The ThreatFox: Remus IOCs rule detects potential adversary activity associated with the Remus malware, which is known for its persistence and data exfiltration capabilities. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate advanced threats that may be leveraging Remus to maintain long-term access and steal sensitive data.
IOC Summary

Malware Family: Remus
Total IOCs: 6
IOC Types: domain

| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | zsigmu.shop | botnet_cc | 2026-05-21 | 100% |
| domain | dafkov.shop | botnet_cc | 2026-05-21 | 100% |
| domain | chriysn.shop | botnet_cc | 2026-05-21 | 100% |
| domain | sheetmancer.com | botnet_cc | 2026-05-21 | 100% |
| domain | shivlpf.shop | botnet_cc | 2026-05-21 | 100% |
| domain | solvueo.shop | botnet_cc | 2026-05-21 | 100% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Remus
let malicious_domains = dynamic(["zsigmu.shop", "dafkov.shop", "chriysn.shop", "sheetmancer.com", "shivlpf.shop", "solvueo.shop"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

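The following is an added example and not part of the ThreatFox rule or the Sentinel query above: an offline Python matcher that applies the same six Remus domain IOCs to DnsEvents-shaped records, so you can see exactly which query names count as hits before running the hunt in Sentinel. The CSV rows, host names and IP addresses are constructed; `hunt_dns_events` and `matched_ioc` are hypothetical helpers, not part of any Sentinel or ThreatFox API. Matching is done on a label boundary (exact name or subdomain), which is the check a hunt should make so that look-alike names such as `notzsigmu.shop` are not flagged by a plain substring test.

```python
"""Added example (not part of the ThreatFox rule page): an offline matcher
that applies the six Remus domain IOCs to DnsEvents-style records, the way
the KQL hunt does in Sentinel. The log rows below are constructed."""
import csv
import io

# The six domain IOCs listed on the page.
REMUS_DOMAINS = frozenset({
    "zsigmu.shop", "dafkov.shop", "chriysn.shop",
    "sheetmancer.com", "shivlpf.shop", "solvueo.shop",
})

# Constructed sample shaped like the projected DnsEvents columns.
SAMPLE_DNS_LOG = """\
TimeGenerated,Computer,Name,IPAddresses,QueryType
2026-05-21T08:01:02Z,WS-0142,zsigmu.shop.,203.0.113.10,A
2026-05-21T08:01:05Z,WS-0142,cdn.sheetmancer.com,203.0.113.11,A
2026-05-21T08:02:10Z,WS-0077,notzsigmu.shop,198.51.100.5,A
2026-05-21T08:02:30Z,WS-0077,DAFKOV.SHOP,198.51.100.6,AAAA
2026-05-21T08:03:00Z,SRV-DB01,sheetmancer.com.internal.corp,10.0.0.5,A
2026-05-21T08:03:45Z,WS-0099,example.org,93.184.216.34,A
"""


def normalize_fqdn(name: str) -> str:
    """Lower-case the query name and drop the trailing root dot."""
    return name.strip().lower().rstrip(".")


def matched_ioc(name: str, iocs=REMUS_DOMAINS):
    """Return the IOC that `name` equals or is a subdomain of, else None.

    Suffix matching happens on a label boundary, so 'notzsigmu.shop' and
    'sheetmancer.com.internal.corp' are not hits; a plain substring test
    would flag both.
    """
    fqdn = normalize_fqdn(name)
    for ioc in iocs:
        if fqdn == ioc or fqdn.endswith("." + ioc):
            return ioc
    return None


def hunt_dns_events(log_text: str, iocs=REMUS_DOMAINS):
    """Filter DnsEvents rows to IOC hits, newest first (mirrors the KQL)."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        ioc = matched_ioc(row["Name"], iocs)
        if ioc is not None:
            hits.append({**row, "MatchedIOC": ioc})
    hits.sort(key=lambda r: r["TimeGenerated"], reverse=True)
    return hits


def hits_per_host(hits):
    """Count hits per Computer so triage can start with the noisiest host."""
    counts = {}
    for row in hits:
        counts[row["Computer"]] = counts.get(row["Computer"], 0) + 1
    return counts


if __name__ == "__main__":
    results = hunt_dns_events(SAMPLE_DNS_LOG)
    for row in results:
        print(row["TimeGenerated"], row["Computer"], row["Name"], "->", row["MatchedIOC"])
    print(hits_per_host(results))
```

On the constructed sample only three of the six rows are hits: the exact name with a trailing root dot, a subdomain of `sheetmancer.com`, and an upper-cased `DAFKOV.SHOP`. The two look-alike rows are deliberately left out by the boundary check, which is the behaviour to confirm for whatever matching operator the hunt finally uses.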
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |

Scenario: Scheduled System Backup Using Veeam Backup & Replication
Description: A legitimate scheduled backup job using Veeam may generate files matching Remus IOCs due to similar file naming patterns.
Filter/Exclusion: Exclude files with the .vmbk or .vbk extensions, or filter by process name VeeamBackup.exe.

Scenario: Admin Task: PowerShell Script for Log Rotation
Description: A system administrator may run a PowerShell script to rotate logs, which could inadvertently match Remus IOC patterns in log files.
Filter/Exclusion: Exclude powershell.exe processes whose command line contains -File or -Command with paths to known admin scripts.

Scenario: Software Update Deployment via SCCM (System Center Configuration Manager)
Description: A software update deployment using SCCM may include files that match Remus IOCs due to similar file hashes or names.
Filter/Exclusion: Exclude files under the sms or ccm directory trees, or filter by process name ccmexec.exe.

Scenario: Database Backup Using SQL Server Agent Job
Description: A SQL Server Agent job performing a database backup may generate temporary files that match Remus IOCs.
Filter/Exclusion: Exclude files with the .bak extension or processes running under the sqlservr.exe process name.

Scenario: Network Monitoring Tool Using Wireshark for Traffic Analysis
Description: A network analyst using Wireshark to capture and analyze traffic may generate pcap files that match Remus IOCs due to similar file patterns.
Filter/Exclusion: Exclude files with the .pcap or .cap extensions, or filter by process name wireshark.exe.