The ThreatFox: ClearFake IOCs rule detects potential adversary activity associated with the ClearFake threat group, leveraging known malicious indicators to identify compromised systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats that may be exfiltrating data or establishing command and control channels.
IOC Summary
Malware Family: ClearFake
Total IOCs: 5
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | megaparibet.win | payload_delivery | 2026-06-22 | 100% |
| domain | ujlo7o5o.readthisintro.xyz | payload_delivery | 2026-06-22 | 100% |
| domain | megapariwin.casino | payload_delivery | 2026-06-22 | 100% |
| domain | fjaoi5is.megaparibet.vip | payload_delivery | 2026-06-22 | 100% |
| domain | megaparibet.vip | payload_delivery | 2026-06-22 | 100% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - ClearFake
let malicious_domains = dynamic(["megaparibet.win", "ujlo7o5o.readthisintro.xyz", "megapariwin.casino", "fjaoi5is.megaparibet.vip", "megaparibet.vip"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
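The same hunt run offline over log records shaped like the DnsEvents columns the query projects, as an added example that is not part of the original rule: query names are normalized (case, trailing root dot) and matched by DNS label suffix, so a parent-domain IOC also covers its subdomains while look-alike names such as `notmegaparibet.vip` do not match. The sample records are constructed, not real telemetry.

```python
# Offline equivalent of the DnsEvents hunt, using the IOC list from this page.
# IOC set copied from the ThreatFox ClearFake table above
MALICIOUS_DOMAINS = {
    "megaparibet.win",
    "ujlo7o5o.readthisintro.xyz",
    "megapariwin.casino",
    "fjaoi5is.megaparibet.vip",
    "megaparibet.vip",
}

def normalize(qname: str) -> str:
    """Lowercase and strip the trailing root dot that some resolvers log."""
    return qname.strip().rstrip(".").lower()

def matching_ioc(qname: str, iocs=MALICIOUS_DOMAINS):
    """Return the IOC a query name hits (exact or as a subdomain), else None.

    Matching walks label boundaries rather than doing a substring search, so
    fjaoi5is.megaparibet.vip is caught by megaparibet.vip while
    notmegaparibet.vip is not.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None

def hunt(events):
    """Mimic the KQL: keep hits, project the same columns, newest first."""
    hits = []
    for ev in events:
        ioc = matching_ioc(ev["Name"])
        if ioc:
            hits.append({"TimeGenerated": ev["TimeGenerated"], "Computer": ev["Computer"],
                         "Name": ev["Name"], "IPAddresses": ev["IPAddresses"],
                         "QueryType": ev["QueryType"], "MatchedIOC": ioc})
    return sorted(hits, key=lambda h: h["TimeGenerated"], reverse=True)

# Constructed sample records in DnsEvents shape (hostnames and IPs are made up)
SAMPLE_EVENTS = [
    {"TimeGenerated": "2026-06-22T09:00:00Z", "Computer": "WS01", "Name": "megaparibet.vip.", "IPAddresses": "203.0.113.10", "QueryType": "A"},
    {"TimeGenerated": "2026-06-22T09:05:00Z", "Computer": "WS02", "Name": "cdn.megapariwin.casino", "IPAddresses": "203.0.113.11", "QueryType": "A"},
    {"TimeGenerated": "2026-06-22T09:07:00Z", "Computer": "WS03", "Name": "notmegaparibet.vip", "IPAddresses": "198.51.100.5", "QueryType": "A"},
    {"TimeGenerated": "2026-06-22T09:10:00Z", "Computer": "WS04", "Name": "www.example.com", "IPAddresses": "192.0.2.7", "QueryType": "A"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["TimeGenerated"], hit["Computer"], hit["Name"], "->", hit["MatchedIOC"])
```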
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
- Scenario: Legitimate System Maintenance Task
  - Description: A system administrator runs a scheduled job to clean up temporary files using a tool like del or rm in a script.
  - Filter/Exclusion: Exclude processes initiated by the SYSTEM account or those matching the pattern Cleanup* in the command line.
- Scenario: Scheduled Backup Job
  - Description: A backup tool like Veeam or Commvault performs a scheduled backup that temporarily creates files matching known IOCs.
  - Filter/Exclusion: Exclude processes whose parent process is the backup service or that run under the backup user account.
- Scenario: Software Update Process
  - Description: A legitimate software update process, such as Windows Update or a third-party patching tool, downloads files that match the IOCs.
  - Filter/Exclusion: Exclude processes associated with wuauclt.exe, msiexec.exe, or any known update management tools.
- Scenario: Admin Debugging Session
  - Description: A security administrator uses a tool like Procmon or Process Explorer to debug a process, which may temporarily trigger IOCs.
  - Filter/Exclusion: Exclude processes with a command line containing Procmon or Process Explorer, or initiated by the Administrators group.
- Scenario: Log File Rotation
  - Description: A log rotation tool like logrotate or a custom script rotates and compresses log files, which may temporarily match the IOCs.
  - Filter/Exclusion: Exclude processes with command lines containing logrotate, gzip, or tar, or those running under a log management service account.