The hypothesis is that the detected URLs are associated with the Mozi malware family, which is used to deliver malicious payloads and establish command and control channels. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential compromises before they lead to data exfiltration or system control.
IOC Summary

Threat: Mozi
Total URLs: 4
Active URLs: 4

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://182.126.116.217:54015/bin.sh | online | malware_download | 2026-05-31 |
| hxxp://42.227.136.179:54892/i | online | malware_download | 2026-05-31 |
| hxxp://42.227.184.227:41573/i | online | malware_download | 2026-05-31 |
| hxxp://42.227.184.227:41573/bin.sh | online | malware_download | 2026-05-31 |
```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: Mozi
// Note: these Mozi indicators are bare IP addresses rather than host names, so the
// queried Name alone would never match; the resolved IPAddresses column is checked too.
let malicious_domains = dynamic(["42.227.136.179", "42.227.184.227", "182.126.116.217"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious domains
// Threat: Mozi
// The indicators are IP:port URLs, so match the request URL, the destination host
// name and the destination IP (proxies and firewalls populate these differently).
let malicious_domains = dynamic(["42.227.136.179", "42.227.184.227", "182.126.116.217"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
    or DestinationIP has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: A system administrator is manually testing a new URL shortener tool by visiting a few legitimate URLs from the tool’s dashboard.
Filter/Exclusion: Exclude URLs that originate from known internal tools (e.g., shortener.example.com) or URLs that match a regex pattern for internal testing URLs.
Scenario: A scheduled job runs a daily report generation script that fetches data from a public API endpoint tagged as mozi in the URLhaus database.
Filter/Exclusion: Exclude URLs that match the domain of the public API (e.g., api.example.com) or URLs that are part of a known reporting tool (e.g., report-generator-01).
Scenario: An IT security team is performing a red team exercise and uses a legitimate tool like Metasploit to simulate a phishing attack using a URL that is falsely flagged as Mozi.
Filter/Exclusion: Exclude URLs that are associated with internal security testing tools (e.g., metasploit.local) or URLs that match a regex pattern for red team testing.
Scenario: A user is accessing a legitimate update server for a software tool like Ansible or Puppet, which has a URL structure that resembles Mozi URLs.
Filter/Exclusion: Exclude URLs that match known software update domains (e.g., updates.ansible.com) or URLs that contain a specific update path (e.g., /v1/update).
Scenario: A system is configured to automatically download and install patches from a trusted internal repository, which includes URLs that are mistakenly flagged by the Mozi detection rule.
Filter/Exclusion: Exclude URLs that are part of a known internal patch management system (e.g., patch-repo.internal) or URLs that contain a specific patch identifier (e.g., `patch-2023-10-01
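As an added example (not part of the original hunting content), the same indicator match and exclusion logic in Python over constructed CEF-style proxy lines: it refangs the four URLs from the table, matches on the Mozi IP hosts the way the CommonSecurityLog query does, records whether the exact URL (IP, port and path) was requested, and drops lines that hit a hypothetical allowlist of the internal and update hosts named in the false-positive scenarios. `ALLOWLIST_HOSTS` and `SAMPLE_LOGS` are assumptions constructed for this example.

```python
import re
from urllib.parse import urlsplit

# Constructed input: the four URLhaus Mozi URLs from the table above, still defanged.
IOC_URLS = [
    "hxxp://182.126.116.217:54015/bin.sh",
    "hxxp://42.227.136.179:54892/i",
    "hxxp://42.227.184.227:41573/i",
    "hxxp://42.227.184.227:41573/bin.sh",
]
# Hypothetical allowlist covering the false-positive scenarios (internal tooling, update servers).
ALLOWLIST_HOSTS = {"patch-repo.internal", "updates.ansible.com", "api.example.com"}

def refang(url: str) -> str:
    """Undo the hxxp / [.] defanging so the URL can be parsed."""
    return url.replace("hxxp", "http").replace("[.]", ".")

def build_indicators(urls):
    """Return (set of exact refanged URLs, set of their hosts); Mozi IOCs are bare IPs on odd ports."""
    exact = {refang(u) for u in urls}
    hosts = {urlsplit(u).hostname for u in exact}
    return exact, hosts

# CEF-style key=value fields a proxy/firewall emits, as they would land in CommonSecurityLog.
FIELD = {k: re.compile(rf"\b{k}=(\S+)") for k in ("src", "dst", "dhost", "request")}

def hunt(log_lines, urls=IOC_URLS, allowlist=ALLOWLIST_HOSTS):
    """One hit per line whose destination or request URL touches a Mozi host, minus allowlisted hosts."""
    exact, hosts = build_indicators(urls)
    hits = []
    for line in log_lines:
        found = {k: rx.search(line) for k, rx in FIELD.items()}
        f = {k: (m.group(1) if m else "") for k, m in found.items()}
        seen = {f["dst"], f["dhost"], urlsplit(f["request"]).hostname or ""}
        if seen & allowlist:  # known-good internal/update server: false-positive filter
            continue
        matched = seen & hosts
        if matched:
            hits.append({"src": f["src"], "indicator": sorted(matched)[0],
                         "url": f["request"], "exact": f["request"] in exact})
    return hits

# Constructed sample log lines (not real traffic); the third line is a blocked request.
SAMPLE_LOGS = [
    "CEF:0|Acme|Proxy|1.0|100|web|3|src=10.0.0.5 dst=42.227.184.227 dhost=42.227.184.227 request=http://42.227.184.227:41573/bin.sh act=allow",
    "CEF:0|Acme|Proxy|1.0|100|web|3|src=10.0.0.7 dst=203.0.113.10 dhost=updates.ansible.com request=https://updates.ansible.com/v1/update act=allow",
    "CEF:0|Acme|Proxy|1.0|100|web|3|src=10.0.0.9 dst=42.227.136.179 dhost=42.227.136.179 request=http://42.227.136.179:54892/i act=block",
    "CEF:0|Acme|Proxy|1.0|100|web|3|src=10.0.0.3 dst=198.51.100.20 dhost=patch-repo.internal request=http://patch-repo.internal/patch act=allow",
    "CEF:0|Acme|Proxy|1.0|100|web|3|src=10.0.0.5 dst=42.227.184.227 dhost=42.227.184.227 request=http://42.227.184.227:8080/x act=allow",
]
```

`hunt(SAMPLE_LOGS)` yields three hits: two exact URL matches and one host-only match on 42.227.184.227 with a different port and path, while the two allowlisted lines are dropped.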