The hypothesis is that the detected URLs are associated with the Mozi malware family, which is used to deliver payloads and establish command and control channels. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential malware infections and exfiltration activities early.
IOC Summary
Threat: Mozi
Total URLs: 4
Active URLs: 4

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://125.40.11.184:51518/bin.sh | online | malware_download | 2026-06-22 |
| hxxp://123.4.192.235:54849/bin.sh | online | malware_download | 2026-06-22 |
| hxxp://182.112.43.144:44783/bin.sh | online | malware_download | 2026-06-22 |
| hxxp://182.114.250.214:39068/i | online | malware_download | 2026-06-22 |
The two hunting queries below are separate KQL statements; run each on its own, since a single Sentinel query cannot contain two `let` bindings of the same name followed by two tabular expressions.

```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: Mozi
// The URLhaus entries for this campaign are bare IP addresses rather than hostnames,
// so a DNS query Name will rarely contain them; also match the resolved IPAddresses column.
let malicious_domains = dynamic(["125.40.11.184", "182.112.43.144", "123.4.192.235", "182.114.250.214"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious domains
// Threat: Mozi
let malicious_domains = dynamic(["125.40.11.184", "182.112.43.144", "123.4.192.235", "182.114.250.214"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: A system administrator is manually testing a new URL shortener tool by accessing a known-safe Mozi URL for validation purposes.
Filter/Exclusion: Exclude URLs that match the internal testing domain (test.shortener.example.com) using a regex pattern or a custom IP list.
Scenario: A scheduled job runs a daily script that fetches updates from a trusted internal repository, which includes a Mozi-tagged URL for artifact download.
Filter/Exclusion: Exclude URLs that originate from the internal repository domain (repo.internal.corp) or match a specific URL pattern used for artifact distribution.
Scenario: A user is accessing a phishing simulation link that mimics a Mozi-related URL as part of a security training exercise.
Filter/Exclusion: Exclude URLs that contain the keyword phishing-sim or are hosted on the internal security training platform (training.security.example.com).
Scenario: A DevOps pipeline is deploying a new application and pulls a dependency from a public package registry that includes a Mozi-tagged URL as part of a build process.
Filter/Exclusion: Exclude URLs that match the package registry domain (pkg.example.com) or are part of the CI/CD pipeline’s dependency resolution process.
Scenario: A security analyst is using the yara tool to analyze a suspicious file and manually accesses a Mozi-related URL to gather additional threat intelligence.
Filter/Exclusion: Exclude URLs that are part of the analyst’s internal threat intelligence platform (ti.example.com) or match a specific analyst tool’s known-good URL list.
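The following is an added example, not code from the original page: it refangs the defanged IOC URLs from the table above, derives the `let malicious_domains = dynamic([...])` line the hunting queries use, and triages constructed CommonSecurityLog-style rows against the IOC hosts while honouring the exclusion scenarios listed above. The allowlist hostnames are the assumed internal names from those scenarios, and the sample rows are constructed, not real telemetry.

```python
import re
from urllib.parse import urlsplit

# IOC URLs copied from the table on this page, in their defanged (hxxp) form.
IOC_URLS = [
    "hxxp://125.40.11.184:51518/bin.sh",
    "hxxp://123.4.192.235:54849/bin.sh",
    "hxxp://182.112.43.144:44783/bin.sh",
    "hxxp://182.114.250.214:39068/i",
]
# Internal hosts named in the exclusion scenarios above (assumed, not real infrastructure).
ALLOWLIST = {"test.shortener.example.com", "repo.internal.corp",
             "training.security.example.com", "pkg.example.com", "ti.example.com"}
# Constructed sample rows shaped like CommonSecurityLog output; not real telemetry.
SAMPLE_EVENTS = [
    {"SourceIP": "10.1.2.3", "RequestURL": "http://125.40.11.184:51518/bin.sh", "DestinationHostName": "125.40.11.184"},
    {"SourceIP": "10.1.2.4", "RequestURL": "http://182.114.250.214:8080/i", "DestinationHostName": "182.114.250.214"},
    {"SourceIP": "10.1.2.5", "RequestURL": "http://pkg.example.com/dep.tgz", "DestinationHostName": "pkg.example.com"},
]

def refang(url):
    """Reverse common defanging so the URL parses: hxxp -> http, [.] -> ."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url).replace("[.]", ".")

def ioc_endpoints(urls):
    """Map each IOC host to the set of ports it was seen serving payloads on."""
    endpoints = {}
    for raw in urls:
        parts = urlsplit(refang(raw))
        endpoints.setdefault(parts.hostname, set()).add(parts.port)
    return endpoints

def kql_let(endpoints, name="malicious_domains"):
    """Render the IOC hosts as the KQL `let` statement the hunting queries above expect."""
    hosts = ", ".join(f'"{h}"' for h in sorted(endpoints))
    return f"let {name} = dynamic([{hosts}]);"

def triage(events, endpoints, allowlist=ALLOWLIST):
    """Return (SourceIP, host, reason) for rows hitting an IOC host; allowlisted hosts are skipped."""
    hits = []
    for ev in events:
        url = ev.get("RequestURL", "")
        dest = ev.get("DestinationHostName") or urlsplit(url).hostname
        if dest in allowlist or dest not in endpoints:
            continue
        # Same host on an unexpected port is still worth a look, but label it for prioritisation.
        reason = "host+port match" if urlsplit(url).port in endpoints[dest] else "host match, unexpected port"
        hits.append((ev["SourceIP"], dest, reason))
    return hits
```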