The hypothesis is that the detected URLs are associated with the Mozi malware family, which is used to deliver malicious payloads and establish command and control channels. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential compromises before they lead to data exfiltration or system control.
IOC Summary
Threat: Mozi. Total URLs: 7. Active URLs: 7.
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://203.177.28.149:55113/bin.sh | online | malware_download | 2026-06-08 |
| hxxp://112.231.231.221:34181/i | online | malware_download | 2026-06-08 |
| hxxp://115.56.109.95:53024/i | online | malware_download | 2026-06-08 |
| hxxp://115.56.109.95:53024/bin.sh | online | malware_download | 2026-06-08 |
| hxxp://112.248.112.149:48462/i | online | malware_download | 2026-06-08 |
| hxxp://115.48.55.57:35922/i | online | malware_download | 2026-06-08 |
| hxxp://115.48.55.57:35922/bin.sh | online | malware_download | 2026-06-08 |
```kql
// Hunt for DNS resolution of URLhaus malicious hosts
// Threat: Mozi
// The IOCs are bare IP addresses, so match the resolved address (IPAddresses) as well as the queried name
let malicious_hosts = dynamic(["203.177.28.149", "115.48.55.57", "112.231.231.221", "112.248.112.149", "115.56.109.95"]);
DnsEvents
| where Name has_any (malicious_hosts) or IPAddresses has_any (malicious_hosts)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious hosts
// Threat: Mozi
// Match the IOC IPs in the request URL, the destination host name and the destination IP
let malicious_hosts = dynamic(["203.177.28.149", "115.48.55.57", "112.231.231.221", "112.248.112.149", "115.56.109.95"]);
CommonSecurityLog
| where RequestURL has_any (malicious_hosts) or DestinationHostName has_any (malicious_hosts) or DestinationIP has_any (malicious_hosts)
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: A system administrator is manually testing a new URL shortener service by visiting a few legitimate URLs from the URLhaus list as part of a security validation process.
Filter/Exclusion: Exclude URLs that match known URL shortening services (e.g., bit.ly, tinyurl.com) or filter by user agent containing “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/…” (indicating administrative tools).
Scenario: A scheduled job runs a script that fetches and validates URLs from a security database (e.g., URLhaus) to update internal threat intelligence feeds.
Filter/Exclusion: Exclude traffic originating from known internal IP ranges or filter by source IP matching the internal security team’s management subnet (e.g., 10.0.0.0/8).
Scenario: A developer is using a tool like Burp Suite or Postman to manually test API endpoints that include URLs from URLhaus as part of a penetration testing exercise.
Filter/Exclusion: Exclude traffic with HTTP headers indicating testing tools (e.g., User-Agent: Burp Suite or User-Agent: PostmanRuntime/7.26.8) or filter by request method POST or PUT (which are less common for malicious URL access).
Scenario: A system is running a Windows Update or Group Policy synchronization task that temporarily accesses URLs from a known security database (e.g., Microsoft’s security feeds).
Filter/Exclusion: Exclude traffic to URLs that match known Microsoft or Windows update domains (e.g., *.update.microsoft.com, *.windowsupdate.com) or filter by process name containing wuauclt.exe or gpupdate.exe.
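As an added example (not part of the original report or of URLhaus), the Python below refangs the seven IOC URLs from the table above into host/port/path tuples, runs them against a few constructed proxy log lines, and applies the internal-subnet and testing-tool exclusions from the false-positive notes; the tab-separated log format, the 10.0.0.0/8 range and the User-Agent prefixes are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit
# Defanged IOCs copied from the URLhaus table above
IOCS = [
    "hxxp://203.177.28.149:55113/bin.sh", "hxxp://112.231.231.221:34181/i",
    "hxxp://115.56.109.95:53024/i", "hxxp://115.56.109.95:53024/bin.sh",
    "hxxp://112.248.112.149:48462/i", "hxxp://115.48.55.57:35922/i",
    "hxxp://115.48.55.57:35922/bin.sh",
]
# Exclusions from the false-positive scenarios above (values are assumptions)
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
TESTING_UA_PREFIXES = ("Burp Suite", "PostmanRuntime/")

def ioc_index(iocs):
    """Map IOC host -> set of (port, path) pairs, refanging hxxp:// first."""
    index = {}
    for u in iocs:
        p = urlsplit(u.replace("hxxp://", "http://"))
        index.setdefault(p.hostname, set()).add((p.port, p.path))
    return index

def is_excluded(src_ip, user_agent):
    # Internal security subnet or a known testing-tool User-Agent
    internal = any(ipaddress.ip_address(src_ip) in n for n in INTERNAL_NETS)
    return internal or user_agent.startswith(TESTING_UA_PREFIXES)

def hunt(log_lines, iocs=IOCS):
    """Return (src_ip, url, reason) per non-excluded 'src_ip<TAB>url<TAB>ua' line hitting an IOC host."""
    index, hits = ioc_index(iocs), []
    for line in log_lines:
        src_ip, url, ua = line.split("\t")
        p = urlsplit(url)
        known = index.get(p.hostname)
        if known is None or is_excluded(src_ip, ua):
            continue
        if (p.port, p.path) in known:
            reason = "exact IOC URL"
        elif any(port == p.port for port, _ in known):
            reason = "IOC host:port, new path"
        else:
            reason = "IOC host, different port"
        hits.append((src_ip, url, reason))
    return hits
# Constructed sample proxy log lines (not real traffic)
SAMPLE_LOG = [
    "192.168.5.20\thttp://115.56.109.95:53024/bin.sh\tWget/1.21",
    "10.0.3.7\thttp://115.48.55.57:35922/i\tpython-requests/2.31",  # internal subnet: excluded
    "192.168.5.21\thttp://203.177.28.149:55113/payload\tcurl/8.1",  # same host:port, new path
    "172.16.9.4\thttp://112.231.231.221:34181/i\tPostmanRuntime/7.26.8",  # testing tool: excluded
]
```

A hit on an IOC host at a different port or path is still reported, with the reason string saying how close the match is, so an analyst can triage exact-URL hits first.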
Scenario: