The ThreatFox: Remus IOCs rule detects potential adversary activity associated with the Remus malware, using the indicators of compromise published by ThreatFox (all tagged botnet_cc) to identify network connections and DNS lookups to known Remus command-and-control infrastructure. SOC teams should proactively hunt for this activity in Azure Sentinel to detect and mitigate intrusions that may be leveraging Remus for command and control or data exfiltration.
IOC Summary

Malware Family: Remus
Total IOCs: 4
IOC Types: ip:port, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 213[.]199[.]54[.]45:8768 | botnet_cc | 2026-05-08 | 75% |
| domain | kinderplow.com | botnet_cc | 2026-05-08 | 100% |
| ip:port | 104[.]237[.]159[.]87:5782 | botnet_cc | 2026-05-08 | 75% |
| domain | merrywannainq.com | botnet_cc | 2026-05-08 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Remus
// ThreatFox lists these indicators as ip:port (8768 and 5782). Matching on the IP
// alone is deliberately broad; add a DestinationPort filter to narrow the hunt.
let malicious_ips = dynamic(["213.199.54.45", "104.237.159.87"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Remus
// InitiatingProcessFileName identifies the process that opened the connection.
let malicious_ips = dynamic(["213.199.54.45", "104.237.159.87"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Remus
// has_any matches the domain as a whole term, so subdomains of the listed domains are caught too.
let malicious_domains = dynamic(["kinderplow.com", "merrywannainq.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
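The following query is an added example and is not part of the ThreatFox rule or its published hunts; it assumes the standard Sentinel schemas for CommonSecurityLog, DeviceNetworkEvents and DnsEvents. It folds the three hunts above into one result set, matches the exact ip:port pairs from the IOC table (the queries above match on IP alone, which is broader), and carries the ThreatFox confidence value into each hit so analysts can triage the 100% domain hits ahead of the 75% IP hits.

```kql
// Added example, not from the ThreatFox rule: one hunt across all three tables.
let iocs = datatable(ioc_type:string, value:string, port:int, confidence:int) [
    "ip:port", "213.199.54.45",    8768, 75,
    "ip:port", "104.237.159.87",   5782, 75,
    "domain",  "kinderplow.com",      0, 100,
    "domain",  "merrywannainq.com",   0, 100
];
let ip_iocs = iocs | where ioc_type == "ip:port" | project value, port, confidence;
let domain_iocs = iocs | where ioc_type == "domain" | project Indicator = value, Confidence = confidence;
let domain_list = toscalar(domain_iocs | summarize make_list(Indicator));
// Normalise firewall/proxy (CEF) and Defender for Endpoint events to one shape.
let firewall = CommonSecurityLog
    | where isnotempty(DestinationIP)
    | project TimeGenerated, Host = Computer, RemoteIP = DestinationIP,
              RemotePort = toint(DestinationPort), Process = "", Detail = Activity,
              SourceTable = "CommonSecurityLog";
let endpoint = DeviceNetworkEvents
    | project TimeGenerated = Timestamp, Host = DeviceName, RemoteIP, RemotePort,
              Process = InitiatingProcessFileName, Detail = ActionType,
              SourceTable = "DeviceNetworkEvents";
// Exact ip:port match, as ThreatFox reported the indicators.
let network_hits = union firewall, endpoint
    | join kind=inner ip_iocs on $left.RemoteIP == $right.value, $left.RemotePort == $right.port
    | project TimeGenerated, Host, Indicator = strcat(RemoteIP, ":", RemotePort),
              Confidence = confidence, Process, Detail, SourceTable;
// For DNS, expand the domain list so each hit records which indicator it matched.
let dns_hits = DnsEvents
    | where Name has_any (domain_list)
    | extend Indicator = domain_list
    | mv-expand Indicator to typeof(string)
    | where Name has Indicator
    | join kind=inner domain_iocs on Indicator
    | project TimeGenerated, Host = Computer, Indicator, Confidence, Process = "",
              Detail = strcat(QueryType, " -> ", IPAddresses), SourceTable = "DnsEvents";
union network_hits, dns_hits
| order by Confidence desc, TimeGenerated desc
```

Because the join requires both IP and port to match, a connection to one of the IPs on a different port is not returned; keep the broader IP-only queries for hunting if that coverage is wanted.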
Required Sentinel Tables

| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
False Positive Scenarios

Scenario: System update or patching process using Remus as part of a legitimate system management tool
Filter/Exclusion: Exclude processes initiated by known patch management tools (e.g., Microsoft Update, WSUS, Ansible, Chef) or running during scheduled maintenance windows.

Scenario: Scheduled backup job using Remus for data replication or mirroring
Filter/Exclusion: Exclude processes associated with backup tools (e.g., Veeam, Commvault, Veritas) or running during predefined backup windows.

Scenario: Admin task to configure or manage network devices using Remus as a configuration tool
Filter/Exclusion: Exclude processes initiated by network management tools (e.g., Cisco Prime, SolarWinds, NetMRI) or by users with elevated privileges (e.g., sudo, runas).

Scenario: Log analysis or monitoring tool using Remus for log parsing or event correlation
Filter/Exclusion: Exclude processes associated with log management tools (e.g., Splunk, ELK Stack, Graylog) or running under a dedicated monitoring service account.

Scenario: Development or testing environment using Remus for internal tooling or a CI/CD pipeline
Filter/Exclusion: Exclude processes running in development environments (e.g., Jenkins, GitLab CI, Docker) or under specific development user groups.