The ThreatFox: ClearFake IOCs rule detects potential adversary activity linked to the ClearFake malware, which is associated with sophisticated phishing and credential theft campaigns. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate early-stage attacks that could compromise sensitive data and infrastructure.
IOC Summary
Malware Family: ClearFake
Total IOCs: 74
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | ggifzobt.hugugmadani3.xyz | payload_delivery | 2026-06-13 | 100% |
| domain | 29jpudxc.geotechnictahuni.store | payload_delivery | 2026-06-13 | 100% |
| domain | sh6rkpx6.shartmag.bet | payload_delivery | 2026-06-13 | 100% |
| domain | alrwomdp.restaurantguideaarhus.com | payload_delivery | 2026-06-13 | 100% |
| domain | obmhxqg.rocketbet.pro | payload_delivery | 2026-06-13 | 100% |
| domain | ggcjxgov.fununetadris.shop | payload_delivery | 2026-06-13 | 100% |
| domain | v47e4385.fununetadris.shop | payload_delivery | 2026-06-13 | 100% |
| domain | gsdzofat.winxbet.co | payload_delivery | 2026-06-13 | 100% |
| domain | krigo.ecologyardakani.xyz | payload_delivery | 2026-06-13 | 100% |
| domain | aoeoelfz.hugugbime.xyz | payload_delivery | 2026-06-13 | 100% |
| domain | jyvartai.hugugdaryayi.xyz | payload_delivery | 2026-06-13 | 100% |
| domain | kg0kdihy.gavaedfagahe.xyz | payload_delivery | 2026-06-13 | 100% |
| domain | psmecdlr.hugugedari.xyz | payload_delivery | 2026-06-13 | 100% |
| domain | dngzhceb.hugugmadani3.xyz | payload_delivery | 2026-06-13 | 100% |
| domain | mhhalmi.pokerkade.online | payload_delivery | 2026-06-13 | 100% |
| domain | nwklhlmm.hugugmadani6.xyz | payload_delivery | 2026-06-13 | 100% |
| domain | ezrzb.downloadquran.xyz | payload_delivery | 2026-06-13 | 100% |
| domain | 2igj4kg6.shartbandifootballkade.online | payload_delivery | 2026-06-13 | 100% |
| domain | 9fmgmj87.garatequran.xyz | payload_delivery | 2026-06-13 | 100% |
| domain | wgtpfakz.akhlagvaahkam.xyz | payload_delivery | 2026-06-13 | 100% |
| domain | p4pav6zh.garatequran.xyz | payload_delivery | 2026-06-13 | 100% |
| domain | xmxmplzc.hugugmadanikatouzian.xyz | payload_delivery | 2026-06-13 | 100% |
| domain | qjgjbwpw.hugugnasiri.xyz | payload_delivery | 2026-06-13 | 100% |
| domain | cdvmgdw.melbetkade.com | payload_delivery | 2026-06-13 | 100% |
| domain | wutgubeq.hugugtatbigi.xyz | payload_delivery | 2026-06-13 | 100% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - ClearFake
let malicious_domains = dynamic(["ggifzobt.hugugmadani3.xyz", "29jpudxc.geotechnictahuni.store", "sh6rkpx6.shartmag.bet", "alrwomdp.restaurantguideaarhus.com", "obmhxqg.rocketbet.pro", "ggcjxgov.fununetadris.shop", "v47e4385.fununetadris.shop", "gsdzofat.winxbet.co", "krigo.ecologyardakani.xyz", "aoeoelfz.hugugbime.xyz", "jyvartai.hugugdaryayi.xyz", "kg0kdihy.gavaedfagahe.xyz", "psmecdlr.hugugedari.xyz", "dngzhceb.hugugmadani3.xyz", "mhhalmi.pokerkade.online", "nwklhlmm.hugugmadani6.xyz", "ezrzb.downloadquran.xyz", "2igj4kg6.shartbandifootballkade.online", "9fmgmj87.garatequran.xyz", "wgtpfakz.akhlagvaahkam.xyz", "p4pav6zh.garatequran.xyz", "xmxmplzc.hugugmadanikatouzian.xyz", "qjgjbwpw.hugugnasiri.xyz", "cdvmgdw.melbetkade.com", "wutgubeq.hugugtatbigi.xyz", "9xt13o7k.moarefeslami.xyz", "fmhkmjyi.hugugtejarat4.xyz", "tkzvl.nagshekeshi.xyz", "edtmogyp.red90.casino", "cowhdabq.shartbandi.games", "x6veozdp.ganuneasasi.xyz", "trqyckok.ganuneasasi.xyz", "sjgnfsm.megaparikade.com", "hkhyaprc.betyek.net", "geirvzju.betxane.com", "xipuryqj.betwanna.com", "ukpoojmk.shansbartar.bet", "wumyhfj.livebetkade.com", "9w0va69z.shansbartar.bet", "4y04a82z.hattrickbetkade.com", "raqmk.mururhesabdari.xyz", "hqqacfwe.betforwardkade.com", "k96h8q0b.fubet24.net", "8gl6eqnn.fubet24.net", "yzqzbtkr.betfidokade.com", "koiffqfm.enfejarkade.online", "dxxxyoqr.bet313.org", "llfarlit.bet120x.net", "vidsloii.bcgamekade.online", "g1zevlqh.casinokade.online"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
False Positive Scenarios
Note: the IOC set for this rule consists only of domains and the query above runs against DnsEvents, so the process-based exclusions below apply to endpoint process telemetry correlated with the hunt rather than to the DNS query as written.

Scenario: Legitimate System Update via Chocolatey
Description: A system update using Chocolatey installs a package that matches one of the ClearFake IOCs due to a shared filename or hash.
Filter/Exclusion: process.name != "choco.exe" or process.parent.name != "choco.exe"

Scenario: Scheduled Job for Log Rotation
Description: A scheduled task runs a script that generates a file with a name matching a ClearFake IOC, such as rotate_logs.exe.
Filter/Exclusion: process.name != "rotate_logs.exe" or process.parent.name != "schtasks.exe"

Scenario: Admin Task for Patch Management
Description: An administrator manually runs a patching tool (e.g., PatchManager.exe) that has a hash or filename matching a ClearFake IOC.
Filter/Exclusion: process.name != "PatchManager.exe" or process.parent.name != "cmd.exe"

Scenario: Legitimate Software Installation via SCCM
Description: A software deployment via System Center Configuration Manager (SCCM) includes a package with a filename or hash that matches a ClearFake IOC.
Filter/Exclusion: process.name != "cmstp.exe" or process.parent.name != "ccmexec.exe"

Scenario: PowerShell Script for Configuration Management
Description: A PowerShell script used for configuration management (e.g., Configure-Environment.ps1) includes a file or command that matches a ClearFake IOC.
Filter/Exclusion: process.name != "powershell.exe" or script.name != "Configure-Environment.ps1"