ThreatFox: Mozi IOCs | SOC Hunt Feed

Hunt Hypothesis

The ThreatFox: Mozi IOCs rule detects potential adversary activity linked to the Mozi malware family through known indicators of compromise, which are commonly used in targeted attacks to establish persistence and exfiltrate data. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate advanced threats before they cause significant damage to the environment.

IOC Summary

Malware Family: Mozi Total IOCs: 70 IOC Types: url, sha256_hash

Type	Value	Threat Type	First Seen	Confidence
url	`hxxp://27[.]215[.]55[.]164:43326/Mozi.m`	payload_delivery	2026-06-19	75%
url	`hxxp://223[.]123[.]42[.]234:43318/Mozi.a`	payload_delivery	2026-06-19	75%
url	`hxxp://223[.]123[.]38[.]127:60991/Mozi.m`	payload_delivery	2026-06-19	75%
url	`hxxp://103[.]141[.]5[.]137:41713/Mozi.a`	payload_delivery	2026-06-19	75%
sha256_hash	`f6c97b1e2ed02578ca1066c8235ba4f991e645f89012406c639dbccc6582eec8`	payload	2026-06-19	80%
sha256_hash	`12013662c71da69de977c04cd7021f13a70cf7bed4ca6c82acbc100464d4b0ef`	payload	2026-06-19	80%
url	`hxxp://160[.]30[.]142[.]218:34669/Mozi.m`	payload_delivery	2026-06-19	75%
url	`hxxp://175[.]107[.]230[.]24:57256/Mozi.a`	payload_delivery	2026-06-19	75%
url	`hxxp://153[.]117[.]37[.]104:59732/Mozi.m`	payload_delivery	2026-06-19	75%
url	`hxxp://72[.]255[.]32[.]68:46117/Mozi.m`	payload_delivery	2026-06-19	75%
url	`hxxp://59[.]103[.]100[.]2:33514/Mozi.m`	payload_delivery	2026-06-19	75%
url	`hxxp://115[.]55[.]85[.]7:55027/Mozi.m`	payload_delivery	2026-06-19	75%
url	`hxxp://103[.]115[.]199[.]18:53070/Mozi.m`	payload_delivery	2026-06-19	75%
url	`hxxp://153[.]117[.]33[.]228:44081/Mozi.a`	payload_delivery	2026-06-19	75%
url	`hxxp://103[.]173[.]7[.]226:33627/Mozi.m`	payload_delivery	2026-06-19	75%
url	`hxxp://202[.]47[.]56[.]219:49775/Mozi.m`	payload_delivery	2026-06-19	75%
url	`hxxp://59[.]97[.]250[.]56:43042/Mozi.m`	payload_delivery	2026-06-19	75%
url	`hxxp://110[.]39[.]233[.]163:45754/Mozi.a`	payload_delivery	2026-06-19	75%
url	`hxxp://36[.]255[.]44[.]120:49117/Mozi.m`	payload_delivery	2026-06-19	75%
url	`hxxp://223[.]123[.]125[.]13:46831/Mozi.m`	payload_delivery	2026-06-19	75%
url	`hxxp://175[.]107[.]212[.]44:38058/Mozi.a`	payload_delivery	2026-06-19	75%
url	`hxxp://144[.]48[.]130[.]229:38194/Mozi.m`	payload_delivery	2026-06-19	75%
url	`hxxp://153[.]117[.]51[.]96:36126/Mozi.m`	payload_delivery	2026-06-19	75%
url	`hxxp://153[.]117[.]6[.]120:50638/Mozi.m`	payload_delivery	2026-06-19	75%
url	`hxxp://122[.]50[.]1[.]26:33627/Mozi.m`	payload_delivery	2026-06-19	75%

KQL: Url Hunt

// Hunt for access to known malicious URLs
// Source: ThreatFox - Mozi
let malicious_urls = dynamic(["http://27.215.55.164:43326/Mozi.m", "http://223.123.42.234:43318/Mozi.a", "http://223.123.38.127:60991/Mozi.m", "http://103.141.5.137:41713/Mozi.a", "http://160.30.142.218:34669/Mozi.m", "http://175.107.230.24:57256/Mozi.a", "http://153.117.37.104:59732/Mozi.m", "http://72.255.32.68:46117/Mozi.m", "http://59.103.100.2:33514/Mozi.m", "http://115.55.85.7:55027/Mozi.m", "http://103.115.199.18:53070/Mozi.m", "http://153.117.33.228:44081/Mozi.a", "http://103.173.7.226:33627/Mozi.m", "http://202.47.56.219:49775/Mozi.m", "http://59.97.250.56:43042/Mozi.m", "http://110.39.233.163:45754/Mozi.a", "http://36.255.44.120:49117/Mozi.m", "http://223.123.125.13:46831/Mozi.m", "http://175.107.212.44:38058/Mozi.a", "http://144.48.130.229:38194/Mozi.m", "http://153.117.51.96:36126/Mozi.m", "http://153.117.6.120:50638/Mozi.m", "http://122.50.1.26:33627/Mozi.m", "http://101.31.81.241:51191/Mozi.a", "http://223.123.72.190:60788/Mozi.m", "http://125.45.68.162:39862/Mozi.a", "http://102.33.46.27:37709/Mozi.m", "http://115.42.75.105:44616/Mozi.m", "http://14.1.104.134:40274/Mozi.a", "http://103.18.14.247:60764/Mozi.m"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc

KQL: Hash Hunt

// Hunt for files matching known malicious hashes
// Source: ThreatFox - Mozi
let malicious_hashes = dynamic(["f6c97b1e2ed02578ca1066c8235ba4f991e645f89012406c639dbccc6582eec8", "12013662c71da69de977c04cd7021f13a70cf7bed4ca6c82acbc100464d4b0ef"]);
DeviceFileEvents
| where SHA256 in (malicious_hashes) or SHA1 in (malicious_hashes) or MD5 in (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc

Required Data Sources

Sentinel Table	Notes
`DeviceFileEvents`	Ensure this data connector is enabled
`UrlClickEvents`	Ensure this data connector is enabled

References

ThreatFox — Mozi

False Positive Guidance

Scenario: Legitimate use of PowerShell for administrative tasks
Filter/Exclusion: process.name = powershell.exe and process.args NOT LIKE '%Mozi%' and process.args NOT LIKE '%ThreatFox%'
Scenario: Scheduled job running task scheduler to perform system maintenance
Filter/Exclusion: process.name = taskhost.exe and process.parent.name = services.exe and process.args NOT LIKE '%Mozi%'
Scenario: Use of Windows Management Instrumentation (WMI) for system monitoring
Filter/Exclusion: process.name = wmi.exe and process.args NOT LIKE '%Mozi%' and process.args NOT LIKE '%query%'
Scenario: Legitimate use of Log Parser for log analysis
Filter/Exclusion: process.name = logparser.exe and process.args NOT LIKE '%Mozi%' and process.args NOT LIKE '%sql%'
Scenario: Use of Sysmon for monitoring system events
Filter/Exclusion: process.name = sysmon64.exe and process.args NOT LIKE '%Mozi%' and process.args NOT LIKE '%eventlog%'