The hypothesis is that the detected URLs are associated with the Mozi malware family, which is used to deliver payloads and establish command and control channels. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential malware infections and exfiltration activities early.
IOC Summary
Threat: Mozi
Total URLs: 3
Active URLs: 3

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://125.42.68.80:41618/i | online | malware_download | 2026-05-06 |
| hxxp://61.53.98.111:36947/bin.sh | online | malware_download | 2026-05-06 |
| hxxp://119.185.240.16:41733/i | online | malware_download | 2026-05-06 |
```kql
// Hunt for DNS resolution of URLhaus malicious hosts
// Threat: Mozi
// The IOCs are bare IP addresses, so a client will rarely query them by name;
// check the resolved answers (IPAddresses) as well as the queried Name.
let malicious_domains = dynamic(["125.42.68.80", "119.185.240.16", "61.53.98.111"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious hosts
// Threat: Mozi
// Match on DestinationIP too: firewall/proxy records often carry no RequestURL,
// and Mozi payload fetches use a bare IP and high port rather than a hostname.
let malicious_domains = dynamic(["125.42.68.80", "119.185.240.16", "61.53.98.111"]);
CommonSecurityLog
| where DestinationIP has_any (malicious_domains)
    or RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Legitimate URLhaus URL used in threat intelligence sharing
Description: A security team manually shares a URL from URLhaus as part of a threat intelligence update.
Filter/Exclusion: Exclude URLs that are manually added to the threat intelligence feed or tagged with a specific source identifier (e.g., source:threatintel).

Scenario: Scheduled job for malware sample analysis
Description: A scheduled job downloads malware samples from a repository that includes URLs tagged as Mozi.
Filter/Exclusion: Exclude URLs that are part of a known malware analysis pipeline (e.g., job_name:malware_analysis or tool:virustotal).

Scenario: Admin task to update endpoint protection definitions
Description: An admin updates endpoint protection definitions, which includes URLs from URLhaus as part of signature updates.
Filter/Exclusion: Exclude URLs that are part of a known signature update process (e.g., tool:bitdefender, tool:checkpoint, or task:update_signatures).

Scenario: Internal testing of a security tool
Description: A security tool is being tested internally, and a Mozi URL is used as part of a simulated attack scenario.
Filter/Exclusion: Exclude URLs that are part of internal testing environments (e.g., source:internal_test, tool:security_tool_testing).

Scenario: Legitimate use of a Mozi-related URL for research
Description: A security researcher uses a Mozi URL from URLhaus as part of a legitimate analysis or report.
Filter/Exclusion: Exclude URLs that are associated with research activities (e.g., user:researcher, tool:mitre_attack, source:research).
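The two hunt queries and the false-positive scenarios above can be folded into one query that parses the defanged URLhaus entries into IP and port, matches both DNS answers and proxy/firewall traffic, and drops hits from hosts that are expected to touch these URLs (sandboxes, detonation VMs, research workstations). This is an added example, not part of the original page or of any URLhaus or Sentinel content. It assumes the standard DnsEvents and CommonSecurityLog columns; the allowlist host names and the watchlist name MalwareAnalysisHosts are placeholders chosen for illustration.

```kql
// Added example (not from the original page).
// 1) Parse the defanged IOC list into host, port and path.
// 2) Match DNS answers and proxy/firewall records against the IPs.
// 3) Exclude hosts that legitimately contact these URLs (analysis pipeline,
//    internal testing, research), then summarise per source host.
let mozi_iocs = datatable(defanged_url:string) [
    "hxxp://125.42.68.80:41618/i",
    "hxxp://61.53.98.111:36947/bin.sh",
    "hxxp://119.185.240.16:41733/i"
];
// Re-fang the scheme so parse_url() can split host, port and path.
let mozi_hosts = mozi_iocs
    | extend parsed = parse_url(replace_string(defanged_url, "hxxp://", "http://"))
    | project ioc_ip = tostring(parsed.Host), ioc_port = toint(parsed.Port), ioc_path = tostring(parsed.Path);
let mozi_ips = toscalar(mozi_hosts | summarize make_list(ioc_ip));
// Placeholder allowlist (constructed values). In production keep this in a
// Sentinel watchlist and read it with _GetWatchlist('MalwareAnalysisHosts').
let analysis_hosts = dynamic(["sandbox01.lab.example", "detonate-vm02.lab.example"]);
// DNS: the IOCs are IPs, so expand the answer list and keep only IOC answers.
let dns_hits = DnsEvents
    | where IPAddresses has_any (mozi_ips) or Name has_any (mozi_ips)
    | mv-expand answer = split(IPAddresses, ",") to typeof(string)
    | extend ioc_ip = trim(" ", answer)
    | where ioc_ip in (mozi_ips)
    | project TimeGenerated, Host = Computer, SourceIP = ClientIP, ioc_ip,
              DestinationPort = int(null), Evidence = strcat("dns:", Name), Action = "resolved";
// Web/firewall: attribute each record to the specific IOC IP it matched.
let web_hits = CommonSecurityLog
    | where DestinationIP in (mozi_ips)
        or RequestURL has_any (mozi_ips)
        or DestinationHostName has_any (mozi_ips)
    | extend ioc_ip = mozi_ips
    | mv-expand ioc_ip to typeof(string)
    | where DestinationIP == ioc_ip or RequestURL has ioc_ip or DestinationHostName has ioc_ip
    | project TimeGenerated, Host = Computer, SourceIP, ioc_ip,
              DestinationPort, Evidence = strcat("url:", RequestURL), Action = DeviceAction;
union dns_hits, web_hits
| where Host !in (analysis_hosts)
| join kind=leftouter mozi_hosts on ioc_ip
// A connection to the exact IOC port is stronger evidence than a shared IP.
| extend port_match = Evidence startswith "dns:" or DestinationPort == ioc_port
| summarize hits = count(),
            first_seen = min(TimeGenerated),
            last_seen = max(TimeGenerated),
            ports = make_set(DestinationPort),
            evidence = make_set(Evidence, 5),
            actions = make_set(Action)
    by Host, SourceIP, ioc_ip, ioc_port, ioc_path, port_match
| order by last_seen desc
```

Rows with port_match == true and an Action that is not a block or deny are the ones to triage first: the host both reached the IOC address and did so on the port URLhaus recorded for the payload. Keeping the exclusion as a host allowlist rather than a free-text tag makes it auditable and avoids silently dropping a real infection on a production host that happens to share a tag value.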