The hunt hypothesis detects adversaries using Mozi malware distribution URLs to compromise endpoints and exfiltrate data. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential breaches before lateral movement and data theft occur.
IOC Summary

Threat: Mozi
Total URLs: 11
Active URLs: 10

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://42.225.86.106:40362/i | online | malware_download | 2026-05-23 |
| hxxp://42.225.86.106:40362/bin.sh | online | malware_download | 2026-05-23 |
| hxxp://110.36.26.130:37045/i | online | malware_download | 2026-05-23 |
| hxxp://85.108.80.43:51999/bin.sh | offline | malware_download | 2026-05-23 |
| hxxp://110.36.1.80:52339/i | online | malware_download | 2026-05-22 |
| hxxp://221.14.85.89:42406/i | online | malware_download | 2026-05-22 |
| hxxp://125.41.77.7:57251/i | online | malware_download | 2026-05-22 |
| hxxp://125.41.6.74:57548/i | online | malware_download | 2026-05-22 |
| hxxp://125.41.77.7:57251/bin.sh | online | malware_download | 2026-05-22 |
| hxxp://125.41.6.74:57548/bin.sh | online | malware_download | 2026-05-22 |
| hxxp://115.55.160.114:49017/i | online | malware_download | 2026-05-22 |
The two hunt queries below are separate KQL queries; run each on its own, since a single query cannot declare `malicious_domains` twice. Note that the indicator list holds raw IP addresses (Mozi distribution URLs use IP:port, not hostnames), so the DNS query also checks the resolved `IPAddresses` column, not only the queried `Name`, and the proxy/firewall query also checks `DestinationIP`. The offline indicator (85.108.80.43) is intentionally left out of the active list.

```kql
// Hunt for DNS resolution involving URLhaus malicious hosts (IP addresses)
// Threat: Mozi
let malicious_domains = dynamic(["115.55.160.114", "42.225.86.106", "110.36.26.130", "221.14.85.89", "125.41.77.7", "125.41.6.74", "110.36.1.80"]);
DnsEvents
// Name would only match on reverse lookups; the resolved-address column is where a forward lookup lands
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious hosts (IP addresses)
// Threat: Mozi
let malicious_domains = dynamic(["115.55.160.114", "42.225.86.106", "110.36.26.130", "221.14.85.89", "125.41.77.7", "125.41.6.74", "110.36.1.80"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
    or DestinationIP has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Known false-positive scenarios and the exclusions to apply:

- Scenario: A system administrator is manually testing a URL shortener service (e.g., Bitly) used for internal documentation.
  Filter/Exclusion: Exclude URLs containing the domain internal-docs.example.com or any URL with the substring test-shortlink.
- Scenario: A scheduled job runs a script to fetch updates from a known safe repository (e.g., GitHub Actions) that includes URLs matching the Mozi pattern.
  Filter/Exclusion: Exclude URLs containing the domain github.com or any URL that includes the query parameter ?action=fetch.
- Scenario: A security tool (e.g., CrowdStrike Falcon) is configured to download and update its own signature database, which includes URLs that match the Mozi pattern.
  Filter/Exclusion: Exclude URLs containing the domain falcon.crowdstrike.com or any URL that includes the path /update.
- Scenario: A DevOps team uses a CI/CD pipeline (e.g., Jenkins) to deploy code, and the pipeline includes a step that downloads dependencies from a known safe source (e.g., npm registry), which may have URLs that match the Mozi pattern.
  Filter/Exclusion: Exclude URLs containing the domain npmjs.org or any URL that includes the path /dist.
- Scenario: An IT helpdesk tool (e.g., ServiceNow) sends automated emails with links to internal support portals, which may temporarily match the Mozi URL pattern due to a naming convention.
  Filter/Exclusion: Exclude URLs containing the domain support.example.com or any URL that includes the path /ticket.
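As an added example (not part of the original hunt page), the Python below ties the IOC table, the KQL indicator list and the exclusion scenarios together: it refangs the `hxxp://` URLs from the table, derives the host list that the `let malicious_domains = dynamic([...])` line should contain (active indicators only, which reproduces the page's list exactly), emits that KQL line, and runs the same match-then-exclude logic over a handful of constructed CommonSecurityLog-style records. The sample records, their `SourceIP` values and the `203.0.113.x` address are constructed; the exclusion domains and path fragments are the ones listed in the scenarios above.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed copy of the URLhaus rows from the IOC table above (defanged "hxxp" form).
IOC_ROWS = [
    ("hxxp://42.225.86.106:40362/i", "online"),
    ("hxxp://42.225.86.106:40362/bin.sh", "online"),
    ("hxxp://110.36.26.130:37045/i", "online"),
    ("hxxp://85.108.80.43:51999/bin.sh", "offline"),
    ("hxxp://110.36.1.80:52339/i", "online"),
    ("hxxp://221.14.85.89:42406/i", "online"),
    ("hxxp://125.41.77.7:57251/i", "online"),
    ("hxxp://125.41.6.74:57548/i", "online"),
    ("hxxp://125.41.77.7:57251/bin.sh", "online"),
    ("hxxp://125.41.6.74:57548/bin.sh", "online"),
    ("hxxp://115.55.160.114:49017/i", "online"),
]

# Exclusion rules taken from the false-positive scenarios on this page.
EXCLUDED_DOMAINS = ("internal-docs.example.com", "github.com",
                    "falcon.crowdstrike.com", "npmjs.org", "support.example.com")
EXCLUDED_PATH_FRAGMENTS = ("test-shortlink", "action=fetch", "/update", "/dist", "/ticket")


def refang(url):
    """Turn the defanged hxxp:// scheme back into http:// so urlsplit can parse it."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def extract_hosts(rows, active_only=True):
    """Return the sorted, de-duplicated set of hosts (here: IP addresses) from the IOC rows."""
    hosts = set()
    for url, status in rows:
        if active_only and status != "online":
            continue  # offline indicators are dropped, as the page's KQL list does
        host = urlsplit(refang(url)).hostname
        if host:
            hosts.add(host)
    return sorted(hosts)


def kql_let(name, values):
    """Render the KQL 'let' line that the hunt queries above expect."""
    return f"let {name} = dynamic({json.dumps(values)});"


def is_excluded(url):
    """Apply the page's exclusions: host under an allowlisted domain, or a known path/query fragment."""
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower()
    if any(host == d or host.endswith("." + d) for d in EXCLUDED_DOMAINS):
        return True
    path_and_query = parts.path + ("?" + parts.query if parts.query else "")
    return any(frag in path_and_query for frag in EXCLUDED_PATH_FRAGMENTS)


def hunt(records, hosts):
    """Mirror the CommonSecurityLog query: match on URL host, DestinationHostName or DestinationIP,
    then drop records covered by an exclusion."""
    wanted = set(hosts)
    hits = []
    for rec in records:
        url = rec.get("RequestURL", "")
        url_host = urlsplit(refang(url)).hostname if url else None
        candidates = {url_host, rec.get("DestinationHostName"), rec.get("DestinationIP")}
        if not (candidates & wanted):
            continue
        if url and is_excluded(url):
            continue
        hits.append(rec)
    return hits


# Constructed CommonSecurityLog-style records (not real telemetry).
SAMPLE_RECORDS = [
    {"TimeGenerated": "2026-05-23T10:01:00Z", "SourceIP": "10.0.0.15",
     "RequestURL": "http://125.41.77.7:57251/bin.sh", "DestinationHostName": "",
     "DestinationIP": "125.41.77.7", "DeviceAction": "allow"},
    {"TimeGenerated": "2026-05-23T10:02:00Z", "SourceIP": "10.0.0.22",
     "RequestURL": "https://github.com/org/repo/archive/main.zip?action=fetch",
     "DestinationHostName": "github.com", "DestinationIP": "203.0.113.10", "DeviceAction": "allow"},
    {"TimeGenerated": "2026-05-23T10:03:00Z", "SourceIP": "10.0.0.31",
     "RequestURL": "", "DestinationHostName": "",  # firewall record with no URL, only a destination IP
     "DestinationIP": "42.225.86.106", "DeviceAction": "deny"},
    {"TimeGenerated": "2026-05-23T10:04:00Z", "SourceIP": "10.0.0.40",
     "RequestURL": "http://85.108.80.43:51999/bin.sh", "DestinationHostName": "",
     "DestinationIP": "85.108.80.43", "DeviceAction": "allow"},  # offline indicator
]

if __name__ == "__main__":
    active = extract_hosts(IOC_ROWS)
    print(kql_let("malicious_domains", active))
    for hit in hunt(SAMPLE_RECORDS, active):
        print(hit["TimeGenerated"], hit["SourceIP"], hit["RequestURL"] or hit["DestinationIP"])
```

Two design points worth noting: the record with an empty `RequestURL` still matches on `DestinationIP`, which is why the hunt query benefits from checking that column as well as the URL; and the path-fragment exclusions (`/update`, `/dist`, `/ticket`) are plain substring matches, so in production they should be combined with the host condition rather than applied on their own, or a malicious URL that happens to contain such a fragment would be suppressed.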