The hypothesis is that the detected URLs belong to the Mozi malware family and are used for command-and-control communication. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential malware infections and data exfiltration.
IOC Summary

Threat: Mozi. Total URLs: 2. Active URLs: 2.
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://222.141.43.192:52642/i | online | malware_download | 2026-05-05 |
| hxxp://31.148.198.158:32919/i | online | malware_download | 2026-05-05 |
```kusto
// Hunt for DNS activity involving the URLhaus-listed Mozi hosts
// Threat: Mozi
// The IOCs are raw IP addresses, so a hit is far more likely in the
// resolved-address field (IPAddresses) than in the queried Name.
let malicious_domains = dynamic(["222.141.43.192", "31.148.198.158"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
```
```kusto
// Hunt for web traffic to the URLhaus-listed Mozi hosts
// Check the raw destination IP as well as URL/hostname fields, since the
// IOCs are IP:port URLs that may never appear as a hostname.
let malicious_domains = dynamic(["222.141.43.192", "31.148.198.158"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
    or DestinationIP has_any (malicious_domains)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
- **Scenario:** A system administrator is manually testing a URL shortener service (e.g., Bitly) to validate link-shortening functionality.
  **Filter/Exclusion:** Exclude URLs containing the domain bit.ly or any known URL-shortening service domains.
- **Scenario:** A scheduled job runs a script that downloads a software update from a legitimate internal repository (e.g., Nexus Repository) using a URL that matches the Mozi pattern.
  **Filter/Exclusion:** Exclude URLs that include the substring nexus-repository or match the internal repository IP range.
- **Scenario:** A user is accessing a phishing simulation URL (e.g., from a security training platform like KnowBe4) that is flagged due to its similarity to a Mozi URL.
  **Filter/Exclusion:** Exclude URLs containing the domain knowbe4.com or any known phishing simulation domains.
- **Scenario:** A DevOps pipeline uses a CI/CD tool (e.g., Jenkins) to fetch dependencies from a public artifact repository (e.g., JFrog Artifactory) using a URL that matches the Mozi pattern.
  **Filter/Exclusion:** Exclude URLs that include the substring artifactory or match the CI/CD tool's internal IP range.
- **Scenario:** A system is running a legitimate security tool (e.g., CrowdStrike Falcon) that periodically checks for updates, and the update URL is flagged as Mozi.
  **Filter/Exclusion:** Exclude URLs containing the substring crowdstrike.com or any known vendor update domains.
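The following Python script is an added example, not part of the original hunt or of any URLhaus or Sentinel tooling. It refangs the page's two defanged IOC URLs into host, port and path, then applies the same matching the KQL queries perform to constructed CommonSecurityLog-style records. It goes one step beyond the queries by adding a weaker "pattern" tier (URI path equals an IOC path on an unrelated host), which is the only tier where the page's false-positive exclusions are consulted; the allowlist substrings, the sample records and the `classify`/`hunt` helper names are all assumptions made for the demo.

```python
"""Added example (not from the original page): refang URLhaus IOCs and
match them against constructed CommonSecurityLog-style records."""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# The two IOCs from the page, still defanged (hxxp://).
IOC_URLS = [
    "hxxp://222.141.43.192:52642/i",
    "hxxp://31.148.198.158:32919/i",
]

# Constructed allowlist reflecting the page's false-positive scenarios.
BENIGN_URL_SUBSTRINGS = [
    "bit.ly", "nexus-repository", "knowbe4.com", "artifactory", "crowdstrike.com",
]


@dataclass(frozen=True)
class Ioc:
    host: str
    port: Optional[int]
    path: str


def refang(url: str) -> str:
    """Undo common defanging (hxxp://, [.] and [:]) so the URL can be parsed."""
    url = re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("[:]", ":")


def parse_ioc(defanged: str) -> Ioc:
    parts = urlsplit(refang(defanged))
    return Ioc(host=parts.hostname or "", port=parts.port, path=parts.path or "/")


def parse_iocs(urls):
    return [parse_ioc(u) for u in urls]


def classify(record: dict, iocs) -> Optional[str]:
    """Return the strongest match tier for one log record, or None.

    'exact'   - destination host, port and path all equal an IOC
    'host'    - destination host equals an IOC host (other port or path)
    'pattern' - only the URI path equals an IOC path (assumed extra tier);
                the benign-substring allowlist is consulted here only, so a
                hit on an IOC host is never suppressed by a URL substring
    """
    url = record.get("RequestURL") or ""
    parts = urlsplit(url)
    host = parts.hostname or record.get("DestinationIP")
    port = parts.port or record.get("DestinationPort")
    path = parts.path or "/"
    for ioc in iocs:
        if host == ioc.host:
            return "exact" if (port == ioc.port and path == ioc.path) else "host"
    if any(path == ioc.path for ioc in iocs):
        if any(s in url.lower() for s in BENIGN_URL_SUBSTRINGS):
            return None
        return "pattern"
    return None


def hunt(records, iocs):
    """Mirror the query's projection and ordering: newest first, plus the tier."""
    hits = []
    for r in records:
        tier = classify(r, iocs)
        if tier:
            hits.append((r["TimeGenerated"], r["SourceIP"], r["RequestURL"], tier))
    return sorted(hits, key=lambda h: h[0], reverse=True)


# Constructed sample records shaped like CommonSecurityLog rows.
SAMPLE_WEB_LOG = [
    {"TimeGenerated": "2026-05-05T10:01:00Z", "SourceIP": "10.0.0.12",
     "DestinationIP": "222.141.43.192", "DestinationPort": 52642,
     "RequestURL": "http://222.141.43.192:52642/i", "DeviceAction": "allow"},
    {"TimeGenerated": "2026-05-05T10:02:00Z", "SourceIP": "10.0.0.40",
     "DestinationIP": "31.148.198.158", "DestinationPort": 80,
     "RequestURL": "http://31.148.198.158/update", "DeviceAction": "block"},
    {"TimeGenerated": "2026-05-05T10:03:00Z", "SourceIP": "10.0.0.7",
     "DestinationIP": "203.0.113.5", "DestinationPort": 443,
     "RequestURL": "https://bit.ly/3abcde", "DeviceAction": "allow"},
    {"TimeGenerated": "2026-05-05T10:04:00Z", "SourceIP": "10.0.0.9",
     "DestinationIP": "198.51.100.20", "DestinationPort": 443,
     "RequestURL": "https://nexus-repository.corp.example/i", "DeviceAction": "allow"},
    {"TimeGenerated": "2026-05-05T10:05:00Z", "SourceIP": "10.0.0.21",
     "DestinationIP": "198.51.100.77", "DestinationPort": 80,
     "RequestURL": "http://198.51.100.77/i", "DeviceAction": "allow"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_WEB_LOG, parse_iocs(IOC_URLS)):
        print(*hit)
```

Running the script lists three hits, newest first: the unknown host fetching `/i` (pattern tier), the IOC host contacted on a different port and path (host tier), and the exact IOC URL. The Nexus record is dropped only because it never touched an IOC host; keeping the allowlist out of the host and exact tiers is the design choice that stops a substring exclusion from hiding real beaconing to a listed IP.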