The detection identifies potential C2 communication from Mozi malware, which is used to exfiltrate data and deploy additional payloads. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats before significant data loss occurs.
IOC Summary

| Threat | Total URLs | Active URLs |
|---|---|---|
| Mozi | 17 | 17 |
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://123.134.57.165:36781/i | online | malware_download | 2026-04-25 |
| hxxp://123.134.57.165:36781/bin.sh | online | malware_download | 2026-04-25 |
| hxxp://182.127.128.162:46639/i | online | malware_download | 2026-04-25 |
| hxxp://160.30.103.84:49403/i | online | malware_download | 2026-04-25 |
| hxxp://160.30.103.84:49403/bin.sh | online | malware_download | 2026-04-25 |
| hxxp://42.224.172.154:47368/bin.sh | online | malware_download | 2026-04-25 |
| hxxp://42.224.172.154:47368/i | online | malware_download | 2026-04-25 |
| hxxp://115.51.20.70:59383/i | online | malware_download | 2026-04-25 |
| hxxp://115.51.20.70:59383/bin.sh | online | malware_download | 2026-04-25 |
| hxxp://125.45.48.249:35117/i | online | malware_download | 2026-04-25 |
| hxxp://110.36.15.18:49147/i | online | malware_download | 2026-04-25 |
| hxxp://110.36.15.18:49147/bin.sh | online | malware_download | 2026-04-25 |
| hxxp://182.127.115.109:59924/i | online | malware_download | 2026-04-25 |
| hxxp://125.45.65.121:37827/i | online | malware_download | 2026-04-25 |
| hxxp://125.45.65.121:37827/bin.sh | online | malware_download | 2026-04-25 |
| hxxp://182.127.115.109:59924/bin.sh | online | malware_download | 2026-04-25 |
| hxxp://42.225.242.7:53385/i | online | malware_download | 2026-04-25 |
```kusto
// Hunt for DNS activity involving URLhaus-listed Mozi C2 hosts
// Threat: Mozi
// The IOCs on this page are bare IP:port URLs, so a queried Name will not
// normally contain them; also match the resolved addresses so that a hostname
// resolving to a listed C2 IP is caught.
let malicious_ips = dynamic(["42.225.242.7", "123.134.57.165", "125.45.48.249", "110.36.15.18", "125.45.65.121", "182.127.115.109", "160.30.103.84", "182.127.128.162", "115.51.20.70", "42.224.172.154"]);
DnsEvents
| where IPAddresses has_any (malicious_ips) or Name has_any (malicious_ips)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus-listed Mozi C2 hosts
// Threat: Mozi
// Check the destination IP as well as the URL and host name, since the
// payload URLs use IP literals rather than domain names.
let malicious_ips = dynamic(["42.225.242.7", "123.134.57.165", "125.45.48.249", "110.36.15.18", "125.45.65.121", "182.127.115.109", "160.30.103.84", "182.127.128.162", "115.51.20.70", "42.224.172.154"]);
CommonSecurityLog
| where RequestURL has_any (malicious_ips) or DestinationHostName has_any (malicious_ips) or DestinationIP has_any (malicious_ips)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
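As an added example (not code from this page, from URLhaus or from Microsoft Sentinel), the following Python reproduces the two hunts offline so the logic can be checked before it is run against live tables. It refangs the defanged `hxxp://` rows of the IOC table above into (IP, port, path) tuples, runs them over constructed CommonSecurityLog-shaped and DnsEvents-shaped records, and applies the analyst-range exclusion suggested in the false-positive scenarios that follow. All sample events, the `203.0.113.10` resolution, the `update.example-cdn.test` hostname and the `192.168.1.0/24` analyst range are constructed assumptions; only the three IOC rows are taken from the table.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample: three rows copied in the defanged form the IOC table uses.
IOC_ROWS = [
    "hxxp://123.134.57.165:36781/i | online | malware_download | 2026-04-25",
    "hxxp://123.134.57.165:36781/bin.sh | online | malware_download | 2026-04-25",
    "hxxp://42.225.242.7:53385/i | online | malware_download | 2026-04-25",
]

# Exclusion from the analyst-research scenario; hypothetical range, assumption.
ANALYST_RANGES = [ipaddress.ip_network("192.168.1.0/24")]

# Constructed CommonSecurityLog-shaped proxy records.
PROXY_EVENTS = [
    {"SourceIP": "10.20.30.40", "RequestURL": "http://123.134.57.165:36781/bin.sh",
     "DestinationHostName": "123.134.57.165", "DeviceAction": "allowed"},
    {"SourceIP": "192.168.1.25", "RequestURL": "http://42.225.242.7:53385/i",
     "DestinationHostName": "42.225.242.7", "DeviceAction": "allowed"},
    {"SourceIP": "10.20.30.41", "RequestURL": "https://updates.microsoft.com/",
     "DestinationHostName": "updates.microsoft.com", "DeviceAction": "allowed"},
]

# Constructed DnsEvents-shaped records (IPAddresses is a delimited string).
DNS_EVENTS = [
    {"Computer": "ws01", "Name": "updates.microsoft.com", "IPAddresses": "203.0.113.10"},
    {"Computer": "ws02", "Name": "update.example-cdn.test", "IPAddresses": "42.225.242.7"},
]


def refang(url: str) -> str:
    """Restore the scheme of a defanged URL (hxxp:// -> http://)."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def parse_iocs(rows):
    """Parse defanged table rows into a set of (ip, port, path) tuples."""
    iocs = set()
    for row in rows:
        url = refang(row.split("|")[0].strip())
        p = urlsplit(url)
        iocs.add((p.hostname, p.port, p.path))
    return iocs


def ioc_ips(iocs):
    """The C2 host set; this is what the KQL let-list above carries."""
    return {ip for ip, _, _ in iocs}


def match_proxy(events, iocs):
    """Flag proxy records whose request targets a listed C2 host.

    Returns (hits, suppressed): suppressed hits originate from an analyst range
    and are kept separately rather than discarded, so they can still be reviewed.
    """
    ips = ioc_ips(iocs)
    hits, suppressed = [], []
    for ev in events:
        host = urlsplit(ev["RequestURL"]).hostname or ev.get("DestinationHostName")
        if host not in ips:
            continue
        src = ipaddress.ip_address(ev["SourceIP"])
        (suppressed if any(src in net for net in ANALYST_RANGES) else hits).append(ev)
    return hits, suppressed


def match_dns(events, iocs):
    """Flag DNS records tied to a listed C2 IP.

    Mozi IOCs are bare IPs, so a queried Name will rarely equal one; the useful
    signal is a Name that resolves to a C2 IP, hence the check on IPAddresses.
    """
    ips = ioc_ips(iocs)
    hits = []
    for ev in events:
        resolved = {a for a in re.split(r"[;,]\s*", ev.get("IPAddresses", "")) if a}
        if ev["Name"] in ips or resolved & ips:
            hits.append(ev)
    return hits


if __name__ == "__main__":
    iocs = parse_iocs(IOC_ROWS)
    hits, suppressed = match_proxy(PROXY_EVENTS, iocs)
    print("proxy hits:", [h["SourceIP"] for h in hits])
    print("suppressed (analyst range):", [s["SourceIP"] for s in suppressed])
    print("dns hits:", [d["Computer"] for d in match_dns(DNS_EVENTS, iocs)])
```

Two design points carry over to the KQL: matching on the resolved address rather than only the queried name is what makes a DNS hunt meaningful for IP-literal IOCs, and an exclusion by source range should route matches to a review bucket instead of dropping them, because an infected host inside an analyst range would otherwise go unseen.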
Scenario: Legitimate scheduled system update via URLhaus
Description: A system administrator schedules a legitimate system update using a URL from URLhaus that is mistakenly flagged as Mozi-related.
Filter/Exclusion: Exclude URLs associated with known system update repositories (e.g., https://updates.microsoft.com, https://dl.google.com/linux).

Scenario: Admin accessing a Mozi-related URL for threat intelligence
Description: A security analyst manually accesses a URL from URLhaus to research Mozi malware behavior as part of their threat intelligence process.
Filter/Exclusion: Exclude URLs accessed from known security analyst IP ranges (e.g., 192.168.1.0/24, 10.0.0.0/8) or user agents associated with security tools (e.g., Mozilla/5.0 (X11; Linux x86_64; rv:123.0) Gecko/20100101 Firefox/123.0).

Scenario: Legitimate log collection via Mozi-like URL
Description: A log aggregation tool (e.g., Splunk, ELK Stack) uses a URL from URLhaus to collect logs from remote servers, which is flagged as Mozi C2 activity.
Filter/Exclusion: Exclude URLs that match known log collection endpoints (e.g., https://logs.example.com/api/v1/collect) or include specific headers like User-Agent: Splunk or X-Log-Source: ELK.

Scenario: Malicious website access by a user for research purposes
Description: A user accesses a legitimate but suspicious-looking website (e.g., a phishing simulation site) that is mistakenly flagged as a Mozi C2 URL.
Filter/Exclusion: Exclude URLs that