The detection identifies potential Mozi malware distribution through malicious URLs, which are known to be used for initial compromise and command and control communication. SOC teams should proactively hunt for these URLs in Azure Sentinel to disrupt adversarial campaigns early and prevent lateral movement within the network.
IOC Summary

| Threat | Total URLs | Active URLs |
|---|---|---|
| Mozi | 12 | 11 |
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://61.52.192.84:49978/i | online | malware_download | 2026-06-04 |
| hxxp://46.236.65.161:39405/i | online | malware_download | 2026-06-04 |
| hxxp://61.52.192.84:49978/bin.sh | online | malware_download | 2026-06-04 |
| hxxp://46.236.65.161:39405/bin.sh | online | malware_download | 2026-06-04 |
| hxxp://125.40.83.202:37339/i | online | malware_download | 2026-06-04 |
| hxxp://125.40.83.202:37339/bin.sh | online | malware_download | 2026-06-04 |
| hxxp://182.121.152.248:32812/i | online | malware_download | 2026-06-04 |
| hxxp://39.79.141.16:35636/i | online | malware_download | 2026-06-04 |
| hxxp://203.177.28.149:59488/i | offline | malware_download | 2026-06-04 |
| hxxp://115.55.7.204:43170/i | online | malware_download | 2026-06-04 |
| hxxp://203.177.28.149:59488/bin.sh | online | malware_download | 2026-06-04 |
| hxxp://112.248.141.53:34850/i | online | malware_download | 2026-06-04 |
```kusto
// Hunt for DNS resolution of URLhaus malicious hosts
// Threat: Mozi
// The URLhaus entries for this campaign are bare IP addresses (no hostnames), so a
// client fetching them usually performs no DNS lookup at all. The IOCs are matched
// against both the queried name and the resolved addresses so that a hit in either
// column is surfaced; expect most signal from the web-traffic query below.
let malicious_ips = dynamic(["182.121.152.248", "46.236.65.161", "39.79.141.16", "125.40.83.202", "203.177.28.149", "112.248.141.53", "61.52.192.84", "115.55.7.204"]);
DnsEvents
| where Name has_any (malicious_ips) or IPAddresses has_any (malicious_ips)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious hosts
// Threat: Mozi
// Because the IOCs are IP addresses, DestinationIP is checked alongside the URL and
// hostname fields so proxies or firewalls that log only the peer address still match.
let malicious_ips = dynamic(["182.121.152.248", "46.236.65.161", "39.79.141.16", "125.40.83.202", "203.177.28.149", "112.248.141.53", "61.52.192.84", "115.55.7.204"]);
CommonSecurityLog
| where RequestURL has_any (malicious_ips) or DestinationHostName has_any (malicious_ips) or DestinationIP has_any (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
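The `dynamic([...])` list in the hunt queries is hand-copied from the IOC table, which drifts as URLhaus entries are added or go offline. The following Python helper is an added example, not part of the original page or of URLhaus: it parses the defanged table rows, refangs them, counts total and active URLs, and emits the KQL `let` statement for either bare hosts or tighter host:port pairs. The embedded rows are a constructed subset of the table above.

```python
import re
from urllib.parse import urlsplit

# Constructed subset of the IOC table above, in the page's defanged (hxxp) form.
IOC_ROWS = """\
| hxxp://61.52.192.84:49978/i | online | malware_download | 2026-06-04 |
| hxxp://61.52.192.84:49978/bin.sh | online | malware_download | 2026-06-04 |
| hxxp://203.177.28.149:59488/i | offline | malware_download | 2026-06-04 |
| hxxp://203.177.28.149:59488/bin.sh | online | malware_download | 2026-06-04 |
| hxxp://112.248.141.53:34850/i | online | malware_download | 2026-06-04 |
"""

def refang(url):
    """Turn a defanged URL (hxxp://, [.]) back into a parseable one."""
    return re.sub(r"^hxxp", "http", url.strip()).replace("[.]", ".")

def parse_ioc_table(text):
    """Parse the markdown IOC rows; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or not cells[0].startswith("hxxp"):
            continue
        url, status, threat, date = cells
        p = urlsplit(refang(url))
        rows.append({"url": url, "host": p.hostname, "port": p.port, "path": p.path,
                     "status": status, "threat": threat, "date": date})
    return rows

def summarize(rows):
    """(total, active) URL counts, as in the IOC Summary line."""
    return len(rows), sum(1 for r in rows if r["status"] == "online")

def hunt_hosts(rows, include_offline=True):
    """Unique hosts in table order; an offline URL still names a host worth hunting."""
    hosts = []
    for r in rows:
        if (include_offline or r["status"] == "online") and r["host"] not in hosts:
            hosts.append(r["host"])
    return hosts

def hunt_endpoints(rows):
    """Unique host:port pairs, a tighter RequestURL match than a bare IP."""
    return list(dict.fromkeys(f'{r["host"]}:{r["port"]}' for r in rows))

def kql_dynamic_list(name, values):
    """Render the KQL let statement used by the hunt queries above."""
    quoted = ", ".join('"%s"' % v for v in values)
    return f"let {name} = dynamic([{quoted}]);"
```

Feeding `hunt_endpoints(rows)` into `kql_dynamic_list` gives a list that matches only the exact listening port seen on URLhaus, which cuts false positives when a shared IP also hosts benign services.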
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
| Scenario | Description | Filter/Exclusion |
|---|---|---|
| Legitimate URLhaus URL used in threat intelligence sharing | A security team manually shares a URLhaus entry containing a Mozi URL as part of a threat intelligence update. | Check for the presence of a known threat intelligence tool (e.g., CrowdStrike Falcon, Microsoft Defender ATP) in the source IP or user context. Exclude URLs associated with internal threat intelligence platforms. |
| Scheduled system update or patching job | A scheduled job runs a system update that includes a URL from URLhaus, which is flagged as Mozi. | Filter URLs that match known patching or update servers (e.g., windowsupdate.microsoft.com, updates.microsoft.com). Exclude URLs that match the domain of the enterprise’s internal patching server. |
| Admin task to download malware samples for analysis | A security analyst downloads a Mozi sample from URLhaus for forensic analysis using tools like Cuckoo Sandbox or Sandboxie. | Exclude URLs that originate from or are associated with sandboxing tools (e.g., cuckoo.sh, sandboxie.com) or internal analysis platforms (e.g., internal-sandbox.example.com). |
| Internal tool for generating test payloads | An internal tool or script generates test payloads for security testing, which includes a Mozi URL from URLhaus. | Filter URLs that include test or staging subdomains (e.g., test.example.com, dev.example.com) or match internal testing infrastructure. |
| Legitimate use of URLhaus in SIEM correlation rules | A SIEM rule correlates events with URLhaus entries, including Mozi URLs, as part of automated threat detection. | Exclude URLs that |