The hunt hypothesis is that an adversary uses the Mozi malware distribution URLs listed below to compromise endpoints and exfiltrate data. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential breaches before lateral movement and data theft occur.
IOC Summary

Threat: Mozi
Total URLs: 5
Active URLs: 5

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://110.36.1.80:60125/i | online | malware_download | 2026-05-12 |
| hxxp://110.36.1.80:60125/bin.sh | online | malware_download | 2026-05-12 |
| hxxp://182.112.36.145:56455/i | online | malware_download | 2026-05-12 |
| hxxp://61.158.158.24:41734/i | online | malware_download | 2026-05-12 |
| hxxp://61.158.158.24:41734/bin.sh | online | malware_download | 2026-05-12 |
```kusto
// Hunt for DNS activity involving the URLhaus-listed Mozi hosts.
// The IOCs are bare IP addresses, so match them against both the queried
// name and the resolved addresses; a name lookup alone would never match an IP.
// Threat: Mozi
let malicious_domains = dynamic(["110.36.1.80", "61.158.158.24", "182.112.36.145"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web/proxy/firewall traffic to the URLhaus-listed Mozi hosts.
// Check the requested URL, the destination host name and the destination IP,
// since CommonSecurityLog sources do not always populate all three.
// Threat: Mozi
let malicious_domains = dynamic(["110.36.1.80", "61.158.158.24", "182.112.36.145"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
    or DestinationIP has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Legitimate system update or patching process using a URLhaus-listed URL
Filter/Exclusion: Exclude URLs associated with known system update mechanisms (e.g., windowsupdate.microsoft.com, updates.microsoft.com) or use a filter like url contains "windowsupdate" or url contains "microsoft.com".
Scenario: Scheduled job for endpoint protection software (e.g., CrowdStrike, SentinelOne) downloading signature updates
Filter/Exclusion: Exclude URLs that match known vendor update domains (e.g., crowdstrike.com, sentinelone.com) using a filter like url contains "crowdstrike" or url contains "sentinelone".
Scenario: Admin task for deploying a legitimate security tool (e.g., Microsoft Defender ATP, CrowdStrike Falcon) via a script or configuration management tool (e.g., Ansible, Puppet)
Filter/Exclusion: Exclude URLs that match known deployment URLs for security tools (e.g., defenderatp.microsoft.com, falcon.crowdstrike.com) using a filter like url contains "defenderatp" or url contains "falcon".
Scenario: User accessing a phishing simulation URL from a security awareness training platform (e.g., KnowBe4, PhishMe)
Filter/Exclusion: Exclude URLs that match known training platforms (e.g., knowbe4.com, phishme.com) using a filter like url contains "knowbe4" or url contains "phishme".
Scenario: Internal tool or script that uses a URLhaus-listed URL for testing or development purposes
Filter/Exclusion: Exclude URLs that are part of internal development or testing environments (e.g., dev.example.com, test.example.com) using a filter like url contains "dev" or `url contains ”
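As an added example (not part of the original hunt content), the query below combines the two hunts above into one result set and applies the false-positive scenarios as a hostname allowlist, so an analyst triages one table instead of two. The allowlist values are taken from the scenarios; `parse_url`, `union` and the DnsEvents/CommonSecurityLog column names are standard Sentinel schema, and the summarize columns are assumed names chosen for this example.

```kusto
// Added example: combined Mozi hunt across DnsEvents and CommonSecurityLog
// with the false-positive exclusions applied as an allowlist.
let mozi_hosts = dynamic(["110.36.1.80", "61.158.158.24", "182.112.36.145"]);
// Hosts from the false-positive scenarios above (assumed allowlist values)
let allowed_hosts = dynamic([
    "windowsupdate.microsoft.com", "updates.microsoft.com",
    "crowdstrike.com", "sentinelone.com",
    "defenderatp.microsoft.com", "falcon.crowdstrike.com",
    "knowbe4.com", "phishme.com"]);
// DNS side: queried name or resolved address matches a Mozi host
let dns_hits = DnsEvents
    | where Name has_any (mozi_hosts) or IPAddresses has_any (mozi_hosts)
    | extend Host = Name, Source = Computer, Url = "", Action = "", Evidence = "DnsEvents";
// Web side: derive one Host value, preferring the logged host name,
// then the host part of the URL, then the destination IP
let web_hits = CommonSecurityLog
    | extend Host = iff(isnotempty(DestinationHostName), DestinationHostName,
                     iff(isnotempty(RequestURL), tostring(parse_url(RequestURL).Host), DestinationIP))
    | where Host has_any (mozi_hosts) or RequestURL has_any (mozi_hosts)
    | extend Source = SourceIP, Url = RequestURL, Action = DeviceAction, Evidence = "CommonSecurityLog";
union dns_hits, web_hits
// Drop hosts that the false-positive scenarios mark as legitimate
| where not(Host has_any (allowed_hosts))
// Flag the two downloader paths seen in the IOC table (/i and /bin.sh)
| extend KnownDownloaderPath = Url endswith "/i" or Url endswith "/bin.sh"
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
            Hits = count(), Urls = make_set(Url, 10), Actions = make_set(Action, 10),
            DownloaderPathSeen = max(KnownDownloaderPath)
    by Source, Host, Evidence
| order by LastSeen desc
```

Rows with `DownloaderPathSeen == true` and an allowing `Actions` value (for example a proxy "allow") are the ones to escalate first, since they indicate the payload fetch itself rather than only a lookup.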