The hypothesis is that the URLs listed below are payload-delivery URLs for the Mozi malware family. Mozi is a peer-to-peer IoT botnet assembled from Gafgyt, Mirai and IoT Reaper code; it spreads to routers and DVRs through weak Telnet credentials and known exploits, and a newly compromised device fetches a dropper script or loader (the `bin.sh` and `/i` paths below) from a drop site on a random high port before joining the DHT-based peer network for command and control. SOC teams should hunt for these URLs in Azure Sentinel (now Microsoft Sentinel) to find devices that fetched, or tried to fetch, a payload and contain them before they join the botnet. Because every IOC is an IP-literal URL, fetching it generates no DNS lookup for the host, so proxy and firewall logs are the primary source and the DNS query below is secondary.
IOC Summary
Threat: Mozi
Total URLs: 8
Active URLs: 8
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://110.36.24.140:35009/i | online | malware_download | 2026-04-19 |
| hxxp://112.248.185.196:54532/bin.sh | online | malware_download | 2026-04-19 |
| hxxp://42.225.68.198:35382/bin.sh | online | malware_download | 2026-04-19 |
| hxxp://123.7.220.126:39624/bin.sh | online | malware_download | 2026-04-19 |
| hxxp://110.37.103.93:40049/i | online | malware_download | 2026-04-19 |
| hxxp://119.162.75.33:46969/i | online | malware_download | 2026-04-19 |
| hxxp://42.224.100.97:35721/bin.sh | online | malware_download | 2026-04-19 |
| hxxp://222.134.162.141:50727/i | online | malware_download | 2026-04-19 |
```kusto
// Hunt for DNS answers pointing at URLhaus Mozi IOC hosts
// Threat: Mozi
// All eight IOCs are IP literals, so a client fetching one sends no DNS query
// for it. Matching the query Name against IPs would never hit; match the
// resolved addresses instead, which catches these IPs being served as the
// answer for some other name. Expect this query to be low-yield.
let malicious_ips = dynamic(["123.7.220.126", "110.36.24.140", "42.225.68.198", "119.162.75.33", "222.134.162.141", "112.248.185.196", "110.37.103.93", "42.224.100.97"]);
DnsEvents
| where IPAddresses has_any (malicious_ips)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
```
```kusto
// Hunt for proxy/firewall traffic to URLhaus Mozi IOC hosts
// Threat: Mozi
// Proxy rows carry RequestURL; firewall rows usually carry only
// DestinationIP and DestinationPort, so check both. DeviceAction "deny" still
// means the source host attempted the fetch and should be triaged.
let malicious_ips = dynamic(["123.7.220.126", "110.36.24.140", "42.225.68.198", "119.162.75.33", "222.134.162.141", "112.248.185.196", "110.37.103.93", "42.224.100.97"]);
CommonSecurityLog
| where RequestURL has_any (malicious_ips)
    or DestinationHostName has_any (malicious_ips)
    or DestinationIP in (malicious_ips)
| project TimeGenerated, SourceIP, SourceHostName, DestinationIP, DestinationPort, RequestURL, DestinationHostName, DeviceAction, DeviceVendor, DeviceProduct
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | CEF/syslog from proxies and firewalls. Ensure this data connector is enabled and that the devices log RequestURL (proxy) or at least DestinationIP and DestinationPort (firewall). |
| DnsEvents | Populated by the DNS connector. Ensure this data connector is enabled; low-yield for this hunt because the IOCs are IP literals. |
Scenario: A system administrator is manually testing a new URL shortener tool by pasting a Mozi-related URL into a test environment for validation.
Filter/Exclusion: Scope the exclusion to the test environment's SourceIP (or SourceHostName) for the duration of the test. Excluding URLs that match known URL shortening services (e.g., bit.ly, tinyurl.com, short.url) does not address this case, since the logged request is to the IP-literal IOC, not to the shortener, and a blanket shortener exclusion would hide real redirects to the drop sites.
Scenario: A scheduled job runs a script that fetches and processes URLs from a public threat intelligence feed, including Mozi-related URLs for analysis.
Filter/Exclusion: Exclude by the SourceIP or hostname of the job runner, which should only ever be the sandbox or collector host. Requests to the feed platforms themselves (e.g., urlhaus.org, virusbulletin.com, malwarebytes.com) do not match the hunt; only the job fetching the samples does, so the exclusion must be on the source, not on the feed domains.
Scenario: A security team is conducting a red team exercise and uses a Mozi-related URL as part of a simulated phishing campaign to test user response.
Filter/Exclusion: Exclude traffic from internal red team infrastructure (e.g., redteam.example.com, phishing-test.example.net) for the exercise window only. A user host that actually fetched the payload from a live drop site is a real infection regardless of who sent the lure, so do not exclude the target hosts.
Scenario: A backup or sync job is configured to download files from a remote server, and one of the URLs is flagged as Mozi due to a misconfigured or outdated file source.
Filter/Exclusion: Exclude the known backup or sync hosts (e.g., rsync.example.com, backup.example.org, syncserver.example.net) by SourceIP only after the misconfiguration is fixed; a job pulling `bin.sh` from a Mozi drop site is a live problem, not a benign exclusion.
Scenario: A developer is using a third-party API that includes Mozi-related URLs for legitimate threat intelligence purposes, such as integrating with a security platform.
Filter/Exclusion: Exclude the integration hosts (e.g., api.threatintelligence.example.com, securityplatform.example.org) by SourceIP or SourceHostName. An API response that merely contains IOC strings does not hit the hunt; the exclusion is needed only if the integration host detonates or downloads the samples.
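The following script is an added example, not code from the original page, URLhaus or Microsoft Sentinel. It runs the same logic as the CommonSecurityLog hunt above offline over a handful of constructed proxy and firewall rows (RequestURL or DestinationIP hitting an IOC host), and applies the exclusion style recommended in the false-positive scenarios: an approved threat-intel fetcher is dropped by its SourceIP rather than by URL pattern. The sample rows, the allowlisted source 10.0.5.20 and all function names are constructed for this example; the IOC list is the one on the page.

```python
"""Offline replay of the Mozi URL hunt against constructed CommonSecurityLog-like rows."""
from __future__ import annotations

import re
from urllib.parse import urlsplit

# The eight IOC URLs from the page, defanged exactly as listed.
MOZI_URLS = [
    "hxxp://110.36.24.140:35009/i",
    "hxxp://112.248.185.196:54532/bin.sh",
    "hxxp://42.225.68.198:35382/bin.sh",
    "hxxp://123.7.220.126:39624/bin.sh",
    "hxxp://110.37.103.93:40049/i",
    "hxxp://119.162.75.33:46969/i",
    "hxxp://42.224.100.97:35721/bin.sh",
    "hxxp://222.134.162.141:50727/i",
]

# Constructed: source hosts allowed to contact the IOCs (a scheduled TI job).
ALLOWED_SOURCES = {"10.0.5.20"}


def refang(url: str) -> str:
    """Undo the usual defanging (hxxp/hxxps, [.]) so the URL parses normally."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE).replace("[.]", ".")


def parse_ioc(url: str) -> tuple[str, int, str]:
    """Split an IOC URL into (host, port, path); port defaults to 80 for http."""
    parts = urlsplit(refang(url))
    return parts.hostname, parts.port or 80, parts.path


IOC_HOST_PORTS = {(host, port) for host, port, _ in map(parse_ioc, MOZI_URLS)}
IOC_HOSTS = {host for host, _ in IOC_HOST_PORTS}


def classify(row: dict) -> str | None:
    """Return why a row matches ("RequestURL" or "DestinationIP"), or None.

    Matching is on the IOC host, not host+port: Mozi drop sites sit on random
    high ports, so a second port on the same IP is still worth a look. Whether
    the port was the exact IOC is reported separately by hunt().
    """
    url = row.get("RequestURL")
    if url and urlsplit(refang(url)).hostname in IOC_HOSTS:
        return "RequestURL"
    if row.get("DestinationIP") in IOC_HOSTS:
        return "DestinationIP"
    return None


def hunt(rows: list[dict], allowed_sources: set[str] = ALLOWED_SOURCES) -> list[dict]:
    """Classify each row and drop hits whose SourceIP is an allowlisted fetcher."""
    hits = []
    for row in rows:
        reason = classify(row)
        if reason is None or row.get("SourceIP") in allowed_sources:
            continue
        if row.get("RequestURL"):
            parts = urlsplit(refang(row["RequestURL"]))
            host_port = (parts.hostname, parts.port or 80)
        else:
            host_port = (row.get("DestinationIP"), row.get("DestinationPort"))
        hits.append({**row, "MatchedOn": reason, "ExactIocPort": host_port in IOC_HOST_PORTS})
    return hits


SAMPLE_ROWS = [
    # Constructed: IoT device on an office VLAN pulling the dropper script.
    {"SourceIP": "192.168.40.17", "RequestURL": "http://42.225.68.198:35382/bin.sh",
     "DestinationIP": "42.225.68.198", "DestinationPort": 35382, "DeviceAction": "allow"},
    # Constructed: the same fetch by the approved TI job; excluded by SourceIP.
    {"SourceIP": "10.0.5.20", "RequestURL": "http://42.225.68.198:35382/bin.sh",
     "DestinationIP": "42.225.68.198", "DestinationPort": 35382, "DeviceAction": "allow"},
    # Constructed: firewall row with no URL; destination IP and port are an IOC.
    {"SourceIP": "192.168.40.22", "RequestURL": None,
     "DestinationIP": "222.134.162.141", "DestinationPort": 50727, "DeviceAction": "deny"},
    # Constructed: same IOC IP on another port; still reported, flagged inexact.
    {"SourceIP": "192.168.40.22", "RequestURL": None,
     "DestinationIP": "222.134.162.141", "DestinationPort": 443, "DeviceAction": "allow"},
    # Constructed: neighbouring IP that is not on the list; no hit.
    {"SourceIP": "192.168.40.30", "RequestURL": "http://42.225.68.199:35382/bin.sh",
     "DestinationIP": "42.225.68.199", "DestinationPort": 35382, "DeviceAction": "allow"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_ROWS):
        print(hit["SourceIP"], hit["DestinationIP"], hit["DestinationPort"], hit["MatchedOn"],
              "exact-ioc-port" if hit["ExactIocPort"] else "other-port", hit["DeviceAction"])
```

Run as-is it reports three hits: the IoT device's allowed fetch, the denied firewall connection to an IOC host on its listed port, and the same host on port 443 marked as a non-exact port match; the TI job's identical fetch is suppressed by the source allowlist, which is the exclusion shape the scenarios above call for.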