This hunt hypothesis looks for hosts that contact the Mozi URLs catalogued in URLhaus, which are known to serve as command-and-control endpoints or payload-delivery points for the botnet. SOC teams should proactively hunt for this traffic in Azure Sentinel so that compromised devices are identified and contained early in the attack lifecycle.
IOC Summary

Threat: Mozi
Total URLs: 13
Active URLs: 13
```kusto
// Hunt for DNS activity involving URLhaus-listed Mozi hosts
// Threat: Mozi
// The URLhaus entries for this threat are raw IP:port URLs, so the queried Name will rarely
// contain them; match the resolved IPAddresses column as well (Name still catches PTR lookups).
let malicious_hosts = dynamic(["42.228.216.214", "219.157.215.220", "39.79.136.154", "178.238.27.138", "182.127.6.252", "115.50.109.82", "42.231.38.235", "115.55.158.4", "42.235.102.253", "117.245.139.161", "42.239.110.98", "123.5.152.174", "182.124.175.204"]);
DnsEvents
| where IPAddresses has_any (malicious_hosts) or Name has_any (malicious_hosts)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```
```kusto
// Hunt for web traffic to URLhaus-listed Mozi hosts
// Threat: Mozi
// Match on the destination IP as well as the URL and host name, since proxies and firewalls
// often log only the IP for direct-to-IP connections like these.
let malicious_hosts = dynamic(["42.228.216.214", "219.157.215.220", "39.79.136.154", "178.238.27.138", "182.127.6.252", "115.50.109.82", "42.231.38.235", "115.55.158.4", "42.235.102.253", "117.245.139.161", "42.239.110.98", "123.5.152.174", "182.124.175.204"]);
CommonSecurityLog
| where RequestURL has_any (malicious_hosts)
    or DestinationHostName has_any (malicious_hosts)
    or DestinationIP has_any (malicious_hosts)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
- Scenario: A system administrator is manually testing a URL shortener service (e.g., Bitly) to verify link functionality.
  Filter/Exclusion: Exclude URLs containing the domain bitly.com or any known URL shortening service domains.
- Scenario: A scheduled job runs a daily backup script that uses a Mozi-related URL to download a pre-signed S3 bucket object (e.g., AWS S3).
  Filter/Exclusion: Exclude URLs that match the pattern s3.amazonaws.com or any known cloud storage endpoints used by backup tools.
- Scenario: A security team member is using a threat intelligence platform (e.g., CrowdStrike Falcon, Microsoft Defender ATP) to query a Mozi-related URL for analysis.
  Filter/Exclusion: Exclude URLs that are part of the threat intelligence platform's internal analysis tools or whitelisted for investigation.
- Scenario: A DevOps team is deploying a CI/CD pipeline (e.g., Jenkins, GitLab CI) that uses a Mozi-related URL to fetch a dependency from a private repository.
  Filter/Exclusion: Exclude URLs that match the internal repository domain or are associated with CI/CD tooling.
- Scenario: An admin is using a log management tool (e.g., Splunk, ELK Stack) to access a Mozi-related URL for configuration or troubleshooting purposes.
  Filter/Exclusion: Exclude URLs that are part of the log management tool's internal API or used for administrative tasks.
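As an added example (not part of this hunt page or of URLhaus), the Python helper below turns defanged URLhaus-style entries into the `let` line the queries above start from, applies the suffix-based exclusions from the false-positive scenarios, and checks constructed proxy-log lines against the list by host and by host plus port; the sample IOCs, the allow-list suffixes and the log line format are all assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in the shape of the IOC table above (defanged hxxp:// scheme); hosts are
# RFC 5737 documentation addresses plus a made-up bucket name, not real Mozi indicators.
SAMPLE_IOCS = ["hxxp://192.0.2.10:50581/i", "hxxp://198.51.100.7:41123/bin.sh",
               "hxxp://backup-example.s3.amazonaws.com/bin.sh"]  # last one trips the S3 exclusion
# Assumed suffix allow-list for the exclusion scenarios (hypothetical; tune per environment).
EXCLUDED_HOST_SUFFIXES = ("bitly.com", "s3.amazonaws.com")
# Constructed proxy-log sample, shape '<ts> <src> -> <dsthost>:<dstport> <url>', standing in for
# CommonSecurityLog's DestinationHostName / DestinationPort / RequestURL.
SAMPLE_LOG = [
    "2026-04-22T10:01:00Z 10.0.0.5 -> 192.0.2.10:50581 http://192.0.2.10:50581/i",  # host+port hit
    "2026-04-22T10:02:00Z 10.0.0.6 -> 192.0.2.10:80 http://192.0.2.10/",            # host-only hit
    "2026-04-22T10:03:00Z 10.0.0.7 -> backup-example.s3.amazonaws.com:443 https://backup-example.s3.amazonaws.com/bin.sh",
    "2026-04-22T10:04:00Z 10.0.0.8 -> example.org:443 https://example.org/",        # clean
]

def refang(url):
    """Turn a defanged hxxp(s):// URL back into one urlsplit can parse."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)

def ioc_host_port(url):
    """Return (host, port); the port defaults by scheme when the URLhaus entry omits it."""
    parts = urlsplit(refang(url))
    return parts.hostname, parts.port or (443 if parts.scheme == "https" else 80)

def is_excluded(host):
    """Apply the suffix allow-list from the false-positive scenarios."""
    return host.endswith(EXCLUDED_HOST_SUFFIXES)

def kql_let(iocs, name="malicious_hosts"):
    """Emit the `let ... = dynamic([...])` line the hunt queries begin with, minus exclusions."""
    hosts = sorted({h for h, _ in map(ioc_host_port, iocs) if not is_excluded(h)})
    return "let %s = dynamic([%s]);" % (name, ", ".join('"%s"' % h for h in hosts))

def match_log(lines, iocs):
    """Flag records whose destination host is an IOC host; the last tuple field says whether the
    destination port matched the IOC's port as well (host+port is the higher-confidence hit)."""
    ioc_ports = {}
    for h, p in map(ioc_host_port, iocs):
        if not is_excluded(h):
            ioc_ports.setdefault(h, set()).add(p)
    hits = []
    for line in lines:
        m = re.match(r"(\S+) (\S+) -> ([^:\s]+):(\d+) (\S+)$", line)
        if m and m.group(3) in ioc_ports:
            ts, src, dst, dport, _url = m.groups()
            hits.append((ts, src, dst, int(dport), int(dport) in ioc_ports[dst]))
    return hits
```

Paste the string returned by `kql_let(...)` in place of the `let` line in either query above; a host-only hit on a non-IOC port is worth triage but carries less weight than a host-and-port match.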