The hypothesis is that the detected URLs are associated with the Mozi malware, which is used for command and control communication, indicating potential compromise of endpoints. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate early-stage malware infections before they cause significant damage.
IOC Summary
Threat: Mozi
Total URLs: 7
Active URLs: 7
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://42.227.1.83:55217/i | online | malware_download | 2026-05-21 |
| hxxp://42.227.1.83:55217/bin.sh | online | malware_download | 2026-05-21 |
| hxxp://115.50.42.144:58734/i | online | malware_download | 2026-05-21 |
| hxxp://182.113.44.25:49108/bin.sh | online | malware_download | 2026-05-21 |
| hxxp://182.117.1.235:38536/i | online | malware_download | 2026-05-21 |
| hxxp://182.117.1.235:38536/bin.sh | online | malware_download | 2026-05-21 |
| hxxp://27.215.84.140:51108/i | online | malware_download | 2026-05-21 |
```kusto
// Hunt for DNS activity involving the URLhaus-listed Mozi hosts
// Threat: Mozi
// The indicators are bare IP addresses, so they will normally appear in the
// resolved-address column (IPAddresses) rather than in the queried name.
let malicious_ips = dynamic(["182.113.44.25", "115.50.42.144", "182.117.1.235", "27.215.84.140", "42.227.1.83"]);
DnsEvents
| where IPAddresses has_any (malicious_ips) or Name has_any (malicious_ips)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
```
```kusto
// Hunt for web/proxy traffic to the URLhaus-listed Mozi hosts
// Threat: Mozi
// Match on the destination IP as well as the URL and host name, since the
// indicators are IP addresses and not every device populates RequestURL.
let malicious_ips = dynamic(["182.113.44.25", "115.50.42.144", "182.117.1.235", "27.215.84.140", "42.227.1.83"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips)
    or RequestURL has_any (malicious_ips)
    or DestinationHostName has_any (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Legitimate system update via URLhaus-listed URL
Description: A system update or patch is being downloaded from a URL that is mistakenly listed in URLhaus due to a false positive.
Filter/Exclusion: Exclude URLs whose host matches a known enterprise update server (e.g., https://download.microsoft.com, https://releases.ubuntu.com). Match on the host component rather than on an arbitrary substring, so that a look-alike host containing the same string is not excluded with it.
Example Filter: url contains "download.microsoft.com" or url contains "releases.ubuntu.com"
Scenario: Scheduled job detonating Mozi samples in a sandbox
Description: A security team runs a scheduled job that detonates Mozi samples in a sandbox environment; the sandbox itself then resolves or contacts the listed hosts and triggers the hunt.
Filter/Exclusion: Exclude traffic originating from internal security analysis tools (e.g., Cuckoo Sandbox, Joe Sandbox).
Example Filter: source_ip in ("10.10.10.10", "10.10.10.11") or process_name contains "cuckoo"
Scenario: Admin task to download threat intelligence feeds
Description: An admin downloads a threat intelligence feed from a URL that is incorrectly flagged as Mozi-related.
Filter/Exclusion: Exclude URLs whose host belongs to a known threat intelligence platform (e.g., https://urlhaus.abuse.ch, https://threatintel.example.com).
Example Filter: url contains "urlhaus.abuse.ch" or url contains "threatintel.example.com"
Scenario: Internal tool for generating test URLs for red team exercises
Description: A red team or security team uses an internal tool to generate test URLs for penetration testing, which may resemble Mozi URLs.
Filter/Exclusion: Exclude URLs that match internal test domains (e.g., https://test-url-01.internal, https://redteam.example.com).
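As an added example that is not part of the original report, the following KQL combines the two hunts above into one query and applies the exclusions described in these scenarios. The sandbox source IPs and the allowlisted hosts are placeholders taken from the scenario text and must be replaced with the environment's own values.

```kusto
// Added example (not from the original report): combined Mozi hunt with
// the false-positive exclusions applied, summarised per host.
let mozi_ips = dynamic(["42.227.1.83", "115.50.42.144", "182.113.44.25", "182.117.1.235", "27.215.84.140"]);
// Placeholders: internal sandbox / analysis hosts from the scenario above
let sandbox_sources = dynamic(["10.10.10.10", "10.10.10.11"]);
// Placeholders: update servers and TI platforms that should not raise a hit
let allowlisted_hosts = dynamic(["download.microsoft.com", "releases.ubuntu.com", "urlhaus.abuse.ch"]);
let lookback = 7d;
// Proxy / firewall traffic towards the listed hosts
let web_hits = CommonSecurityLog
    | where TimeGenerated > ago(lookback)
    | where DestinationIP in (mozi_ips)
        or RequestURL has_any (mozi_ips)
        or DestinationHostName has_any (mozi_ips)
    // Drop the sandbox and any allowlisted update / TI host
    | where SourceIP !in (sandbox_sources)
    | where not(RequestURL has_any (allowlisted_hosts))
    | project TimeGenerated,
              Host = SourceIP,
              Indicator = coalesce(RequestURL, DestinationIP),
              Source = "CommonSecurityLog",
              Action = DeviceAction;
// DNS answers that returned one of the listed addresses
let dns_hits = DnsEvents
    | where TimeGenerated > ago(lookback)
    | where IPAddresses has_any (mozi_ips)
    | where ClientIP !in (sandbox_sources)
    | project TimeGenerated,
              Host = Computer,
              Indicator = Name,
              Source = "DnsEvents",
              Action = "resolved";
union web_hits, dns_hits
| summarize FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            Hits = count(),
            Indicators = make_set(Indicator),
            Actions = make_set(Action)
    by Host, Source
| order by Hits desc
```

A host that appears in both sources, or whose Actions set contains an allow verdict from the proxy, is the first candidate for triage.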