The ThreatFox: ClearFake IOCs rule detects DNS lookups of domains that ThreatFox attributes to the ClearFake malware family, the fake browser-update framework injected into compromised websites, and so identifies hosts that reached its payload-delivery infrastructure. SOC teams should hunt for these lookups in Microsoft Sentinel (formerly Azure Sentinel) to catch the initial-access stage before the delivered payload runs and the intrusion progresses to lateral movement or data exfiltration.
IOC Summary
Malware Family: ClearFake
Total IOCs: 78 (the table below lists 25 of them; the hunting query covers 50)
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | xzhuzft[.]asyabet303[.]bet | payload_delivery | 2026-06-01 | 100% |
| domain | adnplvk[.]123betyek[.]com | payload_delivery | 2026-06-01 | 100% |
| domain | mebzjfi[.]saas-systems[.]hu | payload_delivery | 2026-06-01 | 100% |
| domain | tmnwsuz[.]khaled-salah[.]com | payload_delivery | 2026-06-01 | 100% |
| domain | pzacsqp[.]ariash[.]art | payload_delivery | 2026-06-01 | 100% |
| domain | ariash[.]art | payload_delivery | 2026-06-01 | 100% |
| domain | jkjcrqj[.]21pasoor[.]app | payload_delivery | 2026-06-01 | 100% |
| domain | p4nkss83[.]alsulmicpa[.]com | payload_delivery | 2026-06-01 | 100% |
| domain | vzfelbc[.]1shartbet1[.]com | payload_delivery | 2026-06-01 | 100% |
| domain | 1shartbet1[.]com | payload_delivery | 2026-06-01 | 100% |
| domain | alsulmicpa[.]com | payload_delivery | 2026-06-01 | 100% |
| domain | aehcwen[.]123betyek[.]com | payload_delivery | 2026-06-01 | 100% |
| domain | 123betyek[.]com | payload_delivery | 2026-06-01 | 100% |
| domain | seahohx[.]saas-systems[.]hu | payload_delivery | 2026-06-01 | 100% |
| domain | saas-systems[.]hu | payload_delivery | 2026-06-01 | 100% |
| domain | vxpkpgb[.]khaled-salah[.]com | payload_delivery | 2026-06-01 | 100% |
| domain | khaled-salah[.]com | payload_delivery | 2026-06-01 | 100% |
| domain | 99ytipqf[.]mayochem[.]com | payload_delivery | 2026-06-01 | 100% |
| domain | gqbociqf[.]mayochem[.]com | payload_delivery | 2026-06-01 | 100% |
| domain | mayochem[.]com | payload_delivery | 2026-06-01 | 100% |
| domain | dqtglfv[.]goldledgers[.]com | payload_delivery | 2026-06-01 | 100% |
| domain | uacfooi[.]goldledgers[.]com | payload_delivery | 2026-06-01 | 100% |
| domain | goldledgers[.]com | payload_delivery | 2026-06-01 | 100% |
| domain | kctwkqq[.]airtechmedical[.]com | payload_delivery | 2026-06-01 | 100% |
| domain | iehuipy[.]airtechmedical[.]com | payload_delivery | 2026-06-01 | 100% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - ClearFake
// has_any does whole-term matching, so an apex entry such as "mayochem.com"
// also matches lookups of its subdomains (e.g. 99ytipqf.mayochem.com).
let malicious_domains = dynamic(["xzhuzft.asyabet303.bet", "adnplvk.123betyek.com", "mebzjfi.saas-systems.hu", "tmnwsuz.khaled-salah.com", "pzacsqp.ariash.art", "ariash.art", "jkjcrqj.21pasoor.app", "p4nkss83.alsulmicpa.com", "vzfelbc.1shartbet1.com", "1shartbet1.com", "alsulmicpa.com", "aehcwen.123betyek.com", "123betyek.com", "seahohx.saas-systems.hu", "saas-systems.hu", "vxpkpgb.khaled-salah.com", "khaled-salah.com", "99ytipqf.mayochem.com", "gqbociqf.mayochem.com", "mayochem.com", "dqtglfv.goldledgers.com", "uacfooi.goldledgers.com", "goldledgers.com", "kctwkqq.airtechmedical.com", "iehuipy.airtechmedical.com", "enstrhr.czhaijiangdrying.com", "gozilwl.overlokcu.com", "xehbafo.overlokcu.com", "ekqtbnv.overlokcu.com", "gnetier6.hegong-tools.com", "ud0rcyot.hegong-tools.com", "ndtbqmk.overlokcu.com", "bgogpid.xfgautoparts.com", "ciopkms.yutongdrying.com", "xelecqe.yutongdrying.com", "apgagls.bonuliautoparts.com", "skgzwxo.bonuliautoparts.com", "dufnsng.daqotransformers.com", "dldcrqq.daqotransformers.com", "mjvdhq4d.destek1.com", "y75dm820.destek1.com", "kdwuzpk.yutongdrying.com", "gfcwiur.yutongdrying.com", "nozeunl.xfgautoparts.com", "sarlxcj.xfgautoparts.com", "lvlywwa.overlokcu.com", "mgjfhpa.overlokcu.com", "overlokcu.com", "k5k1f5zd.cloudzone.tr", "cloudzone.tr"]);
DnsEvents
| where Name has_any (malicious_domains)
// In DnsEvents, Computer is the DNS server that logged the lookup and ClientIP is
// the host that asked for it; ClientIP is the machine to triage.
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Populated by the Windows DNS (DNS Analytics) data connector; ensure it is enabled and that your DNS servers are reporting. If DNS telemetry lands in another table (for example ASimDnsActivityLogs with its DnsQuery column, or Microsoft Defender's DeviceNetworkEvents with RemoteUrl), change the table and column names in the query accordingly. |
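Assembling the `let malicious_domains = dynamic([...])` list by hand invites mixed defanging, duplicate entries and inconsistent casing, none of which match what DNS logs actually contain. The following Python is an added example, not code from the page or from ThreatFox: it reads a constructed export modelled on ThreatFox's JSON API (the field names `ioc`, `ioc_type`, `malware_printable` and `confidence_level` are an assumption of this example), refangs and deduplicates the domain indicators for one family, renders the KQL `let` statement the hunt expects, and checks DNS query names against the list the way the query's `has_any` does, so a listed apex also catches lookups of its subdomains.

```python
"""Build the Sentinel domain list from a ThreatFox-style export and check DNS names against it.

Added example, not code from the page or from ThreatFox. The export below is
constructed to resemble ThreatFox's JSON API; its field names are an assumption.
"""
import json

# Constructed sample export: mixed casing, inconsistent defanging, a trailing dot,
# a non-domain IOC, another family and a low-confidence entry to exercise the filters.
SAMPLE_EXPORT = json.dumps({"query_status": "ok", "data": [
    {"ioc": "xzhuzft.asyabet303.bet", "ioc_type": "domain", "threat_type": "payload_delivery",
     "malware_printable": "ClearFake", "confidence_level": 100},
    {"ioc": "adnplvk[.]123betyek.com", "ioc_type": "domain", "threat_type": "payload_delivery",
     "malware_printable": "ClearFake", "confidence_level": 100},
    {"ioc": "ADNPLVK.123betyek.com.", "ioc_type": "domain", "threat_type": "payload_delivery",
     "malware_printable": "ClearFake", "confidence_level": 100},  # duplicate of the previous entry
    {"ioc": "123betyek.com", "ioc_type": "domain", "threat_type": "payload_delivery",
     "malware_printable": "ClearFake", "confidence_level": 100},
    {"ioc": "198.51.100.7:443", "ioc_type": "ip:port", "threat_type": "botnet_cc",
     "malware_printable": "ClearFake", "confidence_level": 100},  # not a domain: skipped
    {"ioc": "example-other.net", "ioc_type": "domain", "threat_type": "payload_delivery",
     "malware_printable": "OtherFamily", "confidence_level": 100},  # other family: skipped
    {"ioc": "lowconf.example", "ioc_type": "domain", "threat_type": "payload_delivery",
     "malware_printable": "ClearFake", "confidence_level": 25},  # below threshold: skipped
]})


def refang(value: str) -> str:
    """Undo the usual defanging so the value matches what DNS logs actually contain."""
    return value.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def normalize_domain(name: str) -> str:
    """Canonical form for comparison: refanged, lower-case, no trailing dot or whitespace."""
    return refang(name).strip().lower().rstrip(".")


def load_domains(export_json: str, family: str = "ClearFake", min_confidence: int = 75) -> list[str]:
    """Extract unique, normalized domain IOCs for one family at or above a confidence level."""
    records = json.loads(export_json)["data"]
    domains = set()
    for rec in records:
        if rec.get("ioc_type") != "domain":
            continue
        if rec.get("malware_printable") != family:
            continue
        if int(rec.get("confidence_level", 0)) < min_confidence:
            continue
        domains.add(normalize_domain(rec["ioc"]))
    return sorted(domains)


def to_kql_let(domains: list[str], name: str = "malicious_domains") -> str:
    """Render the list as the KQL `let` statement the hunting query expects."""
    quoted = ", ".join(json.dumps(d) for d in domains)
    return f"let {name} = dynamic([{quoted}]);"


def match_ioc(query_name: str, domains: list[str]):
    """Return (ioc, kind) for a DNS query name, or None when nothing matches.

    kind is 'exact' when the name itself is listed and 'subdomain' when it sits
    beneath a listed domain (the longest listed suffix wins). This mirrors the
    intent of `Name has_any (malicious_domains)`: an apex entry also catches
    lookups of its subdomains, while an unrelated name sharing characters
    (e.g. not123betyek.com) does not match.
    """
    q = normalize_domain(query_name)
    best = None
    for d in domains:
        if q == d:
            return d, "exact"
        if q.endswith("." + d) and (best is None or len(d) > len(best[0])):
            best = (d, "subdomain")
    return best


if __name__ == "__main__":
    iocs = load_domains(SAMPLE_EXPORT)
    print(to_kql_let(iocs))
    for name in ["ADNPLVK.123betyek.com.", "zzz.123betyek.com", "not123betyek.com"]:
        print(name, "->", match_ioc(name, iocs))
```

Paste the printed `let` line in place of the hand-maintained one in the hunting query; keep `normalize_domain` in the pipeline that loads the export so a case change or a trailing dot never produces a duplicate indicator.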
Scenario: Security tooling resolving the indicators
Description: Sandboxes, URL scanners, mail-gateway link detonation and threat-intel enrichment hosts resolve known-bad domains as part of normal operation. Their lookups confirm the indicator is live but are not evidence of a compromised user endpoint.
Filter/Exclusion: | where not(ipv4_is_in_any_range(ClientIP, dynamic(["10.50.0.0/24"]))) (replace the range with the subnets of your detonation and enrichment hosts)
Scenario: Apex domain of a compromised website
Description: Most apex domains in the list (ariash.art, 1shartbet1.com, alsulmicpa.com, 123betyek.com, saas-systems.hu, khaled-salah.com, mayochem.com, goldledgers.com, overlokcu.com, cloudzone.tr) appear alongside short random-looking subdomains, the pattern of a legitimate site whose DNS is being used to host attacker-created hostnames. A lookup of the apex alone can be a user visiting the legitimate site or an existing business relationship with that organization. Treat apex-only hits as lower confidence and correlate with proxy or EDR telemetry before escalating; lookups of the random subdomains are high confidence.
Filter/Exclusion: | extend ApexOnly = Name in~ ("ariash.art", "1shartbet1.com", "alsulmicpa.com", "123betyek.com", "saas-systems.hu", "khaled-salah.com", "mayochem.com", "goldledgers.com", "overlokcu.com", "cloudzone.tr")
Scenario: Term matching beyond the listed hostnames
Description: has_any matches whole terms, so an apex entry also matches any hostname containing the same label sequence, including subdomains ThreatFox has not listed. This is useful for catching new infrastructure on the same site, but confirm the exact hostname before reporting it as a known indicator.
Filter/Exclusion: | extend ExactMatch = Name in~ (malicious_domains)
Scenario: Hit attributed to the DNS server instead of the requester
Description: In DnsEvents the Computer column is the DNS server that logged the lookup, not the machine that asked for it. Escalating on Computer alone produces noise against resolvers and misses the affected endpoint; pivot on ClientIP.
Filter/Exclusion: | summarize Lookups = count(), FirstSeen = min(TimeGenerated), Domains = make_set(Name) by ClientIP
Scenario: Sinkholed or taken-down domains
Description: Payload-delivery domains are short-lived. A hit whose lookup returned no address still means the client reached the lure, but the payload stage probably failed; hits that resolved deserve the fastest response. Do not suppress either, rank them.
Filter/Exclusion: | extend Resolved = isnotempty(IPAddresses)
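The false-positive considerations above come down to a few triage rules applied per requesting client: expected lookups from security tooling, apex-only hits against a compromised site, exact hits on attacker hostnames, previously unseen hostnames under a listed apex, and whether the lookup resolved. The following Python is an added example, not code from the page: it runs those rules over constructed rows shaped like the DnsEvents columns the hunt projects (the scanner subnet 10.50.0.0/24, the hostnames dns01/dns02.corp.example and all addresses are hypothetical) and rolls the results up by ClientIP rather than by the DNS server.

```python
"""Triage DnsEvents hits from the ClearFake hunt by requester, not by DNS server.

Added example, not code from the page. Rows are constructed in the shape of the
DnsEvents columns the hunt projects; the scanner subnet and hosts are hypothetical.
"""
import ipaddress

# Subset of the page's ClearFake list, as the hunt would load it.
MALICIOUS_DOMAINS = [
    "pzacsqp.ariash.art", "ariash.art",
    "99ytipqf.mayochem.com", "gqbociqf.mayochem.com", "mayochem.com",
    "gozilwl.overlokcu.com", "overlokcu.com",
    "dldcrqq.daqotransformers.com",
]

# Hypothetical subnet hosting sandbox / URL-detonation systems whose lookups are expected.
SECURITY_RANGES = [ipaddress.ip_network("10.50.0.0/24")]

# Constructed DnsEvents-style rows. Computer is the DNS server, ClientIP the requester.
HITS = [
    {"TimeGenerated": "2026-06-02T08:01:11Z", "Computer": "dns01.corp.example", "ClientIP": "10.1.5.23",
     "Name": "pzacsqp.ariash.art", "IPAddresses": "203.0.113.10", "QueryType": "A"},
    {"TimeGenerated": "2026-06-02T08:01:12Z", "Computer": "dns01.corp.example", "ClientIP": "10.1.5.23",
     "Name": "ariash.art", "IPAddresses": "203.0.113.10", "QueryType": "A"},
    {"TimeGenerated": "2026-06-02T09:15:40Z", "Computer": "dns01.corp.example", "ClientIP": "10.1.7.80",
     "Name": "mayochem.com", "IPAddresses": "198.51.100.20", "QueryType": "A"},
    {"TimeGenerated": "2026-06-02T09:16:02Z", "Computer": "dns02.corp.example", "ClientIP": "10.50.0.14",
     "Name": "gozilwl.overlokcu.com", "IPAddresses": "198.51.100.33", "QueryType": "A"},
    {"TimeGenerated": "2026-06-02T10:02:55Z", "Computer": "dns02.corp.example", "ClientIP": "10.1.9.5",
     "Name": "dldcrqq.daqotransformers.com", "IPAddresses": "", "QueryType": "A"},
    {"TimeGenerated": "2026-06-02T10:30:00Z", "Computer": "dns02.corp.example", "ClientIP": "10.1.9.5",
     "Name": "qwerty12.mayochem.com", "IPAddresses": "198.51.100.21", "QueryType": "A"},
]

SEVERITY_ORDER = ["unmatched", "suppressed", "low", "medium", "high"]


def apex_domains(domains):
    """Listed domains that have other listed entries beneath them: the compromised sites' apexes."""
    return {d for d in domains if any(o != d and o.endswith("." + d) for o in domains)}


def classify(hit, domains=MALICIOUS_DOMAINS, security_ranges=SECURITY_RANGES):
    """Classify one DnsEvents row.

    suppressed: requester is known security tooling
    low:        apex of a compromised site only (user may have browsed the legitimate page)
    high:       exact match on a listed attacker hostname
    medium:     unlisted hostname beneath a listed domain (possible new infrastructure)
    unmatched:  the row does not touch the list at all
    """
    name = hit["Name"].lower().rstrip(".")
    client = ipaddress.ip_address(hit["ClientIP"])
    if any(client in net for net in security_ranges):
        return "suppressed"
    if name in apex_domains(domains):
        return "low"
    if name in domains:
        return "high"
    if any(name.endswith("." + d) for d in domains):
        return "medium"
    return "unmatched"


def triage(hits, domains=MALICIOUS_DOMAINS, security_ranges=SECURITY_RANGES):
    """Group hits by requesting client, keeping the worst classification and a resolved-lookup count."""
    by_client = {}
    for hit in hits:
        severity = classify(hit, domains, security_ranges)
        entry = by_client.setdefault(hit["ClientIP"], {"severity": "unmatched", "names": [], "resolved": 0})
        if SEVERITY_ORDER.index(severity) > SEVERITY_ORDER.index(entry["severity"]):
            entry["severity"] = severity
        entry["names"].append(hit["Name"])
        entry["resolved"] += int(bool(hit["IPAddresses"].strip()))
    return by_client


if __name__ == "__main__":
    for client, info in sorted(triage(HITS).items(), key=lambda kv: -SEVERITY_ORDER.index(kv[1]["severity"])):
        print(f'{client:<12} {info["severity"]:<10} resolved={info["resolved"]} {", ".join(info["names"])}')
```

The apex set is derived from the indicator list itself (an entry is an apex when another listed entry sits beneath it), so the rule keeps working as the list is refreshed without anyone maintaining a second list by hand.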