The ThreatFox: Remus IOCs rule detects potential adversary activity associated with the Remus malware, leveraging known indicators of compromise to identify malicious network traffic or system behavior. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats that may be leveraging Remus for data exfiltration or command and control operations.
IOC Summary

- Malware Family: Remus
- Total IOCs: 3
- IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | famwili.shop | botnet_cc | 2026-05-20 | 100% |
| domain | genusaqe.biz | botnet_cc | 2026-05-20 | 100% |
| domain | mandtar.shop | botnet_cc | 2026-05-20 | 100% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Remus
let malicious_domains = dynamic(["famwili.shop", "genusaqe.biz", "mandtar.shop"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
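The matching logic of the hunt above, as an added example that is not part of the original page, run over constructed DnsEvents-style records. It matches the three listed domains and their subdomains while rejecting look-alike names that a plain substring check would flag, and it skips queries from an allow-list of known-good clients (the `EXCLUDED_CLIENTS` addresses are placeholders, not values from the page).

```python
import json
from typing import Iterable, Optional

# The three Remus C2 domains from the ThreatFox listing above.
REMUS_DOMAINS = {"famwili.shop", "genusaqe.biz", "mandtar.shop"}

# Assumed allow-list of internal clients reviewed separately (placeholder values,
# standing in for the "known backup servers" style of exclusion; not from the page).
EXCLUDED_CLIENTS = {"10.0.5.20"}

def normalize_domain(name: str) -> str:
    """Lower-case and strip a trailing dot so 'GENUSAQE.BIZ.' equals 'genusaqe.biz'."""
    return name.strip().lower().rstrip(".")

def matches_ioc(name: str, iocs=REMUS_DOMAINS) -> Optional[str]:
    """Return the matching IOC if `name` is that domain or a subdomain of it.

    'cdn.famwili.shop' matches; 'famwili.shopping' and 'notfamwili.shop' do not,
    which is closer to the term-based `has_any` than a `contains` substring test.
    """
    host = normalize_domain(name)
    for ioc in iocs:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None

def hunt(events: Iterable[dict]) -> list:
    """Apply the hunt to DnsEvents-style records, newest first, skipping excluded clients."""
    hits = []
    for ev in events:
        ioc = matches_ioc(ev["Name"])
        if ioc and ev.get("ClientIP") not in EXCLUDED_CLIENTS:
            hits.append({"TimeGenerated": ev["TimeGenerated"], "Computer": ev["Computer"],
                         "Name": ev["Name"], "IOC": ioc, "QueryType": ev["QueryType"]})
    return sorted(hits, key=lambda h: h["TimeGenerated"], reverse=True)

# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"TimeGenerated": "2026-05-21T08:01:00Z", "Computer": "ws01", "ClientIP": "10.0.1.15",
     "Name": "cdn.famwili.shop.", "QueryType": "A"},
    {"TimeGenerated": "2026-05-21T08:02:00Z", "Computer": "ws02", "ClientIP": "10.0.1.16",
     "Name": "famwili.shopping", "QueryType": "A"},
    {"TimeGenerated": "2026-05-21T08:03:00Z", "Computer": "bkp01", "ClientIP": "10.0.5.20",
     "Name": "GENUSAQE.BIZ", "QueryType": "A"},
    {"TimeGenerated": "2026-05-21T08:04:00Z", "Computer": "ws03", "ClientIP": "10.0.1.17",
     "Name": "mandtar.shop", "QueryType": "AAAA"},
]

if __name__ == "__main__":
    print(json.dumps(hunt(SAMPLE_EVENTS), indent=2))  # two hits: ws03, then ws01
```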
Scenario: Scheduled System Backup Using Veeam Backup & Replication
Description: A legitimate scheduled backup job using Veeam Backup & Replication may generate network traffic that matches Remus IOCs due to its use of similar communication patterns.
Filter/Exclusion: Check for process.name containing “Veeam” or “veeam” and filter out traffic originating from known backup servers.
Scenario: Microsoft Update Agent Performing Scheduled Patching
Description: The Microsoft Update Agent may trigger network activity that resembles Remus behavior during scheduled patching tasks.
Filter/Exclusion: Filter out traffic from process.name containing “wuau” or “Microsoft Update” and check for destination.port matching known Microsoft update ports (e.g., 80, 443, 8530).
Scenario: Admin Task Using PowerShell for System Monitoring
Description: A system administrator may use PowerShell scripts (e.g., Get-EventLog, Get-Service) to monitor system performance, which could generate IOCs similar to Remus.
Filter/Exclusion: Filter out processes with process.name containing “powershell.exe” and check for user.name matching known admin accounts.
Scenario: Log Management Tool Using Splunk Forwarder
Description: The Splunk Forwarder may send logs to a Splunk indexer, which could be misinterpreted as Remus-related network activity.
Filter/Exclusion: Filter out traffic from process.name containing “splunkforwarder” and check for destination.address matching internal Splunk server IPs.
Scenario: Database Maintenance Job Using SQL Server Agent
Description: A SQL Server Agent job may generate outbound traffic to a database server, which could be flagged due to similar network patterns as Remus.
*Filter/Ex