The hypothesis is that the URLs listed below are Mozi distribution endpoints: the botnet uses them to stage malicious payloads (the `bin.sh` and `i` loader scripts) and to establish command and control channels. SOC teams should proactively hunt for these URLs and their hosting IP addresses in Azure Sentinel so that a compromise is identified and contained before it leads to data exfiltration or remote control of the affected hosts.
IOC Summary

Threat: Mozi
Total URLs: 9
Active URLs: 6
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://120.61.240.186:56988/bin.sh | online | malware_download | 2026-03-19 |
| hxxp://117.206.66.23:33386/bin.sh | online | malware_download | 2026-03-19 |
| hxxp://103.61.243.11:58596/i | online | malware_download | 2026-03-19 |
| hxxp://27.32.255.147:38620/i | online | malware_download | 2026-03-19 |
| hxxp://103.61.243.11:58596/bin.sh | online | malware_download | 2026-03-19 |
| hxxp://27.32.255.147:38620/bin.sh | online | malware_download | 2026-03-19 |
| hxxp://117.241.178.184:44199/i | offline | malware_download | 2026-03-19 |
| hxxp://117.241.178.184:44199/bin.sh | offline | malware_download | 2026-03-19 |
| hxxp://120.56.7.130:38674/i | offline | malware_download | 2026-03-19 |
```kql
// Hunt for DNS activity involving URLhaus-listed Mozi hosts
// Threat: Mozi
// Note: the URLhaus IOCs above are raw IP:port endpoints rather than domain
// names, so a match on the queried Name alone will rarely fire. The resolved
// address field (IPAddresses) is therefore checked as well.
let malicious_domains = dynamic(["103.61.243.11", "27.32.255.147", "117.206.66.23", "120.61.240.186"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web/proxy traffic to URLhaus-listed Mozi hosts
// Threat: Mozi
// The IOC hosts are matched in the request URL, the destination host name and
// the destination IP, since firewall/proxy logs may populate only one of them.
let malicious_domains = dynamic(["103.61.243.11", "27.32.255.147", "117.206.66.23", "120.61.240.186"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
    or DestinationIP in (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DestinationPort, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
- Scenario: A system administrator is manually testing a new URL shortener tool by accessing a Mozi-related URL for validation purposes.
  - Filter/Exclusion: Exclude URLs containing the string `test-url-shortener` or `internal-validation`.
- Scenario: A scheduled job runs a script that fetches updates from a known security feed, which includes a Mozi-related URL as part of a benign update check.
  - Filter/Exclusion: Exclude URLs that match the domain `security-feed.example.com` or contain the query parameter `?update-check=true`.
- Scenario: A user is accessing a legitimate phishing training page that mimics a Mozi-related URL to educate employees on social engineering tactics.
  - Filter/Exclusion: Exclude URLs containing the substring `phishing-training` or `security-awareness`.
- Scenario: A DevOps team is using a CI/CD pipeline to deploy a security tool, and the tool's documentation includes a Mozi-related URL for reference.
  - Filter/Exclusion: Exclude URLs that match the domain `ci-cd-tool.example.com` or contain the path `/docs/security-tools`.
- Scenario: A system is running a legitimate security audit tool that uses a Mozi-related URL as part of its vulnerability scanning process.
  - Filter/Exclusion: Exclude URLs that match the domain `vulnerability-scanner.example.com` or contain the query parameter `?scan-id=12345`.
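The IOC table above is published defanged (`hxxp://`), and the hunting queries on this page match only the four online hosts while the false-positive scenarios list exclusion strings that must be applied by hand. The following script is an added example, not part of the original hunting page or of URLhaus/Sentinel tooling: it parses the table rows (copied verbatim from this page), refangs them in memory only, extracts host, port and path, and renders the KQL `dynamic([...])` list, a tighter IP-and-port predicate for `CommonSecurityLog`, and the exclusion clause built from the false-positive scenarios. All function and variable names are this example's own.

```python
"""Turn the defanged URLhaus IOC rows on this page into hunt-ready KQL fragments.

Added example (not code from the original page). IOC rows are copied from the
page's table; helper names and the KQL fragments they emit are assumptions of
this example, not an official URLhaus or Sentinel API.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Rows copied from the IOC table above, defanged exactly as published.
IOC_ROWS = """\
hxxp://120.61.240.186:56988/bin.sh | online | malware_download | 2026-03-19
hxxp://117.206.66.23:33386/bin.sh | online | malware_download | 2026-03-19
hxxp://103.61.243.11:58596/i | online | malware_download | 2026-03-19
hxxp://27.32.255.147:38620/i | online | malware_download | 2026-03-19
hxxp://103.61.243.11:58596/bin.sh | online | malware_download | 2026-03-19
hxxp://27.32.255.147:38620/bin.sh | online | malware_download | 2026-03-19
hxxp://117.241.178.184:44199/i | offline | malware_download | 2026-03-19
hxxp://117.241.178.184:44199/bin.sh | offline | malware_download | 2026-03-19
hxxp://120.56.7.130:38674/i | offline | malware_download | 2026-03-19
"""

# Exclusion strings taken from the false-positive scenarios on this page.
FP_EXCLUSIONS = [
    "test-url-shortener", "internal-validation",
    "security-feed.example.com", "?update-check=true",
    "phishing-training", "security-awareness",
    "ci-cd-tool.example.com", "/docs/security-tools",
    "vulnerability-scanner.example.com", "?scan-id=12345",
]


@dataclass(frozen=True)
class Ioc:
    host: str
    port: int
    path: str
    status: str
    threat: str
    date_added: str


def refang(url: str) -> str:
    """Undo the usual feed defanging (hxxp -> http, [.] -> ., [:] -> :) in memory."""
    url = re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("[:]", ":")


def parse_ioc_rows(text: str) -> list[Ioc]:
    """Parse 'URL | status | threat | date' rows; malformed or blank rows are skipped."""
    iocs: list[Ioc] = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or not cells[0]:
            continue
        url, status, threat, date_added = cells
        parts = urlsplit(refang(url))
        if parts.hostname is None:
            continue
        iocs.append(Ioc(parts.hostname, parts.port or 80, parts.path, status, threat, date_added))
    return iocs


def unique_hosts(iocs: list[Ioc], active_only: bool = False) -> list[str]:
    """Distinct IOC hosts, optionally restricted to rows URLhaus marks online."""
    return sorted({i.host for i in iocs if not active_only or i.status == "online"})


def host_ports(iocs: list[Ioc]) -> list[tuple[str, int]]:
    """Distinct (host, port) pairs; the port is what makes the C2 match precise."""
    return sorted({(i.host, i.port) for i in iocs})


def kql_dynamic(values: list[str]) -> str:
    """Render a KQL dynamic([...]) literal of quoted strings."""
    return "dynamic([" + ", ".join(f'"{v}"' for v in values) + "])"


def kql_host_port_where(iocs: list[Ioc]) -> str:
    """A CommonSecurityLog predicate that requires both the IOC IP and its port."""
    clauses = [f'(DestinationIP == "{h}" and DestinationPort == {p})' for h, p in host_ports(iocs)]
    return "| where " + "\n    or ".join(clauses)


def kql_exclusion_where(exclusions: list[str]) -> str:
    """The false-positive filter from the scenarios above, as a single KQL line."""
    return "| where not(RequestURL has_any (" + kql_dynamic(exclusions) + "))"


if __name__ == "__main__":
    rows = parse_ioc_rows(IOC_ROWS)
    print(f"{len(rows)} URLs, {len(unique_hosts(rows))} unique hosts, "
          f"{len(unique_hosts(rows, active_only=True))} active hosts")
    print("let malicious_hosts = " + kql_dynamic(unique_hosts(rows)) + ";")
    print(kql_host_port_where(rows))
    print(kql_exclusion_where(FP_EXCLUSIONS))
```

Running the script prints the hunt list for all six distinct hosts (including the two currently offline ones, which still matter for historical lookback), the IP-and-port predicate, and the exclusion line; the IP-and-port form is worth preferring over a bare IP match because Mozi nodes listen on high, non-standard ports, so an unrelated connection to the same address on port 443 does not trip the hunt.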