The hypothesis is that the detected URLs are associated with the Mozi malware family and are used for command and control communication. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify endpoints that may be compromised and to detect potential data exfiltration.
IOC Summary
Threat: Mozi | Total URLs: 9 | Active URLs: 9
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://125.41.77.7:57251/bin.sh | online | malware_download | 2026-05-22 |
| hxxp://125.41.6.74:57548/bin.sh | online | malware_download | 2026-05-22 |
| hxxp://115.55.160.114:49017/i | online | malware_download | 2026-05-22 |
| hxxp://115.55.160.114:49017/bin.sh | online | malware_download | 2026-05-22 |
| hxxp://98.252.87.232:44084/bin.sh | online | malware_download | 2026-05-22 |
| hxxp://61.53.80.179:55833/i | online | malware_download | 2026-05-22 |
| hxxp://110.39.238.29:54764/i | online | malware_download | 2026-05-22 |
| hxxp://61.53.80.179:55833/bin.sh | online | malware_download | 2026-05-22 |
| hxxp://110.39.238.29:54764/bin.sh | online | malware_download | 2026-05-22 |
```kusto
// Hunt for DNS resolution of URLhaus malicious hosts
// Threat: Mozi
// The Mozi IOCs above are bare IP addresses, so they will rarely appear as a
// queried Name; match the resolved IPAddresses column as well.
let malicious_ips = dynamic(["98.252.87.232", "125.41.77.7", "110.39.238.29", "115.55.160.114", "125.41.6.74", "61.53.80.179"]);
DnsEvents
| where Name has_any (malicious_ips) or IPAddresses has_any (malicious_ips)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious hosts
// Threat: Mozi
// Match the IP in the requested URL, the destination host name and the
// destination IP, since proxies and firewalls populate these differently.
let malicious_ips = dynamic(["98.252.87.232", "125.41.77.7", "110.39.238.29", "115.55.160.114", "125.41.6.74", "61.53.80.179"]);
CommonSecurityLog
| where RequestURL has_any (malicious_ips)
    or DestinationHostName has_any (malicious_ips)
    or DestinationIP has_any (malicious_ips)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
| Scenario | Filter/Exclusion |
|---|---|
| Legitimate system update or patching job that downloads a Mozi-related URL from a trusted source (e.g., Microsoft Update or a known security vendor). | Check the source IP or domain against a whitelist of trusted update servers (e.g., update.microsoft.com, security.microsoft.com). |
| A scheduled job for endpoint protection software (e.g., CrowdStrike Falcon, SentinelOne) that performs a network scan or signature update, which may include URLs tagged as Mozi. | Filter by process name or parent process (e.g., falcon.exe, sentinelone.exe) or use a whitelist of known security tool URLs. |
| A system administrator manually testing a security tool (e.g., CrowdStrike, Microsoft Defender) by accessing a test URL that is falsely flagged as Mozi. | Exclude URLs that match known test or staging environments (e.g., test.crowdstrike.com, secure.microsoft.com/test). |
| A legitimate administrative task involving the use of a remote management tool (e.g., Microsoft Intune, SCCM) that accesses a URL associated with Mozi during a policy distribution or configuration update. | Exclude URLs that originate from known enterprise management domains (e.g., intune.microsoft.com, sccm.contoso.com). |
| A false positive from a third-party threat intelligence feed (e.g., URLhaus) that incorrectly tags a legitimate URL as Mozi during a security tool's integration or import process. | Exclude URLs that are present in a curated list of known false positives or use a custom threat intelligence list with exclusion rules. |
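The IOC table above is defanged (hxxp://), the Sentinel queries match only on the IP part of each URL, and the exclusion table relies on an allowlist of trusted sources. The following is an added example (not part of the original report) that refangs the nine URLs, derives the `dynamic([...])` host list the queries use, and matches constructed proxy records on exact host, port and path while honouring a source allowlist; the record format and allowlist values are assumptions.

```python
"""Refang URLhaus-style IOCs, build the KQL host list, and match proxy
records offline. The IOC URLs are the nine from the table above; the
proxy records and allowlist are constructed for illustration."""
from urllib.parse import urlsplit

IOC_URLS = [
    "hxxp://125.41.77.7:57251/bin.sh", "hxxp://125.41.6.74:57548/bin.sh",
    "hxxp://115.55.160.114:49017/i", "hxxp://115.55.160.114:49017/bin.sh",
    "hxxp://98.252.87.232:44084/bin.sh", "hxxp://61.53.80.179:55833/i",
    "hxxp://110.39.238.29:54764/i", "hxxp://61.53.80.179:55833/bin.sh",
    "hxxp://110.39.238.29:54764/bin.sh",
]

# Constructed proxy records (source host, requested URL); not real telemetry.
SAMPLE_RECORDS = [
    {"src": "10.0.0.5", "url": "http://61.53.80.179:55833/i"},
    {"src": "10.0.0.5", "url": "http://61.53.80.179:80/i"},      # same host, wrong port
    {"src": "10.0.0.9", "url": "http://125.41.77.7:57251/bin.sh"},
]

def refang(url):
    """Turn a defanged URL (hxxp://, [.] and [:] escapes) back into a parseable one."""
    return url.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")

def parse_ioc(defanged):
    """Return (host, port, path) for one defanged URL; port defaults to 80."""
    u = urlsplit(refang(defanged))
    return (u.hostname, u.port or 80, u.path)

def kql_dynamic(iocs):
    """Build the dynamic([...]) literal of unique hosts used by the queries above."""
    hosts = sorted({parse_ioc(u)[0] for u in iocs})
    return "dynamic([" + ", ".join('"%s"' % h for h in hosts) + "])"

def match_records(records, iocs, allowlist=frozenset()):
    """Return records whose destination host:port/path equals an IOC exactly,
    skipping any source host on the allowlist (the false-positive filter)."""
    wanted = {parse_ioc(u) for u in iocs}
    hits = []
    for r in records:
        if r["src"] in allowlist:
            continue
        u = urlsplit(r["url"])
        if (u.hostname, u.port or 80, u.path) in wanted:
            hits.append(r)
    return hits

if __name__ == "__main__":
    print(kql_dynamic(IOC_URLS))
    for hit in match_records(SAMPLE_RECORDS, IOC_URLS, allowlist={"10.0.0.5"}):
        print("hit:", hit["src"], hit["url"])
```

Exact host, port and path matching is stricter than the `has_any` queries, so use it to triage the Sentinel results rather than as a replacement for them.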