ThreatFox: ClearFake IOCs

Hunt Hypothesis

The ThreatFox: ClearFake IOCs rule detects potential adversary activity linked to the ClearFake malware, which is associated with credential theft and lateral movement. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate early-stage attacks before they escalate.

IOC Summary

Malware Family: ClearFake Total IOCs: 75 IOC Types: domain

Type	Value	Threat Type	First Seen	Confidence
domain	jtnvsfr.notjustsquare.com	payload_delivery	2026-05-31	100%
domain	tmtkdhl.notjustsquare.com	payload_delivery	2026-05-31	100%
domain	dlacbhw.nonamejustsoul.com	payload_delivery	2026-05-31	100%
domain	tvnbvuv.nonamejustsoul.com	payload_delivery	2026-05-31	100%
domain	rpcmwsz.muveszetiirasok.hu	payload_delivery	2026-05-31	100%
domain	dpijuiw.muveszetiirasok.hu	payload_delivery	2026-05-31	100%
domain	czf2txr8.asion.gr	payload_delivery	2026-05-31	100%
domain	asion.gr	payload_delivery	2026-05-31	100%
domain	saprwbu.lavorcollective.com	payload_delivery	2026-05-31	100%
domain	eoyodpm.lavorcollective.com	payload_delivery	2026-05-31	100%
domain	batmemo.kreativkiteljesedes.hu	payload_delivery	2026-05-31	100%
domain	krnflmz.kreativkiteljesedes.hu	payload_delivery	2026-05-31	100%
domain	mbhofdf.kortalanmuveszet.hu	payload_delivery	2026-05-31	100%
domain	frngvyb.kortalanmuveszet.hu	payload_delivery	2026-05-31	100%
domain	ajfohrg.designyourlifeinflow.com	payload_delivery	2026-05-31	100%
domain	gyjqgsz.designyourlifeinflow.com	payload_delivery	2026-05-31	100%
domain	uuzhapr.attilahatar.com	payload_delivery	2026-05-31	100%
domain	drycbeg.attilahatar.com	payload_delivery	2026-05-31	100%
domain	attilahatar.com	payload_delivery	2026-05-31	100%
domain	dbdndfs.artisourlifestyle.com	payload_delivery	2026-05-31	100%
domain	obmjbub.artisourlifestyle.com	payload_delivery	2026-05-31	100%
domain	artisourlifestyle.com	payload_delivery	2026-05-31	100%
domain	tuejpvg.agivedresphotography.com	payload_delivery	2026-05-31	100%
domain	xynsirt.agivedresphotography.com	payload_delivery	2026-05-31	100%
domain	aktinovolia.eu	payload_delivery	2026-05-31	100%

KQL: Domain Hunt

// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - ClearFake
let malicious_domains = dynamic(["jtnvsfr.notjustsquare.com", "tmtkdhl.notjustsquare.com", "dlacbhw.nonamejustsoul.com", "tvnbvuv.nonamejustsoul.com", "rpcmwsz.muveszetiirasok.hu", "dpijuiw.muveszetiirasok.hu", "czf2txr8.asion.gr", "asion.gr", "saprwbu.lavorcollective.com", "eoyodpm.lavorcollective.com", "batmemo.kreativkiteljesedes.hu", "krnflmz.kreativkiteljesedes.hu", "mbhofdf.kortalanmuveszet.hu", "frngvyb.kortalanmuveszet.hu", "ajfohrg.designyourlifeinflow.com", "gyjqgsz.designyourlifeinflow.com", "uuzhapr.attilahatar.com", "drycbeg.attilahatar.com", "attilahatar.com", "dbdndfs.artisourlifestyle.com", "obmjbub.artisourlifestyle.com", "artisourlifestyle.com", "tuejpvg.agivedresphotography.com", "xynsirt.agivedresphotography.com", "aktinovolia.eu", "renia.gr", "hsvisjx.ktsagarakis.gr", "qsnovga.intelect.gr", "intelect.gr", "mexyzfs0.aktinovolia.com", "aktinovolia.com", "kccqafs.enviroment.gr", "enviroment.gr", "sqcbwqj.popi999.net", "pnarkhn.popi999.net", "qiwiqfdb.botvn.net", "sgl5ele3.botvn.net", "knmglbn.sm188dvlv.cfd", "mmlthjl.sm188dvlv.cfd", "lbcsuyq.payestation.com", "tphlksj.payestation.com", "ehshryo.zsatom.hu", "kogvktw.zsatom.hu", "izrbtds.wlwyb.com", "ylthnck.wlwyb.com", "b53jdkck.photoshopvn.net", "jvczj219.photoshopvn.net", "xjlghqc.baovietnam.me", "baovietnam.me", "psiwhza.baocongnghe.net"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc

Required Data Sources

Sentinel Table	Notes
DnsEvents	Ensure this data connector is enabled

References

• ThreatFox — ClearFake

False Positive Guidance

• Scenario: Legitimate System Update via Chocolatey
  Description: A system update using Chocolatey installs a package that matches one of the ClearFake IOCs due to a shared filename or hash.
  Filter/Exclusion: process.name != "choco.exe" or process.parent.name != "choco.exe"

• Scenario: Scheduled Job for Log Rotation
  Description: A scheduled task runs a script that generates a file with a name matching a ClearFake IOC, such as rotate_logs.exe.
  Filter/Exclusion: process.name != "rotate_logs.exe" or file.path != "C:\\Windows\\System32\\rotate_logs.exe"

• Scenario: Admin Task for Patch Management
  Description: An administrator uses a tool like PowerShell or Task Scheduler to run a script that includes a file or command matching a ClearFake IOC.
  Filter/Exclusion: process.name != "powershell.exe" or process.args != " -Command ..."

• Scenario: Legitimate Software Installation via SCCM
  Description: A software deployment via System Center Configuration Manager (SCCM) includes a file that matches a ClearFake IOC due to a shared hash or filename.
  Filter/Exclusion: process.name != "ccmexec.exe" or file.path != "C:\\Windows\\System32\\ccmexec.exe"

• Scenario: User-Initiated File Download for Research
  Description: A user downloads a file (e.g., clearfake_research.exe) for analysis, which matches a ClearFake IOC.
  Filter/Exclusion: process.user != "Administrator" or file.sha256 != "known_research_file_hash"