The hypothesis is that the detected URLs are associated with the Mozi malware and are used for command and control communication, so a match indicates a potentially compromised endpoint. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate initial access and command and control activity by advanced persistent threats.
IOC Summary

Threat: Mozi
Total URLs: 4
Active URLs: 4

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://222.140.161.65:41561/i | online | malware_download | 2026-05-26 |
| hxxp://110.37.14.156:38154/i | online | malware_download | 2026-05-26 |
| hxxp://222.140.161.65:41561/bin.sh | online | malware_download | 2026-05-26 |
| hxxp://115.51.3.21:52080/i | online | malware_download | 2026-05-26 |
```kusto
// Hunt for DNS activity involving URLhaus-listed Mozi infrastructure
// Threat: Mozi
// The IOCs are raw IP addresses, not domains: a query name only matches when a
// client looks up the literal IP, so also match against the resolved addresses.
let malicious_ips = dynamic(["115.51.3.21", "110.37.14.156", "222.140.161.65"]);
DnsEvents
| where Name has_any (malicious_ips) or IPAddresses has_any (malicious_ips)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for proxy/firewall traffic to URLhaus-listed Mozi infrastructure
// Threat: Mozi
// DestinationPort is projected so hits can be compared with the IOC ports
// (41561, 38154, 52080); DestinationIP covers connections logged without a URL.
let malicious_ips = dynamic(["115.51.3.21", "110.37.14.156", "222.140.161.65"]);
CommonSecurityLog
| where RequestURL has_any (malicious_ips)
    or DestinationHostName has_any (malicious_ips)
    or DestinationIP has_any (malicious_ips)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DestinationPort, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
- Scenario: Legitimate system update or patching process using a URLhaus-listed URL
  Filter/Exclusion: Exclude URLs associated with known system update mechanisms (e.g., windowsupdate.microsoft.com, updates.microsoft.com) or use a filter like:
  `(url contains "windowsupdate.microsoft.com" or url contains "updates.microsoft.com")`
- Scenario: Scheduled backup job downloading a legitimate backup tool from a trusted source
  Filter/Exclusion: Exclude URLs that match known backup tool distribution sites (e.g., backupify.com, vastbackup.com) or use a filter like:
  `(url contains "backupify.com" or url contains "vastbackup.com")`
- Scenario: Admin task involving downloading a security tool or endpoint protection software
  Filter/Exclusion: Exclude URLs associated with known security vendors (e.g., endpoint.microsoft.com, kaspersky.com, mcafee.com) or use a filter like:
  `(url contains "microsoft.com" or url contains "kaspersky.com")`
- Scenario: Internal development team using a test URL from a staging environment
  Filter/Exclusion: Exclude URLs that contain internal domain names (e.g., staging.example.com, dev.example.com) or use a filter like:
  `(url contains "example.com" or url contains "staging.example.com")`
- Scenario: Automated log collection or monitoring tool pulling logs from a central server
  Filter/Exclusion: Exclude URLs associated with log collection services (e.g., logz.io, datadog.com, splunk.com) or use a filter like:
  `(url contains "logz.io" or url contains "datadog.com")`

In the queries above, substitute the relevant column (RequestURL or Name) for `url`.
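The following is an added example, not part of the original hunt page, that mirrors the two KQL hunts and the exclusion scenarios offline in Python so their logic can be checked before it is run against live Sentinel data. It refangs the defanged `hxxp://` IOC rows from the table, matches constructed DnsEvents and CommonSecurityLog rows against the IOC hosts, applies a domain allowlist, and uses the IOC port as an extra discriminator. The log rows, the trusted-domain list and the `hunt_dns` / `hunt_web` helper names are all assumptions made for this example; the constructed rows use documentation-range addresses where a non-IOC IP is needed. It also illustrates a point the scenarios above do not spell out: because these IOCs are raw IP:port URLs, domain-based exclusions never suppress a hit on them.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# IOC rows copied from the summary table, in URLhaus' defanged hxxp:// form.
IOC_ROWS = [
    "hxxp://222.140.161.65:41561/i",
    "hxxp://110.37.14.156:38154/i",
    "hxxp://222.140.161.65:41561/bin.sh",
    "hxxp://115.51.3.21:52080/i",
]

# Assumed allowlist mirroring the false-positive scenarios; tune per environment.
TRUSTED_DOMAINS = ("windowsupdate.microsoft.com", "updates.microsoft.com", "backupify.com")

# Constructed sample rows (not real telemetry) shaped like the Sentinel columns used above.
DNS_EVENTS = [
    {"TimeGenerated": "2026-05-26T10:01:00Z", "Computer": "ws01",
     "Name": "updates.microsoft.com", "IPAddresses": "203.0.113.5"},
    {"TimeGenerated": "2026-05-26T10:02:00Z", "Computer": "iot-cam-07",
     "Name": "222.140.161.65", "IPAddresses": "222.140.161.65"},
    {"TimeGenerated": "2026-05-26T10:03:00Z", "Computer": "ws02",
     "Name": "cdn.example.net", "IPAddresses": "115.51.3.21"},
]
WEB_EVENTS = [
    {"TimeGenerated": "2026-05-26T10:05:00Z", "SourceIP": "10.0.0.7",
     "RequestURL": "http://222.140.161.65:41561/bin.sh", "DestinationHostName": "", "DestinationPort": "41561"},
    {"TimeGenerated": "2026-05-26T10:06:00Z", "SourceIP": "10.0.0.9",
     "RequestURL": "", "DestinationHostName": "110.37.14.156", "DestinationPort": "443"},
    {"TimeGenerated": "2026-05-26T10:07:00Z", "SourceIP": "10.0.0.11",
     "RequestURL": "https://updates.microsoft.com/x", "DestinationHostName": "updates.microsoft.com", "DestinationPort": "443"},
]


@dataclass(frozen=True)
class Ioc:
    host: str
    port: int
    path: str


def refang(url: str) -> str:
    """Undo hxxp:// and [.] defanging so urlsplit can parse the IOC."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url.strip()).replace("[.]", ".")


def parse_iocs(rows):
    """Parse defanged IOC URLs into (host, port, path) tuples, defaulting the port by scheme."""
    iocs = []
    for row in rows:
        u = urlsplit(refang(row))
        if not u.hostname:
            continue
        iocs.append(Ioc(u.hostname, u.port or (443 if u.scheme == "https" else 80), u.path or "/"))
    return iocs


def ioc_hosts(iocs):
    return {i.host for i in iocs}


def is_trusted(host: str) -> bool:
    """Allowlist check: exact match or subdomain of a trusted domain. Raw IPs never match."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def hunt_dns(events, iocs):
    """Mirror of the DnsEvents hunt: hit when the queried name or any resolved address is an IOC host."""
    hosts = ioc_hosts(iocs)
    hits = []
    for ev in events:
        resolved = [a.strip() for a in ev["IPAddresses"].split(",") if a.strip()]
        for candidate in [ev["Name"]] + resolved:
            if candidate in hosts and not is_trusted(ev["Name"]):
                hits.append((ev["TimeGenerated"], ev["Computer"], candidate))
                break
    return hits


def hunt_web(events, iocs):
    """Mirror of the CommonSecurityLog hunt; the last tuple field records whether the
    destination port is one of the IOC ports, so an IOC host on an unrelated port stands out."""
    by_host = {}
    for i in iocs:
        by_host.setdefault(i.host, set()).add(i.port)
    hits = []
    for ev in events:
        u = urlsplit(ev["RequestURL"]) if ev["RequestURL"] else None
        host = (u.hostname if u and u.hostname else ev["DestinationHostName"]).lower()
        if host not in by_host or is_trusted(host):
            continue
        port = u.port if u and u.port else int(ev["DestinationPort"])
        hits.append((ev["TimeGenerated"], ev["SourceIP"], host, port, port in by_host[host]))
    return hits


if __name__ == "__main__":
    iocs = parse_iocs(IOC_ROWS)
    for hit in hunt_dns(DNS_EVENTS, iocs) + hunt_web(WEB_EVENTS, iocs):
        print(hit)
```

Running the block reports two DNS hits (the camera that queried the literal IP, and a workstation whose lookup resolved to an IOC address) and two web hits, of which only the first lands on an IOC port; the allowlisted Microsoft update traffic produces nothing. Note that the port flag is a triage aid rather than an exclusion: Mozi nodes are known to change ports, so an IOC host on a different port still merits a look.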