The ThreatFox: ClearFake IOCs rule detects potential adversary activity associated with the ClearFake malware, which is known for distributing malicious payloads through compromised software. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate threats early, as ClearFake is linked to high-impact attacks and persistent threats.
IOC Summary

Malware Family: ClearFake
Total IOCs: 53
IOC Types: domain, sha256_hash, url
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - ClearFake
let malicious_domains = dynamic(["zlbcjre.wrfc8.com", "gfmuomz.pinbahiis.com", "jbwjdp.rial.bet", "salppir.red90.casino", "whyldsf.rc395.com", "rc395.com", "e3giv37r.pokerpars.poker", "pokerpars.poker", "xwwitjs.rayonbet.com", "rayonbet.com", "demfmb.restaurantguideaarhus.com", "gwjjko.onlineshart.com", "gyayod.pishbinisite.com", "gdenwcw.rabonaabet.com", "pishbinipartners.com", "rabonaabet.com", "promo.tennis", "cafdfe.pishbinihoshmand.com", "pishbinihoshmand.com", "dgxbf5rv.onexfa.com", "lplhoo.pishbinigame.com", "pishbinigame.com", "mbigpi.pishbinifoori.com", "pishbinifoori.com", "jgjuwx.pishbiniclass.com", "pishbiniclass.com", "rcyrnur.pokerprado.bet", "pokerprado.bet", "r2qz0qa2.poker-online.bet", "9r6xw7w2.poker-online.bet", "rmipclt.penality.bet", "emyynld.pasur21.com", "nkfjdum.pasoor11.bet", "hxmhpw.pishbinibet.casino", "sfdwdmq.mangobetfarsi.com", "ojnkoxdg.pokerbazi.poker", "pokerbazi.poker", "hnainyw.ninjafruitcubes.bet", "flzocge.penality.bet", "kodhfeq.one1xbet.net", "wsiflnb.persian.sex", "mnnwpo.jamjahani2026.football", "jjcuameq.parspoker90.com", "rgcecjho.parspoker90.com", "scsadmm.penaltibazi.com", "aoeseeuk.winpars.casino", "winpars.casino", "gialird.pishbini11.com", "pishbini11.com", "byiuatd.pinnaclebetting.bet"]);
DnsEvents
// has_any matches the listed domain as a term within the queried name,
// so subdomains of a listed apex domain are also surfaced
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kusto
// Hunt for access to known malicious URLs
// Source: ThreatFox - ClearFake
let malicious_urls = dynamic(["https://flzocge.penality.bet/083442ba-5bf1-4cc5-8440-04740f3ca9be/"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```

```kusto
// Hunt for files matching known malicious hashes
// Source: ThreatFox - ClearFake
// The feed currently carries only sha256_hash IOCs; the SHA1 and MD5 columns are
// checked as well so the query keeps working if other hash types are added later.
let malicious_hashes = dynamic(["19678a2d474affb5164942a842488275dafc988bab2e5918e38422f152ecc66b"]);
DeviceFileEvents
// in~ is the case-insensitive form of in, so hash casing in the feed or the telemetry does not matter
| where SHA256 in~ (malicious_hashes) or SHA1 in~ (malicious_hashes) or MD5 in~ (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
False Positive Scenarios

The exclusions below reference process fields (process.name, process.command_line, process.parent_process, process.user) that the three hunting queries above do not return; apply them to the process telemetry correlated with a DNS, URL or hash match rather than to the match itself.

Scenario: Legitimate system update using ClearFake-signed binaries
Filter/Exclusion: process.name != "cleartool" and process.name != "ClearFake.exe"

Scenario: Scheduled job running ClearFake for code analysis
Filter/Exclusion: process.command_line contains "scheduled_task_id=XYZ123" or process.parent_process == "schtasks.exe"

Scenario: Admin using ClearFake for secure code signing
Filter/Exclusion: process.user == "Administrator" and process.command_line contains "signcode"
Note: This should be combined with a whitelist of known trusted code signing tools.

Scenario: ClearFake used in a DevOps pipeline for artifact verification
Filter/Exclusion: process.command_line contains "jenkins" or process.command_line contains "gitlab-ci" or process.parent_process == "jenkins.exe"

Scenario: ClearFake used for internal vulnerability scanning
Filter/Exclusion: process.command_line contains "vulnerability_scan" or process.command_line contains "internal_scan" or process.user == "security_team"