The ThreatFox: Mozi IOCs rule detects potential adversarial activity linked to the Mozi malware family by identifying known indicators of compromise associated with its deployment. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage threats before they cause significant damage to the environment.
IOC Summary
Malware Family: Mozi
Total IOCs: 10
IOC Types: url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxp://103[.]186[.]77[.]95:49560/Mozi.a | payload_delivery | 2026-06-20 | 75% |
| url | hxxp://72[.]255[.]3[.]39:41763/Mozi.m | payload_delivery | 2026-06-20 | 75% |
| url | hxxp://153[.]117[.]13[.]227:34153/Mozi.m | payload_delivery | 2026-06-20 | 75% |
| url | hxxp://153[.]117[.]15[.]187:54011/Mozi.m | payload_delivery | 2026-06-20 | 75% |
| url | hxxp://223[.]123[.]124[.]121:60095/Mozi[.]7 | payload_delivery | 2026-06-20 | 75% |
| url | hxxp://45[.]230[.]66[.]112:11404/Mozi.m | payload_delivery | 2026-06-20 | 75% |
| url | hxxp://27[.]215[.]55[.]164:43326/Mozi.m | payload_delivery | 2026-06-19 | 75% |
| url | hxxp://223[.]123[.]42[.]234:43318/Mozi.a | payload_delivery | 2026-06-19 | 75% |
| url | hxxp://223[.]123[.]38[.]127:60991/Mozi.m | payload_delivery | 2026-06-19 | 75% |
| url | hxxp://103[.]141[.]5[.]137:41713/Mozi.a | payload_delivery | 2026-06-19 | 75% |
```kusto
// Hunt for access to known malicious URLs
// Source: ThreatFox - Mozi
let malicious_urls = dynamic(["http://103.186.77.95:49560/Mozi.a", "http://72.255.3.39:41763/Mozi.m", "http://153.117.13.227:34153/Mozi.m", "http://153.117.15.187:54011/Mozi.m", "http://223.123.124.121:60095/Mozi.7", "http://45.230.66.112:11404/Mozi.m", "http://27.215.55.164:43326/Mozi.m", "http://223.123.42.234:43318/Mozi.a", "http://223.123.38.127:60991/Mozi.m", "http://103.141.5.137:41713/Mozi.a"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| UrlClickEvents | Ensure this data connector is enabled |
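The query above compares logged URLs against the refanged IOC list. The following Python script is an added example (not part of the ThreatFox rule page) that shows the same matching offline: it refangs the defanged values from the table, normalizes each URL into a scheme/host/port/path key, and runs that over constructed sample URL-click log lines. It goes one step beyond the KQL by also reporting a looser "same host and port" tier, which catches a different Mozi.* filename served from the same listener; the log format, account names and the `hunt`/`classify` helpers are assumptions for this example.

```python
"""Refang ThreatFox-style Mozi URL IOCs and match them against sample URL-click log lines.

Added example, not code from the ThreatFox page. IOC values are the ones in the table
above; the log lines below are constructed sample data.
"""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# IOC values exactly as listed in the table above (ThreatFox defanging: hxxp://, [.]).
DEFANGED_IOCS = [
    "hxxp://103[.]186[.]77[.]95:49560/Mozi.a",
    "hxxp://72[.]255[.]3[.]39:41763/Mozi.m",
    "hxxp://153[.]117[.]13[.]227:34153/Mozi.m",
    "hxxp://153[.]117[.]15[.]187:54011/Mozi.m",
    "hxxp://223[.]123[.]124[.]121:60095/Mozi[.]7",
    "hxxp://45[.]230[.]66[.]112:11404/Mozi.m",
    "hxxp://27[.]215[.]55[.]164:43326/Mozi.m",
    "hxxp://223[.]123[.]42[.]234:43318/Mozi.a",
    "hxxp://223[.]123[.]38[.]127:60991/Mozi.m",
    "hxxp://103[.]141[.]5[.]137:41713/Mozi.a",
]


def refang(ioc: str) -> str:
    """Undo hxxp:// and [.] defanging so the value compares equal to a logged URL."""
    ioc = re.sub(r"^hxxp", "http", ioc.strip(), flags=re.IGNORECASE)
    return ioc.replace("[.]", ".").replace("[:]", ":")


def normalize(url: str) -> Tuple[str, str, Optional[int], str]:
    """Canonical (scheme, host, port, path) key: lowercased scheme/host, explicit default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or {"http": 80, "https": 443}.get(scheme)
    path = parts.path or "/"
    return (scheme, host, port, path)


# Exact-URL tier mirrors the KQL rule; host:port tier is the broader, assumed extension.
EXACT_URLS = {normalize(refang(ioc)) for ioc in DEFANGED_IOCS}
C2_ENDPOINTS = {(key[1], key[2]) for key in EXACT_URLS}

# Constructed sample log: "<timestamp> <account> <url>", one event per line.
SAMPLE_LOG = """\
2026-06-20T08:12:01Z alice@example.test http://103.186.77.95:49560/Mozi.a
2026-06-20T08:13:44Z bob@example.test https://intranet.example.test/reports/daily.csv
2026-06-20T08:15:09Z carol@example.test HTTP://223.123.124.121:60095/Mozi.7
2026-06-20T08:16:30Z dave@example.test http://72.255.3.39:41763/Mozi.x
2026-06-20T08:17:02Z erin@example.test http://72.255.3.39/Mozi.m
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<account>\S+)\s+(?P<url>\S+)$")


def classify(url: str) -> Optional[str]:
    """Return 'exact_url', 'same_host_port', or None for a single logged URL."""
    key = normalize(url)
    if key in EXACT_URLS:
        return "exact_url"
    if (key[1], key[2]) in C2_ENDPOINTS:
        return "same_host_port"
    return None


def hunt(log_text: str) -> List[Dict[str, str]]:
    """Parse each log line and keep the events whose URL matches either tier."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing the whole hunt
        verdict = classify(m["url"])
        if verdict:
            hits.append({"timestamp": m["ts"], "account": m["account"],
                         "url": m["url"], "match": verdict})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit)
```

Two details worth noting: the last sample line uses the same IP as an IOC but on port 80, so it matches neither tier, because the port is part of the indicator; and the `same_host_port` tier is broader than the Sentinel rule, so treat those hits as leads to review rather than equivalents of an exact IOC match.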
- Scenario: A system administrator is using PowerShell to run a scheduled job that imports a CSV file containing user credentials for reporting purposes.
  Filter/Exclusion: Exclude PowerShell scripts that use Import-Csv or Get-Content with file paths in known internal directories (e.g., C:\Windows\System32\, C:\ProgramData\).
- Scenario: A DevOps engineer is deploying a Docker container that includes a base image with known benign binaries, such as tar or gzip, which are flagged by the rule.
  Filter/Exclusion: Exclude processes related to Docker image pulls or container builds, especially those involving known safe binaries from trusted registries (e.g., docker pull or docker build).
- Scenario: A database administrator is using SQL Server Management Studio (SSMS) to export a database to a .bak file, which may include binary data that matches some of the Mozi IOCs.
  Filter/Exclusion: Exclude processes initiated by SSMS or related to SQL Server backup operations, including file paths like C:\Program Files\Microsoft SQL Server\ or .bak file extensions.
- Scenario: A system is running a scheduled task to perform log rotation using a tool like logrotate, which may include binary files that match some IOCs.
  Filter/Exclusion: Exclude processes with command-line arguments containing logrotate or file paths in the /var/log/ directory on Linux systems.
- Scenario: A security analyst is using Wireshark to capture and analyze network traffic, which may include binary data that matches some of the Mozi IOCs.
  Filter/Exclusion: Exclude processes with the wireshark executable or related to packet capture, including file paths like /usr/bin/wireshark or network interface