This hunt hypothesis covers adversaries using Mozi malware-distribution URLs to compromise endpoints and establish command-and-control channels. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and contain potential infections before they spread within the network.
IOC Summary
Threat: Mozi
Total URLs: 4
Active URLs: 4

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://78.167.39.24:57766/bin.sh | online | malware_download | 2026-06-26 |
| hxxp://39.73.206.102:54460/i | online | malware_download | 2026-06-26 |
| hxxp://219.155.201.202:58944/i | online | malware_download | 2026-06-26 |
| hxxp://39.73.206.102:54460/bin.sh | online | malware_download | 2026-06-26 |
```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: Mozi
// The Mozi IOCs on this page are bare IPs, so a DNS query name alone will
// rarely contain them; also match the resolved addresses in IPAddresses.
let malicious_domains = dynamic(["78.167.39.24", "219.155.201.202", "39.73.206.102"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious domains
// Threat: Mozi
// Also check DestinationIP directly, since proxies and firewalls may log the
// IP without a RequestURL or DestinationHostName for these IP-only URLs.
let malicious_domains = dynamic(["78.167.39.24", "219.155.201.202", "39.73.206.102"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
    or DestinationIP in (malicious_domains)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
- Scenario: A system administrator is manually testing a URL shortener service (e.g., Bitly) to verify link validity.
  - Filter/Exclusion: Exclude URLs containing the domain bitly.com or any known URL shortening service domains.
- Scenario: A scheduled job runs a script to fetch updates from a trusted internal repository (e.g., GitLab CI/CD pipeline) using a URL that matches the Mozi pattern.
  - Filter/Exclusion: Exclude URLs that match the internal repository domain (e.g., gitlab.example.com) or use a whitelisted URL pattern.
- Scenario: A security team member is using a threat intelligence tool (e.g., CrowdStrike Falcon, Microsoft Defender ATP) to manually test a URL for malware analysis.
  - Filter/Exclusion: Exclude URLs that are part of the threat intelligence tool's sandboxing environment or are flagged as safe by the tool's internal reputation system.
- Scenario: A DevOps team is deploying a configuration management tool (e.g., Ansible, Puppet) that uses a URL to download a playbook or script from a public repository (e.g., GitHub).
  - Filter/Exclusion: Exclude URLs that originate from known public repositories (e.g., github.com) or are part of the CI/CD pipeline's artifact download process.
- Scenario: A user is accessing a legitimate enterprise URL that was previously flagged by URLhaus due to a historical association with malicious activity.
  - Filter/Exclusion: Exclude URLs that are part of the enterprise's internal whitelist or have been reclassified as safe by the security team.
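As an added example (not part of the original hunt content), the query below ties the two hunts and the exclusion scenarios together: it matches the IOC table on destination IP and port, since these Mozi URLs carry no hostname, and then drops traffic to an allowlist of hosts. The allowlist entries are assumed placeholders taken from the scenarios above, to be replaced with the organisation's own.

```kusto
// Added example, not part of the original hunt: match the four Mozi IOCs on
// destination IP and port (the URLs are IP:port only), then apply the
// allowlist exclusions from the false-positive scenarios.
let mozi_iocs = datatable(ip:string, port:int, path:string) [
    "78.167.39.24",    57766, "/bin.sh",
    "39.73.206.102",   54460, "/i",
    "219.155.201.202", 58944, "/i",
    "39.73.206.102",   54460, "/bin.sh"
];
// Assumed allowlist drawn from the scenarios above; replace with your own entries.
let allowlisted_hosts = dynamic(["bitly.com", "gitlab.example.com", "github.com"]);
CommonSecurityLog
| where isnotempty(DestinationIP)
// Match on IP and port together so unrelated traffic to a shared IP is not flagged
| join kind=inner (mozi_iocs | distinct ip, port)
    on $left.DestinationIP == $right.ip, $left.DestinationPort == $right.port
// Drop traffic to allowlisted hosts, whether logged as hostname or URL
| where not(DestinationHostName has_any (allowlisted_hosts))
| where not(RequestURL has_any (allowlisted_hosts))
// Record which payload path from the IOC table was requested, if any
| extend PayloadPath = case(RequestURL endswith "/bin.sh", "/bin.sh",
                            RequestURL endswith "/i", "/i",
                            "")
// One row per source/destination pair, with the device verdicts seen
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
            Hits = count(), Actions = make_set(DeviceAction), Paths = make_set(PayloadPath)
    by SourceIP, DestinationIP, DestinationPort
| order by LastSeen desc
```

Rows whose Actions set contains only a block verdict confirm the control worked; rows with an allow verdict are the hosts to triage first.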