This detection identifies potential Mozi infections by hunting for requests to URLs published in the URLhaus intelligence feed for this threat. Every IOC below is an IP literal with an ephemeral high port and a `/i` or `/bin.sh` path, the pattern of a host fetching a Mozi downloader or bot binary from an already-infected node. SOC teams should hunt for this behavior proactively in Microsoft Sentinel (formerly Azure Sentinel) so that early-stage compromises are contained before the bot joins the peer-to-peer network, moves laterally or exfiltrates data.
IOC Summary
Threat: Mozi
Total URLs: 8
Active URLs: 8
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://125.41.2.191:36072/i | online | malware_download | 2026-05-20 |
| hxxp://123.8.37.56:54899/i | online | malware_download | 2026-05-20 |
| hxxp://123.8.37.56:54899/bin.sh | online | malware_download | 2026-05-20 |
| hxxp://123.10.235.148:47525/bin.sh | online | malware_download | 2026-05-20 |
| hxxp://115.55.54.153:41222/i | online | malware_download | 2026-05-20 |
| hxxp://115.55.54.153:41222/bin.sh | online | malware_download | 2026-05-20 |
| hxxp://42.224.253.5:58209/i | online | malware_download | 2026-05-20 |
| hxxp://42.224.253.5:58209/bin.sh | online | malware_download | 2026-05-20 |
```kusto
// Hunt for DNS answers that resolve to the URLhaus Mozi payload hosts
// Threat: Mozi
// Caveat: every IOC is an IP literal (hxxp://IP:port/...), so a direct fetch
// generates no DNS query at all. The original query matched the IPs against the
// queried Name, which never contains them; match the resolved IPAddresses instead.
// Expect few or no hits from this query; the CommonSecurityLog hunt below is the primary one.
let malicious_ips = dynamic(["123.10.235.148", "123.8.37.56", "125.41.2.191", "42.224.253.5", "115.55.54.153"]);
DnsEvents
| where IPAddresses has_any (malicious_ips)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
```
```kusto
// Hunt for web traffic to the URLhaus Mozi payload hosts
// Threat: Mozi
// DestinationIP catches firewall events that carry no URL; RequestURL and
// DestinationHostName catch proxy events. ExactMatch flags the exact IP:port pairs
// from the feed (the payload ports are random high ports chosen per infected node),
// which separates a payload fetch from other traffic to the same address.
let malicious_ips = dynamic(["123.10.235.148", "123.8.37.56", "125.41.2.191", "42.224.253.5", "115.55.54.153"]);
let malicious_ports = dynamic([47525, 54899, 36072, 58209, 41222]);
CommonSecurityLog
| where DestinationIP in (malicious_ips)
    or RequestURL has_any (malicious_ips)
    or DestinationHostName has_any (malicious_ips)
| extend ExactMatch = DestinationPort in (malicious_ports)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, ExactMatch, RequestURL, DestinationHostName, DeviceAction
| order by ExactMatch desc, TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the CEF/Syslog connector from firewalls, proxies and web filters. Ensure it is enabled and that the proxy sends RequestURL; firewall-only sources still match on DestinationIP. |
| DnsEvents | Populated by the DNS connector on Windows DNS servers. Ensure it is enabled; it only adds value here if some hostname resolves to one of the listed IPs. |
Because every IOC in this feed is an IP literal, exclusions keyed on domain names (URL shorteners such as bitly.com, windowsupdate.com or update.microsoft.com, github.com or gitlab.com, servicenow.com) cannot match these queries and should not be added; they only widen the blind spot for other detections. The realistic false-positive sources are below.

Scenario: A sandbox, URL scanner or threat-intelligence enrichment job fetches the listed payloads deliberately to detonate or verify them.
Filter/Exclusion: Exclude by SourceIP, limited to the dedicated analysis subnet, never by destination; a real infection in the same subnet would otherwise be hidden.

Scenario: An IT team is performing a penetration test or red team exercise in a controlled lab and replays a Mozi-related URL.
Filter/Exclusion: Exclude the lab's source address range (e.g., a lab segment inside 192.168.0.0/16) for the duration of the engagement only, and remove the exclusion when the exercise ends.

Scenario: A host connects to one of the listed IPs on a port other than the one in the feed. Mozi payloads are served by infected devices on consumer address space, so an IP can be reassigned to an unrelated customer after the node is cleaned or reconnects.
Filter/Exclusion: Do not exclude; treat it as lower confidence. Check the Date Added and current status of the URL on URLhaus, and prioritise events where DestinationPort equals the IOC port and the path is /i or /bin.sh.
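The following Python is an added example, not code from the original page or from URLhaus, that carries the two hunting queries and the exclusion rules above through offline against a handful of log lines. It refangs the URLhaus-style IOCs, extracts the IP:port endpoints, and grades each proxy record as an exact endpoint hit, an IP-only hit (same host, other port) or a suppressed hit from a sanctioned analysis range. The log records and the `10.50.0.0/16` sandbox range are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# IOCs copied from the URLhaus table above, still defanged (hxxp://).
MOZI_IOCS = [
    "hxxp://125.41.2.191:36072/i",
    "hxxp://123.8.37.56:54899/i",
    "hxxp://123.8.37.56:54899/bin.sh",
    "hxxp://123.10.235.148:47525/bin.sh",
    "hxxp://115.55.54.153:41222/i",
    "hxxp://115.55.54.153:41222/bin.sh",
    "hxxp://42.224.253.5:58209/i",
    "hxxp://42.224.253.5:58209/bin.sh",
]

# Hypothetical sanctioned source range (sandbox / lab) that fetches samples on purpose.
SANCTIONED_SOURCES = [ipaddress.ip_network("10.50.0.0/16")]

# Constructed proxy records (not real telemetry):
# "<timestamp> <source_ip> <dest_ip> <dest_port> <url> <action>"
SAMPLE_LOGS = [
    "2026-05-20T03:14:07Z 192.168.10.23 123.8.37.56 54899 http://123.8.37.56:54899/bin.sh allowed",
    "2026-05-20T03:14:09Z 192.168.10.23 123.8.37.56 54899 http://123.8.37.56:54899/i allowed",
    "2026-05-20T04:02:11Z 10.50.3.7 42.224.253.5 58209 http://42.224.253.5:58209/bin.sh allowed",
    "2026-05-20T05:30:00Z 192.168.10.40 123.8.37.56 443 https://123.8.37.56/ blocked",
    "2026-05-20T06:00:00Z 192.168.10.41 93.184.216.34 443 https://example.com/ allowed",
]


def refang(url: str) -> str:
    """Turn a defanged URLhaus URL back into a real one for parsing."""
    return (url.replace("hxxp://", "http://")
               .replace("hxxps://", "https://")
               .replace("[.]", ".")
               .replace("[:]", ":"))


def ioc_endpoints(iocs):
    """Set of (ip, port) pairs that serve the listed payloads; the port is part of the IOC."""
    endpoints = set()
    for url in iocs:
        parts = urlsplit(refang(url))
        endpoints.add((parts.hostname, parts.port or 80))
    return endpoints


def classify(record, endpoints, sanctioned):
    """Grade one proxy record: suppressed, high, medium or none."""
    _ts, src, dst, port, url, _action = record.split()
    if any(ipaddress.ip_address(src) in net for net in sanctioned):
        return "suppressed"          # deliberate fetch from a lab or sandbox range
    url_parts = urlsplit(url)
    url_endpoint = (url_parts.hostname, url_parts.port or (443 if url_parts.scheme == "https" else 80))
    if (dst, int(port)) in endpoints or url_endpoint in endpoints:
        return "high"                # exact IP:port from the feed, i.e. a payload fetch
    if dst in {ip for ip, _ in endpoints}:
        return "medium"              # same host, other port: consumer IPs churn, confirm first
    return "none"


def hunt(logs, iocs=MOZI_IOCS, sanctioned=SANCTIONED_SOURCES):
    """Return (timestamp, source_ip, verdict) for every record, highest confidence first."""
    endpoints = ioc_endpoints(iocs)
    order = {"high": 0, "medium": 1, "suppressed": 2, "none": 3}
    results = []
    for rec in logs:
        fields = rec.split()
        results.append((fields[0], fields[1], classify(rec, endpoints, sanctioned)))
    return sorted(results, key=lambda r: (order[r[2]], r[0]))


if __name__ == "__main__":
    for ts, src, verdict in hunt(SAMPLE_LOGS):
        print(f"{verdict:10} {ts} {src}")
```

The ordering mirrors the `ExactMatch desc` sort in the Sentinel query: the two exact-endpoint hits from 192.168.10.23 surface first, the port-443 contact with the same IP is kept as a medium-confidence lead rather than dropped, and the sandbox fetch is suppressed by source range so the same destination still alerts for every other host.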