Hunt hypothesis: hosts in the environment are fetching Mozi payloads from, or communicating with, the URLs that URLhaus lists for this family. Mozi is a peer-to-peer IoT botnet; the listed entries are bare IP:port URLs whose paths (/bin.sh and /i) are download stages used at initial compromise, not the botnet's later peer-to-peer traffic, so a match indicates a device at or near the point of infection. SOC teams should proactively hunt for connections to these endpoints in Microsoft Sentinel (formerly Azure Sentinel) to identify and contain compromised devices early in the attack lifecycle.
IOC Summary
Threat: Mozi. Total URLs: 9. Active URLs: 9.

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://203.99.180.148:37885/i | online | malware_download | 2026-06-09 |
| hxxp://125.44.58.115:37144/i | online | malware_download | 2026-06-09 |
| hxxp://110.39.255.227:53033/i | online | malware_download | 2026-06-09 |
| hxxp://42.231.90.102:46075/bin.sh | online | malware_download | 2026-06-09 |
| hxxp://203.99.180.148:37885/bin.sh | online | malware_download | 2026-06-09 |
| hxxp://110.39.255.227:53033/bin.sh | online | malware_download | 2026-06-09 |
| hxxp://125.44.243.86:56320/i | online | malware_download | 2026-06-09 |
| hxxp://182.119.71.137:60755/bin.sh | online | malware_download | 2026-06-09 |
| hxxp://125.44.243.86:56320/bin.sh | online | malware_download | 2026-06-09 |
// Hunt for DNS activity involving URLhaus-listed Mozi infrastructure
// Threat: Mozi
// The IOCs are bare IP:port URLs, so a host fetching them performs no forward
// lookup of a domain. Match on the resolved answers (IPAddresses) to catch any
// name that resolves to the listed hosts; the Name match is kept for IP-literal queries.
let mozi_ips = dynamic(["42.231.90.102", "125.44.243.86", "110.39.255.227", "203.99.180.148", "182.119.71.137", "125.44.58.115"]);
DnsEvents
| where IPAddresses has_any (mozi_ips) or Name has_any (mozi_ips)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc

// Hunt for proxy/firewall traffic to URLhaus-listed Mozi infrastructure
// Threat: Mozi
// Match on destination IP as well as the URL and host fields; a hit on one of the
// listed non-standard ports is higher confidence than a hit on the IP alone.
let mozi_ips = dynamic(["42.231.90.102", "125.44.243.86", "110.39.255.227", "203.99.180.148", "182.119.71.137", "125.44.58.115"]);
let mozi_ports = dynamic([37885, 37144, 53033, 46075, 56320, 60755]);
CommonSecurityLog
| where DestinationIP in (mozi_ips) or RequestURL has_any (mozi_ips) or DestinationHostName has_any (mozi_ips)
| extend PortMatch = DestinationPort in (mozi_ports)
| project TimeGenerated, DeviceVendor, SourceIP, DestinationIP, DestinationPort, PortMatch, RequestURL, DestinationHostName, DeviceAction
| order by PortMatch desc, TimeGenerated desc
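The two queries above key on the IP addresses only. Because the URLhaus entries are IP:port URLs, the port and path are also usable hunt terms, and the same matching logic is needed later when excluding the sandbox and collector hosts described in the false-positive scenarios. The following added example (not code from the original page or from URLhaus) parses the IOC table above into de-duplicated IPs, ports, paths and IP:port endpoints, renders them as KQL `let` lines for pasting into Sentinel, and runs the matching over a handful of constructed DnsEvents- and CommonSecurityLog-shaped records. The sample events, the internal source addresses and the `SANDBOX_SOURCES` allowlist are assumptions for illustration only.

```python
import ipaddress
from urllib.parse import urlsplit

# IOCs copied from the URLhaus table above, defanged (hxxp) as published.
URLHAUS_IOCS = [
    "hxxp://203.99.180.148:37885/i",
    "hxxp://125.44.58.115:37144/i",
    "hxxp://110.39.255.227:53033/i",
    "hxxp://42.231.90.102:46075/bin.sh",
    "hxxp://203.99.180.148:37885/bin.sh",
    "hxxp://110.39.255.227:53033/bin.sh",
    "hxxp://125.44.243.86:56320/i",
    "hxxp://182.119.71.137:60755/bin.sh",
    "hxxp://125.44.243.86:56320/bin.sh",
]


def refang(url: str) -> str:
    """Undo URLhaus defanging so the string parses as a normal URL."""
    return url.replace("hxxp://", "http://", 1).replace("hxxps://", "https://", 1)


def parse_ioc(url: str) -> dict:
    """Split one IOC into the fields a hunt can key on: host, port, path, host type."""
    parts = urlsplit(refang(url))
    host = parts.hostname or ""
    port = parts.port or (443 if parts.scheme == "https" else 80)
    try:
        ipaddress.ip_address(host)
        is_ip = True
    except ValueError:
        is_ip = False
    return {"host": host, "port": port, "path": parts.path, "is_ip": is_ip}


def build_terms(iocs) -> dict:
    """Collapse the IOC list into de-duplicated hunt terms (IPs, names, ports, paths, endpoints)."""
    parsed = [parse_ioc(u) for u in iocs]
    return {
        "ips": sorted({p["host"] for p in parsed if p["is_ip"]}),
        "names": sorted({p["host"] for p in parsed if not p["is_ip"]}),
        "ports": sorted({p["port"] for p in parsed}),
        "paths": sorted({p["path"] for p in parsed}),
        "endpoints": sorted({(p["host"], p["port"]) for p in parsed}),
    }


def kql_let(name: str, values) -> str:
    """Render a term list as a KQL `let name = dynamic([...]);` line for pasting into Sentinel."""
    rendered = ", ".join(f'"{v}"' if isinstance(v, str) else str(v) for v in values)
    return f"let {name} = dynamic([{rendered}]);"


def hunt_dns(events, terms) -> list:
    """DnsEvents-shaped records: flag queried names in the IOC set or answers pointing at IOC IPs."""
    ips, names = set(terms["ips"]), set(terms["names"])
    hits = []
    for ev in events:
        answers = {a.strip() for a in ev.get("IPAddresses", "").split(",") if a.strip()}
        if ev.get("Name", "").lower() in names or answers & ips:
            hits.append(ev)
    return hits


def hunt_proxy(events, terms, allowlist_sources=frozenset()) -> list:
    """CommonSecurityLog-shaped records: IP+port match is high confidence, IP alone is medium.
    Events from allowlist_sources (assumed sandbox/collector hosts) are dropped before matching."""
    ips, endpoints = set(terms["ips"]), set(terms["endpoints"])
    hits = []
    for ev in events:
        if ev.get("SourceIP") in allowlist_sources:
            continue
        # Fall back to the URL's host when the log source leaves DestinationIP empty.
        dst = ev.get("DestinationIP") or (urlsplit(ev.get("RequestURL", "")).hostname or "")
        if dst not in ips:
            continue
        confidence = "high" if (dst, ev.get("DestinationPort")) in endpoints else "medium"
        hits.append({**ev, "Confidence": confidence})
    return hits


# Constructed sample events (assumptions, not real telemetry).
SAMPLE_DNS_EVENTS = [
    {"Computer": "dns01", "ClientIP": "10.0.5.23", "Name": "cdn-update.example.net", "IPAddresses": "125.44.243.86"},
    {"Computer": "dns01", "ClientIP": "10.0.5.23", "Name": "www.example.com", "IPAddresses": "93.184.216.34"},
]
SAMPLE_PROXY_EVENTS = [
    {"SourceIP": "10.0.5.23", "DestinationIP": "203.99.180.148", "DestinationPort": 37885, "RequestURL": "http://203.99.180.148:37885/bin.sh", "DeviceAction": "allow"},
    {"SourceIP": "10.0.5.24", "DestinationIP": "203.99.180.148", "DestinationPort": 80, "RequestURL": "http://203.99.180.148/", "DeviceAction": "allow"},
    {"SourceIP": "10.0.200.7", "DestinationIP": "42.231.90.102", "DestinationPort": 46075, "RequestURL": "http://42.231.90.102:46075/bin.sh", "DeviceAction": "allow"},
    {"SourceIP": "10.0.5.23", "DestinationIP": "93.184.216.34", "DestinationPort": 443, "RequestURL": "https://www.example.com/", "DeviceAction": "allow"},
]
SANDBOX_SOURCES = frozenset({"10.0.200.7"})  # assumed malware-analysis host, see the false-positive scenarios

if __name__ == "__main__":
    terms = build_terms(URLHAUS_IOCS)
    print(kql_let("mozi_ips", terms["ips"]))
    print(kql_let("mozi_ports", terms["ports"]))
    print("DNS hits:", [e["Name"] for e in hunt_dns(SAMPLE_DNS_EVENTS, terms)])
    for h in hunt_proxy(SAMPLE_PROXY_EVENTS, terms, SANDBOX_SOURCES):
        print("Proxy hit:", h["SourceIP"], "->", h["DestinationIP"], h["DestinationPort"], h["Confidence"])
```

The confidence split matters in practice: the listed IPs are likely residential or compromised IoT addresses, so a connection to one of them on port 80 is weaker evidence than a connection on the exact high port URLhaus recorded. The DNS sample shows why the DNS query matches on `IPAddresses` rather than `Name`: a lookup of a benign-looking name whose answer is a listed IP is the only way the IOC surfaces in DNS telemetry.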
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the CEF/Syslog connector from firewalls and proxies that emit CEF. Ensure the connector is enabled and that the device populates RequestURL, DestinationIP and DestinationPort, which the query above depends on. |
| DnsEvents | Populated by the DNS Analytics solution from Windows DNS servers. Ensure it is enabled; without it the DNS query returns nothing. |
Scenario: Legitimate URLhaus URL used in threat intelligence sharing
Description: A security team shares a URLhaus entry by email or in a shared document. Pasting the string creates no network event by itself, but mail security gateways, link-rewriting services and collaboration tools that generate link previews may fetch the URL on the recipient's behalf and produce a match.
Filter/Exclusion: Exclude requests whose source IP belongs to the mail gateway or link-scanning service, and confirm from the user agent that the fetch came from a scanner rather than a user's browser.
Scenario: Scheduled job for malware sample analysis
Description: A scheduled collector pulls samples for analysis. Fetching from a repository such as VirusTotal or Hybrid Analysis produces traffic to those services, not to these IOCs; only a collector that downloads payloads directly from the URLhaus-listed URLs will produce a matching event.
Filter/Exclusion: Exclude by the collector's source IP, and keep collectors on a segregated network segment so their traffic is never mixed with user traffic.
Scenario: Admin task to update threat intelligence feeds
Description: An admin imports new URLhaus URLs into the organization's threat intelligence platform. Ingesting the indicators creates no connection to them; a match only arises if the platform or the admin actively fetches the URL for enrichment.
Filter/Exclusion: Exclude requests sourced from the TI platform's IP during the feed-update window; do not exclude matches from admin or user workstations, since a fetch from there is exactly the behavior being hunted.
Scenario: User accessing a legitimate Mozi-related resource
Description: A user reads research on Mozi, for example a write-up or an analysis repository on GitHub that quotes these URLs. Because the IOCs are bare IP:port URLs, viewing a page that quotes them produces no DNS or proxy event for the IOC itself; a match means the host actually connected to the listed endpoint.
Filter/Exclusion: Do not exclude on the basis of GitHub or documentation domains, since they cannot produce a match. Treat a hit from a researcher's workstation as a deliberate fetch only after confirming it with the user.
Scenario: Internal tool for malware sandboxing
Description: An internal security tool (e.g., Cuckoo Sandbox, Joe Sandbox) is used to analyze a Mozi sample by downloading it from a URLhaus entry.
Filter/Exclusion: Exclude URLs that are part of a sandboxing infrastructure by checking the source IP, user agent, or using a whit