The hypothesis is that the detected URLs are associated with the Mozi malware family, which is used for command and control communication. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential compromise of endpoints and data exfiltration.
IOC Summary
Threat: Mozi | Total URLs: 4 | Active URLs: 4
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://182.121.115.226:37413/i | online | malware_download | 2026-06-05 |
| hxxp://42.231.182.162:57397/bin.sh | online | malware_download | 2026-06-05 |
| hxxp://39.74.81.185:47990/i | online | malware_download | 2026-06-05 |
| hxxp://112.248.101.161:37345/bin.sh | online | malware_download | 2026-06-05 |
```kql
// Hunt for DNS activity involving the URLhaus Mozi C2 hosts.
// Threat: Mozi
// The IOCs are bare IP addresses (no domains), so matching the query Name alone
// rarely fires; also match the resolved addresses in IPAddresses.
let malicious_ips = dynamic(["182.121.115.226", "39.74.81.185", "42.231.182.162", "112.248.101.161"]);
DnsEvents
| where Name has_any (malicious_ips) or IPAddresses has_any (malicious_ips)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web/firewall traffic to the URLhaus Mozi C2 hosts.
// Threat: Mozi
// Ports in the IOC URLs are ephemeral, so match on the host only; DestinationIP
// covers firewall records that carry no RequestURL or hostname.
let malicious_ips = dynamic(["182.121.115.226", "39.74.81.185", "42.231.182.162", "112.248.101.161"]);
CommonSecurityLog
| where RequestURL has_any (malicious_ips)
    or DestinationHostName has_any (malicious_ips)
    or DestinationIP has_any (malicious_ips)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
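The queries above match on host only, since Mozi download ports are ephemeral. The following added example (not part of the original page) refangs the four defanged IOC URLs from the table, extracts the host set, renders it as the KQL `dynamic([...])` literal used above, and applies the same host-matching logic to constructed CommonSecurityLog-shaped records, including a near-miss host that a substring match would wrongly flag.

```python
"""Refang URLhaus Mozi IOCs and match them against proxy/firewall records."""
import re
from urllib.parse import urlsplit

# Defanged URLs copied from the IOC table on this page.
IOC_URLS = [
    "hxxp://182.121.115.226:37413/i",
    "hxxp://42.231.182.162:57397/bin.sh",
    "hxxp://39.74.81.185:47990/i",
    "hxxp://112.248.101.161:37345/bin.sh",
]

def refang(url: str) -> str:
    """Undo common defanging: hxxp -> http, [.] -> ., [:] -> :."""
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("[:]", ":")

def ioc_hosts(urls):
    """Return the set of C2 hosts; ports and paths are dropped on purpose."""
    return {urlsplit(refang(u)).hostname for u in urls}

def kql_dynamic(hosts):
    """Render the host set as the KQL dynamic([...]) literal used in the hunts."""
    return "dynamic([" + ", ".join(f'"{h}"' for h in sorted(hosts)) + "])"

def match_records(records, hosts):
    """Mirror the CommonSecurityLog hunt: flag a record when the RequestURL host,
    DestinationHostName or DestinationIP is exactly one of the IOC hosts.
    Exact term matching (like KQL has_any) avoids substring false positives."""
    hits = []
    for r in records:
        req_host = urlsplit(r.get("RequestURL", "")).hostname
        if {req_host, r.get("DestinationHostName"), r.get("DestinationIP")} & hosts:
            hits.append(r)
    return hits

# Constructed sample records in CommonSecurityLog shape (not real telemetry).
SAMPLE = [
    {"TimeGenerated": "2026-06-05T10:01:00Z", "SourceIP": "10.0.0.5",
     "RequestURL": "http://42.231.182.162:57397/bin.sh", "DestinationHostName": "",
     "DestinationIP": "42.231.182.162", "DeviceAction": "allow"},
    {"TimeGenerated": "2026-06-05T10:02:00Z", "SourceIP": "10.0.0.9",
     "RequestURL": "", "DestinationHostName": "",            # firewall record, no URL
     "DestinationIP": "39.74.81.185", "DeviceAction": "deny"},
    {"TimeGenerated": "2026-06-05T10:03:00Z", "SourceIP": "10.0.0.7",
     "RequestURL": "http://182.121.115.2260/i", "DestinationHostName": "",
     "DestinationIP": "203.0.113.10", "DeviceAction": "allow"},  # near miss, not an IOC
]
```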
- Scenario: A system administrator is manually testing a new URL shortener tool by accessing a known safe URL from URLhaus for validation purposes.
  Filter/Exclusion: Exclude URLs that match the urlhaus.org domain or any URL containing the substring "urlhaus" in the request.
- Scenario: A scheduled job runs to fetch and process benign URLs from a trusted internal repository for testing purposes.
  Filter/Exclusion: Exclude URLs that originate from internal IP ranges or are tagged with a specific internal testing label in the URL metadata.
- Scenario: A user is accessing a legitimate phishing training page hosted on a URLhaus test environment to simulate phishing attacks.
  Filter/Exclusion: Exclude URLs that are tagged with a "training" or "phishing_sim" label in the URL metadata or are hosted on a specific internal training server.
- Scenario: A security tool like OSSEC or Snort is configured to periodically fetch and analyze URLs from URLhaus as part of its threat intelligence integration.
  Filter/Exclusion: Exclude URLs that are part of a known integration feed or are tagged with a "feed" or "integration" label in the URL metadata.
- Scenario: A DevOps team is deploying a new CI/CD pipeline and is accessing a URL from URLhaus to verify the integrity of a package or artifact.
  Filter/Exclusion: Exclude URLs that are part of a CI/CD tool like Jenkins, GitLab CI, or GitHub Actions, or are tagged with a "CI" or "artifact" label.