Hunt hypothesis: hosts infected with, or in the process of being infected by, Mozi malware contact URLs listed in URLhaus, which are known to be used for initial compromise (payload download) and command and control communication. SOC teams should proactively hunt for connections to these URLs in Azure Sentinel to identify and contain malware infections and subsequent lateral movement in their environment.
IOC Summary
Threat: Mozi | Total URLs: 5 | Active URLs: 5
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://37.52.190.75:37850/i | online | malware_download | 2026-04-20 |
| hxxp://37.52.190.75:37850/bin.sh | online | malware_download | 2026-04-20 |
| hxxp://42.229.217.114:41284/i | online | malware_download | 2026-04-20 |
| hxxp://42.229.217.114:41284/bin.sh | online | malware_download | 2026-04-20 |
| hxxp://42.230.17.43:37422/bin.sh | online | malware_download | 2026-04-20 |
```kusto
// Hunt for DNS resolution involving URLhaus Mozi IOCs
// Threat: Mozi
// Note: the URLhaus entries above are bare IP addresses, not hostnames, so the
// query name alone would never match them; match resolved addresses as well.
let malicious_ips = dynamic(["42.229.217.114", "42.230.17.43", "37.52.190.75"]);
DnsEvents
| where Name has_any (malicious_ips) or IPAddresses has_any (malicious_ips)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web/firewall traffic to URLhaus Mozi IOCs
// Threat: Mozi
// Match the request URL, the destination host name and the destination IP,
// since a client that connects by raw IP:port never populates a host name.
let malicious_ips = dynamic(["42.229.217.114", "42.230.17.43", "37.52.190.75"]);
CommonSecurityLog
| where RequestURL has_any (malicious_ips)
    or DestinationHostName has_any (malicious_ips)
    or DestinationIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
| Scenario | Filter/Exclusion |
|---|---|
| A system administrator is manually testing a new URL shortening service by generating and accessing a few legitimate short URLs for internal documentation. | Exclude URLs that match the domain of the internal URL shortening service (e.g., internal-short.url). |
| A scheduled job runs a script that fetches and processes data from a known malicious URLhaus entry as part of a security testing exercise. | Exclude URLs that are part of a predefined list of test URLs used in security training or penetration testing. |
| A user is accessing a legitimate Mozi-related support page hosted on a secure internal network, which is mistakenly flagged due to a shared URL pattern. | Exclude URLs that originate from internal IP ranges or are associated with internal security tools (e.g., 10.0.0.0/8 or 192.168.0.0/16). |
| A security tool such as OSSEC or Splunk is configured to periodically download the URLhaus feed itself, so the feed host (not the listed malicious URLs) appears in the web logs. | Exclude URLs that belong to the known security tool update feeds (e.g., urlhaus.abuse.ch or urlhaus.org). |
| A DevOps team is deploying a new application that includes a legitimate Mozi-based component, and the deployment process involves accessing a Mozi-related URL for configuration. | Exclude URLs that are part of the CI/CD pipeline or associated with known deployment tools (e.g., Jenkins, GitHub Actions, or Ansible scripts). |
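The two hunt queries above match on address strings alone, and the false-positive scenarios describe exclusions in prose only. The following query is an added example, not part of the original hunt, that combines both ideas: it carries the five URLhaus entries as destination IP:port pairs (ports transcribed from the IOC table), so a Mozi client that connects by raw address on the listed high port is caught even when no DNS name or URL is logged, and it drops traffic from an allowlisted range of sanctioned security-testing hosts, which is the exclusion the second scenario calls for. Table and column names are the standard Sentinel CommonSecurityLog schema; the `allowlisted_sources` range and the 30-day lookback are placeholder assumptions to edit for your environment.

```kusto
// Added example for the Mozi/URLhaus hunt (not from the original playbook).
// Assumptions: standard CommonSecurityLog schema; allowlisted_sources is a placeholder.
let lookback = 30d;
// IOC list transcribed from the URLhaus table above. The defanged URL is kept only as a label;
// matching is done on destination IP and port, which survive even when no URL is logged.
let mozi_iocs = datatable(DestinationIP:string, DestinationPort:int, IocUrl:string) [
    "37.52.190.75",   37850, "hxxp://37.52.190.75:37850/i",
    "37.52.190.75",   37850, "hxxp://37.52.190.75:37850/bin.sh",
    "42.229.217.114", 41284, "hxxp://42.229.217.114:41284/i",
    "42.229.217.114", 41284, "hxxp://42.229.217.114:41284/bin.sh",
    "42.230.17.43",   37422, "hxxp://42.230.17.43:37422/bin.sh"
];
// Placeholder: source range of sanctioned security-testing hosts (false-positive scenario 2).
let allowlisted_sources = dynamic(["10.99.0.0/24"]);
CommonSecurityLog
| where TimeGenerated > ago(lookback)
// Cheap pre-filter on IP before the join.
| where DestinationIP in ((mozi_iocs | distinct DestinationIP))
// Drop allowlisted test hosts. coalesce() keeps rows whose SourceIP is empty or unparsable,
// because ipv4_is_in_any_range() returns null for those and a bare not() would silently discard them.
| where coalesce(ipv4_is_in_any_range(SourceIP, allowlisted_sources), false) == false
// Join on IP *and* port: Mozi nodes serve payloads on random high ports, and the same
// address may carry unrelated traffic on other ports that is not part of this hunt.
| join kind=inner mozi_iocs on DestinationIP, DestinationPort
| summarize Hits = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            MatchedIocs = make_set(IocUrl),
            Actions = make_set(DeviceAction)
    by SourceIP, DestinationIP, DestinationPort, DeviceVendor
| order by LastSeen desc
```

One row per internal source and IOC endpoint is more useful for triage than the raw event list: `Actions` shows whether the firewall allowed or blocked the connection, and `FirstSeen`/`LastSeen` separate a single download attempt from a host that is beaconing. Hits on the `/bin.sh` entries with an allowed action are the strongest indicator of an actual payload fetch.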