ThreatFox: Mozi IOCs | SOC Hunt Feed

Hunt Hypothesis

The ThreatFox: Mozi IOCs rule detects potential adversary activity linked to the Mozi malware family by identifying known indicators of compromise associated with its command and control infrastructure. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate advanced persistent threats leveraging Mozi before significant data exfiltration or system compromise occurs.

IOC Summary

Malware Family: Mozi Total IOCs: 16 IOC Types: url

Type	Value	Threat Type	First Seen	Confidence
url	`hxxp://72[.]255[.]26[.]220:48951/Mozi.m`	payload_delivery	2026-06-24	75%
url	`hxxp://153[.]117[.]15[.]25:54506/Mozi.m`	payload_delivery	2026-06-24	75%
url	`hxxp://119[.]73[.]7[.]187:39650/Mozi.m`	payload_delivery	2026-06-24	75%
url	`hxxp://103[.]98[.]191[.]25:49278/Mozi.a`	payload_delivery	2026-06-24	75%
url	`hxxp://124[.]29[.]194[.]65:59822/Mozi.m`	payload_delivery	2026-06-24	75%
url	`hxxp://153[.]117[.]37[.]46:40580/Mozi.m`	payload_delivery	2026-06-24	75%
url	`hxxp://72[.]255[.]33[.]140:45838/Mozi.a`	payload_delivery	2026-06-24	75%
url	`hxxp://103[.]197[.]112[.]191:35184/Mozi.m`	payload_delivery	2026-06-24	75%
url	`hxxp://223[.]123[.]72[.]246:56586/Mozi.m`	payload_delivery	2026-06-24	75%
url	`hxxp://72[.]255[.]18[.]159:35935/Mozi.m`	payload_delivery	2026-06-24	75%
url	`hxxp://110[.]38[.]250[.]149:37006/Mozi.m`	payload_delivery	2026-06-24	75%
url	`hxxp://153[.]117[.]32[.]235:57055/Mozi.m`	payload_delivery	2026-06-24	75%
url	`hxxp://180[.]244[.]187[.]139:36196/Mozi.m`	payload_delivery	2026-06-24	75%
url	`hxxp://153[.]117[.]13[.]30:33425/Mozi.m`	payload_delivery	2026-06-24	75%
url	`hxxp://153[.]117[.]33[.]214:54146/Mozi.m`	payload_delivery	2026-06-24	75%
url	`hxxp://103[.]66[.]148[.]82:35099/Mozi.m`	payload_delivery	2026-06-24	75%

KQL: Url Hunt

// Hunt for access to known malicious URLs
// Source: ThreatFox - Mozi
let malicious_urls = dynamic(["http://72.255.26.220:48951/Mozi.m", "http://153.117.15.25:54506/Mozi.m", "http://119.73.7.187:39650/Mozi.m", "http://103.98.191.25:49278/Mozi.a", "http://124.29.194.65:59822/Mozi.m", "http://153.117.37.46:40580/Mozi.m", "http://72.255.33.140:45838/Mozi.a", "http://103.197.112.191:35184/Mozi.m", "http://223.123.72.246:56586/Mozi.m", "http://72.255.18.159:35935/Mozi.m", "http://110.38.250.149:37006/Mozi.m", "http://153.117.32.235:57055/Mozi.m", "http://180.244.187.139:36196/Mozi.m", "http://153.117.13.30:33425/Mozi.m", "http://153.117.33.214:54146/Mozi.m", "http://103.66.148.82:35099/Mozi.m"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc

Required Data Sources

Sentinel Table	Notes
`UrlClickEvents`	Ensure this data connector is enabled

References

ThreatFox — Mozi

False Positive Guidance

Scenario: Legitimate scheduled job running Mozi-based automation
Filter/Exclusion: process.name != "mozi" or process.parent.name != "schtasks.exe"
Scenario: System administrator using Mozi for legitimate remote management
Filter/Exclusion: process.user != "admin_user" or process.parent.name != "mstsc.exe"
Scenario: Backup or migration tool using Mozi for data transfer
Filter/Exclusion: process.name != "backup_tool.exe" or process.parent.name != "rsync.exe"
Scenario: Development environment using Mozi for testing purposes
Filter/Exclusion: process.user != "dev_user" or process.parent.name != "VisualStudio.exe"
Scenario: IT support tool using Mozi for remote diagnostics
Filter/Exclusion: process.name != "remote_support_tool.exe" or process.parent.name != "TeamViewer.exe"