The ThreatFox: ClearFake IOCs rule detects potential adversary activity associated with the ClearFake malware, which is known for distributing malicious payloads through compromised websites and phishing campaigns. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate early-stage attacks that could lead to data exfiltration or system compromise.
IOC Summary
Malware Family: ClearFake
Total IOCs: 14
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | gfrewds.bet-303.fun | payload_delivery | 2026-06-03 | 100% |
| domain | bet-303.fun | payload_delivery | 2026-06-03 | 100% |
| domain | 6aq224cu.luxerabet100.com | payload_delivery | 2026-06-03 | 100% |
| domain | yr126pdf.luxerabet100.com | payload_delivery | 2026-06-03 | 100% |
| domain | sun8i9tk.luxerabet1000.com | payload_delivery | 2026-06-03 | 100% |
| domain | 4snfemll.luxerabet1000.com | payload_delivery | 2026-06-03 | 100% |
| domain | yzqawgz5[.]7lf.net | payload_delivery | 2026-06-03 | 100% |
| domain | rp05pfgt[.]7lf.net | payload_delivery | 2026-06-03 | 100% |
| domain | vrlh0wdy.eutoor.com | payload_delivery | 2026-06-03 | 100% |
| domain | ymihaw7a.eutoor.com | payload_delivery | 2026-06-03 | 100% |
| domain | b7tibc5u.luxerabet1000.com | payload_delivery | 2026-06-03 | 100% |
| domain | hsy1u75o.luxerabet1000.com | payload_delivery | 2026-06-03 | 100% |
| domain | pf6n62u7.luxerabet5.com | payload_delivery | 2026-06-02 | 100% |
| domain | 6rdv0wtc.luxerabet5.com | payload_delivery | 2026-06-02 | 100% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - ClearFake
// Note: has_any performs term/phrase matching, so an apex entry such as "bet-303.fun"
// also matches queries for its subdomains (e.g. gfrewds.bet-303.fun).
let malicious_domains = dynamic(["gfrewds.bet-303.fun", "bet-303.fun", "6aq224cu.luxerabet100.com", "yr126pdf.luxerabet100.com", "sun8i9tk.luxerabet1000.com", "4snfemll.luxerabet1000.com", "yzqawgz5.7lf.net", "rp05pfgt.7lf.net", "vrlh0wdy.eutoor.com", "ymihaw7a.eutoor.com", "b7tibc5u.luxerabet1000.com", "hsy1u75o.luxerabet1000.com", "pf6n62u7.luxerabet5.com", "6rdv0wtc.luxerabet5.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
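The same hunt expressed offline, as an added example that is not part of the original rule: it refangs the indicators (the table above mixes plain and `[.]`-defanged entries), then matches DNS query names the way the KQL intends, exact or subdomain. The DnsEvents rows, the `ws-*` host names and the subset of IOCs used are constructed for the demonstration; the suffix check is deliberately stricter than `has_any`, which is term based and would also flag a name like `bet-303.fun.corp.local`.

```python
import re

# Constructed subset of the IOC table above; two entries are defanged with "[.]".
RAW_IOCS = [
    "gfrewds.bet-303.fun", "bet-303.fun", "yzqawgz5[.]7lf.net", "rp05pfgt[.]7lf.net",
    "vrlh0wdy.eutoor.com", "pf6n62u7.luxerabet5.com",
]

def refang(ioc: str) -> str:
    """Turn a defanged indicator ("[.]" or "(.)") into a plain lowercase domain."""
    return re.sub(r"[\[\(]\.[\]\)]", ".", ioc).strip().lower().rstrip(".")

def matching_iocs(query_name: str, iocs) -> list:
    """Return every IOC that the DNS query name equals or is a subdomain of."""
    name = query_name.strip().lower().rstrip(".")
    return [d for d in iocs if name == d or name.endswith("." + d)]

# Constructed sample rows shaped like Sentinel DnsEvents (TimeGenerated, Computer, Name).
SAMPLE_EVENTS = [
    {"TimeGenerated": "2026-06-03T08:01:12Z", "Computer": "ws-017", "Name": "www.example.com"},
    {"TimeGenerated": "2026-06-03T08:01:13Z", "Computer": "ws-017", "Name": "GFREWDS.bet-303.fun."},
    {"TimeGenerated": "2026-06-03T08:02:40Z", "Computer": "ws-042", "Name": "cdn.rp05pfgt.7lf.net"},
    {"TimeGenerated": "2026-06-03T08:03:05Z", "Computer": "ws-042", "Name": "bet-303.fun.corp.local"},
]

def hunt(events, raw_iocs=RAW_IOCS):
    """Mirror the KQL hunt: keep events whose query name hits an IOC, newest first."""
    iocs = [refang(i) for i in raw_iocs]
    hits = []
    for ev in events:
        matched = matching_iocs(ev["Name"], iocs)
        if matched:
            hits.append({**ev, "MatchedIOC": matched[0]})
    return sorted(hits, key=lambda e: e["TimeGenerated"], reverse=True)

if __name__ == "__main__":
    for h in hunt(SAMPLE_EVENTS):
        print(h["TimeGenerated"], h["Computer"], h["Name"], "->", h["MatchedIOC"])
```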
Scenario: Legitimate scheduled job for log cleanup
Description: A scheduled task runs clearfake.exe as part of a log rotation or cleanup process.
Filter/Exclusion: Exclude processes with CommandLine containing --log-rotate or --cleanup.
Scenario: Admin using ClearFake for forensic analysis
Description: A security analyst uses clearfake.exe to analyze malware artifacts or sandboxed environments.
Filter/Exclusion: Exclude processes initiated by users in the Administrators group with User field matching known analysts.
Scenario: System update or patching tool using ClearFake
Description: A third-party patching tool (e.g., PatchMaster.exe) includes clearfake.exe as part of its update mechanism.
Filter/Exclusion: Exclude processes where ParentProcess is PatchMaster.exe or UpdateService.exe.
Scenario: Legitimate system diagnostic tool
Description: A system diagnostic tool (e.g., SysDiagTool.exe) uses clearfake.exe for memory analysis or performance monitoring.
Filter/Exclusion: Exclude processes where ParentProcess is SysDiagTool.exe or PerformanceMonitor.exe.
Scenario: False positive from a security software test
Description: A security tool (e.g., VirusTotalTest.exe) runs clearfake.exe as part of a test to validate detection rules.
Filter/Exclusion: Exclude processes where CommandLine contains --test or --simulate.