The ThreatFox: Remus IOCs rule flags DNS lookups of five command-and-control domains that ThreatFox attributes to the Remus malware, which is known for its persistence and data exfiltration capabilities. SOC teams should proactively hunt for these IOCs in Microsoft Sentinel (formerly Azure Sentinel): a host that has resolved any of them has at least attempted contact with Remus C2 infrastructure and should be triaged before sensitive data or system integrity is affected.
IOC Summary
Malware Family: Remus
Total IOCs: 5
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | singaposta.world | botnet_cc | 2026-05-17 | 100% |
| domain | gayhardsystem.world | botnet_cc | 2026-05-17 | 100% |
| domain | ponzchq.shop | botnet_cc | 2026-05-17 | 100% |
| domain | coyahome.com | botnet_cc | 2026-05-17 | 100% |
| domain | stayba.shop | botnet_cc | 2026-05-17 | 100% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Remus
let malicious_domains = dynamic(["singaposta.world", "gayhardsystem.world", "ponzchq.shop", "coyahome.com", "stayba.shop"]);
DnsEvents
// has_any treats each entry as a phrase of terms, so subdomains such as cdn.coyahome.com
// (and any name containing the domain as consecutive labels) also match.
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector (Windows DNS Analytics) is enabled |
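As an added example (not part of the original ThreatFox rule or its Sentinel query), the same hunt with the query name normalized, matching on the registered domain rather than on a phrase, the ThreatFox context from the table above joined in, and results summarized per querying client. It assumes the DnsEvents table carries the ClientIP column that the Windows DNS Analytics connector provides; the "last two labels" extraction of the registered domain is an assumption that holds for the TLDs in this list (.world, .shop, .com) but not for multi-label suffixes such as .co.uk.

```kql
// Added example: Remus C2 hunt with normalization, registered-domain matching
// and per-client summary. Not the original rule's query.
let iocs = datatable(domain:string, threat_type:string, first_seen:datetime, confidence:int)
[
    "singaposta.world",    "botnet_cc", datetime(2026-05-17), 100,
    "gayhardsystem.world", "botnet_cc", datetime(2026-05-17), 100,
    "ponzchq.shop",        "botnet_cc", datetime(2026-05-17), 100,
    "coyahome.com",        "botnet_cc", datetime(2026-05-17), 100,
    "stayba.shop",         "botnet_cc", datetime(2026-05-17), 100
];
DnsEvents
| where TimeGenerated > ago(30d)
| where isnotempty(Name)
// Normalize: lower-case and drop the trailing dot some resolvers log ("coyahome.com.").
| extend query = tolower(trim_end(@"\.", Name))
// Registered domain = last two labels (assumption: valid for .world/.shop/.com,
// would need a public-suffix list for e.g. .co.uk).
| extend registered = extract(@"([^.]+\.[^.]+)$", 1, query)
// Inner join keeps only queries whose registered domain is a Remus IOC and
// carries the ThreatFox threat type, first-seen date and confidence along.
| join kind=inner iocs on $left.registered == $right.domain
| summarize hits = count(),
            first_query = min(TimeGenerated),
            last_query = max(TimeGenerated),
            names = make_set(query, 20),
            resolved = make_set(IPAddresses, 20)
    by Computer, ClientIP, registered, threat_type, first_seen, confidence
| order by last_query desc
```

Matching on the registered domain catches both the bare domain and any subdomain (cdn.coyahome.com) while not matching unrelated names that merely contain the string; the per-client summary gives you one row per host to triage rather than one row per query.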
The scenarios below were written against generic process telemetry (ECS-style process.name, process.path and process.args fields). The hunt query above runs only against DnsEvents, which records the DNS server (Computer), the querying client (ClientIP) and the queried Name, carries no process fields, and matches only the five listed domains. None of the tools below produces a match by generating "similar" file or network activity; a hit means a host actually resolved a Remus C2 domain. The one common benign source of such lookups is a host that resolves indicators on purpose (a sandbox, a threat-intel enrichment job, an analyst workstation); identify those hosts explicitly rather than excluding by process. Treat the process-based filters as triage guidance to apply in process-level telemetry (for example Sysmon Event ID 22, which records the Image that issued a DNS query, or Defender for Endpoint DeviceNetworkEvents), not as exclusions to add to the DnsEvents query.
Scenario: Scheduled System Backup Using Veeam Backup & Replication
Description: A Veeam backup job produces heavy file and network activity, but it does not resolve the listed domains, so it will not trigger this rule on its own.
Filter/Exclusion: For a hit from a backup server, use process-level telemetry to check whether the querying process name or path contains "Veeam". A backup process resolving a botnet C2 domain still needs investigation; do not exclude on the process name alone.
Scenario: Windows Task Scheduler Running Administrative Scripts
Description: A PowerShell script run from Task Scheduler matches only if the script itself resolves one of the listed domains; command-line arguments and file paths are not compared by this rule.
Filter/Exclusion: Attribute the query to the task via Task Scheduler execution events or a process name containing "schtasks", then review the script for the domain. If the script contains it, the script (or a module it loads) is the compromise, not a false positive.
Scenario: Microsoft Endpoint Protection (EPP) Scan Activity
Description: Microsoft Defender scans inspect local files and may contact Microsoft cloud services, but neither involves the listed domains, so routine scanning does not match.
Filter/Exclusion: If process attribution shows "mpcmdrun.exe" or another Microsoft Defender component issued the query, confirm whether the host is configured to detonate or enrich indicators before treating it as benign.
Scenario: Log Management Tool Collecting Logs via Filebeat
Description: Filebeat ships log files to its configured outputs; it does not resolve the listed domains unless they appear in its output configuration, and log lines that merely contain a domain string do not generate DNS queries.
Filter/Exclusion: Attribute by a process name containing "filebeat" and check its configured outputs. A filter on arguments containing "log" or "syslog" is too broad to exclude on.
Scenario: Database Backup Using SQL Server Agent Job
Description: A SQL Server Agent backup job resolves its backup targets (local or network storage), not the listed domains, so it will not match on its own.
Filter/Exclusion: If attribution shows "sqlservr.exe" or "sqlagent" issued the query, check the backup destination and any linked servers or CLR/xp_cmdshell usage for the domain before excluding.
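To apply the process-based filters from these scenarios you need telemetry that ties a DNS lookup or connection to a process. As an added example (not from the original page), the following query attributes hits on the Remus domains to the initiating process using Defender for Endpoint's DeviceNetworkEvents table in Sentinel; it assumes that connector is enabled, and the expected_benign list is an assumption drawn from the scenarios above and serves only as a triage flag, never as an automatic suppression.

```kql
// Added example: attribute Remus C2 contact to a process via Defender for Endpoint.
// Assumes the Microsoft Defender for Endpoint connector populates DeviceNetworkEvents.
let remus_domains = dynamic(["singaposta.world", "gayhardsystem.world", "ponzchq.shop", "coyahome.com", "stayba.shop"]);
// Assumed triage list built from the false-positive scenarios; a hit from one of
// these processes is still a real resolution of a C2 domain and must be investigated.
let expected_benign = dynamic(["veeam", "schtasks", "mpcmdrun", "filebeat", "sqlservr", "sqlagent"]);
DeviceNetworkEvents
| where TimeGenerated > ago(30d)
| where isnotempty(RemoteUrl)
// RemoteUrl may be a bare host name or a full URL; reduce both to the host.
| extend url_host = iff(RemoteUrl startswith "http",
                        tostring(parse_url(RemoteUrl).Host),
                        RemoteUrl)
| extend url_host = tolower(trim_end(@"\.", url_host))
// Registered domain = last two labels (assumption valid for .world/.shop/.com).
| extend registered = extract(@"([^.]+\.[^.]+)$", 1, url_host)
| where registered in (remus_domains)
| extend process = tolower(InitiatingProcessFileName)
| extend known_admin_tool = process has_any (expected_benign)
| project TimeGenerated, DeviceName, registered, url_host, RemoteIP, RemotePort,
          ActionType, process, InitiatingProcessCommandLine,
          InitiatingProcessFolderPath, InitiatingProcessAccountName,
          known_admin_tool
| order by TimeGenerated desc
```

Rows with known_admin_tool set to true are where the scenarios above apply: the process name tells you which tool made the connection, and the command line and folder path let you verify it is the genuine binary in its expected location rather than malware named after it.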