The hypothesis is that the detected URLs are associated with the Mozi malware, which is used to deliver payloads and establish command and control channels. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential compromise of endpoints and networks.
IOC Summary

Threat: Mozi
Total URLs: 9
Active URLs: 9

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://116.72.98.65:35286/i | online | malware_download | 2026-04-24 |
| hxxp://182.114.194.60:53868/i | online | malware_download | 2026-04-24 |
| hxxp://222.142.244.164:39627/bin.sh | online | malware_download | 2026-04-24 |
| hxxp://116.72.98.65:35286/bin.sh | online | malware_download | 2026-04-24 |
| hxxp://27.207.36.59:46902/i | online | malware_download | 2026-04-24 |
| hxxp://123.5.124.22:32938/i | online | malware_download | 2026-04-24 |
| hxxp://182.127.81.12:53154/i | online | malware_download | 2026-04-24 |
| hxxp://123.5.124.22:32938/bin.sh | online | malware_download | 2026-04-24 |
| hxxp://119.183.26.44:32941/i | online | malware_download | 2026-04-24 |
```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: Mozi
// The Mozi indicators are bare IP:port hosts, so a DNS query name (Name) will
// rarely contain them; also check the resolved addresses (IPAddresses).
let malicious_domains = dynamic(["27.207.36.59", "123.5.124.22", "222.142.244.164", "116.72.98.65", "119.183.26.44", "182.127.81.12", "182.114.194.60"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious domains
// Threat: Mozi
// Matches on the host IP only; the ports listed in the IOC table are not
// checked, so review the port and path of each hit against the table above.
let malicious_domains = dynamic(["27.207.36.59", "123.5.124.22", "222.142.244.164", "116.72.98.65", "119.183.26.44", "182.127.81.12", "182.114.194.60"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
| Scenario | Filter/Exclusion |
|---|---|
| Legitimate system update or patching process using a URLhaus-listed URL | Exclude URLs matching known patching or update servers (e.g., `*.patch.microsoft.com`, `*.updates.redhat.com`) or use a custom list of approved update URLs. |
| Scheduled backup job downloading a Mozi-related tool from a trusted internal repository | Exclude URLs containing `backup` or `snapshot` in the path, or filter by source IP from internal backup servers (e.g., 10.0.0.0/8). |
| Admin performing a security scan using a Mozi-related tool for compliance testing | Exclude URLs containing `scan`, `test`, or `compliance` in the request path, or filter by user agent matching known security tools (e.g., `Mozilla/5.0 (compatible; QualysGuard)`). |
| Internal development team using a Mozi-based tool for internal testing | Exclude URLs from internal development domains (e.g., dev.example.com) or filter by user group (e.g., dev-team). |
| Automated log collection tool pulling logs from a Mozi-tagged endpoint for analysis | Exclude URLs containing `logs`, `logstash`, or `syslog` in the path, or filter by source IP from internal log aggregation systems (e.g., 192.168.1.0/24). |
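The following Python script is an added example, not part of the original hunting note or any URLhaus or Sentinel tooling. It parses the nine defanged URLs from the IOC table into host/port/path indicators, renders the `dynamic([...])` literal that the two KQL queries above take in their `let` statements, and then replays the matching and the false-positive exclusions over constructed log rows shaped like `CommonSecurityLog` and `DnsEvents`. Two design choices go beyond the text: a web hit is graded `high` only when host and port both match the table (the KQL above matches on host alone), and each exclusion rule requires the path word and the source address together, with the page's CIDR examples (10.0.0.0/8, 192.168.1.0/24) narrowed to two constructed server addresses (10.20.0.5, 192.168.1.50) so that one rule cannot silence a whole internal network. All sample rows and the `.example.test` names are constructed.

```python
"""Operationalise the Mozi URL list: parse the defanged URLs into host/port/path
indicators, render the KQL dynamic([...]) literal the Sentinel queries use, and
replay host+port matching plus the false-positive exclusions over constructed
CommonSecurityLog / DnsEvents style rows."""
from urllib.parse import urlsplit

# The nine defanged URLs from the IOC table on this page.
IOC_URLS = [
    "hxxp://116.72.98.65:35286/i", "hxxp://182.114.194.60:53868/i",
    "hxxp://222.142.244.164:39627/bin.sh", "hxxp://116.72.98.65:35286/bin.sh",
    "hxxp://27.207.36.59:46902/i", "hxxp://123.5.124.22:32938/i",
    "hxxp://182.127.81.12:53154/i", "hxxp://123.5.124.22:32938/bin.sh",
    "hxxp://119.183.26.44:32941/i",
]

# Exclusions from the false-positive scenarios. Each rule pairs its path words
# with the sources allowed to fetch such paths (None = any source). The page's
# CIDR examples are narrowed to explicit, constructed server addresses.
APPROVED_UPDATE_HOSTS = ("patch.microsoft.com", "updates.redhat.com")
EXCLUSION_RULES = [
    ("backup-job", ("backup", "snapshot"), {"10.20.0.5"}),
    ("compliance-scan", ("scan", "test", "compliance"), None),
    ("log-collection", ("logs", "logstash", "syslog"), {"192.168.1.50"}),
]

def refang(url):
    """Undo URLhaus defanging: hxxp -> http, [.] -> ."""
    return url.replace("hxxp", "http").replace("[.]", ".")

def build_indicators(urls):
    """One dict per URL with the parts the hunt queries need."""
    return [{"host": p.hostname, "port": p.port, "path": p.path}
            for p in (urlsplit(refang(u)) for u in urls)]

def kql_dynamic_list(indicators, key="host"):
    """De-duplicated dynamic([...]) literal for a KQL let statement."""
    values = sorted({str(i[key]) for i in indicators})
    return "dynamic([" + ", ".join(f'"{v}"' for v in values) + "])"

def is_approved_update_host(host):
    """Exact or subdomain match only; 'notpatch.microsoft.com' must not pass."""
    return any(host == h or host.endswith("." + h) for h in APPROVED_UPDATE_HOSTS)

def exclusion_reason(row):
    """Label of the false-positive rule a row satisfies, or None."""
    parts = urlsplit(row.get("RequestURL", ""))
    host = parts.hostname or row.get("DestinationHostName", "")
    if is_approved_update_host(host):
        return "approved-update-host"
    path = parts.path.lower()
    for label, words, sources in EXCLUSION_RULES:
        if any(w in path for w in words) and (sources is None or row.get("SourceIP") in sources):
            return label
    return None

def match_web(rows, indicators):
    """CommonSecurityLog-style rows: host-only match is medium, host+port high."""
    hosts = {i["host"] for i in indicators}
    host_ports = {(i["host"], i["port"]) for i in indicators}
    hits = []
    for row in rows:
        parts = urlsplit(row.get("RequestURL", ""))
        host = parts.hostname or row.get("DestinationHostName")
        if host not in hosts or exclusion_reason(row):
            continue
        level = "high" if (host, parts.port) in host_ports else "medium"
        hits.append({**row, "confidence": level})
    return hits

def match_dns(rows, indicators):
    """DnsEvents-style rows: the IOCs are IPs, so check the resolved
    IPAddresses (comma-separated string), not only the queried Name."""
    hosts = {i["host"] for i in indicators}
    return [r for r in rows
            if r.get("Name") in hosts
            or {a.strip() for a in r.get("IPAddresses", "").split(",")} & hosts]

INDICATORS = build_indicators(IOC_URLS)

SAMPLE_WEB_ROWS = [  # constructed, CommonSecurityLog-style
    {"SourceIP": "10.1.2.3", "RequestURL": "http://123.5.124.22:32938/bin.sh"},
    {"SourceIP": "10.1.2.4", "RequestURL": "http://27.207.36.59/"},
    {"SourceIP": "10.20.0.5", "RequestURL": "http://116.72.98.65:35286/i"},
    {"SourceIP": "10.20.0.5", "RequestURL": "http://116.72.98.65:35286/snapshot/daily"},
    {"SourceIP": "10.1.2.6", "RequestURL": "http://updates.redhat.com/x.rpm"},
]
SAMPLE_DNS_ROWS = [  # constructed, DnsEvents-style
    {"Computer": "ws01", "Name": "cdn.example.test", "IPAddresses": "198.51.100.7,116.72.98.65"},
    {"Computer": "ws02", "Name": "www.example.test", "IPAddresses": "198.51.100.9"},
]

if __name__ == "__main__":
    print("let malicious_domains =", kql_dynamic_list(INDICATORS) + ";")
    for hit in match_web(SAMPLE_WEB_ROWS, INDICATORS):
        print(hit["confidence"], hit["SourceIP"], "->", hit["RequestURL"])
    for hit in match_dns(SAMPLE_DNS_ROWS, INDICATORS):
        print("dns", hit["Computer"], hit["Name"], hit["IPAddresses"])
```

Running the script prints the `let` line ready to paste into either query, then three web hits (two `high`, one `medium` for the host contacted on a port not in the table) and one DNS hit found through the resolved address rather than the query name. The row from the constructed backup server fetching `/snapshot/daily` is suppressed, but the same server fetching `/i` is not, which is the reason for pairing path word and source in each rule. The path-word checks are plain substring tests, as the scenarios describe, so a word like `test` will also match paths such as `/latest/`; keep the word lists short and review suppressed rows periodically.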