The ThreatFox: Remus IOCs rule detects potential adversary activity associated with the Remus malware, which is known for its persistence and data exfiltration capabilities. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate advanced threats that could compromise sensitive data and system integrity.
IOC Summary
Malware Family: Remus
Total IOCs: 6
IOC Types: ip:port, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 195[.]211[.]191[.]24:7673 | botnet_cc | 2026-05-19 | 75% |
| domain | ciuzdaw.shop | botnet_cc | 2026-05-19 | 100% |
| ip:port | 143[.]198[.]192[.]17:4538 | botnet_cc | 2026-05-19 | 75% |
| domain | ryoubornagain.com | botnet_cc | 2026-05-19 | 100% |
| domain | rootsandextracts.com | botnet_cc | 2026-05-19 | 100% |
| domain | material-deals.com | botnet_cc | 2026-05-19 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Remus (the IOC table lists these as C2 at ports 7673 and 4538;
// the query matches on IP only, so check DestinationPort in the results)
let malicious_ips = dynamic(["195.211.191.24", "143.198.192.17"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Remus (RemotePort is projected so the C2 ports 7673 / 4538 can be checked)
let malicious_ips = dynamic(["195.211.191.24", "143.198.192.17"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Remus (has_any also matches subdomains of the listed domains)
let malicious_domains = dynamic(["ciuzdaw.shop", "ryoubornagain.com", "rootsandextracts.com", "material-deals.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
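The three queries above match on IP and on domain term; as an added example (not part of the ThreatFox feed or the rule page), the following offline matcher applies the same six IOCs to constructed network and DNS events, but additionally splits the `ip:port` indicators so that a hit on the listed C2 port can be told apart from an IP-only hit, and matches subdomains of the listed domains the way `has_any` does.

```python
# Added example: offline matcher for the ThreatFox Remus IOCs in the table above.
# The IOC list is copied from that table (still defanged); the events are constructed.
REMUS_IOCS = [
    ("ip:port", "195[.]211[.]191[.]24:7673", 75),
    ("domain", "ciuzdaw.shop", 100),
    ("ip:port", "143[.]198[.]192[.]17:4538", 75),
    ("domain", "ryoubornagain.com", 100),
    ("domain", "rootsandextracts.com", 100),
    ("domain", "material-deals.com", 100),
]

def build_index(iocs):
    """Split the feed into {(ip, port): confidence} and {domain: confidence}."""
    ip_ports, domains = {}, {}
    for ioc_type, value, conf in iocs:
        value = value.replace("[.]", ".")  # refang the feed's defanged notation
        if ioc_type == "ip:port":
            ip, port = value.rsplit(":", 1)
            ip_ports[(ip, int(port))] = conf
        elif ioc_type == "domain":
            domains[value.lower()] = conf
    return ip_ports, domains

def match_events(events, iocs=REMUS_IOCS):
    """Return (event_id, matched_ioc, confidence) per hit. Network events that match
    IP but not the listed C2 port are reported as 'ip-only' for analyst triage."""
    ip_ports, domains = build_index(iocs)
    ips_only = {ip for ip, _ in ip_ports}
    hits = []
    for ev in events:
        if ev["kind"] == "net":
            key = (ev["remote_ip"], ev["remote_port"])
            if key in ip_ports:
                hits.append((ev["id"], f"{key[0]}:{key[1]}", ip_ports[key]))
            elif ev["remote_ip"] in ips_only:
                hits.append((ev["id"], ev["remote_ip"], "ip-only"))
        elif ev["kind"] == "dns":
            name = ev["name"].lower().rstrip(".")  # DNS names may carry a trailing dot
            for dom, conf in domains.items():
                if name == dom or name.endswith("." + dom):  # domain or any subdomain
                    hits.append((ev["id"], dom, conf))
    return hits

SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"id": 1, "kind": "net", "remote_ip": "195.211.191.24", "remote_port": 7673},
    {"id": 2, "kind": "net", "remote_ip": "195.211.191.24", "remote_port": 443},
    {"id": 3, "kind": "dns", "name": "cdn.material-deals.com."},
    {"id": 4, "kind": "dns", "name": "notmaterial-deals.com"},
    {"id": 5, "kind": "net", "remote_ip": "10.0.0.5", "remote_port": 4538},
]
```

Running `match_events(SAMPLE_EVENTS)` reports events 1, 2 and 3 only; the look-alike domain in event 4 and the port-only coincidence in event 5 are correctly ignored.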
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that matches the IOCs associated with Remus, such as using "remus" in a script name or command.
Filter/Exclusion: `process.name != "schtasks.exe" OR process.parent.name == "task scheduler" OR file.name contains "maintenance"`

Scenario: Admin Performing Log Analysis with Remus Tool
Description: An admin is using the Remus tool (a legitimate log analysis tool) to review system logs, which may trigger the IOC match.
Filter/Exclusion: `process.name contains "remus" AND user.name contains "admin" OR process.parent.name contains "powershell"`

Scenario: Automated Backup Job Using Remus-Related Scripts
Description: A backup job uses a script that includes terms like "remus" in the script name or command line, causing a false positive.
Filter/Exclusion: `process.name contains "backup" OR process.parent.name contains "schtasks.exe" OR file.path contains "backup"`

Scenario: User Running a Legitimate Application with Similar Name
Description: A user runs a legitimate application with a name similar to "remus", such as "remus.exe" (a non-malicious tool), triggering the rule.
Filter/Exclusion: `file.name contains "remus.exe" AND process.parent.name contains "explorer.exe" OR user.name contains "user"`

Scenario: System Update or Patching Process
Description: A system update or patching process includes files or commands that match the Remus IOCs due to shared naming or command-line arguments.
Filter/Exclusion: `process.name contains "wusa.exe" OR process.name contains "msiexec.exe"`