This hunt hypothesis looks for hosts in the environment that access malicious URLs listed in URLhaus for the Mozi malware family; these URLs are known to be used for initial compromise and for command and control communication. SOC teams should proactively hunt for this behavior in Azure Sentinel so that potential breaches are identified and mitigated early in the attack lifecycle.
IOC Summary

Threat: Mozi. Total URLs: 5. Active URLs: 5.

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://222.138.135.208:60578/bin.sh | online | malware_download | 2026-06-19 |
| hxxp://125.41.228.41:46151/i | online | malware_download | 2026-06-19 |
| hxxp://115.56.150.110:44124/i | online | malware_download | 2026-06-19 |
| hxxp://42.230.230.208:38956/i | online | malware_download | 2026-06-19 |
| hxxp://110.37.111.110:38039/i | online | malware_download | 2026-06-19 |
```kusto
// Hunt for DNS activity involving the URLhaus indicators
// Threat: Mozi
// Note: these indicators are IP literals, so they will rarely appear in the
// queried Name; also match the resolved IPAddresses so the hunt can fire.
let malicious_domains = dynamic(["222.138.135.208", "42.230.230.208", "110.37.111.110", "115.56.150.110", "125.41.228.41"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web/proxy/firewall traffic to the URLhaus indicators
// Threat: Mozi
let malicious_domains = dynamic(["222.138.135.208", "42.230.230.208", "110.37.111.110", "115.56.150.110", "125.41.228.41"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
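The indicator lists in the two queries above are hand-copied from the defanged URLhaus table, which is error-prone when the feed changes. The helper below, an added example and not part of the original hunt page or of URLhaus tooling, refangs the table rows, strips ports, drops offline or malformed entries, de-duplicates the hosts and renders both hunt queries; the row strings are the five rows from the IOC table above, and the variable name `malicious_hosts` is this example's own choice.

```python
import re
from urllib.parse import urlsplit

# Constructed input: the five defanged rows of the IOC table above.
IOC_ROWS = [
    "hxxp://222.138.135.208:60578/bin.sh | online | malware_download | 2026-06-19",
    "hxxp://125.41.228.41:46151/i | online | malware_download | 2026-06-19",
    "hxxp://115.56.150.110:44124/i | online | malware_download | 2026-06-19",
    "hxxp://42.230.230.208:38956/i | online | malware_download | 2026-06-19",
    "hxxp://110.37.111.110:38039/i | online | malware_download | 2026-06-19",
]

def refang(url: str) -> str:
    """Undo URLhaus-style defanging: hxxp(s):// and bracketed dots/colons."""
    url = re.sub(r"^hxxp(s?)://", r"http\1://", url.strip(), flags=re.I)
    return url.replace("[.]", ".").replace("[:]", ":")

def extract_hosts(rows, only_online=True):
    """Sorted, de-duplicated hosts (port stripped) from IOC table rows."""
    hosts = set()
    for row in rows:
        cols = [c.strip() for c in row.split("|")]
        if len(cols) < 2 or (only_online and cols[1] != "online"):
            continue  # skip malformed rows and, by default, offline URLs
        host = urlsplit(refang(cols[0])).hostname  # .hostname drops the port
        if host:
            hosts.add(host)
    return sorted(hosts)

def kql_list(hosts) -> str:
    """Render hosts as a KQL dynamic([...]) literal usable with has_any()."""
    return "dynamic([" + ", ".join(f'"{h}"' for h in hosts) + "])"

def build_queries(hosts):
    """Return the DnsEvents and CommonSecurityLog hunt queries as strings."""
    let = f"let malicious_hosts = {kql_list(hosts)};"
    dns = "\n".join([let, "DnsEvents",
        "| where Name has_any (malicious_hosts) or IPAddresses has_any (malicious_hosts)",
        "| project TimeGenerated, Computer, Name, IPAddresses"])
    web = "\n".join([let, "CommonSecurityLog",
        "| where RequestURL has_any (malicious_hosts) or DestinationHostName has_any (malicious_hosts)",
        "| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction"])
    return dns, web

if __name__ == "__main__":
    for q in build_queries(extract_hosts(IOC_ROWS)):
        print(q, end="\n\n")
```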
Scenario: A system administrator is manually testing a new URL shortening service by generating and accessing short URLs for internal documentation.
Filter/Exclusion: Exclude URLs that match internal URL shortening services (e.g., short.url, internal.link, doc.short).
Scenario: A scheduled job runs a script to fetch updates from a public threat intelligence feed, which includes URLs tagged as Mozi.
Filter/Exclusion: Exclude URLs that originate from known threat intelligence feeds (e.g., urlhaus.org, threatintel.example.com).
Scenario: A developer is using a CI/CD pipeline to test a new application that dynamically generates URLs for API endpoints during integration testing.
Filter/Exclusion: Exclude URLs that match CI/CD tooling domains (e.g., ci.example.com, dev.example.com, pipeline.example.com).
Scenario: An IT support team member is accessing a legitimate support portal URL that is mistakenly tagged as Mozi in the URLhaus database.
Filter/Exclusion: Exclude URLs that match known support or helpdesk domains (e.g., support.example.com, helpdesk.example.com).
Scenario: A user is accessing a legitimate phishing training page that mimics a malicious URL format used by Mozi.
Filter/Exclusion: Exclude URLs that match phishing training domains (e.g., phishingtraining.example.com, safeurl.example.com).