This hunt hypothesis looks for potential Mozi malware activity by matching DNS lookups and web traffic against URLs that URLhaus attributes to known malicious hosts, which may indicate phishing or compromise vectors used for initial access and data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage espionage campaigns before they establish persistent access.
IOC Summary
Threat: Mozi
Total URLs: 4
Active URLs: 4
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://110.36.80.162:52499/bin.sh | online | malware_download | 2026-04-21 |
| hxxp://115.63.13.9:40062/i | online | malware_download | 2026-04-21 |
| hxxp://221.14.207.105:42251/i | online | malware_download | 2026-04-21 |
| hxxp://221.14.207.105:42251/bin.sh | online | malware_download | 2026-04-21 |
```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: Mozi
// Note: the URLhaus entries for this hunt are bare IP addresses, so the query
// also matches the resolved addresses (IPAddresses), not only the queried name.
let malicious_domains = dynamic(["115.63.13.9", "221.14.207.105", "110.36.80.162"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious domains
// Threat: Mozi
let malicious_domains = dynamic(["115.63.13.9", "221.14.207.105", "110.36.80.162"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled job using a Mozi domain for internal service discovery
Description: A scheduled job in a monitoring tool like Prometheus or Nagios is configured to ping a domain listed in URLhaus as part of a service discovery process.
Filter/Exclusion: Exclude traffic originating from known monitoring tools or system services (e.g., systemd, crontab, or jenkins) and filter by known internal service discovery domains.
Scenario: Admin accessing a Mozi domain for threat intelligence lookup
Description: A security analyst uses a tool like ThreatIntel or AlienVault OTX to look up a domain listed in URLhaus as part of a threat intelligence investigation.
Filter/Exclusion: Exclude traffic from user agents associated with security tools or from IP addresses in the SOC team’s internal network.
Scenario: Legitimate outbound API calls to a Mozi domain for cloud service integration
Description: A cloud service like AWS CloudFormation or Azure DevOps is configured to communicate with a domain that is mistakenly listed in URLhaus due to a misconfiguration or false positive.
Filter/Exclusion: Exclude traffic from cloud service APIs or from known cloud provider IP ranges (e.g., AWS, Azure, GCP).
Scenario: Internal DNS query to a Mozi domain for domain validation
Description: A domain validation tool like DNSCheck or DNSViz is used to verify domain ownership, and the domain happens to be listed in URLhaus.
Filter/Exclusion: Exclude DNS queries from domain validation tools or from internal DNS servers (e.g., nslookup, dig, or dnsmasq).
Scenario: Legitimate software update check to a Mozi domain
Description: A software update
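As an added example (not part of the original hunt page), the matching logic of the web-traffic query and the SOC-network exclusion from the threat-intel-lookup scenario, applied in Python to constructed proxy log lines. The SOC subnet 10.50.0.0/24, the key=value log layout and the sample lines are assumptions; the IOCs are the four URLhaus entries listed above.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# URLhaus entries from the hunt, defanged ("hxxp") exactly as listed on the page
MOZI_IOCS = [
    "hxxp://110.36.80.162:52499/bin.sh",
    "hxxp://115.63.13.9:40062/i",
    "hxxp://221.14.207.105:42251/i",
    "hxxp://221.14.207.105:42251/bin.sh",
]
# Assumed SOC analyst subnet for the threat-intel-lookup exclusion (constructed value)
SOC_NETWORKS = [ipaddress.ip_network("10.50.0.0/24")]
# Constructed proxy log lines in a CEF-like key=value layout (src, request, act)
SAMPLE_LOG = """\
src=10.20.1.15 request=http://221.14.207.105:42251/bin.sh act=allowed
src=10.50.0.7 request=http://115.63.13.9:40062/i act=allowed
src=10.20.1.22 request=http://110.36.80.162:8080/status act=allowed
src=10.20.1.30 request=http://example.com/update act=allowed
"""
LINE_RE = re.compile(r"src=(?P<src>\S+) request=(?P<url>\S+)")

def refang(url: str) -> str:
    return re.sub(r"^hxxp", "http", url.replace("[.]", "."), flags=re.IGNORECASE)  # hxxp:// and [.] back to http:// and .

def ioc_index(iocs):
    index = {}  # host -> {(port, path)}: lets a hit be scored as exact-URL vs host-only
    for ioc in iocs:
        p = urlsplit(refang(ioc))
        index.setdefault(p.hostname, set()).add((p.port, p.path))
    return index

def hunt(log_text, iocs=MOZI_IOCS, soc_networks=SOC_NETWORKS):
    """Return (src, url, verdict) for lines whose destination host is on the IOC list:
    'exact' = host:port/path matched, 'host-only' = same host but another port/path,
    'excluded-soc' = source inside the SOC subnet (the threat-intel-lookup exclusion)."""
    index, hits = ioc_index(iocs), []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or urlsplit(m["url"]).hostname not in index:
            continue  # unparseable line, or destination not on the IOC list
        p = urlsplit(m["url"])
        if any(ipaddress.ip_address(m["src"]) in net for net in soc_networks):
            verdict = "excluded-soc"
        elif (p.port, p.path) in index[p.hostname]:
            verdict = "exact"
        else:
            verdict = "host-only"
        hits.append((m["src"], m["url"], verdict))
    return hits
```

A host-only verdict still deserves a look, since the same Mozi host may serve a new path or port, but it ranks below an exact match of the listed URL.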