Hunt hypothesis: a host in the environment has fetched one of the Mozi payload URLs listed in URLhaus. Mozi is a Linux/IoT botnet built on Mirai and Gafgyt code; the listed entries are its stage-one loader URLs, bare IP addresses on high non-standard ports serving a shell-script dropper (/bin.sh) or a binary (/i). URLhaus tags them malware_download, so a hit indicates payload delivery at initial compromise rather than command and control (Mozi's C2 is peer-to-peer over DHT). SOC teams should hunt for this traffic proactively in Microsoft Sentinel (formerly Azure Sentinel) to catch infected devices early in the attack lifecycle.
IOC Summary
Threat: Mozi
Total URLs: 9
Active URLs: 9
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://182.121.8.183:46455/i | online | malware_download | 2026-05-27 |
| hxxp://27.207.187.85:60296/i | online | malware_download | 2026-05-27 |
| hxxp://27.207.187.85:60296/bin.sh | online | malware_download | 2026-05-27 |
| hxxp://110.36.23.52:49896/i | online | malware_download | 2026-05-27 |
| hxxp://110.36.23.52:49896/bin.sh | online | malware_download | 2026-05-27 |
| hxxp://61.52.51.73:50297/i | online | malware_download | 2026-05-27 |
| hxxp://182.112.6.164:41014/i | online | malware_download | 2026-05-27 |
| hxxp://182.121.227.161:60090/i | online | malware_download | 2026-05-27 |
| hxxp://182.121.227.161:60090/bin.sh | online | malware_download | 2026-05-27 |
// Hunt for DNS answers that resolve to Mozi infrastructure listed in URLhaus
// Threat: Mozi
// Caveat: the URLhaus entries are bare IP:port URLs, so no query name will
// contain them. This query can only catch a hostname that resolves to one of
// the listed IPs; the proxy/firewall hunt below is the primary detection.
let mozi_ips = dynamic(["61.52.51.73", "110.36.23.52", "182.121.227.161", "27.207.187.85", "182.121.8.183", "182.112.6.164"]);
DnsEvents
| where IPAddresses has_any (mozi_ips) or Name has_any (mozi_ips)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
// Hunt for proxy/firewall traffic to the Mozi loader URLs
// has_any is term-based, so "61.52.51.73" does not also fire on 161.52.51.73
// the way a contains check would. The ports and /i, /bin.sh paths from the
// IOC table raise confidence: a hit on the IP alone may be a re-used host.
let mozi_ips = dynamic(["61.52.51.73", "110.36.23.52", "182.121.227.161", "27.207.187.85", "182.121.8.183", "182.112.6.164"]);
let mozi_ports = dynamic([46455, 60296, 49896, 50297, 41014, 60090]);
CommonSecurityLog
| where RequestURL has_any (mozi_ips) or DestinationHostName has_any (mozi_ips) or DestinationIP in (mozi_ips)
| extend Confidence = iff(DestinationPort in (mozi_ports) and (RequestURL endswith "/i" or RequestURL endswith "/bin.sh"), "high: loader URL", "medium: listed IP only")
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, RequestURL, DestinationHostName, DeviceAction, Confidence
| order by TimeGenerated desc
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled; the hunt needs RequestURL or DestinationIP and DestinationPort populated by the proxy/firewall (CEF) source |
| DnsEvents | Ensure this data connector is enabled; because the IOCs are bare IPs, only the resolved IPAddresses column can match |
A general caveat for every exclusion below: the page's original filters were URL substring checks such as (url contains "windowsupdate.microsoft.com"). A substring allowlist on the full URL is bypassable, because an attacker can place the trusted domain in the path or query string of a malicious URL; match the parsed host field (DestinationHostName) or the source asset instead. Also note that none of the nine IOCs is a domain: they are residential IPs on ephemeral ports serving /i and /bin.sh, which no vendor update, patch or backup service uses, so a flagged row that looks like an "update" fetching /bin.sh from such an address should be treated as suspicious, not excluded.
Scenario: Scheduled System Update Job
Description: A scheduled update job fetches a package and the proxy log row is flagged because the IP matched. Confirm the destination is actually an update host before excluding anything.
Filter/Exclusion: Exclude by the update hosts (e.g., windowsupdate.microsoft.com, updates.microsoft.com), keyed on the host column rather than a URL substring:
| where not(DestinationHostName in ("windowsupdate.microsoft.com", "updates.microsoft.com"))
Scenario: Admin Task for Patch Management
Description: An administrator runs a patch distribution task against an internal patch server and the traffic is flagged.
Filter/Exclusion: Exclude by the known patch server names (e.g., patchmanagement.example.com, internal-patch-server); optionally restrict the exclusion further to the admin workstations' SourceIP:
| where not(DestinationHostName in ("patchmanagement.example.com", "internal-patch-server"))
Scenario: Internal Red Team Exercise
Description: A red team replays one of the Mozi loader URLs as part of a controlled test. This is the one realistic benign source of an exact hit, and a destination-based exclusion cannot separate it from a real infection because the URL is identical in both cases.
Filter/Exclusion: Exclude by the red team's source address range and the engagement window, and record the exclusion with the engagement. The range and dates below are placeholders:
| where not(ipv4_is_in_range(SourceIP, "10.99.0.0/24") and TimeGenerated between (datetime(2026-05-27) .. datetime(2026-05-28)))
Scenario: Cloud Backup Service Sync
Description: A backup client syncs to an endpoint that shares an IP with a listed entry (for example on shared hosting) and the IP-only match fires.
Filter/Exclusion: Verify that the port and path differ from the loader URLs first, then exclude by the backup service hostnames (e.g., backup.example.com, cloud-backup-service.com):
| where not(DestinationHostName in ("backup.example.com", "cloud-backup-service.com"))
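The matching and exclusion logic described by the CommonSecurityLog hunt and by the red-team scenario above, as an added Python example that is not part of the original page and is not Microsoft Sentinel code. It parses each requested URL and compares host, port and path exactly (tiered as url, host or ip), shows the substring trap that a `contains` check falls into, and applies the red-team exclusion by source address range rather than by URL. The log records and the 10.99.0.0/24 red-team range are constructed for the example.

```python
"""Match proxy/firewall records against the URLhaus Mozi IOCs.

Added example, not from the original page or from Sentinel. Log rows and the
red-team CIDR are constructed; the nine IOC URLs are the ones in the table.
"""
import ipaddress
from urllib.parse import urlsplit

# The nine URLhaus entries from the IOC table, defanged as URLhaus publishes them.
MOZI_URLS = [
    "hxxp://182.121.8.183:46455/i",
    "hxxp://27.207.187.85:60296/i",
    "hxxp://27.207.187.85:60296/bin.sh",
    "hxxp://110.36.23.52:49896/i",
    "hxxp://110.36.23.52:49896/bin.sh",
    "hxxp://61.52.51.73:50297/i",
    "hxxp://182.112.6.164:41014/i",
    "hxxp://182.121.227.161:60090/i",
    "hxxp://182.121.227.161:60090/bin.sh",
]


def refang(url: str) -> str:
    """Turn a defanged URL (hxxp://, hxxps://, [.]) back into a parseable one."""
    return url.replace("hxxps://", "https://").replace("hxxp://", "http://").replace("[.]", ".")


def build_ioc_sets(urls):
    """Derive (ip, port, path), (ip, port) and ip sets so matches can be tiered."""
    full = set()
    for u in urls:
        p = urlsplit(refang(u))
        full.add((p.hostname, p.port, p.path))
    hosts = {(ip, port) for ip, port, _ in full}
    ips = {ip for ip, _, _ in full}
    return full, hosts, ips


IOC_URLS, IOC_HOSTS, IOC_IPS = build_ioc_sets(MOZI_URLS)


def match_tier(url: str):
    """Classify a requested URL against the IOCs.

    "url"  : exact ip:port/path hit (the loader URL itself)
    "host" : same ip:port, different path (same loader, other payload name)
    "ip"   : listed IP on another port (lower confidence: shared or re-used host)
    None   : no match
    Comparing the parsed hostname avoids the substring trap of a `contains`
    check, where "61.52.51.73" would also fire on 161.52.51.73.
    """
    p = urlsplit(url)
    if p.hostname is None:
        return None
    if (p.hostname, p.port, p.path) in IOC_URLS:
        return "url"
    if (p.hostname, p.port) in IOC_HOSTS:
        return "host"
    if p.hostname in IOC_IPS:
        return "ip"
    return None


def hunt(records, exclude_sources=()):
    """Run the hunt over CommonSecurityLog-shaped dicts, newest first.

    exclude_sources are CIDRs of hosts whose traffic is expected (e.g. the red
    team's range during an engagement). The exclusion is keyed on SourceIP, not
    on the URL, because the IOC URL is identical whether a tester or a bot
    fetched it.
    """
    nets = [ipaddress.ip_network(c) for c in exclude_sources]
    hits = []
    for r in records:
        tier = match_tier(r["RequestURL"])
        if tier is None:
            continue
        if any(ipaddress.ip_address(r["SourceIP"]) in n for n in nets):
            continue
        hits.append({**r, "Match": tier})
    return sorted(hits, key=lambda h: h["TimeGenerated"], reverse=True)


# Constructed sample rows (not real telemetry), shaped like CommonSecurityLog.
SAMPLE_RECORDS = [
    {"TimeGenerated": "2026-05-27T10:01:00Z", "SourceIP": "10.20.30.40",
     "RequestURL": "http://182.121.227.161:60090/bin.sh", "DeviceAction": "allow"},
    {"TimeGenerated": "2026-05-27T10:02:00Z", "SourceIP": "10.20.30.41",
     "RequestURL": "http://161.52.51.73:50297/i", "DeviceAction": "allow"},   # substring look-alike, not an IOC
    {"TimeGenerated": "2026-05-27T10:03:00Z", "SourceIP": "10.99.0.5",
     "RequestURL": "http://110.36.23.52:49896/i", "DeviceAction": "block"},   # constructed red-team source range
    {"TimeGenerated": "2026-05-27T10:04:00Z", "SourceIP": "10.20.30.42",
     "RequestURL": "http://61.52.51.73:8080/i", "DeviceAction": "allow"},     # listed IP, other port
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_RECORDS, exclude_sources=["10.99.0.0/24"]):
        print(hit["TimeGenerated"], hit["SourceIP"], hit["RequestURL"], hit["Match"])
```

Run stand-alone it prints two hits: the 10.20.30.42 request to a listed IP on port 8080 (tier ip) and the 10.20.30.40 fetch of /bin.sh (tier url); the 161.52.51.73 row is skipped even though the IOC string is a substring of it, and the 10.99.0.5 row is dropped by the source-range exclusion. The same tiering is what the Confidence column in the KQL hunt approximates with DestinationPort and the /i, /bin.sh suffixes.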