The hunt hypothesis is that a device in the environment is being infected by Mozi, a peer-to-peer IoT botnet built on Mirai and Gafgyt code that spreads to routers, DVRs and similar embedded devices over weak Telnet credentials and known exploits. A device being compromised by Mozi fetches the loader script from a payload-hosting URL of the kind URLhaus tracks; the ten indicators below are all `malware_download` entries (the `/i` and `/bin.sh` paths), i.e. payload delivery rather than command and control, which Mozi carries over its DHT-based peer-to-peer network instead. Every indicator is a raw IP:port URL, so the observable is an outbound HTTP request or TCP connection from an internal host to a listed IP on a high, non-standard port, and the right vantage point is firewall and proxy telemetry rather than DNS. SOC teams should proactively hunt for this in Microsoft Sentinel (formerly Azure Sentinel) to catch infections early in the attack lifecycle, keeping in mind that the infected device is typically an embedded system with no endpoint agent, so the network logs may be the only evidence.
IOC Summary

Threat: Mozi
Total URLs: 10
Active URLs: 10 (all reported online by URLhaus at the date added)
| URL (defanged) | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://182.117.109.55:51915/i | online | malware_download | 2026-05-28 |
| hxxp://42.230.201.223:39537/i | online | malware_download | 2026-05-28 |
| hxxp://182.117.109.55:51915/bin.sh | online | malware_download | 2026-05-28 |
| hxxp://42.230.201.223:39537/bin.sh | online | malware_download | 2026-05-28 |
| hxxp://125.45.64.29:44423/i | online | malware_download | 2026-05-28 |
| hxxp://182.121.41.199:56616/i | online | malware_download | 2026-05-28 |
| hxxp://182.121.41.199:56616/bin.sh | online | malware_download | 2026-05-28 |
| hxxp://110.36.20.58:49534/i | online | malware_download | 2026-05-28 |
| hxxp://115.50.148.116:60110/i | online | malware_download | 2026-05-28 |
| hxxp://115.50.148.116:60110/bin.sh | online | malware_download | 2026-05-28 |
The two queries below must be run separately: KQL allows one chain of `let` statements per query, so pasting both into one editor pane fails on the second `let`. The IP and port lists are taken directly from the URLhaus table above.

```kusto
// Hunt 1 (primary): web requests or raw connections to URLhaus-listed Mozi hosts.
// Threat: Mozi
// Every indicator is an IP literal, so the match keys on destination IP and port,
// with RequestURL / DestinationHostName as fallbacks for proxies that log the URL.
let malicious_ips = dynamic(["182.117.109.55", "42.230.201.223", "125.45.64.29", "115.50.148.116", "110.36.20.58", "182.121.41.199"]);
let malicious_ports = dynamic([51915, 39537, 44423, 56616, 49534, 60110]);
CommonSecurityLog
| where DestinationIP in (malicious_ips)
    or DestinationHostName in (malicious_ips)
    or RequestURL has_any (malicious_ips)
| extend OnListedPort = DestinationPort in (malicious_ports)
| extend MoziPath = RequestURL endswith "/i" or RequestURL endswith "/bin.sh"
| project TimeGenerated, DeviceVendor, DeviceProduct, SourceIP, DestinationIP, DestinationPort, OnListedPort, DestinationHostName, RequestURL, MoziPath, DeviceAction
| order by TimeGenerated desc
```

```kusto
// Hunt 2 (secondary): DNS answers pointing at a listed IP.
// Threat: Mozi
// A client fetching hxxp://<ip>:<port>/i never issues a DNS query for the IP, so this
// query cannot see the download itself; it only catches a name that resolves to a
// listed host. Searching the query Name for IP strings, as the original did, matches nothing.
let malicious_ips = dynamic(["182.117.109.55", "42.230.201.223", "125.45.64.29", "115.50.148.116", "110.36.20.58", "182.121.41.199"]);
DnsEvents
| where IPAddresses has_any (malicious_ips)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
```

A DestinationIP hit on a listed port with an allowed DeviceAction is the highest-confidence result; a listed IP on a different port, or a `/i` or `/bin.sh` request to an unlisted host, is worth a look but is not on its own an indicator.
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Primary source. Ensure the CEF data connector is enabled and that firewall or proxy logs populating DestinationIP, DestinationPort and (for proxies) RequestURL are being ingested. |
| DnsEvents | Secondary only, since the indicators are IP literals and no DNS lookup precedes the download. Ensure the DNS data connector is enabled if you run the second query. |
Known benign activity that can collide with this hunt, with the exclusion that keeps the hunt honest. In every case the exclusion keys on the reviewed benign host, never on a path fragment: the Mozi paths (`/i`, `/bin.sh`) are short enough to appear anywhere, and a path-based exclusion would also hide the same path on an attacker-controlled host. An exact match on a URLhaus-listed IP:port is never excluded; that is the finding the hunt exists to surface.

Scenario: A system administrator is manually testing a new URL shortener by generating and following short links to internal documentation.
Filter/Exclusion: Exclude the internal shortener hosts by DestinationHostName (e.g., internal.short.url, doc-shortener.example.com).

Scenario: A scheduled job runs a daily script that fetches data from a known API endpoint whose URL looks like a Mozi download URL (IP literal, non-standard port, short path).
Filter/Exclusion: Exclude the endpoint by host (e.g., api.example.com, data-service.example.org) or, if the job addresses it by IP, by the exact IP:port pair, after confirming that IP is not on the URLhaus list.

Scenario: A security analyst uses a threat intelligence platform (e.g., CrowdStrike Falcon, Microsoft Defender) to manually test a newly added indicator, generating a request to a listed URL from an analyst workstation or sandbox.
Filter/Exclusion: Exclude by SourceIP for the designated analyst sandbox, or for requests the platform tags as manual testing (e.g., test_url, tio). Do not exclude the URL itself: the same request from any other source is exactly what the hunt should report.

Scenario: A backup process downloads and verifies backups from a remote server whose URLs resemble the malicious pattern because of the backup URL format.
Filter/Exclusion: Exclude the backup server by host (e.g., backup-service.example.com) rather than any URL containing /backup/ or /restore/, which an attacker can use just as easily.

Scenario: A DevOps team's CI/CD pipeline deploys code, and the deployment script pulls from a private artifact repository whose URL matches the Mozi pattern.
Filter/Exclusion: Exclude the pipeline and repository hosts (e.g., ci.example.com, artifactory.example.com) rather than path fragments such as /ci/ or /deploy/.
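The following script is an added example, not part of the original page and not Sentinel code: it runs the same hunt and exclusion logic as the KQL queries and the scenarios above over a handful of constructed CommonSecurityLog-style (CEF) lines, so the verdict order can be checked offline before the exclusions go into a production query. The ten indicators are the real URLhaus entries from the table; the sample log lines, the `Acme` vendor, the source IPs and the allowlisted hosts are constructed for the demonstration. It also renders the indicator lists as KQL `let` lines for pasting into Sentinel.

```python
"""Offline run of the Mozi URLhaus hunt logic over constructed CEF lines.

Added example; not the page's own code. Allowlist hosts and sample log lines
are hypothetical. Verdict order encodes the point of the exclusion scenarios:
an exact URLhaus indicator is never allowlisted away, and exclusions key on
the reviewed benign host rather than on a path fragment.
"""
import json
import re
from urllib.parse import urlsplit

# The ten indicators from the URLhaus table above (defanged hxxp form).
URLHAUS_IOCS = [
    "hxxp://182.117.109.55:51915/i", "hxxp://42.230.201.223:39537/i",
    "hxxp://182.117.109.55:51915/bin.sh", "hxxp://42.230.201.223:39537/bin.sh",
    "hxxp://125.45.64.29:44423/i", "hxxp://182.121.41.199:56616/i",
    "hxxp://182.121.41.199:56616/bin.sh", "hxxp://110.36.20.58:49534/i",
    "hxxp://115.50.148.116:60110/i", "hxxp://115.50.148.116:60110/bin.sh",
]

# Hypothetical reviewed-benign hosts from the exclusion scenarios (host, never path).
ALLOWLIST_HOSTS = {"backup-service.example.com", "artifactory.example.com"}

# Constructed CommonSecurityLog-style CEF lines; not real traffic.
SAMPLE_CEF = [
    "CEF:0|Acme|Proxy|1.0|100|url|3|src=10.10.5.23 dst=182.117.109.55 dpt=51915 request=http://182.117.109.55:51915/bin.sh act=allow",
    "CEF:0|Acme|Firewall|1.0|200|traffic|3|src=10.10.5.24 dst=42.230.201.223 dpt=39537 act=allow",
    "CEF:0|Acme|Proxy|1.0|100|url|3|src=10.10.5.25 dst=125.45.64.29 dpt=80 request=http://125.45.64.29/i act=allow",
    "CEF:0|Acme|Proxy|1.0|100|url|3|src=10.10.7.1 dst=203.0.113.10 dpt=443 dhost=backup-service.example.com request=https://backup-service.example.com/bin.sh act=allow",
    "CEF:0|Acme|Proxy|1.0|100|url|3|src=10.10.7.2 dst=198.51.100.7 dpt=8080 request=http://198.51.100.7:8080/bin.sh act=allow",
    "CEF:0|Acme|Proxy|1.0|100|url|3|src=10.10.7.3 dst=203.0.113.20 dpt=443 dhost=www.example.com request=https://www.example.com/index.html act=allow",
]

_EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_cef(line):
    """Split the 7 CEF header fields and the key=value extension into a dict."""
    parts = line.split("|", 7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    return {"product": parts[2], **dict(_EXT_RE.findall(parts[7]))}


def parse_iocs(iocs):
    """Return ({(ip, port)}, {ip}, {path}) from defanged URLhaus URLs."""
    endpoints, ips, paths = set(), set(), set()
    for u in iocs:
        s = urlsplit(u.replace("hxxp", "http", 1))
        endpoints.add((s.hostname, s.port))
        ips.add(s.hostname)
        paths.add(s.path)
    return endpoints, ips, paths


def event_target(ev):
    """(host, port, path) from the URL when present, else from dst/dpt."""
    url = ev.get("request")
    if url:
        s = urlsplit(url)
        return s.hostname, s.port or (443 if s.scheme == "https" else 80), s.path
    return ev.get("dst"), int(ev["dpt"]) if ev.get("dpt") else None, None


def classify(ev, iocs=URLHAUS_IOCS, allow=ALLOWLIST_HOSTS):
    endpoints, ips, paths = parse_iocs(iocs)
    host, port, path = event_target(ev)
    dst = ev.get("dst")
    if (host, port) in endpoints or (dst, port) in endpoints:
        return "ioc_exact"          # listed IP on its listed port: never excluded
    if host in ips or dst in ips:
        return "ioc_ip"             # listed IP, other port: still worth a look
    if (ev.get("dhost") or host) in allow:
        return "excluded"           # reviewed benign host, whatever the path
    if path in paths:
        return "path_only"          # /i or /bin.sh to an unlisted host: low confidence
    return None


def hunt(lines, iocs=URLHAUS_IOCS, allow=ALLOWLIST_HOSTS):
    """Findings as (verdict, source, target) for lines an analyst should see."""
    out = []
    for line in lines:
        ev = parse_cef(line)
        v = classify(ev, iocs, allow)
        if v in ("ioc_exact", "ioc_ip", "path_only"):
            out.append((v, ev.get("src"), ev.get("request") or f"{ev.get('dst')}:{ev.get('dpt')}"))
    return out


def kql_let(name, values):
    """Render one KQL `let` line for pasting into the Sentinel query."""
    return f"let {name} = dynamic([{', '.join(json.dumps(v) for v in sorted(values))}]);"


def kql_lets(iocs=URLHAUS_IOCS):
    endpoints, ips, paths = parse_iocs(iocs)
    return "\n".join([kql_let("malicious_ips", ips),
                      kql_let("malicious_ports", {p for _, p in endpoints}),
                      kql_let("malicious_paths", paths)])


if __name__ == "__main__":
    print(kql_lets())
    for verdict, src, target in hunt(SAMPLE_CEF):
        print(f"{verdict:10} {src} -> {target}")
```

Run as-is, it prints the three `let` lines and four findings: the two exact indicator hits (one from a proxy URL, one from a bare firewall connection with no URL at all), the listed IP seen on port 80, and the `/bin.sh` fetch from an unlisted host. The backup server's `/bin.sh` is suppressed by the host allowlist, which is the behaviour the exclusion scenarios describe; swapping the allowlist for a path check such as `"/bin.sh" in path` would also suppress the unlisted-host finding, which is the blind spot to avoid.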