The hypothesis is that the detected URLs are associated with the Mozi malware family, which is used to deliver payloads and establish command and control channels. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential compromises before lateral movement and data exfiltration occur.
## IOC Summary

Threat: Mozi. Total URLs: 4. Active URLs: 4. (URLs below are defanged with `hxxp://`.)
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://27.215.178.100:35564/i | online | malware_download | 2026-05-17 |
| hxxp://61.52.83.67:36814/i | online | malware_download | 2026-05-17 |
| hxxp://115.59.17.43:52271/i | online | malware_download | 2026-05-17 |
| hxxp://115.59.17.43:52271/bin.sh | online | malware_download | 2026-05-17 |
The two hunts below are separate KQL queries; run each on its own, since a single Kusto query can end in only one tabular expression. The indicators are raw IP addresses rather than domains, so the DNS hunt checks both the queried name and the resolved addresses, and the web-traffic hunt also checks the destination IP column.

```kusto
// Hunt 1: DNS telemetry referencing URLhaus indicators
// Threat: Mozi
let malicious_ips = dynamic(["27.215.178.100", "115.59.17.43", "61.52.83.67"]);
DnsEvents
// Name catches literal-IP lookups; IPAddresses catches names that resolved to the indicator IPs
| where Name has_any (malicious_ips) or IPAddresses has_any (malicious_ips)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt 2: web/proxy/firewall traffic to URLhaus indicators
// Threat: Mozi
let malicious_ips = dynamic(["27.215.178.100", "115.59.17.43", "61.52.83.67"]);
CommonSecurityLog
| where RequestURL has_any (malicious_ips)
    or DestinationHostName has_any (malicious_ips)
    or DestinationIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Known false-positive scenarios and the exclusion to apply for each:

- Scenario: A system administrator is manually testing a new URL shortener service by accessing a Mozi-related URL for validation purposes.
  Filter/Exclusion: Exclude URLs containing the string `test-url-shortener` or `internal-validation`.
- Scenario: A scheduled job runs a script that downloads a Mozi-related URL as part of a malware analysis workflow to inspect the payload in a sandboxed environment.
  Filter/Exclusion: Exclude URLs that match the domain `sandbox.analysis.example.com` or contain the keyword `sandboxed`.
- Scenario: A user is accessing a legitimate phishing training page that uses a Mozi-related URL as part of a simulated attack scenario.
  Filter/Exclusion: Exclude URLs that include the query parameter `?training=true` or match the domain `phishing-training.example.com`.
- Scenario: A security tool such as OSSEC or CrowdStrike is configured to fetch updates from a Mozi-related URL as part of its signature database synchronization.
  Filter/Exclusion: Exclude URLs that match the domain `signature-updates.example.com` or contain the path `/update/signatures`.
- Scenario: A DevOps engineer is deploying a CI/CD pipeline and accesses a Mozi-related URL to fetch a pre-signed S3 bucket URL for artifact distribution.
  Filter/Exclusion: Exclude URLs that include the string `aws-s3-artifact` or match the domain `ci-cd-artifact.example.com`.
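The following Python script is an added example (not part of the original page or of Sentinel) that ties the two hunts and the exclusion list together offline: it re-fangs the four URLhaus entries from the table, splits each into host, port and path, scans a small set of constructed proxy log lines, applies the exclusion markers from the scenarios above, and reports whether a hit matched the full URL (host, port and path) or only the indicator IP. The distinction matters because the page's KQL matches on IP alone, which also flags traffic to other ports or paths on the same host; the log format (`timestamp src=... url=... action=...`) and every log line are constructed for this example.

```python
"""Offline IOC matcher for the Mozi URLhaus indicators on this page (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlsplit

# Indicators exactly as published in the IOC table (defanged).
DEFANGED_IOCS = [
    "hxxp://27.215.178.100:35564/i",
    "hxxp://61.52.83.67:36814/i",
    "hxxp://115.59.17.43:52271/i",
    "hxxp://115.59.17.43:52271/bin.sh",
]

# Exclusion markers taken from the false-positive scenarios above.
EXCLUDED_HOSTS = {
    "sandbox.analysis.example.com",
    "phishing-training.example.com",
    "signature-updates.example.com",
    "ci-cd-artifact.example.com",
}
EXCLUDED_URL_SUBSTRINGS = (
    "test-url-shortener", "internal-validation", "sandboxed",
    "training=true", "/update/signatures", "aws-s3-artifact",
)


@dataclass(frozen=True)
class Indicator:
    host: str
    port: int
    path: str


@dataclass(frozen=True)
class Hit:
    timestamp: str
    source: str
    url: str
    indicator: Indicator
    match: str  # "url" = host+port+path matched, "host" = indicator IP only


def refang(url: str) -> str:
    """Undo the defanging conventions used by IOC feeds (hxxp, [.], [:])."""
    return (url.replace("hxxp://", "http://").replace("hxxps://", "https://")
               .replace("[.]", ".").replace("[:]", ":"))


def split_url(url: str) -> tuple[str, int, str]:
    parts = urlsplit(url)
    default_port = 443 if parts.scheme == "https" else 80
    return parts.hostname or "", parts.port or default_port, parts.path or "/"


def parse_indicator(defanged: str) -> Indicator:
    return Indicator(*split_url(refang(defanged)))


INDICATORS = [parse_indicator(u) for u in DEFANGED_IOCS]


def classify(url: str) -> tuple[Indicator, str] | None:
    """Prefer a full URL match; fall back to an IP-only (infrastructure) match."""
    host, port, path = split_url(url)
    host_only = None
    for ind in INDICATORS:
        if ind.host != host:
            continue
        if ind.port == port and ind.path == path:
            return ind, "url"
        host_only = host_only or (ind, "host")
    return host_only


def is_excluded(url: str) -> bool:
    """Apply the documented false-positive exclusions (host allowlist + URL markers)."""
    host, _, _ = split_url(url)
    return host in EXCLUDED_HOSTS or any(m in url for m in EXCLUDED_URL_SUBSTRINGS)


def parse_line(line: str) -> tuple[str, dict[str, str]]:
    """Constructed log format: '<timestamp> key=value key=value ...' (no spaces in values)."""
    ts, *rest = line.split()
    return ts, dict(kv.split("=", 1) for kv in rest if "=" in kv)


def hunt(lines: list[str]) -> list[Hit]:
    hits = []
    for line in lines:
        ts, fields = parse_line(line)
        url = fields.get("url")
        if not url or is_excluded(url):
            continue
        found = classify(url)
        if found:
            hits.append(Hit(ts, fields.get("src", "?"), url, *found))
    return hits


# Constructed sample proxy log: two full matches, one IP-only match, two excluded, one benign.
SAMPLE_LOG = """
2026-05-17T10:02:11Z src=10.0.0.5 url=http://27.215.178.100:35564/i action=allow
2026-05-17T10:02:13Z src=10.0.0.5 url=http://115.59.17.43:52271/bin.sh action=block
2026-05-17T10:05:40Z src=10.0.0.9 url=http://115.59.17.43:8080/index.html action=allow
2026-05-17T10:07:02Z src=10.0.0.12 url=http://61.52.83.67:36814/i?training=true action=allow
2026-05-17T10:09:30Z src=10.0.0.7 url=https://updates.example.com/update/signatures action=allow
2026-05-17T10:11:15Z src=10.0.0.3 url=https://www.example.com/ action=allow
""".strip().splitlines()

if __name__ == "__main__":
    for h in hunt(SAMPLE_LOG):
        print(f"{h.timestamp} {h.source} {h.match:4} {h.url}  <- {h.indicator.host}:{h.indicator.port}{h.indicator.path}")
```

Hits tagged `url` are worth triaging first; `host` hits show the same infrastructure on a different port or path and usually warrant a look at the source host's other connections rather than an automatic block. Exclusions are applied before matching, exactly as the scenario list prescribes, so a training URL that embeds a Mozi indicator is dropped rather than raised.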