Hypothesis: the URLs below are URLhaus-listed payload-hosting URLs for the Mozi IoT botnet. Every entry carries the status malware_download, and the paths (/bin.sh, /i, /Mozi.m) are the stager script and payload names Mozi drops onto a newly exploited device. Mozi is a peer-to-peer botnet that spreads over Telnet with weak or default credentials and through known router and DVR exploits; its command and control runs over a DHT-based peer network rather than over these URLs, and the payload is served by already-infected devices, which is why the hosts are bare IP addresses on random high ports instead of domains. An internal host that fetches one of these URLs has most likely just been exploited and is retrieving the second stage, so a single match is a strong indicator of a compromised device (typically an IoT or embedded system, not a workstation). SOC teams should hunt for these indicators in Microsoft Sentinel (formerly Azure Sentinel) to find the initial-access and payload-retrieval activity, then isolate and re-image or firmware-reset the affected device. Note that all matching below is on IP addresses: there is no domain to allowlist, so exclusions must be expressed in terms of the source host, not the destination.
IOC Summary

Threat: Mozi
Total URLs: 9
Active URLs: 8 (status online on the date added; the offline entry is retained for retrospective hunting)
URLs are shown defanged (hxxp:// for http://), as URLhaus publishes them.

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://110.37.87.108:51711/bin.sh | online | malware_download | 2026-05-19 |
| hxxp://125.40.81.168:55552/i | online | malware_download | 2026-05-19 |
| hxxp://125.42.236.160:60937/i | online | malware_download | 2026-05-19 |
| hxxp://219.157.13.123:37805/i | online | malware_download | 2026-05-19 |
| hxxp://110.39.233.163:54681/Mozi.m | offline | malware_download | 2026-05-19 |
| hxxp://125.42.236.160:60937/bin.sh | online | malware_download | 2026-05-19 |
| hxxp://219.157.13.123:37805/bin.sh | online | malware_download | 2026-05-19 |
| hxxp://110.36.80.170:41722/bin.sh | online | malware_download | 2026-05-19 |
| hxxp://110.39.255.227:39265/bin.sh | online | malware_download | 2026-05-19 |
```kusto
// Hunt for DNS answers that resolve to the URLhaus Mozi indicators.
// Threat: Mozi
// The IOCs are bare IPs, so match on the resolved addresses rather than the queried name.
// 110.39.233.163 was offline at publication but is kept for retrospective hunting.
let mozi_ips = dynamic(["110.36.80.170", "110.37.87.108", "110.39.233.163", "110.39.255.227", "125.40.81.168", "125.42.236.160", "219.157.13.123"]);
DnsEvents
| where IPAddresses has_any (mozi_ips)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for proxy / firewall traffic to the URLhaus Mozi indicators (CEF via CommonSecurityLog).
// Threat: Mozi
// DestinationIP is matched exactly; RequestURL and DestinationHostName catch IP-literal URLs.
// A denied DeviceAction still matters: the source host attempted to fetch a Mozi payload.
let mozi_ips = dynamic(["110.36.80.170", "110.37.87.108", "110.39.233.163", "110.39.255.227", "125.40.81.168", "125.42.236.160", "219.157.13.123"]);
CommonSecurityLog
| where DestinationIP in (mozi_ips)
    or RequestURL has_any (mozi_ips)
    or DestinationHostName has_any (mozi_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure the CEF data connector (Syslog / AMA) is enabled for your proxy or firewall |
| DnsEvents | Ensure the DNS data connector (Windows DNS servers) is enabled |
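The following Python script is an added example for this page, not URLhaus, Microsoft, or Sentinel code. It refangs the defanged URLs from the IOC table, derives the IP, port and path indicators, renders the de-duplicated IP set as the KQL dynamic() literal the hunt queries above use, and then replays the same matching rule (exact destination IP, or IOC IP inside the request URL) over a few constructed CommonSecurityLog-style records. The exclusion is keyed on the source address (an assumed analysis sandbox at 10.99.0.5), which is the only kind of allowlist that makes sense for bare IP:port indicators. The sample records and the sandbox address are constructed for the example.

```python
"""Refang the URLhaus Mozi IOCs, emit the KQL IP list, and replay the match
logic over constructed CommonSecurityLog-style records.

Added example for this page; not URLhaus, Microsoft or Sentinel code.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# IOC rows copied from the table above (defanged hxxp:// form, as URLhaus publishes them).
IOC_ROWS = [
    ("hxxp://110.37.87.108:51711/bin.sh", "online"),
    ("hxxp://125.40.81.168:55552/i", "online"),
    ("hxxp://125.42.236.160:60937/i", "online"),
    ("hxxp://219.157.13.123:37805/i", "online"),
    ("hxxp://110.39.233.163:54681/Mozi.m", "offline"),
    ("hxxp://125.42.236.160:60937/bin.sh", "online"),
    ("hxxp://219.157.13.123:37805/bin.sh", "online"),
    ("hxxp://110.36.80.170:41722/bin.sh", "online"),
    ("hxxp://110.39.255.227:39265/bin.sh", "online"),
]


def refang(url: str) -> str:
    """Undo the usual defanging (hxxp -> http, [.] -> ., [:] -> :) so urlsplit can parse it."""
    url = re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("[:]", ":")


def parse_iocs(rows):
    """Turn (defanged_url, status) rows into dicts with ip, port, path and status."""
    iocs = []
    for url, status in rows:
        parts = urlsplit(refang(url))
        ipaddress.ip_address(parts.hostname)  # every host in this set is a bare IP; fail loudly otherwise
        iocs.append({"ip": parts.hostname, "port": parts.port, "path": parts.path, "status": status})
    return iocs


def kql_ip_list(iocs) -> str:
    """Render the de-duplicated IP set as the KQL dynamic([...]) literal used by the hunt queries.
    Offline hosts are kept on purpose: a hit on one is still evidence of past activity."""
    ips = sorted({i["ip"] for i in iocs}, key=ipaddress.ip_address)
    return "dynamic([" + ", ".join(f'"{ip}"' for ip in ips) + "])"


def _ip_in_url(ip: str, url: str) -> bool:
    # Bounded match so 125.42.236.160 does not fire on 10.125.42.236.160.
    return re.search(rf"(?<![\d.]){re.escape(ip)}(?![\d.])", url) is not None


def match(record, iocs, exclude_sources=frozenset()):
    """Return the best IOC match for one log record, or None.

    Mirrors the KQL: exact DestinationIP match, or an IOC IP inside RequestURL.
    Exclusions are keyed on the *source* host (e.g. an analysis sandbox), not the
    destination, because these IOCs are bare IP:port URLs with no domain to allowlist.
    """
    if record.get("SourceIP") in exclude_sources:
        return None
    url = record.get("RequestURL") or ""
    best = None
    for ioc in iocs:
        if record.get("DestinationIP") != ioc["ip"] and not _ip_in_url(ioc["ip"], url):
            continue
        hit = {
            "ioc_ip": ioc["ip"],
            "port_match": record.get("DestinationPort") == ioc["port"],
            "path_match": bool(url) and urlsplit(url).path == ioc["path"],
            "status": ioc["status"],
        }
        # Prefer the IOC that also matches port and path (a full URL hit) over an IP-only hit.
        score = int(hit["port_match"]) + int(hit["path_match"])
        if best is None or score > best[0]:
            best = (score, hit)
    return best[1] if best else None


def hunt(records, iocs, exclude_sources=frozenset()):
    """Run match() over a batch; returns (record, hit) pairs for hits only."""
    return [(rec, h) for rec in records if (h := match(rec, iocs, exclude_sources))]


# Constructed sample records shaped like CommonSecurityLog rows (not real telemetry).
SAMPLE_LOGS = [
    {"SourceIP": "10.10.4.21", "DestinationIP": "125.42.236.160", "DestinationPort": 60937,
     "RequestURL": "http://125.42.236.160:60937/bin.sh", "DeviceAction": "allow"},  # full URL hit
    {"SourceIP": "10.10.4.22", "DestinationIP": "20.50.1.2", "DestinationPort": 443,
     "RequestURL": "https://update.microsoft.com/bin.sh", "DeviceAction": "allow"},  # file name only: no hit
    {"SourceIP": "10.99.0.5", "DestinationIP": "110.39.233.163", "DestinationPort": 54681,
     "RequestURL": "http://110.39.233.163:54681/Mozi.m", "DeviceAction": "deny"},   # sandbox source: excluded
    {"SourceIP": "10.10.4.23", "DestinationIP": "219.157.13.123", "DestinationPort": 23,
     "RequestURL": "", "DeviceAction": "deny"},                                      # IP-only hit, other port
]
SANDBOX_SOURCES = frozenset({"10.99.0.5"})  # assumed: an analysis VM that fetches samples on purpose

if __name__ == "__main__":
    iocs = parse_iocs(IOC_ROWS)
    print(kql_ip_list(iocs))
    for rec, hit in hunt(SAMPLE_LOGS, iocs, SANDBOX_SOURCES):
        print(rec["SourceIP"], "->", hit)
```

Run it to see the two hits: the full URL fetch from 10.10.4.21 (port and path both match, the highest-confidence case) and the IP-only hit from 10.10.4.23, which is worth a look even though the port differs, since Mozi nodes rotate payload ports. The trusted-domain download of a file called bin.sh never fires, which is the practical reason destination-domain allowlists add nothing to these IP-based hunts.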
Scenario: Scheduled System Update Job
Description: A scheduled patch job downloads a script or binary whose file name happens to match one of the IOC paths (bin.sh, i) from a trusted source such as Microsoft Update or an internal enterprise patch server. The queries above match on the IOC IP addresses, not on file names, so this traffic does not produce a hit; it only becomes a concern if the hunt is widened to match on URL paths.
Filter/Exclusion: Only when matching on path, exclude known update domains (update.microsoft.com, support.microsoft.com) and internal patch servers. Destination-domain exclusions have no effect on the IP-based queries and should not be added to them.
Scenario: Admin Task for Endpoint Protection Scan
Description: An endpoint protection or sandbox platform (e.g. Microsoft Defender for Endpoint, formerly Defender ATP, or CrowdStrike Falcon) detonates a submitted sample, or a URL reputation appliance fetches the IOC URL itself to verify it. The request to the Mozi host is deliberate, but it originates from the security tooling rather than from a victim.
Filter/Exclusion: Exclude by source (the SourceIP or Computer of the detonation or scanning appliance), not by destination; the vendor domains microsoft.com, crowdstrike.com and endpoint.microsoft.com never appear in the matched traffic.
Scenario: Internal DevOps Pipeline Artifact Download
Description: A DevOps pipeline (e.g. Jenkins, GitLab CI/CD, or Azure DevOps) pulls a dependency or artifact from a private registry that is addressed by IP on a high port with a path such as /bin.sh, which looks structurally like a Mozi URL. Because the registry IP is not in the IOC list, the IP-based queries do not fire; a path-based variant of the hunt would.
Filter/Exclusion: For path-based variants, exclude internal repositories and private registries (e.g. artifactory.internal.com, nexus.internal.com) and RFC 1918 destination ranges.
Scenario: User-Initiated File Download for Research
Description: A security researcher or analyst investigating the indicators on VirusTotal or AlienVault OTX, and then fetches the payload directly from the Mozi host for sandboxing. Traffic to the research platforms does not match, but the direct fetch from the analyst workstation is a genuine hit that must be distinguished from an infection.
Filter/Exclusion: Exclude the analysis network or sandbox hosts by source address, and confirm with the analyst that the fetch was deliberate. Excluding virustotal.com, otx.alienvault.com or malwarebytes.com as destinations has no effect on these queries.
Scenario: Email Client Accessing Public Web Content
Description: An email client (e.g., Microsoft Outlook, Thunderbird) accesses a public website or service (e.g.,