Adversaries may use the ClearFake infrastructure listed below to exfiltrate data or establish command and control, leveraging compromised credentials to move laterally within the network. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate potential advanced persistent threats before they cause significant damage.
IOC Summary
Malware Family: ClearFake
Total IOCs: 83
IOC Types: domain
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - ClearFake
let malicious_domains = dynamic(["et5qogz2.one1xbet.promo", "nqbecrh.one1x.bet", "g2z2cnlz.pascal.casino", "pascal.casino", "5bksyseg.betistmobil.com", "zfrfayl.one1xbet.app", "l9tynneu.mybookieiran.com", "ofin6ctx.mybookieiran.com", "a96ampff.mrgreenbetiran.com", "ksaj1cgw.mrgreenbetiran.com", "avygupe.one1xbet.casino", "mqbjnx.jamjahani.app", "ilmlvxt.lolsurpriseball.com", "bvnvrjx.kvbel.com", "hdkkxsm.kbshavanese.com", "3mm5jtvt.mrbet90.com", "s1s2jfjh.mrbet90.com", "lbgkfp.jamjahani2026.football", "boixyye.jogodobicho.games", "yxjmsvr.jamjahani.world", "ugmitqk.one1xbet.poker", "qtcfxojh.mostbetresmi.site", "jqx88sge.mostbetresmi.site", "2dz4gggg.betgopro.com", "avhbto.yasbet90.com", "aarcyyo.one1xbet.net", "!k!.one1xbet.net", "jrnxmey.one1xbet.casino", "one1xbet.casino", "lzsmmza.one1xbet.app", "one1xbet.app", "efd7fi03.monti.bet", "eor4l2gc.monti.bet", "lfrzjdk.one1x.bet", "ivqivx.xenicalby6.com", "!k!.one1x.bet", "njhhbmh.olabahiskayit.com", "!k!.olabahiskayit.com", "gqmalnx.ogwil.bet", "!k!.ogwil.bet", "ogwil.bet", "!k!.oghab.bet", "oghab.bet", "60hx33ds.minescasino.bet", "ajm1kklw.minescasino.bet", "minescasino.bet", "geovin.bet404farsi.com", "kvzkqjf.ninjafruitcubes.bet", "!k!.ninjafruitcubes.bet", "nbabet.promo"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
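As an added example (not code from this report or from ThreatFox), the Python below mirrors the matching the Sentinel query above performs, run over constructed DNS log lines, so the subdomain, lookalike and `!k!` cases can be checked offline before the query is deployed. Treating a leading `!k!` label as "any subdomain of the parent" is an assumption about that notation, not something the report states.

```python
# Added example, not from the original report: re-implements offline what the
# Sentinel query above does, so subdomain, lookalike and "!k!" cases can be checked.
# ASSUMPTION: a leading "!k!" label (seen in the query's list) means "any subdomain".

# Subset of the domain IOCs from the query above.
IOC_DOMAINS = ["pascal.casino", "avhbto.yasbet90.com",
               "!k!.one1xbet.net", "aarcyyo.one1xbet.net"]

# Constructed sample DNS log lines in the form timestamp,computer,query_name.
SAMPLE_DNS_LOG = [
    "2026-06-07T10:01:00Z,WS-17,g2z2cnlz.pascal.casino",     # subdomain of an IOC
    "2026-06-07T10:01:05Z,WS-17,notpascal.casino",           # lookalike, must not match
    "2026-06-07T10:02:10Z,WS-22,www.one1xbet.net.",          # covered by the !k! entry
    "2026-06-07T10:03:30Z,WS-22,login.microsoftonline.com",  # benign
    "2026-06-07T10:04:00Z,WS-31,AVHBTO.YASBET90.COM",        # exact IOC, different case
]


def normalize_domain(name: str) -> str:
    """Lower-case, trim whitespace and drop a trailing root dot."""
    return name.strip().lower().rstrip(".")


def normalize_ioc(ioc: str) -> str:
    """Normalize an IOC; a leading '!k!.' label is dropped to match any subdomain."""
    d = normalize_domain(ioc)
    return d[4:] if d.startswith("!k!.") else d


def matches_ioc(name: str, ioc: str) -> bool:
    """True if name equals the IOC or is a subdomain of it (label-boundary safe)."""
    n = normalize_domain(name)
    return n == ioc or n.endswith("." + ioc)


def hunt(log_lines, iocs=IOC_DOMAINS):
    """Return (timestamp, computer, query_name, matched_ioc) for every hit."""
    # Longest IOC first so a specific entry wins over its parent domain.
    normalized = sorted({normalize_ioc(i) for i in iocs}, key=len, reverse=True)
    hits = []
    for line in log_lines:
        ts, computer, qname = line.split(",", 2)
        for ioc in normalized:
            if matches_ioc(qname, ioc):
                hits.append((ts, computer, normalize_domain(qname), ioc))
                break
    return hits
```

The lookalike line is the case worth keeping in the sample: a plain suffix check without the leading dot would flag it as a hit.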
Scenario: Legitimate System Update via Windows Update
Description: A system update from Microsoft’s Windows Update service includes a file that matches one of the ClearFake IOCs.
Filter/Exclusion: Check the file_name field for known Windows Update file patterns (e.g., *.msu, *.msp) or use the process.name field to filter for Windows Update or svchost.exe.
Scenario: Scheduled Job for Log File Rotation
Description: A scheduled job (e.g., via schtasks.exe) rotates log files, and the log file path matches an IOC listed in the ClearFake dataset.
Filter/Exclusion: Use the process.name field to exclude schtasks.exe or logrotate.exe, and check the process.args for log rotation commands.
Scenario: Admin Task for Malware Scan with Anti-Virus Tools
Description: An administrator runs a malware scan using a legitimate tool like Microsoft Defender or Malwarebytes, and the scan process includes a file that matches a ClearFake IOC.
Filter/Exclusion: Filter by process.name to exclude known AV tools (e.g., MsMpEng.exe, mbam.exe) or use the user.name field to identify admin tasks.
Scenario: Network Monitoring Tool Generating Traffic
Description: A network monitoring tool like Wireshark or tcpdump generates traffic that includes IP addresses or domains matching ClearFake IOCs.
Filter/Exclusion: Use the process.name field to exclude Wireshark or tcpdump, or filter by process.parent.name to identify legitimate monitoring processes.
Scenario: Legitimate Software Distribution via Group Policy
Description: A company distributes a legitimate software package (e.g., **Adobe