URLhaus: mirai Malicious URLs

Hunt Hypothesis

The detection identifies potential Mirai botnet command-and-control (C2) communication through malicious URLs hosted on URLhaus, indicating compromised IoT devices are being used to execute large-scale DDoS attacks. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate botnet activity before it leads to widespread network disruption.

IOC Summary

Threat: mirai Total URLs: 2 Active URLs: 2

URL	Status	Threat	Date Added
`hxxp://105.184.14.190:47741/bin.sh`	online	malware_download	2026-04-19
`hxxp://58.50.200.133:52069/i`	online	malware_download	2026-04-19

KQL: Url Dns Hunt

// Hunt for DNS resolution of URLhaus malicious domains
// Threat: mirai
let malicious_domains = dynamic(["105.184.14.190", "58.50.200.133"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc

KQL: Url Proxy Hunt

// Hunt for web traffic to URLhaus malicious domains
let malicious_domains = dynamic(["105.184.14.190", "58.50.200.133"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc

Required Data Sources

Sentinel Table	Notes
`CommonSecurityLog`	Ensure this data connector is enabled
`DnsEvents`	Ensure this data connector is enabled

References

URLhaus

False Positive Guidance

Scenario: A system administrator is manually testing a Mirai-based exploit detection tool during a security assessment.
Filter/Exclusion: process.name != "exploit-test-tool" or process.parent.name != "security-assessment-tool"
Scenario: A scheduled job runs a network scan using Nmap to identify open ports on internal devices for vulnerability assessment.
Filter/Exclusion: process.name != "nmap" or process.parent.name != "vulnerability-scan-scheduler"
Scenario: A DevOps team is deploying a containerized application that includes a legitimate Mirai-related library for network monitoring.
Filter/Exclusion: process.name != "container-monitoring-agent" or process.parent.name != "docker"
Scenario: A security analyst is using a sandbox environment to analyze a suspicious URL linked to Mirai, as part of an incident response.
Filter/Exclusion: process.name != "sandbox-analysis-tool" or process.parent.name != "incident-response-platform"
Scenario: A backup job is executing a script that temporarily connects to an external URL to fetch a configuration file from a trusted source.
Filter/Exclusion: process.name != "backup-script" or process.parent.name != "backup-scheduler"