The working hypothesis is that the listed URLs belong to Mozi malware infrastructure, used for command-and-control communication and data exfiltration. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential compromise of endpoints and networks.
IOC Summary
Threat: Mozi
Total URLs: 6
Active URLs: 6
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://110.39.230.3:47945/i | online | malware_download | 2026-06-01 |
| hxxp://123.14.82.243:55162/i | online | malware_download | 2026-06-01 |
| hxxp://115.55.61.147:47382/i | online | malware_download | 2026-06-01 |
| hxxp://115.55.61.147:47382/bin.sh | online | malware_download | 2026-06-01 |
| hxxp://115.58.84.209:58891/i | online | malware_download | 2026-06-01 |
| hxxp://115.58.84.209:58891/bin.sh | online | malware_download | 2026-06-01 |
```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: Mozi
// The Mozi IOCs above are bare IP:port values, not hostnames, so a dotted-quad
// will not normally appear as a queried Name; also match the resolved addresses.
let malicious_domains = dynamic(["115.58.84.209", "115.55.61.147", "123.14.82.243", "110.39.230.3"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious domains
// Threat: Mozi
// Because the IOCs are IP addresses, check DestinationIP as well as the URL and
// hostname fields; proxy/firewall records often carry no RequestURL at all.
let malicious_domains = dynamic(["115.58.84.209", "115.55.61.147", "123.14.82.243", "110.39.230.3"]);
CommonSecurityLog
| where DestinationIP has_any (malicious_domains)
    or RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
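As an added example, not part of the original hunting note, the Python below parses the IOC table above as published (defanged hxxp:// rows), refangs the URLs without fetching anything, emits the de-duplicated `let` list the Sentinel queries use, and runs the same destination-IP match over constructed proxy-log records. The sample events and the near-miss address 115.55.61.14 are constructed for illustration; the matcher goes slightly beyond the page by showing why the IP comparison must be exact rather than a substring test.

```python
import re
from urllib.parse import urlsplit

# IOC rows copied from the table above (defanged with hxxp://); the date column is ignored.
IOC_ROWS = """
hxxp://110.39.230.3:47945/i | online | malware_download | 2026-06-01
hxxp://123.14.82.243:55162/i | online | malware_download | 2026-06-01
hxxp://115.55.61.147:47382/i | online | malware_download | 2026-06-01
hxxp://115.55.61.147:47382/bin.sh | online | malware_download | 2026-06-01
hxxp://115.58.84.209:58891/i | online | malware_download | 2026-06-01
hxxp://115.58.84.209:58891/bin.sh | online | malware_download | 2026-06-01
"""
# Constructed CommonSecurityLog-style records (not real telemetry): a hit on the
# IOC port, a near-miss IP (115.55.61.14) and an IOC IP on a different port.
SAMPLE_EVENTS = [
    {"SourceIP": "10.0.5.23", "DestinationIP": "115.55.61.147", "DestinationPort": 47382},
    {"SourceIP": "10.0.5.24", "DestinationIP": "115.55.61.14", "DestinationPort": 443},
    {"SourceIP": "10.0.5.25", "DestinationIP": "115.58.84.209", "DestinationPort": 80},
]

def refang(url):
    """Turn hxxp:// and [.] back into a parseable URL; nothing is fetched."""
    return re.sub(r"^hxxp", "http", url.strip(), flags=re.I).replace("[.]", ".")

def parse_iocs(rows):
    """Return one dict per row with ip, port, path, status and threat tag."""
    iocs = []
    for line in rows.strip().splitlines():
        url, status, threat, _date = (c.strip() for c in line.split("|"))
        u = urlsplit(refang(url))
        iocs.append({"ip": u.hostname, "port": u.port, "path": u.path,
                     "status": status, "threat": threat})
    return iocs

def kql_ip_list(iocs, name="malicious_ips"):
    """Emit the de-duplicated `let` line used by the Sentinel queries above."""
    ips = sorted({i["ip"] for i in iocs})
    return "let %s = dynamic([%s]);" % (name, ", ".join('"%s"' % ip for ip in ips))

def match_events(events, iocs):
    """Exact match on DestinationIP (a substring test would also flag 115.55.61.14);
    port_match tells the analyst whether the connection used the exact IOC port."""
    ports_by_ip = {}
    for i in iocs:
        ports_by_ip.setdefault(i["ip"], set()).add(i["port"])
    hits = []
    for ev in events:
        ports = ports_by_ip.get(ev["DestinationIP"])
        if ports is not None:
            hits.append(dict(ev, port_match=ev["DestinationPort"] in ports))
    return hits
```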
Scenario: A system administrator is manually testing a new URL shortener tool by accessing a few legitimate URLs from the URLhaus list for validation purposes.
Filter/Exclusion: Exclude URLs that match the urlhaus.com domain or any URLs associated with known URL shortening services like bit.ly, tinyurl.com, or ow.ly.
Scenario: A scheduled job runs nightly to fetch and process threat intelligence feeds, including URLs from URLhaus, which are then stored in a database for analysis.
Filter/Exclusion: Exclude URLs that are part of a known threat intelligence ingestion process, such as those matching the threatintel.example.com domain or any URLs that include the query parameter ?source=urlhaus.
Scenario: A security analyst is using the OSSEC HIDS to monitor system logs and manually checks URLs from URLhaus as part of a manual investigation.
Filter/Exclusion: Exclude URLs that are part of OSSEC’s own rule testing or that appear in the ossec.log file with a specific log tag like ossec:rule-test.
Scenario: A PowerShell script is used to automate the download of malware samples from a local repository, and one of the sample URLs is mistakenly tagged with the Mozi label.
Filter/Exclusion: Exclude URLs that are part of an internal malware repository (e.g., internal-malware-repo.example.com) or that contain the query parameter ?type=sample.
Scenario: A Windows Task Scheduler job is configured to run a script that fetches and processes URLs from URLhaus for signature updates, and the script temporarily includes Mozi URLs in its test environment.
Filter/Exclusion: Exclude URLs that are part of the signature-update process or that contain the path /signature-testing/ in their URL.