The ThreatFox: Mozi IOCs rule detects potential adversary activity linked to the Mozi malware family through known indicators of compromise, which are commonly used in targeted attacks to establish persistence and exfiltrate data. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate early-stage threats before they cause significant damage to the environment.
IOC Summary
Malware Family: Mozi
Total IOCs: 3
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 112[.]242[.]178[.]250:50997 | botnet_cc | 2026-05-21 | 75% |
| ip:port | 59[.]96[.]136[.]199:60001 | botnet_cc | 2026-05-21 | 75% |
| ip:port | 46[.]99[.]151[.]227:2223 | botnet_cc | 2026-05-21 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Mozi
// Note: the IOCs are ip:port pairs; this query matches on the IP alone, so compare
// DestinationPort in the results against the ports listed in the IOC table.
let malicious_ips = dynamic(["46.99.151.227", "59.96.136.199", "112.242.178.250"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kql
// Hunt in Defender for Endpoint network events
// RemotePort is projected so hits can be compared with the ip:port IOCs above.
let malicious_ips = dynamic(["46.99.151.227", "59.96.136.199", "112.242.178.250"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
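As an added example (not part of this rule page or of ThreatFox), the Python below refangs the ip:port IOCs from the table above, renders the same `dynamic()` IP list the KQL queries use, and contrasts the IP-only match the queries perform with an ip:port match over constructed sample events.

```python
import ipaddress

# Constructed from the IOC table above (ThreatFox, Mozi): the page's defanged ip:port pairs.
THREATFOX_IOCS = [
    "112[.]242[.]178[.]250:50997",
    "59[.]96[.]136[.]199:60001",
    "46[.]99[.]151[.]227:2223",
]

def refang(ioc: str) -> tuple[str, int]:
    """Turn a defanged 'a[.]b[.]c[.]d:port' IOC into a validated (ip, port) pair."""
    ip, _, port = ioc.replace("[.]", ".").rpartition(":")
    return str(ipaddress.ip_address(ip)), int(port)

def build_watchlist(iocs: list[str]) -> dict[str, set[int]]:
    """Map each C2 IP to the set of ports seen for it, so both fields can be checked."""
    watchlist: dict[str, set[int]] = {}
    for ioc in iocs:
        ip, port = refang(ioc)
        watchlist.setdefault(ip, set()).add(port)
    return watchlist

def kql_ip_list(watchlist: dict[str, set[int]]) -> str:
    """Render the IP set as the KQL dynamic() literal used by the hunting queries above."""
    return "dynamic([" + ", ".join(f'"{ip}"' for ip in sorted(watchlist)) + "])"

# Constructed sample events shaped like the CommonSecurityLog columns the query projects.
SAMPLE_EVENTS = [
    {"SourceIP": "10.0.0.5", "DestinationIP": "112.242.178.250", "DestinationPort": 50997},
    {"SourceIP": "10.0.0.7", "DestinationIP": "46.99.151.227", "DestinationPort": 443},
    {"SourceIP": "10.0.0.9", "DestinationIP": "8.8.8.8", "DestinationPort": 53},
]

def match_events(events, watchlist, require_port=True):
    """Return events whose destination is on the watchlist. require_port=False reproduces
    the IP-only match of the KQL above (catches the C2 host on any port); require_port=True
    also demands the IOC's port, which cuts noise but misses a C2 that has moved ports."""
    hits = []
    for event in events:
        ports = watchlist.get(event["DestinationIP"])
        if ports is None or (require_port and event["DestinationPort"] not in ports):
            continue
        hits.append(event)
    return hits

if __name__ == "__main__":
    wl = build_watchlist(THREATFOX_IOCS)
    print(kql_ip_list(wl))
    print(len(match_events(SAMPLE_EVENTS, wl, require_port=False)), "IP-only hits")
    print(len(match_events(SAMPLE_EVENTS, wl)), "ip:port hits")
```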
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| Scenario | Description | Filter/Exclusion |
|---|---|---|
| Scheduled System Backup Using Mozi-Related Tools | A legitimate scheduled backup process uses a tool like `mozi-backup` or `mozi-restore` for data recovery. | Exclude processes containing `mozi-backup`, `mozi-restore`, or `backup` in the command line. |
| Admin Task to Update Mozi Configuration Files | An administrator manually updates Mozi configuration files using tools like `mozi-config` or `mozi-setup`. | Exclude processes with `mozi-config`, `mozi-setup`, or `config` in the command line. |
| Log Analysis Using Mozi Log Parser | A security analyst uses a log parser tool like `mozi-log-analyzer` to review system logs for troubleshooting. | Exclude processes containing `mozi-log-analyzer`, `log`, or `analyze` in the command line. |
| Automated Job to Clean Up Mozi Cache | A scheduled job runs `mozi-cache-cleaner` to remove old cache files from the Mozi application directory. | Exclude processes with `mozi-cache-cleaner`, `clean`, or `cache` in the command line. |
| Integration with Mozi API for Reporting | A reporting tool like `mozi-report-generator` is used to pull data from Mozi for internal dashboards. | Exclude processes containing `mozi-report-generator`, `report`, or `generate` in the command line. |