the SQL Server Agent service or filter by process name sqlservr.exe or ssms.exe.
Scenario: Windows Update or Patch Management via Windows Server Update Services (WSUS)
Description: WSUS may initiate network traffic to internal servers or use tools like wuauclt.exe that could be flagged by the Remus detection rule.
Suggested Filter/Exclusion: Exclude traffic from the WSUS server or filter by process name wuauclt.exe during known update windows.
Scenario: Log Management Using Splunk or ELK Stack
Description: Log collection processes using