The hypothesis is that the detected URLs are part of a botnet command and control infrastructure used to compromise endpoints and exfiltrate data. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential botnet infections before they lead to widespread network compromise.
IOC Summary
Threat: botnet
Total URLs: 5
Active URLs: 4
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://78.38.19.237:34792/Mozi.7 | offline | malware_download | 2026-06-19 |
| hxxp://176.106.25.181:20481/i | online | malware_download | 2026-06-19 |
| hxxp://221.200.215.156:39671/Mozi.7 | online | malware_download | 2026-06-19 |
| hxxp://124.95.18.254:54271/Mozi.a | online | malware_download | 2026-06-19 |
| hxxp://42.57.233.228:56771/Mozi.7 | online | malware_download | 2026-06-19 |
```kusto
// Hunt for DNS activity involving the URLhaus indicators
// Threat: botnet
// The indicators are raw IPv4 addresses (the offline entry 78.38.19.237 is omitted),
// so they are matched against the resolved addresses in IPAddresses rather than only
// against the queried Name. A client fetching an IP-literal URL performs no lookup,
// so treat the web-traffic query below as the primary signal.
let malicious_ips = dynamic(["124.95.18.254", "176.106.25.181", "221.200.215.156", "42.57.233.228"]);
DnsEvents
| where IPAddresses has_any (malicious_ips) or Name has_any (malicious_ips)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to the URLhaus indicators
// Threat: botnet
// DestinationIP is checked as well, since proxies and firewalls may log the
// IP-literal URL without populating DestinationHostName.
let malicious_ips = dynamic(["124.95.18.254", "176.106.25.181", "221.200.215.156", "42.57.233.228"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or RequestURL has_any (malicious_ips) or DestinationHostName has_any (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: A system administrator is manually testing a new URL filtering tool by accessing known benign URLs from the URLhaus database for validation purposes.
Filter/Exclusion: Exclude URLs that are part of a known URLhaus test set or include a specific tag like urlhaus_test.
Scenario: A scheduled job runs a script to fetch and process malware samples from a secure repository, which includes URLs tagged as botnet by URLhaus.
Filter/Exclusion: Exclude URLs that originate from a whitelisted internal repository or include a domain like internal-malware-repo.example.com.
Scenario: A security analyst is performing a red team exercise and uses a botnet-related URL from URLhaus to simulate a compromised system.
Filter/Exclusion: Exclude URLs that match a regex pattern for red team testing URLs (e.g., redteam-.*\.example\.com).
Scenario: A backup system uses a script to download and store malware samples for analysis, which includes URLs tagged as botnet by URLhaus.
Filter/Exclusion: Exclude URLs that are part of a known malware analysis sandbox environment (e.g., sandbox.example.com or analysis.example.com).
Scenario: A DevOps team runs a CI/CD pipeline that pulls dependencies from a third-party package manager, which occasionally includes URLs flagged by URLhaus as botnet.
Filter/Exclusion: Exclude URLs that match known package manager domains (e.g., npmjs.org, pypi.org) or include a specific query parameter like ?version=latest.
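The following is example code added to this page, not part of the original hunt or of URLhaus, showing how the IOC table is turned into the hunt list used in the KQL queries (offline entries dropped, giving the four active indicators) and how the exclusion rules from the scenarios above are applied when the hunt is run over log lines. The proxy log format, the `ws-*`/`build-*` hostnames and the `104.16.0.1` address are constructed; the `example.com` exclusion hosts are the page's own placeholders. It interprets each exclusion as applying both to the requesting system's name (sandbox, analysis, internal repository) and to the host in the requested URL (package managers, red team pattern), which is an assumption about how the scenarios would be filtered.

```python
"""Derive a Sentinel hunt list from URLhaus-style IOC rows and run the hunt,
with false-positive exclusions, over constructed proxy log lines.
Example code; nothing here is real telemetry."""
import re
from urllib.parse import urlsplit

# IOC rows copied from the page's table (URLs are defanged with hxxp).
IOCS = [
    ("hxxp://78.38.19.237:34792/Mozi.7", "offline"),
    ("hxxp://176.106.25.181:20481/i", "online"),
    ("hxxp://221.200.215.156:39671/Mozi.7", "online"),
    ("hxxp://124.95.18.254:54271/Mozi.a", "online"),
    ("hxxp://42.57.233.228:56771/Mozi.7", "online"),
]

# Exclusions taken from the page's false-positive scenarios. The example.com
# names are the page's placeholders; substitute the real sandbox/repo hosts.
EXCLUDED_HOSTS = {
    "internal-malware-repo.example.com",
    "sandbox.example.com",
    "analysis.example.com",
}
EXCLUDED_SUFFIXES = ("npmjs.org", "pypi.org")
REDTEAM_RE = re.compile(r"^redteam-.*\.example\.com$")


def refang(url: str) -> str:
    """Turn a defanged hxxp(s):// URL back into one urlsplit can parse."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url)


def active_indicators(iocs):
    """Return {ip: port} for IOCs still marked online; offline rows are dropped,
    which yields the page's 'Active URLs: 4'."""
    out = {}
    for url, status in iocs:
        if status != "online":
            continue
        parts = urlsplit(refang(url))
        out[parts.hostname] = parts.port
    return out


def kql_let(indicators) -> str:
    """Render the hunt list as the KQL 'let' line used by the page's queries."""
    quoted = ", ".join(f'"{ip}"' for ip in sorted(indicators))
    return f"let malicious_ips = dynamic([{quoted}]);"


def is_excluded(hostname: str) -> bool:
    """Apply the exclusion rules to a hostname (source computer or URL host)."""
    h = hostname.lower()
    if h in EXCLUDED_HOSTS or REDTEAM_RE.match(h):
        return True
    return any(h == s or h.endswith("." + s) for s in EXCLUDED_SUFFIXES)


def hunt(log_lines, indicators):
    """Match proxy log lines (constructed format: 'ts src_host dst_ip url action')
    against the active indicators and drop lines covered by an exclusion."""
    hits = []
    for line in log_lines:
        ts, src_host, dst_ip, url, action = line.split()
        url_host = urlsplit(url).hostname or ""
        if dst_ip not in indicators and url_host not in indicators:
            continue  # not one of the active IOCs
        if is_excluded(src_host) or is_excluded(url_host):
            continue  # known false-positive source or destination
        hits.append({"ts": ts, "src": src_host, "dst_ip": dst_ip,
                     "port": indicators.get(dst_ip) or indicators.get(url_host),
                     "url": url, "action": action})
    return hits


# Constructed sample proxy log lines (not real telemetry).
SAMPLE_LOG = [
    "2026-06-19T10:01:02Z ws-042.corp.example 176.106.25.181 http://176.106.25.181:20481/i allow",
    "2026-06-19T10:02:10Z sandbox.example.com 124.95.18.254 http://124.95.18.254:54271/Mozi.a allow",
    "2026-06-19T10:03:15Z ws-017.corp.example 78.38.19.237 http://78.38.19.237:34792/Mozi.7 block",
    "2026-06-19T10:04:00Z build-01.corp.example 104.16.0.1 https://registry.npmjs.org/left-pad deny",
    "2026-06-19T10:05:30Z ws-099.corp.example 42.57.233.228 http://42.57.233.228:56771/Mozi.7 block",
]

if __name__ == "__main__":
    ind = active_indicators(IOCS)
    print(kql_let(ind))
    for hit in hunt(SAMPLE_LOG, ind):
        print(hit)
```

Run as-is it prints the `let malicious_ips = ...` line matching the queries above and two hits (the workstation downloads from 176.106.25.181 and 42.57.233.228); the sandbox download is suppressed by the exclusion, the 78.38.19.237 request is ignored because that IOC is offline, and the npm fetch never matches an indicator. When an indicator is re-marked online in a later URLhaus export, `active_indicators` picks it up without any change to the exclusion rules.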