This hunt hypothesis targets adversaries using Mozi malware distribution URLs to compromise endpoints and establish command and control channels. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and contain infections before they spread within the network.
IOC Summary
Threat: Mozi
Total URLs: 3
Active URLs: 3

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://115.63.243.114:34694/i | online | malware_download | 2026-06-20 |
| hxxp://222.138.205.74:45465/i | online | malware_download | 2026-06-20 |
| hxxp://222.138.205.74:45465/bin.sh | online | malware_download | 2026-06-20 |
```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: Mozi
// The published IOCs are bare IPs, so they will show up in the resolved IPAddresses
// field rather than in the queried Name; match both.
let malicious_domains = dynamic(["115.63.243.114", "222.138.205.74"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious domains
// Threat: Mozi
// The IOCs are IP:port URLs, so also match on DestinationIP in case the proxy/firewall
// logs no hostname for a direct-to-IP request.
let malicious_domains = dynamic(["115.63.243.114", "222.138.205.74"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
    or DestinationIP has_any (malicious_domains)
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: A system administrator is manually testing a URL shortener service (e.g., Bitly) to verify link functionality.
Filter/Exclusion: Exclude URLs containing the domain bitly.com or any known URL shortening service domains.
Scenario: A scheduled job runs a script to fetch updates from a legitimate threat intelligence feed (e.g., URLhaus) using a script named fetch_urlhaus.sh.
Filter/Exclusion: Exclude URLs that match the exact path /fetch_urlhaus.sh or any known internal threat intel feed endpoints.
Scenario: A developer is using a CI/CD pipeline (e.g., Jenkins) to deploy code and includes a test URL for internal documentation.
Filter/Exclusion: Exclude URLs that contain the substring ci-cd.example.com or any internal development domain.
Scenario: A user is accessing a legitimate phishing simulation tool (e.g., KnowBe4) that uses Mozi URLs for training purposes.
Filter/Exclusion: Exclude URLs that match the domain knowbe4.com or any known phishing simulation tool domains.
Scenario: A system is running a scheduled backup job that uses a remote script (e.g., backup_script.sh) hosted on a secure internal server.
Filter/Exclusion: Exclude URLs that contain the path /backup_script.sh or any internal script hosting endpoints.
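The following is an added example, not part of the original hunt page, showing how the two KQL hunts above and the false-positive exclusions can be reproduced offline: it refangs the published IOC URLs, extracts the hosts that feed the `malicious_domains` literal, and runs them over constructed DnsEvents and CommonSecurityLog rows. The exclusion host/path values, the sample rows and the `hunt` helper are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit

# The page's three Mozi URLs, copied as published (defanged with "hxxp").
IOC_URLS = [
    "hxxp://115.63.243.114:34694/i",
    "hxxp://222.138.205.74:45465/i",
    "hxxp://222.138.205.74:45465/bin.sh",
]
# Allow-list values mirroring the false-positive scenarios (assumed; tune per environment).
EXCLUDED_HOSTS = {"bitly.com", "knowbe4.com", "ci-cd.example.com"}
EXCLUDED_PATHS = {"/fetch_urlhaus.sh", "/backup_script.sh"}

def refang(url):
    """Undo URLhaus defanging (hxxp -> http, [.] -> .) so urlsplit can parse it."""
    return re.sub(r"^hxxp", "http", url.replace("[.]", "."), flags=re.I)

def ioc_hosts(urls=IOC_URLS):
    """Hosts (here raw IPs) to hunt for; these are the values in the KQL 'malicious_domains'."""
    return {urlsplit(refang(u)).hostname for u in urls}

def is_excluded(url):
    """Apply the page's host/path exclusions to a proxy RequestURL."""
    p = urlsplit(refang(url))
    return p.hostname in EXCLUDED_HOSTS or p.path in EXCLUDED_PATHS

def hunt(records, urls=IOC_URLS):
    """Mirror the two KQL hunts over dicts shaped like DnsEvents / CommonSecurityLog rows."""
    hosts, hits = ioc_hosts(urls), []
    for r in records:
        if r["table"] == "DnsEvents":
            # The IOCs are bare IPs, so they only ever appear in the resolved IPAddresses.
            answers = {a.strip() for a in r["IPAddresses"].split(",")}
            matched = r["Name"] in hosts or bool(answers & hosts)
        else:
            if is_excluded(r["RequestURL"]):
                continue
            matched = r["DestinationIP"] in hosts or urlsplit(refang(r["RequestURL"])).hostname in hosts
        if matched:
            hits.append(r)
    return hits

# Constructed sample rows (not real telemetry).
SAMPLE_ROWS = [
    {"table": "DnsEvents", "Computer": "ws01", "Name": "updates.example.internal", "IPAddresses": "10.0.0.5"},
    {"table": "DnsEvents", "Computer": "ws02", "Name": "cdn.example.net", "IPAddresses": "222.138.205.74, 10.1.2.3"},
    {"table": "CommonSecurityLog", "SourceIP": "10.0.0.7", "DestinationIP": "115.63.243.114",
     "RequestURL": "http://115.63.243.114:34694/i", "DeviceAction": "allow"},
    {"table": "CommonSecurityLog", "SourceIP": "10.0.0.8", "DestinationIP": "203.0.113.9",
     "RequestURL": "https://feeds.example.org/fetch_urlhaus.sh", "DeviceAction": "allow"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_ROWS):
        print(hit)
```

Running it reports the DNS answer that resolved to 222.138.205.74 and the direct request to 115.63.243.114:34694/i, while the scheduled URLhaus feed fetch is dropped by the path exclusion.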