The hypothesis is that the detected URLs are associated with the Mozi malware family, which is used to deliver payloads and establish command and control channels. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential malware infections and exfiltration activities early.
IOC Summary

Threat: Mozi
Total URLs: 3
Active URLs: 3
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://125.41.222.70:56747/bin.sh | online | malware_download | 2026-05-25 |
| hxxp://125.45.58.49:35180/i | online | malware_download | 2026-05-25 |
| hxxp://125.45.58.49:35180/bin.sh | online | malware_download | 2026-05-25 |
```kql
// Hunt for DNS resolutions involving the URLhaus-listed Mozi IPs
// Threat: Mozi
// The listed URLs use raw IP literals, so a direct fetch of bin.sh produces no
// DNS query. Matching on the resolved IPAddresses column still catches hosts
// that resolved some other name to one of these addresses.
let malicious_ips = dynamic(["125.45.58.49", "125.41.222.70"]);
DnsEvents
| where IPAddresses has_any (malicious_ips) or Name has_any (malicious_ips)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to the URLhaus-listed Mozi IPs
// DestinationIP is included because proxies and firewalls often log the
// raw destination address rather than a host name for IP-literal URLs.
let malicious_ips = dynamic(["125.45.58.49", "125.41.222.70"]);
CommonSecurityLog
| where RequestURL has_any (malicious_ips)
    or DestinationHostName has_any (malicious_ips)
    or DestinationIP has_any (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
False Positive Scenarios

- Scenario: A system administrator is manually testing a URL shortener service (e.g., Bitly) to verify link behavior.
  Filter/Exclusion: Exclude URLs containing bitly.com or shortened-links in the URL path.
- Scenario: A scheduled job runs a script to fetch updates from a known safe repository (e.g., GitHub Actions) using a URL that matches the Mozi pattern.
  Filter/Exclusion: Exclude URLs containing github.com or actions.githubusercontent.com.
- Scenario: A user is accessing a legitimate phishing training portal (e.g., KnowBe4) that uses a URL similar to known malicious URLs.
  Filter/Exclusion: Exclude URLs containing knowbe4.com or phishing-training in the URL path.
- Scenario: A backup system is using a cloud storage service (e.g., AWS S3) to transfer files, and the URL format matches the Mozi pattern.
  Filter/Exclusion: Exclude URLs containing s3.amazonaws.com or aws in the domain.
- Scenario: A DevOps team is using a CI/CD tool (e.g., Jenkins) to deploy code, and the URL used for artifact retrieval matches the Mozi signature.
  Filter/Exclusion: Exclude URLs containing jenkins-ci.org or ci-cd-artifact in the URL path.
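The following is an added example, not part of the original hunting page or of URLhaus tooling. It performs the same match as the CommonSecurityLog query above, offline, against a handful of constructed proxy records: it refangs the defanged IOC URLs from the table, indexes them by host, port and path, and applies the false-positive exclusions as a hostname allowlist. The record field names (SourceIP, RequestURL, DestinationHostName) mirror the Sentinel columns used above; the sample records and the distinction between an "exact" and a "host-only" hit are this example's own assumptions.

```python
"""Offline match of the Mozi URLhaus IOCs against sample proxy records."""
import re
from urllib.parse import urlsplit

# IOC URLs exactly as listed in the table above, still defanged (hxxp://).
DEFANGED_IOCS = [
    "hxxp://125.41.222.70:56747/bin.sh",
    "hxxp://125.45.58.49:35180/i",
    "hxxp://125.45.58.49:35180/bin.sh",
]

# Hostname allowlist derived from the false-positive scenarios. Matching is on
# the destination host (exact or as a parent domain), never on a substring of
# the URL, so a path like /aws/bin.sh on a Mozi IP cannot suppress a hit.
ALLOWLIST_HOSTS = (
    "bitly.com", "github.com", "actions.githubusercontent.com",
    "knowbe4.com", "s3.amazonaws.com", "jenkins-ci.org",
)

# Constructed sample records shaped like CommonSecurityLog rows (assumption).
SAMPLE_RECORDS = [
    {"SourceIP": "10.0.0.5", "RequestURL": "http://125.45.58.49:35180/bin.sh",
     "DestinationHostName": "125.45.58.49"},
    {"SourceIP": "10.0.0.6", "RequestURL": "http://125.41.222.70:8080/other",
     "DestinationHostName": "125.41.222.70"},
    {"SourceIP": "10.0.0.7",
     "RequestURL": "https://github.com/org/repo/releases/download/v1/bin.sh",
     "DestinationHostName": "github.com"},
    {"SourceIP": "10.0.0.8", "RequestURL": "http://example.com/i",
     "DestinationHostName": "example.com"},
]


def refang(url):
    """Turn hxxp:// / hxxps:// and [.] back into a real URL for comparison."""
    return re.sub(r"^hxxp", "http", url.replace("[.]", "."), flags=re.IGNORECASE)


def ioc_index(defanged):
    """Return (set of (host, port, path) tuples, set of bare hosts)."""
    exact, hosts = set(), set()
    for u in defanged:
        p = urlsplit(refang(u))
        exact.add((p.hostname, p.port, p.path))
        hosts.add(p.hostname)
    return exact, hosts


def is_allowlisted(hostname):
    """True when hostname equals, or is a subdomain of, an allowlisted host."""
    h = (hostname or "").lower()
    return any(h == a or h.endswith("." + a) for a in ALLOWLIST_HOSTS)


def hunt(records, defanged=DEFANGED_IOCS):
    """Return [(source_ip, url, confidence)] for records touching an IOC.

    "exact" means host, port and path all matched a listed URL;
    "host-only" means traffic to a listed IP on another port or path, which is
    still worth triage because the same host serves several Mozi payload paths.
    """
    exact, hosts = ioc_index(defanged)
    hits = []
    for r in records:
        url = r.get("RequestURL") or ""
        p = urlsplit(url if "://" in url else "http://" + url)
        host = p.hostname or r.get("DestinationHostName")
        if is_allowlisted(host):
            continue
        if (host, p.port, p.path) in exact:
            hits.append((r["SourceIP"], url, "exact"))
        elif host in hosts:
            hits.append((r["SourceIP"], url, "host-only"))
    return hits


if __name__ == "__main__":
    for src, url, conf in hunt(SAMPLE_RECORDS):
        print(f"{conf:9} {src} -> {url}")
```

In the sample run the github.com download of a file named bin.sh is dropped by the allowlist while the two Mozi IP records are reported, one as an exact IOC match and one as host-only traffic to a listed address. Keeping the exclusions hostname-based rather than substring-based is the property to preserve when translating them into KQL `where` clauses.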