This hunt looks for contact with URLhaus-listed Mozi download infrastructure: plain-HTTP URLs on high, non-standard ports serving `bin.sh` or `i`, which is the pattern of the payload fetched onto a device after it has been exploited or logged into with default credentials. A hit therefore means a host on the network has reached the download stage of an infection, not merely that it was scanned. Mozi is a peer-to-peer IoT botnet and the hosts serving its payloads are themselves infected devices, usually on dynamic residential addresses, so these IPs age quickly and should be re-checked against the feed before being turned into blocking rules. SOC teams should hunt for this traffic proactively to catch early-stage activity in their Azure Sentinel environment.
IOC Summary
Threat: Mozi | Total URLs: 5 | Active URLs: 5
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://221.13.235.209:57163/bin.sh | online | malware_download | 2026-06-07 |
| hxxp://221.13.235.209:57163/i | online | malware_download | 2026-06-07 |
| hxxp://110.37.74.45:56586/i | online | malware_download | 2026-06-07 |
| hxxp://110.37.30.28:36402/i | online | malware_download | 2026-06-07 |
| hxxp://182.113.40.38:46519/i | online | malware_download | 2026-06-07 |
```kql
// Hunt for DNS activity involving the URLhaus IOCs
// Threat: Mozi
// The IOCs are raw IPs, so they will rarely appear as a query name (only for
// PTR lookups); the resolved answers in IPAddresses are the more likely match.
let malicious_ips = dynamic(["110.37.30.28", "221.13.235.209", "182.113.40.38", "110.37.74.45"]);
DnsEvents
| where Name has_any (malicious_ips) or IPAddresses has_any (malicious_ips)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to the URLhaus IOCs
// Threat: Mozi
// Match on the destination IP as well as the URL/hostname fields, since proxies
// and firewalls do not all populate RequestURL; flag whether the port also
// matches the feed (Mozi download ports vary between samples, so an IP-only
// match is still worth triage).
let malicious_ips = dynamic(["110.37.30.28", "221.13.235.209", "182.113.40.38", "110.37.74.45"]);
let malicious_ports = dynamic([57163, 56586, 36402, 46519]);
CommonSecurityLog
| where DestinationIP in (malicious_ips)
    or RequestURL has_any (malicious_ips)
    or DestinationHostName has_any (malicious_ips)
| extend ExactPortMatch = DestinationPort in (malicious_ports)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, RequestURL, DestinationHostName, DeviceAction, ExactPortMatch
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the CEF (Syslog) data connector from firewalls and proxies; ensure it is enabled and that the devices send RequestURL, DestinationIP and DestinationPort |
| DnsEvents | Populated by the Windows DNS Server (DNS Analytics) connector; ensure it is enabled and that resolved answers (IPAddresses) are collected, not only query names |
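As an added example that is not part of the original page or of the URLhaus or Sentinel tooling, the two hunts above re-implemented in Python and run over constructed proxy and DNS records, so the matching rules can be checked offline. It keys on each IOC's exact IP and port, downgrades an IP-only match to medium confidence (Mozi download ports vary between samples), checks DNS answers as well as the query name, and applies a source-based exclusion for a sandbox host of the kind the false-positive scenarios below call for. The source addresses, hostnames and the sandbox address are assumptions made for the example.

```python
"""Added example, not from the original page: the two Sentinel hunts above, run
offline over constructed log records so the matching logic can be checked.
Keys on the exact IP and port of each URLhaus entry, flags an IP-only match at
lower confidence, and applies a source-based exclusion. Source IPs, hostnames
and the sandbox address below are assumed values, not real telemetry."""
from typing import Dict, List, Set
from urllib.parse import urlsplit

IOC_URLS = [  # the five URLhaus entries from the IOC table above (defanged)
    "hxxp://221.13.235.209:57163/bin.sh",
    "hxxp://221.13.235.209:57163/i",
    "hxxp://110.37.74.45:56586/i",
    "hxxp://110.37.30.28:36402/i",
    "hxxp://182.113.40.38:46519/i",
]


def refang(url: str) -> str:
    """Undo URLhaus defanging so the URL parses: hxxp -> http, [.] -> ."""
    return url.replace("hxxp", "http", 1).replace("[.]", ".")


def parse_iocs(urls: List[str]) -> Dict[str, Set[int]]:
    """Map each IOC host (here all raw IPs) to the set of ports it served on."""
    iocs: Dict[str, Set[int]] = {}
    for u in urls:
        p = urlsplit(refang(u))
        port = p.port or (443 if p.scheme == "https" else 80)
        iocs.setdefault(p.hostname, set()).add(port)
    return iocs


def hunt_web(records, iocs, sanctioned_sources=frozenset()) -> List[dict]:
    """Equivalent of the CommonSecurityLog hunt: match on the destination IP or
    on the host inside the request URL, skipping sanctioned source hosts."""
    hits = []
    for r in records:
        if r["src"] in sanctioned_sources:
            continue  # e.g. the malware sandbox that fetches samples on purpose
        host = r["dst"]
        if r.get("url"):
            host = urlsplit(r["url"]).hostname or host
        ports = iocs.get(host)
        if ports is None:
            continue
        # exact IP+port from the feed is high confidence; same host on another
        # port is still worth triage because Mozi download ports vary
        confidence = "high" if r["dport"] in ports else "medium"
        hits.append({"time": r["time"], "src": r["src"], "ioc": host,
                     "port": r["dport"], "confidence": confidence})
    return hits


def hunt_dns(records, iocs) -> List[dict]:
    """Equivalent of the DnsEvents hunt. A raw IP rarely appears as the query
    name (only for PTR lookups), so the resolved answers are checked too."""
    hits = []
    for r in records:
        matched = [ip for ip in r.get("answers", []) if ip in iocs]
        if r["name"].lower() in iocs:
            matched.append(r["name"].lower())
        if matched:
            hits.append({"time": r["time"], "computer": r["computer"],
                         "name": r["name"], "ioc": sorted(set(matched))})
    return hits


# Constructed sample records (assumed hosts and addresses, not real telemetry).
WEB_LOG = [
    {"time": "2026-06-07T01:12:03Z", "src": "10.20.0.15", "dst": "221.13.235.209",
     "dport": 57163, "url": "http://221.13.235.209:57163/bin.sh"},
    {"time": "2026-06-07T01:12:09Z", "src": "10.20.0.15", "dst": "110.37.30.28",
     "dport": 8080, "url": "http://110.37.30.28:8080/i"},
    {"time": "2026-06-07T02:00:00Z", "src": "10.99.9.9", "dst": "182.113.40.38",
     "dport": 46519, "url": "http://182.113.40.38:46519/i"},  # sandbox fetch
    {"time": "2026-06-07T03:30:41Z", "src": "10.20.0.22", "dst": "93.184.216.34",
     "dport": 80, "url": "http://example.com/i"},
]
DNS_LOG = [
    {"time": "2026-06-07T01:11:58Z", "computer": "iot-gw-01",
     "name": "updates.example.net", "answers": ["110.37.74.45"]},
    {"time": "2026-06-07T01:20:00Z", "computer": "ws-042",
     "name": "example.com", "answers": ["93.184.216.34"]},
]
SANDBOX_HOSTS = frozenset({"10.99.9.9"})  # assumed detonation host to exclude


def run_hunt():
    """Run both hunts over the sample records and return (web_hits, dns_hits)."""
    iocs = parse_iocs(IOC_URLS)
    return hunt_web(WEB_LOG, iocs, SANDBOX_HOSTS), hunt_dns(DNS_LOG, iocs)


if __name__ == "__main__":
    web_hits, dns_hits = run_hunt()
    for hit in web_hits + dns_hits:
        print(hit)
```

Against the sample records this yields two web hits (one exact IP+port, one IP-only on port 8080), no hit for the excluded sandbox host, and one DNS hit where a benign-looking name resolved to a listed IP; the `/i` path on example.com is correctly ignored because the host is not in the feed.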
Note on false positives: both hunts match the exact public IPs listed in the feed, not the shape of the URL, so a request that merely looks like a Mozi download URL (an IP host, a high port, a path of /i or /bin.sh) will not trigger them on its own. The scenarios below matter only if the match list is broadened to such patterns. In every case the exclusion should key on the source of the traffic (a sanctioned tool or host) or on destinations the organisation provably owns, never on the destination pattern alone, so that a real Mozi download from an unexpected host is not silently dropped.
Scenario: Sandbox or threat-intel pipeline fetching the samples
Description: A malware sandbox, a feed collector, or an analyst retrieving the sample for analysis contacts the listed IP and port deliberately.
Filter/Exclusion: Exclude by SourceIP (or Computer) for the dedicated detonation or collection hosts only; review that list regularly, since those hosts are also the ones most exposed if sandbox isolation fails.
Scenario: Legitimate scheduled job using Mozi-like URLs for internal asset discovery
Description: A security team uses a tool like nmap or a PowerShell script (Invoke-WebRequest) to scan internal assets and generates URLs of the form http://<ip>:<high port>/<path> for internal services, which can resemble Mozi download URLs.
Filter/Exclusion: Exclude requests whose destination is in the organisation's internal (RFC 1918) ranges or whose source is the approved scanning host; a match on a public IP from the feed is never covered by this exclusion.
Scenario: Admin task using Mozi-like URLs for internal service testing
Description: An administrator uses curl or wget to test a legitimate internal service (e.g., a staging environment or API endpoint on a non-standard port) with a URL pattern similar to the Mozi entries.
Filter/Exclusion: Exclude destinations that resolve to internal DNS names or sit in internal ranges. A curl or wget user agent is not by itself a reason to exclude, because the download stage of an IoT botnet infection is typically performed with wget or a similar fetcher.
Scenario: Phishing simulation using Mozi-like URLs for training
Description: A security team runs a phishing simulation with a platform such as Mimecast or Proofpoint whose landing-page URLs use raw IPs or non-standard ports and so resemble the Mozi entries.
Filter/Exclusion: Exclude the simulation platform's documented domains and IP ranges for the duration of the campaign, as recorded by the organisation's phishing training system.
Scenario: Legitimate software update using Mozi-like URLs
Description: A system administrator deploys updates with a tool like Chocolatey or WSUS, and the update server is addressed by raw IP on a non-standard port, resembling a Mozi download URL.
Filter/Exclusion: Exclude the organisation's known update servers by destination IP or hostname, confirming the addresses against the update infrastructure's configuration rather than against the observed traffic.
Scenario: False positive from a third-party service using Mozi-like domain names
Description: A legitimate third-party service (e.g