The ThreatFox: ClearFake IOCs rule detects potential adversary activity associated with the ClearFake malware, which is known for distributing malicious payloads through compromised websites and phishing campaigns. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage attacks that could lead to data exfiltration or system compromise.
IOC Summary
Malware Family: ClearFake
Total IOCs: 16
IOC Types: domain, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | sjn9cbzs.betvarzeshkade.online | payload_delivery | 2026-06-19 | 100% |
| domain | tarbiyateslami.xyz | payload_delivery | 2026-06-19 | 100% |
| url | hxxps://cdn.jsdelivr.net/gh/arinao7/86227780-d251hllg | payload_delivery | 2026-06-19 | 100% |
| domain | owxoxg4v.jetbetkade.com | payload_delivery | 2026-06-19 | 100% |
| domain | s18b1z48.tarahisystem.xyz | payload_delivery | 2026-06-19 | 100% |
| domain | tarahisystem.xyz | payload_delivery | 2026-06-19 | 100% |
| domain | 0q26dscq.anodaz.vip | payload_delivery | 2026-06-19 | 100% |
| domain | 2rvmsbh4.bet303.download | payload_delivery | 2026-06-19 | 100% |
| domain | fvkyh2up.testpaye.xyz | payload_delivery | 2026-06-19 | 100% |
| domain | aygi86ej.tahlilsazeha.xyz | payload_delivery | 2026-06-19 | 100% |
| domain | eub0atxx.tafsirnasiri.xyz | payload_delivery | 2026-06-19 | 100% |
| domain | borb5c9q.megaparikade.com | payload_delivery | 2026-06-19 | 100% |
| domain | i9yfz7a0.asibshenasiyahya.shop | payload_delivery | 2026-06-19 | 100% |
| domain | dy6t49rl.akhlagvaahkam.xyz | payload_delivery | 2026-06-19 | 100% |
| domain | lh7umyc5.riyazishahkilid.xyz | payload_delivery | 2026-06-19 | 100% |
| domain | riyazishahkilid.xyz | payload_delivery | 2026-06-19 | 100% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - ClearFake
let malicious_domains = dynamic(["sjn9cbzs.betvarzeshkade.online", "tarbiyateslami.xyz", "owxoxg4v.jetbetkade.com", "s18b1z48.tarahisystem.xyz", "tarahisystem.xyz", "0q26dscq.anodaz.vip", "2rvmsbh4.bet303.download", "fvkyh2up.testpaye.xyz", "aygi86ej.tahlilsazeha.xyz", "eub0atxx.tafsirnasiri.xyz", "borb5c9q.megaparikade.com", "i9yfz7a0.asibshenasiyahya.shop", "dy6t49rl.akhlagvaahkam.xyz", "lh7umyc5.riyazishahkilid.xyz", "riyazishahkilid.xyz"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kusto
// Hunt for access to known malicious URLs
// Source: ThreatFox - ClearFake
// The URL is listed in live (https://) form here; the IOC table above shows it defanged (hxxps://).
let malicious_urls = dynamic(["https://cdn.jsdelivr.net/gh/arinao7/86227780-d251hllg"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
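As an added example (not part of the ThreatFox rule or the page's own queries), the Python below turns IOC rows like those in the table above into the KQL `let` lists the hunts use, refanging `hxxps://` values on the way, and applies the same domain/URL matching offline to a few DNS names, matching per DNS label so a subdomain of a listed apex domain hits but a look-alike name does not. `IOC_ROWS` is a subset of the table and `DNS_NAMES` is a constructed sample.

```python
import re
from urllib.parse import urlsplit

# Constructed subset of the IOC table above, in the defanged form (hxxps://)
# that ThreatFox exports use. Domain rows are assumed to hold bare hostnames.
IOC_ROWS = [
    ("domain", "sjn9cbzs.betvarzeshkade.online"),
    ("domain", "tarahisystem.xyz"),
    ("domain", "s18b1z48.tarahisystem.xyz"),
    ("url", "hxxps://cdn.jsdelivr.net/gh/arinao7/86227780-d251hllg"),
]
# Constructed DnsEvents.Name values; cdn.jsdelivr.net itself is not an IOC,
# only the full jsdelivr URL is, so a DNS hunt must not list the CDN host.
DNS_NAMES = ["S18B1Z48.tarahisystem.xyz", "notarahisystem.xyz",
             "cdn.jsdelivr.net", "x.sjn9cbzs.betvarzeshkade.online."]

def refang(value):
    """Reverse common defanging so the value matches what the logs contain."""
    value = re.sub(r"^hxxp", "http", value.strip(), flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("[:]", ":")

def norm_url(url):
    """Lower-case scheme and host, keep the path; the query string is dropped."""
    p = urlsplit(url)
    return f"{p.scheme.lower()}://{p.netloc.lower()}{p.path}"

def load_iocs(rows):
    """Split rows into a lower-cased domain set and a normalised URL set."""
    domains = {refang(v).lower() for t, v in rows if t == "domain"}
    urls = {norm_url(refang(v)) for t, v in rows if t == "url"}
    return domains, urls

def kql_let(name, values):
    """Render the `let name = dynamic([...]);` line used by the hunts above."""
    quoted = ", ".join('"%s"' % v for v in sorted(values))
    return f"let {name} = dynamic([{quoted}]);"

def domain_hit(query_name, domains):
    """True if the name is an IOC or a subdomain of one. Matching is per DNS
    label, so 'notarahisystem.xyz' does not match 'tarahisystem.xyz'."""
    labels = query_name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))

def url_hit(url, urls):
    """True if the refanged, normalised URL is in the IOC set."""
    return norm_url(refang(url)) in urls

def hunt_dns(names, domains):
    """Offline equivalent of the DnsEvents hunt: the queried names that match."""
    return [n for n in names if domain_hit(n, domains)]
```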
Scenario: Legitimate System Update via Microsoft Update
Description: A system update from Microsoft Windows Update includes a file that matches one of the ClearFake IOCs due to a naming similarity.
Filter/Exclusion: Check the file’s digital signature and origin. Use a filter like file.hash.sha256 != "known_clearfake_hash" or process.name != "wuauclt.exe".
Scenario: Scheduled Job for Log File Rotation
Description: A scheduled task runs a script to rotate log files, which may create files with names similar to known ClearFake IOCs.
Filter/Exclusion: Exclude files created by log rotation processes using a filter like process.name != "logrotate.exe" or file.path != "/var/log/rotation_*".
Scenario: Admin Task for Patch Management
Description: An administrator runs a patch management tool (e.g., Microsoft Endpoint Manager) that temporarily creates files matching ClearFake IOCs during the patching process.
Filter/Exclusion: Exclude files created by known patching tools using a filter like process.name != "setup.exe" or file.name != "patch_temp_*.exe".
Scenario: Legitimate Third-Party Software Installation
Description: A legitimate third-party application (e.g., Adobe Acrobat) is installed, and one of its components has a file name or hash that matches a ClearFake IOC.
Filter/Exclusion: Exclude files from trusted vendors using a filter like file.name != "AcroRd32.exe" or file.hash.sha256 != "trusted_vendor_hash".
Scenario: User-Initiated File Cleanup Task
Description: A user runs a file cleanup tool (e.g., CCleaner) that temporarily creates or moves files with names similar to ClearFake IOCs.