This hunt hypothesis looks for hosts that contact the Mozi malware URLs listed in URLhaus; these URLs are known to serve the initial payload (initial compromise) and to carry command and control communication. SOC teams should proactively hunt for this activity in Azure Sentinel so that infected hosts are identified and contained before the malware spreads laterally within the environment.
IOC Summary

Threat: Mozi
Total URLs: 6
Active URLs: 6
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://115.49.127.70:33012/i | online | malware_download | 2026-05-18 |
| hxxp://115.49.127.70:33012/bin.sh | online | malware_download | 2026-05-18 |
| hxxp://219.157.48.149:37122/i | online | malware_download | 2026-05-18 |
| hxxp://110.36.28.230:54129/bin.sh | online | malware_download | 2026-05-18 |
| hxxp://115.63.51.21:42792/i | online | malware_download | 2026-05-18 |
| hxxp://123.8.44.208:42192/i | online | malware_download | 2026-05-18 |
```kusto
// Hunt for DNS activity involving URLhaus malicious hosts
// Threat: Mozi
// The URLhaus entries for this threat are raw IP addresses, so the resolved
// addresses (IPAddresses) are checked as well as the queried name; a lookup
// name will rarely contain a literal IP.
let malicious_domains = dynamic(["115.49.127.70", "110.36.28.230", "123.8.44.208", "115.63.51.21", "219.157.48.149"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```
```kusto
// Hunt for web traffic to URLhaus malicious hosts
// Threat: Mozi
let malicious_domains = dynamic(["115.49.127.70", "110.36.28.230", "123.8.44.208", "115.63.51.21", "219.157.48.149"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
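The queries above match on host only. Because every URLhaus row for this threat carries an explicit port, the hunt can be tightened to host and port. The following added example (not part of the original hunt, and not an URLhaus or Sentinel tool) refangs the six IOC URLs from the table, extracts the host:port pairs, checks a proxy RequestURL against them, and generates an equivalent CommonSecurityLog query that joins on both fields via parse_url(); the function names and the datatable join are this example's own construction.

```python
"""Build a Sentinel KQL hunt from URLhaus IOC rows.

Added example, not the page's own query. The six defanged (hxxp://) URLs below
are copied from the page's Mozi IOC table; the function names and the datatable
join are this example's own construction.
"""
import re
from urllib.parse import urlsplit

IOC_ROWS = [
    "hxxp://115.49.127.70:33012/i",
    "hxxp://115.49.127.70:33012/bin.sh",
    "hxxp://219.157.48.149:37122/i",
    "hxxp://110.36.28.230:54129/bin.sh",
    "hxxp://115.63.51.21:42792/i",
    "hxxp://123.8.44.208:42192/i",
]

def refang(url: str) -> str:
    """URLhaus publishes defanged 'hxxp' schemes; restore them so urlsplit works."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)

def parse_ioc(url: str) -> tuple[str, int, str]:
    """Return (host, port, path); the port defaults from the scheme."""
    parts = urlsplit(refang(url))
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.hostname, port, parts.path

def ioc_endpoints(rows):
    """Distinct host:port pairs; two URLs on one endpoint collapse to one row."""
    return {parse_ioc(u)[:2] for u in rows}

def matches_ioc(request_url: str, rows=IOC_ROWS) -> bool:
    """True when a proxy RequestURL hits an IOC host on the IOC port."""
    host, port, _ = parse_ioc(request_url)
    return (host, port) in ioc_endpoints(rows)

def build_kql(rows=IOC_ROWS) -> str:
    """Emit a CommonSecurityLog hunt joining on host AND port via parse_url()."""
    table = ",\n".join(f'    "{h}", {p}' for h, p in sorted(ioc_endpoints(rows)))
    return (
        "let mozi_iocs = datatable(host:string, port:int) [\n" + table + "\n];\n"
        "CommonSecurityLog\n"
        "| where isnotempty(RequestURL)\n"
        "| extend u = parse_url(RequestURL)\n"
        "| extend host = tostring(u.Host), port = toint(u.Port)\n"
        "| join kind=inner mozi_iocs on host, port\n"
        "| project TimeGenerated, SourceIP, RequestURL, DeviceAction\n"
        "| order by TimeGenerated desc"
    )
```

Paste the output of build_kql() into the Sentinel query editor; a request to the IOC host on a different port, or to a different path on the IOC port, is judged by the host:port pair only.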
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Known false-positive scenarios and suggested exclusions:

- Scenario: A system administrator is manually testing a URL shortener service (e.g., Bitly) to verify link expiration or redirect behavior.
  - Filter/Exclusion: Exclude URLs containing bitly.com or shortened-links in the domain field.
- Scenario: A scheduled job runs a script to fetch and validate URLs from a third-party API (e.g., Google Search Console) for analytics or reporting purposes.
  - Filter/Exclusion: Exclude URLs that match the domain of the API service (e.g., searchconsole.google.com) or include api in the path.
- Scenario: An enterprise uses a tool like Microsoft Defender for Endpoint to automatically submit suspicious URLs for analysis, which are then flagged by the URLhaus integration.
  - Filter/Exclusion: Exclude URLs that originate from the Microsoft Defender for Endpoint submission endpoint (e.g., submit.microsoft.com).
- Scenario: A DevOps team uses Ansible to automate the deployment of configuration files, which include URLs pointing to internal documentation or artifact repositories.
  - Filter/Exclusion: Exclude URLs that match internal domain names (e.g., internal-docs.corp.example.com) or contain ansible in the path.
- Scenario: A security team uses Splunk to monitor and analyze network traffic, and during a manual investigation they input a known benign URL into the system for testing.
  - Filter/Exclusion: Exclude URLs that match known internal Splunk tools or test environments (e.g., splunk.com, test.splunk.com).