The ThreatFox: Mozi IOCs rule detects potential adversary activity associated with the Mozi malware family by matching known indicators of compromise (in this case, payload-delivery URLs) linked to its deployment and execution. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate advanced persistent threats leveraging Mozi before significant data exfiltration or system compromise occurs.
IOC Summary
Malware Family: Mozi
Total IOCs: 7
IOC Types: url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxp://82[.]144[.]86[.]37:38207/Mozi.m | payload_delivery | 2026-06-21 | 75% |
| url | hxxp://119[.]73[.]19[.]131:53332/Mozi.m | payload_delivery | 2026-06-21 | 75% |
| url | hxxp://110[.]38[.]254[.]172:58822/Mozi.m | payload_delivery | 2026-06-21 | 75% |
| url | hxxp://153[.]117[.]15[.]86:42008/Mozi.m | payload_delivery | 2026-06-21 | 75% |
| url | hxxp://223[.]123[.]42[.]235:41900/Mozi.a | payload_delivery | 2026-06-21 | 75% |
| url | hxxp://110[.]39[.]255[.]247:35440/Mozi.m | payload_delivery | 2026-06-21 | 75% |
| url | hxxp://110[.]36[.]86[.]0:55983/Mozi.m | payload_delivery | 2026-06-21 | 75% |
```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - Mozi
// The list below is the refanged form of the IOC table above (hxxp -> http, [.] -> .);
// keep it in sync with the feed when the table is updated.
let malicious_urls = dynamic([
    "http://82.144.86.37:38207/Mozi.m",
    "http://119.73.19.131:53332/Mozi.m",
    "http://110.38.254.172:58822/Mozi.m",
    "http://153.117.15.86:42008/Mozi.m",
    "http://223.123.42.235:41900/Mozi.a",
    "http://110.39.255.247:35440/Mozi.m",
    "http://110.36.86.0:55983/Mozi.m"
]);
UrlClickEvents
// has_any matches each full URL as a term sequence, so host, port and path must all agree
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| UrlClickEvents | Ensure this data connector is enabled |
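The query above relies on the IOC list being refanged and matched against the full URL (host, port and path). The following Python script is an added example, not part of the ThreatFox feed or the Sentinel rule: it refangs the seven defanged URLs from the table, normalises each to a (host, port, path) key, runs the same match over a few constructed proxy/click log lines, and emits the KQL `dynamic([...])` literal so the query's list can be regenerated from the table rather than hand-edited. The log format and user names are constructed for the example; the near-miss lines (a host that differs by one character, the right host on the default port) show why matching on the normalised key rather than a substring keeps the hunt precise.

```python
"""Refang ThreatFox-style URL IOCs and match them against URL click/proxy log lines.

Added example; the log format below is constructed and is not a Sentinel schema.
"""
import json
import re
from urllib.parse import urlsplit

# The seven defanged URLs exactly as they appear in the IOC table above.
DEFANGED_IOCS = [
    "hxxp://82[.]144[.]86[.]37:38207/Mozi.m",
    "hxxp://119[.]73[.]19[.]131:53332/Mozi.m",
    "hxxp://110[.]38[.]254[.]172:58822/Mozi.m",
    "hxxp://153[.]117[.]15[.]86:42008/Mozi.m",
    "hxxp://223[.]123[.]42[.]235:41900/Mozi.a",
    "hxxp://110[.]39[.]255[.]247:35440/Mozi.m",
    "hxxp://110[.]36[.]86[.]0:55983/Mozi.m",
]

# Constructed sample log: "<timestamp> <user> <url> <action>" per line.
# Lines 2, 4 and 5 are deliberate near-misses (different host, different site, wrong port).
SAMPLE_LOG = """\
2026-06-21T08:14:02Z alice@example.test http://82.144.86.37:38207/Mozi.m ClickAllowed
2026-06-21T08:15:10Z bob@example.test http://110.36.86.01:55983/Mozi.m ClickAllowed
2026-06-21T08:16:44Z carol@example.test http://223.123.42.235:41900/Mozi.a ClickBlocked
2026-06-21T08:17:01Z dave@example.test https://www.example.test/downloads/Mozi.m ClickAllowed
2026-06-21T08:18:30Z erin@example.test http://110.38.254.172/Mozi.m ClickAllowed
"""


def refang(ioc: str) -> str:
    """Turn a defanged URL (hxxp://, [.], [:]) back into a real URL for matching."""
    url = re.sub(r"^hxxp", "http", ioc.strip(), flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("[:]", ":")


def url_key(url: str):
    """Normalise a URL to (host, port, path) so host, port and path must all agree.

    Raises ValueError for URLs with a malformed port, which the caller treats as a non-match.
    """
    parts = urlsplit(url)
    if not parts.hostname:
        raise ValueError("URL has no host: %r" % url)
    port = parts.port or (443 if parts.scheme.lower() == "https" else 80)
    return (parts.hostname, port, parts.path or "/")


def hunt(log_text: str, iocs=DEFANGED_IOCS):
    """Return one hit per log line whose URL normalises to a known IOC."""
    index = {url_key(refang(ioc)): ioc for ioc in iocs}
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        timestamp, user, url, action = line.split()
        try:
            key = url_key(url)
        except ValueError:
            continue  # unparsable URL: skip rather than crash the hunt
        ioc = index.get(key)
        if ioc is not None:
            hits.append({"timestamp": timestamp, "user": user, "url": url,
                         "action": action, "ioc": ioc})
    return hits


def kql_dynamic_list(iocs=DEFANGED_IOCS) -> str:
    """Render the refanged IOCs as the KQL dynamic([...]) literal used in the hunt query."""
    return "dynamic(" + json.dumps([refang(ioc) for ioc in iocs]) + ")"


if __name__ == "__main__":
    print("let malicious_urls = " + kql_dynamic_list() + ";")
    for hit in hunt(SAMPLE_LOG):
        print("{timestamp} {user} {action} -> {ioc}".format(**hit))
```

Run it as a script to print the regenerated `let malicious_urls = ...;` line and the two matching events (alice and carol). Note that carol's click was blocked but still surfaces: a blocked click is still a signal that a host attempted to reach a Mozi payload URL and merits the same follow-up.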
Scenario: Legitimate system update using msiexec.exe
Filter/Exclusion: Exclude processes where msiexec.exe is used with valid update packages (e.g., msiexec /i "C:\Windows\Temp\update.msi") and check the file hash against known good hashes.
Scenario: Scheduled backup job using vssadmin.exe
Filter/Exclusion: Exclude processes initiated by the vssadmin tool during scheduled backup windows, identified by the presence of the Backup task in Task Scheduler or specific command-line arguments like /backup.
Scenario: Admin task using taskkill.exe to terminate a non-malicious process
Filter/Exclusion: Exclude taskkill.exe commands that target well-known system or application processes (e.g., taskkill /pid 1234 /f) and are executed by local administrators during routine maintenance.
Scenario: Log file parsing using logparser.exe
Filter/Exclusion: Exclude instances where logparser.exe is used to analyze system or application logs (e.g., logparser "SELECT * INTO C:\logs\output.log FROM C:\logs\input.log") and is executed by the System or LocalService account.
Scenario: Software deployment using msiexec.exe with a legitimate installer
Filter/Exclusion: Exclude msiexec.exe processes that are part of a known software deployment (e.g., msiexec /i "C:\Software\installer.msi") and are executed by a trusted deployment tool or service account.