The detection identifies potential Mirai botnet command-and-control (C2) communication attempts through known malicious URLs, indicating possible compromise of endpoints. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate Mirai-related botnet activity before it leads to widespread network compromise.
IOC Summary
Threat: mirai Total URLs: 13 Active URLs: 9
| URL | Status | Threat | Date Added |
|---|---|---|---|
hxxp://115.48.151.33:37773/Mozi.m | offline | malware_download | 2026-06-11 |
hxxp://156.226.92.178/telnet.sh | offline | malware_download | 2026-06-11 |
hxxp://110.36.72.243:48852/Mozi.a | offline | malware_download | 2026-06-11 |
hxxp://61.52.156.16:51868/i | offline | malware_download | 2026-06-11 |
hxxp://142.93.165.186/jklarm5 | online | malware_download | 2026-06-11 |
hxxp://142.93.165.186/jklmips | online | malware_download | 2026-06-11 |
hxxp://142.93.165.186/jklspc | online | malware_download | 2026-06-11 |
hxxp://142.93.165.186/jklsh4 | online | malware_download | 2026-06-11 |
hxxp://142.93.165.186/jklx86 | online | malware_download | 2026-06-11 |
hxxp://142.93.165.186/jklm68k | online | malware_download | 2026-06-11 |
hxxp://142.93.165.186/curl.sh | online | malware_download | 2026-06-11 |
hxxp://142.93.165.186/jklmpsl | online | malware_download | 2026-06-11 |
hxxp://142.93.165.186/wget.sh | online | malware_download | 2026-06-11 |
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: mirai
let malicious_domains = dynamic(["142.93.165.186"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc// Hunt for web traffic to URLhaus malicious domains
let malicious_domains = dynamic(["142.93.165.186"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DnsEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Update Job Downloads Mirai-Related Files
Description: A scheduled job runs nightly to download and install system updates, which includes a legitimate file with a name similar to Mirai malware.
Filter/Exclusion: Exclude URLs that match known system update domains (e.g., *.update.microsoft.com, *.download.nvidia.com) or use a regex to exclude URLs containing update, patch, or install.
Scenario: Admin Task to Download Mirai Research Artifact for Analysis
Description: A security analyst manually downloads a Mirai-related research file from a trusted source (e.g., VirusTotal, AlienVault OTX) for analysis.
Filter/Exclusion: Exclude URLs containing research, analysis, or sample and filter by domains like otx.alienvault.com or virus.total.
Scenario: Legitimate Log Management Tool Uses Mirai-Tagged URL for Configuration
Description: A log management tool (e.g., Splunk, ELK Stack) uses a URL tagged as Mirai for configuration purposes, such as pulling a predefined rule set.
Filter/Exclusion: Exclude URLs that match the known log management tool domains (e.g., *.splunk.com, *.elasticsearch.com) or filter by query parameters like ?config=true.
Scenario: Automated Backup Job Uses Mirai-Tagged URL for Script Repository
Description: An automated backup process pulls scripts from a shared repository (e.g., GitHub, GitLab) that is mistakenly tagged with Mirai in the URLhaus database.
Filter/Exclusion: Exclude URLs from known code repositories (e.g., *.github.com, *.gitlab.com) or filter by query parameters like ?action=download.
**Scenario: Internal DevOps Toolchain Uses Mirai-Tag