← Back to SOC feed Coverage →

ThreatFox: ClearFake IOCs

ioc-hunt HIGH ThreatFox
DnsEventsUrlClickEvents
iocjs-clearfakethreatfox
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at ThreatFox →
Retrieved: 2026-06-17T23:00:00Z · Confidence: high

Hunt Hypothesis

The ThreatFox: ClearFake IOCs rule detects potential adversary activity linked to the ClearFake malware, which is associated with credential theft and lateral movement. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage attacks that could compromise sensitive data and network integrity.

IOC Summary

Malware Family: ClearFake Total IOCs: 25 IOC Types: domain, url

TypeValueThreat TypeFirst SeenConfidence
domaingorgbetkade.compayload_delivery2026-06-17100%
domainh0cbv92p.golfbetkade.compayload_delivery2026-06-17100%
domaingolfbetkade.compayload_delivery2026-06-17100%
domainh2vkq89b.angizeshfarahani.storepayload_delivery2026-06-17100%
domainfazbetkade.compayload_delivery2026-06-17100%
domainenfejwin.compayload_delivery2026-06-17100%
domain1ycpksxw.hugugmadani6.xyzpayload_delivery2026-06-17100%
domainj7n7i2dx.enfej.winpayload_delivery2026-06-17100%
urlhxxps://cdn.jsdelivr.net/gh/vitiapig/lang-28/robotpayload_delivery2026-06-17100%
domainzaminshenasi.shoppayload_delivery2026-06-17100%
urlhxxps://cdn.jsdelivr.net/gh/vitiapig/api-bd7dff3f-84b7-4bbb-a8e1-7be98555d879/jspayload_delivery2026-06-17100%
domain429jq7cf.ravanshenasi.xyzpayload_delivery2026-06-17100%
domainbvsfuyvu.leaguejazire.compayload_delivery2026-06-17100%
domainugygn.shartmag.betpayload_delivery2026-06-17100%
domainuwso33yr.riyazinikokar.xyzpayload_delivery2026-06-17100%
domaincjbbdtba.maharatmodiran.xyzpayload_delivery2026-06-17100%
domainvprhcxyu.masirpayambari.xyzpayload_delivery2026-06-17100%
domainqgkzqew.azmoonzare.onlinepayload_delivery2026-06-17100%
domainzyiirlrr.tarikhravannovin.shoppayload_delivery2026-06-17100%
domainnc45aae1.tractor11.compayload_delivery2026-06-17100%
domainysulmnsc.sanjeshravani.shoppayload_delivery2026-06-17100%
domainjwouoops.sakhtemandade.shoppayload_delivery2026-06-17100%
domainhzvho.shartbandifootballkade.onlinepayload_delivery2026-06-17100%
domainpvxvwrfu.sadreislam.xyzpayload_delivery2026-06-17100%
domainbchvsotq.questionsmotor.xyzpayload_delivery2026-06-17100%

KQL: Domain Hunt

// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - ClearFake
let malicious_domains = dynamic(["gorgbetkade.com", "h0cbv92p.golfbetkade.com", "golfbetkade.com", "h2vkq89b.angizeshfarahani.store", "fazbetkade.com", "enfejwin.com", "1ycpksxw.hugugmadani6.xyz", "j7n7i2dx.enfej.win", "zaminshenasi.shop", "429jq7cf.ravanshenasi.xyz", "bvsfuyvu.leaguejazire.com", "ugygn.shartmag.bet", "uwso33yr.riyazinikokar.xyz", "cjbbdtba.maharatmodiran.xyz", "vprhcxyu.masirpayambari.xyz", "qgkzqew.azmoonzare.online", "zyiirlrr.tarikhravannovin.shop", "nc45aae1.tractor11.com", "ysulmnsc.sanjeshravani.shop", "jwouoops.sakhtemandade.shop", "hzvho.shartbandifootballkade.online", "pvxvwrfu.sadreislam.xyz", "bchvsotq.questionsmotor.xyz"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc

KQL: Url Hunt

// Hunt for access to known malicious URLs
// Source: ThreatFox - ClearFake
let malicious_urls = dynamic(["https://cdn.jsdelivr.net/gh/vitiapig/lang-28/robot", "https://cdn.jsdelivr.net/gh/vitiapig/api-bd7dff3f-84b7-4bbb-a8e1-7be98555d879/js"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc

Required Data Sources

Sentinel TableNotes
DnsEventsEnsure this data connector is enabled
UrlClickEventsEnsure this data connector is enabled

References

False Positive Guidance

Original source: https://threatfox.abuse.ch/browse/malware/js.clearfake/