This hunt hypothesis targets Mozi malware activity by looking for access to the malicious URLs listed in URLhaus, which are known to be used for initial compromise and command-and-control communication. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential breaches early in the attack lifecycle.
IOC Summary
Threat: Mozi
Total URLs: 6
Active URLs: 6
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://39.87.238.242:44751/i | online | malware_download | 2026-05-13 |
| hxxp://110.36.14.214:42252/i | online | malware_download | 2026-05-13 |
| hxxp://115.61.111.142:46490/i | online | malware_download | 2026-05-13 |
| hxxp://112.238.38.241:48364/i | online | malware_download | 2026-05-13 |
| hxxp://222.142.243.253:48975/bin.sh | online | malware_download | 2026-05-13 |
| hxxp://110.36.24.162:50006/i | online | malware_download | 2026-05-13 |
```kusto
// Hunt for DNS activity involving the URLhaus-listed Mozi hosts
// Threat: Mozi
// The URLhaus entries are bare IP:port hosts, so the queried Name will rarely
// contain them; the resolved IPAddresses column is the more likely place to match.
let malicious_domains = dynamic(["115.61.111.142", "39.87.238.242", "110.36.14.214", "222.142.243.253", "110.36.24.162", "112.238.38.241"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
```
```kusto
// Hunt for web/proxy traffic to the URLhaus-listed Mozi hosts
// Threat: Mozi
// Match on the URL, the destination host name and the raw destination IP, since
// a direct IP:port download (as in the IOC table) carries no host name at all.
let malicious_domains = dynamic(["115.61.111.142", "39.87.238.242", "110.36.14.214", "222.142.243.253", "110.36.24.162", "112.238.38.241"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains) or DestinationIP in (malicious_domains)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
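As an added example that is not part of the original hunt page, the following Python script turns the defanged URLhaus rows from the IOC table into the host list that the queries' has_any() filters consume, checks that every host is a globally routable address before it is used as an indicator, and emits the KQL let statements. The row parser, the public_only check and the malicious_urls list name are assumptions introduced here; the six URLs are the ones on the page.

```python
"""Build Sentinel hunt lists from defanged URLhaus rows (added example, not page code)."""
import ipaddress
import re
from urllib.parse import urlsplit

# The six rows copied from the page's IOC table (defanged hxxp:// form).
IOC_ROWS = [
    "hxxp://39.87.238.242:44751/i | online | malware_download | 2026-05-13",
    "hxxp://110.36.14.214:42252/i | online | malware_download | 2026-05-13",
    "hxxp://115.61.111.142:46490/i | online | malware_download | 2026-05-13",
    "hxxp://112.238.38.241:48364/i | online | malware_download | 2026-05-13",
    "hxxp://222.142.243.253:48975/bin.sh | online | malware_download | 2026-05-13",
    "hxxp://110.36.24.162:50006/i | online | malware_download | 2026-05-13",
]


def refang(url: str) -> str:
    """Undo common defanging (hxxp -> http, [.] -> ., [:] -> :) so urlsplit can parse it."""
    url = re.sub(r"^hxxp(s?)://", r"http\1://", url.strip(), flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("[:]", ":")


def parse_row(row: str) -> dict:
    """Split one 'URL | Status | Threat | Date Added' row into its fields (assumed layout)."""
    url, status, threat, date_added = (c.strip() for c in row.strip("| ").split("|"))
    parts = urlsplit(refang(url))
    return {
        "url": parts.geturl(), "host": parts.hostname, "port": parts.port,
        "path": parts.path, "status": status, "threat": threat, "date_added": date_added,
    }


def indicator_hosts(rows):
    """Unique hosts in first-seen order; these feed the has_any() lists in the hunt queries."""
    seen = []
    for r in map(parse_row, rows):
        if r["host"] not in seen:
            seen.append(r["host"])
    return seen


def public_only(hosts):
    """Drop private, loopback or otherwise non-global IP literals: one of those in a
    hunt list would match legitimate internal traffic across the whole estate.
    Hostnames (not IP literals) are kept as-is."""
    kept = []
    for h in hosts:
        try:
            if ipaddress.ip_address(h).is_global:
                kept.append(h)
        except ValueError:  # not an IP literal, so a hostname; keep it
            kept.append(h)
    return kept


def kql_let(name: str, values) -> str:
    """Render a KQL `let name = dynamic([...]);` line from a list of strings."""
    quoted = ", ".join(f'"{v}"' for v in values)
    return f"let {name} = dynamic([{quoted}]);"


def build_hunt_lists(rows) -> str:
    """Host list for the has_any() filters plus an exact-URL list for stricter matching."""
    hosts = public_only(indicator_hosts(rows))
    urls = [parse_row(r)["url"] for r in rows]
    return "\n".join([kql_let("malicious_domains", hosts), kql_let("malicious_urls", urls)])


if __name__ == "__main__":
    print(build_hunt_lists(IOC_ROWS))
```

The exact-URL list is useful as a second, tighter filter (`RequestURL in (malicious_urls)`) when the host-only match produces noise from shared infrastructure; the public_only check is the step most often skipped when indicator feeds are pasted straight into a query.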
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: A system administrator is manually testing a URL shortener service using a known safe URL from URLhaus for validation purposes.
Filter/Exclusion: Exclude URLs that match the urlhaus.com domain or any URL containing the substring urlhaus in the url field.
Scenario: A scheduled job runs a script that downloads and processes benign URLs from a trusted source (e.g., wget or curl) as part of a data ingestion pipeline.
Filter/Exclusion: Exclude URLs that are part of a known data ingestion process, such as those matching the ingestion_pipeline tag or originating from a specific IP range used by the data pipeline.
Scenario: An IT team member is performing a security audit and manually accesses a Mozi-related URL from URLhaus to analyze its behavior in a sandboxed environment.
Filter/Exclusion: Exclude URLs accessed from a specific user account (e.g., security_audit) or those that match the sandboxed_analysis tag.
Scenario: A backup or archive process includes URLs from URLhaus as part of a historical record or documentation, such as in a PDF or HTML file.
Filter/Exclusion: Exclude URLs that are embedded in documents (e.g., file_type = PDF or HTML) or those that are part of a known documentation archive.
Scenario: A DevOps team uses a CI/CD pipeline that includes a test URL from URLhaus to validate URL parsing logic in a tool like curl or wget.
Filter/Exclusion: Exclude URLs that are part of a CI/CD pipeline (e.g., job_name contains ci_cd or pipeline) or those that match a specific test URL pattern used in development environments.
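The exclusions above can be applied as a triage step before hunt hits reach an analyst. The following Python is an added example, not part of the original page: the hit records, their enrichment fields (user, job_name, file_type, tags, source_ip) and the pipeline IP range are constructed assumptions rather than Sentinel schema, and suppressed hits are returned with their reason rather than discarded so the tuning stays auditable.

```python
"""Apply the page's false-positive exclusions to hunt hits (added example, not page code)."""
import ipaddress

# Constructed hits shaped like the columns the hunt queries project, plus
# enrichment fields an analyst or SOAR step would attach (all assumed).
HITS = [
    {"id": 1, "request_url": "http://222.142.243.253:48975/bin.sh", "user": "svc-iot-gw",
     "job_name": "", "file_type": "", "tags": [], "source_ip": "10.20.5.7"},
    {"id": 2, "request_url": "http://39.87.238.242:44751/i", "user": "security_audit",
     "job_name": "", "file_type": "", "tags": ["sandboxed_analysis"], "source_ip": "10.99.1.2"},
    {"id": 3, "request_url": "http://110.36.14.214:42252/i", "user": "jenkins",
     "job_name": "ci_cd-url-parser-tests", "file_type": "", "tags": [], "source_ip": "10.50.0.12"},
    {"id": 4, "request_url": "http://115.61.111.142:46490/i", "user": "archiver",
     "job_name": "", "file_type": "PDF", "tags": [], "source_ip": "10.60.0.3"},
    {"id": 5, "request_url": "http://112.238.38.241:48364/i", "user": "etl",
     "job_name": "nightly-load", "file_type": "", "tags": ["ingestion_pipeline"], "source_ip": "10.70.0.8"},
    {"id": 6, "request_url": "http://110.36.24.162:50006/i", "user": "jsmith",
     "job_name": "", "file_type": "", "tags": [], "source_ip": "10.20.5.9"},
]

# Assumed source range of the data ingestion pipeline (constructed for the example).
PIPELINE_RANGE = ipaddress.ip_network("10.70.0.0/24")


def exclusion_reason(hit: dict):
    """Return the label of the first page exclusion that fires, or None to escalate."""
    url = hit["request_url"].lower()
    if "urlhaus" in url:                      # URL shortener / validation testing
        return "urlhaus reference"
    if "ingestion_pipeline" in hit["tags"] or ipaddress.ip_address(hit["source_ip"]) in PIPELINE_RANGE:
        return "data ingestion pipeline"
    if hit["user"] == "security_audit" or "sandboxed_analysis" in hit["tags"]:
        return "sandboxed security audit"
    if hit["file_type"].upper() in ("PDF", "HTML"):  # URL embedded in an archived document
        return "embedded in archived document"
    job = hit["job_name"].lower()
    if "ci_cd" in job or "pipeline" in job:
        return "CI/CD pipeline"
    return None


def triage(hits):
    """Split hits into (escalate, suppressed); each entry is (id, reason)."""
    escalate, suppressed = [], []
    for h in hits:
        reason = exclusion_reason(h)
        (suppressed if reason else escalate).append((h["id"], reason))
    return escalate, suppressed


if __name__ == "__main__":
    esc, sup = triage(HITS)
    print("escalate:", [i for i, _ in esc])
    for hit_id, reason in sup:
        print(f"suppressed hit {hit_id}: {reason}")
```

Each exclusion keys on an explicit marker (a tag, a service account, a job name, a source range) rather than on the URL alone, so a production host that fetches bin.sh from one of these addresses is never hidden by a rule meant for the sandbox or the build farm. Review the suppressed list periodically: an exclusion that fires far more often than the activity it was written for usually means the marker has become too broad.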