The ThreatFox: Remus IOCs rule matches network activity against indicators that ThreatFox attributes to the Remus malware family, which is reported to focus on persistence and data exfiltration. Every indicator in this set is tagged botnet_cc, so a hit means a host connected, or attempted to connect, to Remus command-and-control infrastructure. SOC teams should hunt for these IOCs in Microsoft Sentinel (formerly Azure Sentinel) and treat an exact ip:port or domain match as a likely compromise until triage shows otherwise.
IOC Summary
Malware Family: Remus
Total IOCs: 12 (4 ip:port, 8 domain)
IOC Types: domain, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 93[.]127[.]214[.]44:7802 | botnet_cc | 2026-05-06 | 75% |
| domain | losslvs.surf | botnet_cc | 2026-05-06 | 100% |
| ip:port | 138[.]68[.]148[.]118:8299 | botnet_cc | 2026-05-06 | 75% |
| domain | solidgma.biz | botnet_cc | 2026-05-06 | 100% |
| ip:port | 68[.]183[.]161[.]221:4895 | botnet_cc | 2026-05-06 | 75% |
| domain | outcrol.biz | botnet_cc | 2026-05-06 | 100% |
| domain | odoriu.shop | botnet_cc | 2026-05-06 | 100% |
| domain | havelbeenpwned.net | botnet_cc | 2026-05-06 | 100% |
| domain | mlbft.com | botnet_cc | 2026-05-06 | 100% |
| domain | maxhealthinsadvantage.com | botnet_cc | 2026-05-06 | 100% |
| domain | alfeeha.online | botnet_cc | 2026-05-06 | 100% |
| ip:port | 195[.]201[.]103[.]159:9403 | botnet_cc | 2026-05-06 | 75% |
```kql
// Hunt for network connections to known malicious IPs (CEF firewall/proxy logs)
// Source: ThreatFox - Remus
// The IOCs are ip:port pairs. This query matches on IP alone and flags whether the
// destination port is one of the listed C2 ports, so triage can prioritise exact hits.
let malicious_ips = dynamic(["68.183.161.221", "138.68.148.118", "93.127.214.44", "195.201.103.159"]);
let malicious_ports = dynamic([4895, 8299, 7802, 9403]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| extend PortMatch = DestinationPort in (malicious_ports)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, PortMatch, DeviceAction, Activity
| order by TimeGenerated desc
```
```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Remus
// RemotePort is compared against the listed C2 ports; the initiating process and its
// command line identify what opened the connection.
let malicious_ips = dynamic(["68.183.161.221", "138.68.148.118", "93.127.214.44", "195.201.103.159"]);
let malicious_ports = dynamic([4895, 8299, 7802, 9403]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| extend PortMatch = RemotePort in (malicious_ports)
| project Timestamp, DeviceName, RemoteIP, RemotePort, PortMatch, InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType
| order by Timestamp desc
```
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Remus
// has_any matches each domain as a whole term sequence, so queries for subdomains
// (a host under losslvs.surf, for example) also match; ExactMatch flags the bare indicator.
let malicious_domains = dynamic(["losslvs.surf", "solidgma.biz", "outcrol.biz", "odoriu.shop", "havelbeenpwned.net", "mlbft.com", "maxhealthinsadvantage.com", "alfeeha.online"]);
DnsEvents
| where Name has_any (malicious_domains)
| extend ExactMatch = tolower(Name) in (malicious_domains)
| project TimeGenerated, Computer, ClientIP, Name, ExactMatch, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the CEF/syslog data connectors (firewalls, proxies). Confirm the relevant appliances are forwarding and that DestinationIP and DestinationPort are parsed, otherwise the port check never matches. |
| DeviceNetworkEvents | Requires the Microsoft Defender XDR connector with the DeviceNetworkEvents table enabled. Covers only hosts onboarded to Defender for Endpoint. |
| DnsEvents | Populated by the legacy DNS solution (Windows DNS servers reporting through the Log Analytics agent). Environments collecting DNS through the Azure Monitor Agent should run the same hunt against ASimDnsActivityLogs, using DnsQuery in place of Name. |
Scenario: Scheduled System Backup Using Veeam Backup & Replication
Description: The rule matches exact indicator values, so a Veeam job produces a hit only if a backup target (an off-site repository or cloud endpoint) actually resolves to, or is hosted on, one of the listed addresses. This can happen when a hosting provider reassigns an IP after the C2 has been taken down.
Filter/Exclusion: First confirm the indicator is stale (check the current ThreatFox entry and what the address hosts now), then exclude only that specific destination IP:port for the named backup server. Do not exclude Veeam hosts wholesale: a compromised backup server beaconing to a live C2 is a high-value finding.
Scenario: Admin Task: Windows Task Scheduler Running PowerShell Scripts
Description: A maintenance script launched by Task Scheduler matches this rule only if it connects to one of the listed IPs or domains. The rule does not match on command-line content or on process ancestry.
Filter/Exclusion: Do not exclude processes started by Task Scheduler or by PowerShell. Scheduled tasks are a common persistence mechanism, and a scheduled script reaching a C2 address is exactly what the rule should surface. Instead, verify where the script's configured endpoint points and, once it is confirmed legitimate, exclude only that endpoint for that script.
Scenario: Log Collection Using Graylog or ELK Stack
Description: Log shippers forward to a fixed set of collector addresses, so a match is possible only if a collector sits on one of the IOC IPs (for example a hosted collector on a reassigned cloud address).
Filter/Exclusion: Maintain a list of collector IPs and ports and exclude the match only where both the destination IP and port equal a known collector. Filtering on DestinationPort alone (for example 514 for syslog) is unsafe, since a C2 can listen on any port; the listed IOCs use 4895, 7802, 8299 and 9403.
Scenario: Software Update via Microsoft Intune or SCCM
Description: Intune and Windows Update traffic goes to Microsoft-published endpoints, and none of the listed domains are Microsoft update endpoints. An SCCM distribution point, however, is customer-operated and could in principle be given an address that was previously used as a C2.
Filter/Exclusion: Compare SCCM distribution point addresses against the IOC list rather than excluding Microsoft IP ranges, which would not intersect these indicators anyway.
Scenario: Remote Desktop Services (RDP) Session from Internal IP
Description: An RDP session between internal addresses cannot match this rule: every listed IP is a public address and every listed domain is external. A match whose SourceIP is internal means an internal host reached an IOC, which is the expected shape of a true positive.
Filter/Exclusion: Do not exclude internal source ranges; doing so would suppress every outbound C2 match. If RDP is involved, pivot on the source host's DeviceNetworkEvents and DeviceProcessEvents to identify the process that opened the connection.
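The following query is an added example, not part of the ThreatFox feed or of the hunting queries above. It combines the three hunts into one result set, pairs IP and port exactly so that an exact ip:port hit is ranked above an IP-only hit, flags exact domain matches, and applies exclusions the way the scenarios above require: keyed on the specific source host and destination indicator, never on "source is internal" or "started by the scheduler". The indicator values are the twelve from the IOC table; the host name and the single exclusion row are hypothetical placeholders, and the table names assume the connectors listed above.

```kql
// Added example: consolidated Remus IOC hunt with exact ip:port pairing and scoped exclusions.
// Indicators are from the ThreatFox table; host names and the exclusion row are hypothetical.
let remus_c2 = datatable(C2Ip:string, C2Port:int) [
    "93.127.214.44",   7802,
    "138.68.148.118",  8299,
    "68.183.161.221",  4895,
    "195.201.103.159", 9403
];
let remus_domains = dynamic([
    "losslvs.surf", "solidgma.biz", "outcrol.biz", "odoriu.shop",
    "havelbeenpwned.net", "mlbft.com", "maxhealthinsadvantage.com", "alfeeha.online"
]);
// Exclusions are keyed on (source host, destination indicator). Add a row only after
// confirming the indicator is stale. The row below is a hypothetical placeholder.
let verified_exclusions = datatable(SourceHost:string, C2Ip:string, Reason:string) [
    "veeam-bkp01", "93.127.214.44", "hypothetical: IP reassigned to off-site repository"
];
// Defender for Endpoint: IP or domain hit, with a left outer join that only populates
// C2Port when both IP and port match, so ExactMatch marks a true ip:port pair.
let mde_hits = DeviceNetworkEvents
    | where RemoteIP in ((remus_c2 | project C2Ip)) or RemoteUrl has_any (remus_domains)
    | join kind=leftouter remus_c2 on $left.RemoteIP == $right.C2Ip, $left.RemotePort == $right.C2Port
    | project Timestamp, Source = "DeviceNetworkEvents", SourceHost = DeviceName, SourceIP = LocalIP,
              DestIP = RemoteIP, DestPort = RemotePort, Domain = RemoteUrl,
              Context = InitiatingProcessFileName, ExactMatch = isnotnull(C2Port);
// CEF firewall/proxy logs: same pairing; DeviceProduct and DeviceAction show which sensor saw it
// and whether the connection was allowed or denied (a denied attempt is still a finding).
let cef_hits = CommonSecurityLog
    | where DestinationIP in ((remus_c2 | project C2Ip))
    | join kind=leftouter remus_c2 on $left.DestinationIP == $right.C2Ip, $left.DestinationPort == $right.C2Port
    | project Timestamp = TimeGenerated, Source = "CommonSecurityLog", SourceHost = SourceHostName, SourceIP,
              DestIP = DestinationIP, DestPort = DestinationPort, Domain = "",
              Context = strcat(DeviceProduct, " ", DeviceAction), ExactMatch = isnotnull(C2Port);
// DNS: has_any matches the domain as a term sequence, so subdomains match as well;
// ExactMatch here means the query was for the bare indicator.
let dns_hits = DnsEvents
    | where Name has_any (remus_domains)
    | project Timestamp = TimeGenerated, Source = "DnsEvents", SourceHost = Computer, SourceIP = ClientIP,
              DestIP = "", DestPort = int(null), Domain = Name, Context = tostring(IPAddresses),
              ExactMatch = tolower(Name) in (remus_domains);
union mde_hits, cef_hits, dns_hits
// Drop only rows whose source host AND destination indicator are on the verified list.
| join kind=leftanti verified_exclusions on SourceHost, $left.DestIP == $right.C2Ip
| order by ExactMatch desc, Timestamp desc
```

Rows with ExactMatch true are ip:port pairs or bare-domain queries that equal a listed indicator and should be worked first; IP-only rows with a different port are still worth a look, since the same host may run several C2 listeners, but they are the population most affected by IP reassignment. The leftanti join is the only exclusion point, and it cannot suppress a match from a host that is not explicitly listed.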