Hunt hypothesis: hosts in the environment are fetching Mozi payloads from the URLhaus-listed URLs below. Every entry is tagged malware_download and points at a bare IP:port with the path /bin.sh or /i, the staging pattern of the Mozi botnet, whose infected devices serve the payload to new victims over HTTP on a random high port. A hit therefore indicates an infection attempt, or an already-compromised device pulling its payload, early in the attack lifecycle; it is not evidence of established command and control or data exfiltration, which these indicators do not cover. SOC teams should run the queries below in Azure Sentinel (now Microsoft Sentinel) proactively and triage every match.
IOC Summary

Threat: Mozi. Total URLs: 14. Active (online) URLs: 14.

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://61.53.95.140:53758/i | online | malware_download | 2026-04-23 |
| hxxp://112.240.175.223:44416/bin.sh | online | malware_download | 2026-04-23 |
| hxxp://151.41.153.146:36256/i | online | malware_download | 2026-04-23 |
| hxxp://219.154.28.83:42585/bin.sh | online | malware_download | 2026-04-23 |
| hxxp://151.41.153.146:36256/bin.sh | online | malware_download | 2026-04-23 |
| hxxp://182.112.0.25:39995/i | online | malware_download | 2026-04-23 |
| hxxp://210.10.133.136:33777/i | online | malware_download | 2026-04-23 |
| hxxp://182.112.0.25:39995/bin.sh | online | malware_download | 2026-04-23 |
| hxxp://220.202.66.241:42546/i | online | malware_download | 2026-04-23 |
| hxxp://61.53.95.140:53758/bin.sh | online | malware_download | 2026-04-23 |
| hxxp://210.10.133.136:33777/bin.sh | online | malware_download | 2026-04-23 |
| hxxp://182.112.224.78:45371/bin.sh | online | malware_download | 2026-04-23 |
| hxxp://222.141.82.197:52798/bin.sh | online | malware_download | 2026-04-23 |
| hxxp://112.239.103.39:44119/bin.sh | online | malware_download | 2026-04-23 |
Two hunting queries, run separately. The URLhaus indicators are bare IP:port URLs with no hostnames, so matching them against the DNS query name (as a domain list would be) never hits; the DNS query matches the resolved addresses instead, and the web-traffic query matches DestinationIP directly as well as the URL and host fields.

```kusto
// Hunt 1: DNS answers that resolve to the Mozi payload hosts
// Threat: Mozi
let mozi_ips = dynamic(["222.141.82.197", "112.239.103.39", "210.10.133.136", "112.240.175.223", "219.154.28.83", "61.53.95.140", "182.112.0.25", "220.202.66.241", "151.41.153.146", "182.112.224.78"]);
DnsEvents
| where IPAddresses has_any (mozi_ips)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc

// Hunt 2: proxy/firewall traffic to the Mozi payload hosts
// ExactPortMatch is true when the destination port is one of the listed payload ports;
// a listed IP on another port is the same infrastructure but a weaker signal
let mozi_ips = dynamic(["222.141.82.197", "112.239.103.39", "210.10.133.136", "112.240.175.223", "219.154.28.83", "61.53.95.140", "182.112.0.25", "220.202.66.241", "151.41.153.146", "182.112.224.78"]);
let mozi_ports = dynamic([53758, 44416, 36256, 42585, 39995, 33777, 42546, 45371, 52798, 44119]);
CommonSecurityLog
| where DestinationIP in (mozi_ips)
    or RequestURL has_any (mozi_ips)
    or DestinationHostName has_any (mozi_ips)
| extend ExactPortMatch = DestinationPort in (mozi_ports)
| project TimeGenerated, DeviceVendor, SourceIP, DestinationIP, DestinationPort, RequestURL, DestinationHostName, DeviceAction, ExactPortMatch
| order by TimeGenerated desc
```
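The hunt keys on three granularities of the same indicator: the exact URL, the IP:port endpoint, and the bare IP. The script below is an added example, not code from URLhaus or from the original hunt: it parses the defanged rows of the IOC table into those three sets, renders them as the KQL `let` lists the queries above need (so the lists stay in step with the feed instead of being hand-maintained), and classifies a handful of constructed CommonSecurityLog-shaped records by the strongest indicator each one matches. The record fields and source addresses are constructed for illustration and are not real telemetry.

```python
"""Derive hunt indicators from the URLhaus rows above and evaluate log records.

Added example for this page, not code from URLhaus or from the original hunt.
The URL rows are copied from the IOC table; the log records are constructed.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Defanged URLhaus rows, copied from the IOC table above.
URLHAUS_ROWS = [
    "hxxp://61.53.95.140:53758/i", "hxxp://112.240.175.223:44416/bin.sh",
    "hxxp://151.41.153.146:36256/i", "hxxp://219.154.28.83:42585/bin.sh",
    "hxxp://151.41.153.146:36256/bin.sh", "hxxp://182.112.0.25:39995/i",
    "hxxp://210.10.133.136:33777/i", "hxxp://182.112.0.25:39995/bin.sh",
    "hxxp://220.202.66.241:42546/i", "hxxp://61.53.95.140:53758/bin.sh",
    "hxxp://210.10.133.136:33777/bin.sh", "hxxp://182.112.224.78:45371/bin.sh",
    "hxxp://222.141.82.197:52798/bin.sh", "hxxp://112.239.103.39:44119/bin.sh",
]


@dataclass(frozen=True)
class Indicator:
    scheme: str
    host: str
    port: int
    path: str

    def url(self) -> str:
        """Canonical form with an explicit port, so log URLs compare exactly."""
        return f"{self.scheme}://{self.host}:{self.port}{self.path}"


def refang(url: str) -> str:
    """Undo the usual defanging (hxxp, [.], [:]) so urlsplit can parse the URL."""
    url = re.sub(r"^hxxp(s?)://", r"http\1://", url.strip(), flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("[:]", ":")


def parse_indicator(url: str) -> Indicator:
    """Split a (possibly defanged) URL into scheme, host, explicit port and path."""
    parts = urlsplit(refang(url))
    if not parts.hostname:
        raise ValueError(f"no host in {url!r}")
    port = parts.port if parts.port is not None else (443 if parts.scheme == "https" else 80)
    return Indicator(parts.scheme, parts.hostname, port, parts.path or "/")


def build_indicator_sets(rows):
    """Return (hosts, endpoints, urls): the three match granularities the hunt uses."""
    inds = [parse_indicator(r) for r in rows]
    return (sorted({i.host for i in inds}),
            sorted({(i.host, i.port) for i in inds}),
            sorted({i.url() for i in inds}))


def kql_let(name: str, values) -> str:
    """Render a KQL `let name = dynamic([...]);` (ints bare, everything else quoted)."""
    items = [str(v) if isinstance(v, int) else '"' + str(v).replace('"', '\\"') + '"'
             for v in values]
    return f"let {name} = dynamic([{', '.join(items)}]);"


def match_record(rec: dict, hosts, endpoints, urls):
    """Strongest match for one record: 'url', 'endpoint' (ip:port), 'host' (ip only) or None."""
    ip, port = rec.get("DestinationIP"), rec.get("DestinationPort")
    raw = rec.get("RequestURL")
    if raw:
        try:
            ind = parse_indicator(raw)
        except ValueError:  # malformed URL in the log: fall back to the IP fields
            ind = None
        if ind is not None:
            if ind.url() in urls:
                return "url"
            # Proxy logs often carry only the URL; derive the endpoint from it.
            ip, port = ip or ind.host, port or ind.port
    if ip is not None and port is not None and (ip, int(port)) in endpoints:
        return "endpoint"
    if ip in hosts:
        return "host"
    return None


# Constructed records in CommonSecurityLog shape (not real telemetry).
SAMPLE_RECORDS = [
    {"SourceIP": "10.20.30.40", "DestinationIP": "112.240.175.223", "DestinationPort": 44416,
     "RequestURL": "http://112.240.175.223:44416/bin.sh"},          # proxy: exact listed URL
    {"SourceIP": "10.20.30.41", "RequestURL": "http://61.53.95.140:53758/i"},  # URL only
    {"SourceIP": "10.20.30.42", "DestinationIP": "182.112.0.25", "DestinationPort": 39995},  # firewall
    {"SourceIP": "10.20.30.43", "DestinationIP": "210.10.133.136", "DestinationPort": 443},  # other port
    {"SourceIP": "10.20.30.44", "DestinationIP": "93.184.216.34", "DestinationPort": 80,
     "RequestURL": "http://example.com/index.html"},                 # benign
]


def run_hunt(records=SAMPLE_RECORDS, rows=URLHAUS_ROWS):
    """Return [(SourceIP, verdict)] for every record that matches an indicator."""
    hosts, endpoints, urls = build_indicator_sets(rows)
    hits = []
    for rec in records:
        verdict = match_record(rec, hosts, endpoints, urls)
        if verdict:
            hits.append((rec["SourceIP"], verdict))
    return hits


if __name__ == "__main__":
    hosts, endpoints, _ = build_indicator_sets(URLHAUS_ROWS)
    print(kql_let("mozi_ips", hosts))
    print(kql_let("mozi_ports", sorted({p for _, p in endpoints})))
    for src, verdict in run_hunt():
        print(f"{src}: {verdict}")
```

The verdict order matters for triage: a `url` or `endpoint` hit is a payload fetch and should be escalated, while a `host` hit on another port shows contact with the same infrastructure and deserves a look but may be scanner noise. Paste the two printed `let` lines into the queries above whenever the feed is refreshed.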
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | CEF-formatted firewall and proxy logs. Ensure the CEF/Syslog data connector is enabled and that the devices populate DestinationIP and DestinationPort, or RequestURL, or the web-traffic hunt has nothing to match. |
| DnsEvents | DNS server query and response logs. Ensure the DNS data connector is enabled; the IPAddresses (resolved answer) field must be present for the DNS hunt to match IP-only indicators. |
Scenario: A system administrator is manually testing a new URL shortener and submits a known URL from URLhaus to validate it.
Filter/Exclusion: Requests to urlhaus.org itself never match this hunt, which keys on the payload host IPs, so no exclusion is needed for the lookup. If the test actually fetches a listed URL, exclude by the tester's source host and the test window (for example, the SourceIP of the admin workstation between the documented start and end times), not by a urlhaus or tool-name substring such as test-url-shortener.com.

Scenario: A scheduled job fetches and processes updates from URLhaus as part of an automated threat intelligence integration.
Filter/Exclusion: The feed download goes to the URLhaus API, not to the listed hosts, so it produces no hit on its own. If the integration also probes the listed URLs to check whether they are live (some link checkers and sandboxes do), exclude that job's source host (for example, the threat-intel collector) rather than any API hostname, script name or path.

Scenario: A user is accessing a legitimate internal documentation portal that includes a link to a URLhaus page for reference.
Filter/Exclusion: Viewing the portal or the URLhaus page does not contact the listed IPs; a hit occurs only if someone follows a listed link from the page, which should be triaged. Where the hunt matches on DestinationHostName, internal documentation domains (for example, internal-docs.example.com, knowledge-base.example.com) can be excluded, but never exclude on the string urlhaus appearing anywhere in a URL.

Scenario: A security analyst is performing a red team exercise and uses a Mozi-related URL as part of a controlled simulation.
Filter/Exclusion: Exclude by the red team's source hosts and the engagement window, ideally recorded in a watchlist (for example, redteam-simulator.example.com, mozi-sim-01.example.com). Do not exclude on a redteam keyword in the URL path: an adversary can put that string in a URL just as easily.

Scenario: A backup or synchronization job is transferring files from a system that previously had a Mozi-related URL in its configuration, now removed.
Filter/Exclusion: DNS and proxy logs record connections, not the contents of transferred files, so a backup archive that merely mentions a listed URL (for example, backup-logs.tar.gz, config-backup-2024-04-01.xml) produces no hit by itself. If the backup host does appear in the results, it made a real connection to a listed IP and should be triaged, not excluded; add an exclusion only after confirming the job's source host and expected destinations.