The detection identifies potential phishing attempts where adversaries use malicious URLs listed on URLhaus to deliver the Mozi backdoor, enabling remote command execution and data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate early-stage espionage and persistent access threats.
**IOC Summary**

Threat: Mozi
Total URLs: 3
Active URLs: 3

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://110.37.59.132:42863/bin.sh | online | malware_download | 2026-05-07 |
| hxxp://59.96.136.163:59229/bin.sh | online | malware_download | 2026-05-07 |
| hxxp://59.180.160.78:44053/bin.sh | online | malware_download | 2026-05-07 |
```kql
// Hunt for DNS activity involving the URLhaus-listed Mozi hosts
// Threat: Mozi
// The IOCs are bare IP addresses, so they will never appear as the queried Name;
// the resolved-address column (IPAddresses) is matched as well so that lookups
// which resolved to one of these hosts are caught.
let malicious_hosts = dynamic(["110.37.59.132", "59.180.160.78", "59.96.136.163"]);
DnsEvents
| where Name has_any (malicious_hosts) or IPAddresses has_any (malicious_hosts)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```
```kql
// Hunt for web traffic to the URLhaus-listed Mozi hosts
// Threat: Mozi
// DestinationIP is matched in addition to the URL and hostname fields, since
// proxy/firewall events for a direct-to-IP download may carry no RequestURL.
let malicious_hosts = dynamic(["110.37.59.132", "59.180.160.78", "59.96.136.163"]);
CommonSecurityLog
| where RequestURL has_any (malicious_hosts)
    or DestinationHostName has_any (malicious_hosts)
    or DestinationIP in (malicious_hosts)
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
**Scenario:** Legitimate URL Shortening Service Usage
**Description:** Employees use URL shortening services such as Bitly or TinyURL for internal documentation or shared links.
**Filter/Exclusion:** Exclude URLs that match known shortening services (e.g., bit.ly, tinyurl.com) using a regex pattern or a custom list in the SIEM.
**Example Filter:** `url contains "bit.ly" or url contains "tinyurl.com"`

**Scenario:** Scheduled System Maintenance Tasks
**Description:** Automated maintenance tasks (e.g., via Ansible or Puppet) may generate URLs for remote script execution or asset updates.
**Filter/Exclusion:** Exclude URLs that match known internal maintenance endpoints (e.g., internal-mgmt.example.com/update) using a custom list or IP allowlisting.
**Example Filter:** `ip src in 10.0.0.0/24 and url contains "update"`

**Scenario:** Internal Monitoring and Logging Tools
**Description:** Tools such as Splunk or the ELK Stack may use internal URLs for data ingestion or dashboard access.
**Filter/Exclusion:** Exclude URLs that match internal monitoring endpoints (e.g., splunk.example.com:8088, kibana.example.com) using a custom list or IP allowlisting.
**Example Filter:** `url contains "splunk.example.com" or url contains "kibana.example.com"`

**Scenario:** Email Marketing Campaigns with Embedded Links
**Description:** Marketing teams use platforms such as Mailchimp or HubSpot to send campaigns with embedded URLs.
**Filter/Exclusion:** Exclude URLs that match known marketing domains (e.g., mailchimp.com, hubspot.com) using a custom list or domain allowlisting.
**Example Filter:** `url contains "mailchimp.com" or url contains "hubspot.com"`
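As an added example, not part of the original hunting content, the following KQL ties the web-traffic hunt above to the false-positive scenarios. It parses `RequestURL` so the match is made on host and port (the URLhaus entries each carry a distinct high port) rather than on the bare IP, and it applies the scenario exclusions as an allowlist before matching. The allowlist hostnames and the 10.0.0.0/24 range are the placeholder values from the scenarios, to be replaced with an organization's own lists; the column names are those of the `CommonSecurityLog` schema.

```kql
// Added example: host+port IOC match over CommonSecurityLog with the
// scenario allowlists applied. IOC values are the three URLhaus entries above.
let mozi_iocs = datatable(Host:string, Port:int, Path:string) [
    "110.37.59.132", 42863, "/bin.sh",
    "59.96.136.163", 59229, "/bin.sh",
    "59.180.160.78", 44053, "/bin.sh"
];
// Placeholder allowlist built from the false-positive scenarios
let allowed_hosts = dynamic([
    "bit.ly", "tinyurl.com",
    "internal-mgmt.example.com",
    "splunk.example.com", "kibana.example.com",
    "mailchimp.com", "hubspot.com"
]);
// Placeholder internal maintenance subnet from the scheduled-maintenance scenario
let maintenance_range = "10.0.0.0/24";
CommonSecurityLog
| where isnotempty(RequestURL)
| extend ParsedUrl = parse_url(RequestURL)
| extend UrlHost = tostring(ParsedUrl.Host),
         UrlPort = toint(ParsedUrl.Port),
         UrlPath = tostring(ParsedUrl.Path)
// Drop the documented benign sources before matching IOCs
| where not(UrlHost has_any (allowed_hosts))
| where not(ipv4_is_in_range(SourceIP, maintenance_range) and UrlPath has "update")
// Join on host AND port so a shared IP seen on another port does not fire
| join kind=inner mozi_iocs on $left.UrlHost == $right.Host and $left.UrlPort == $right.Port
| extend PathMatchesIoc = (UrlPath == Path)
| project TimeGenerated, SourceIP, SourceHostName, RequestURL, UrlPath, PathMatchesIoc, DeviceAction, Activity
| order by TimeGenerated desc
```

`PathMatchesIoc` is carried for triage rather than used as a filter: a hit on the listed host and port with a different path (a second-stage fetch from the same dropper) is still worth reviewing, while an exact `/bin.sh` match is the strongest signal. Rows where `DeviceAction` shows the proxy blocked the request still indicate a host that attempted the download and should be examined.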