The ThreatFox: ClearFake IOCs rule detects potential adversary activity linked to the ClearFake malware, which is associated with credential theft and lateral movement. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromises from advanced persistent threats leveraging known malicious IOCs.
IOC Summary
Malware Family: ClearFake
Total IOCs: 35
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | ihtfqktk.holiday-matrix.christmas | payload_delivery | 2026-05-23 | 100% |
| domain | mckglhnz.holiday-matrix.christmas | payload_delivery | 2026-05-23 | 100% |
| domain | debugshy-fansync.cyou | payload_delivery | 2026-05-23 | 100% |
| domain | ilhvyrij.ipv4has-lampnew.cyou | payload_delivery | 2026-05-23 | 100% |
| domain | ipv4has-lampnew.cyou | payload_delivery | 2026-05-23 | 100% |
| domain | mkszunli.flopstin-gymcargo.cyou | payload_delivery | 2026-05-23 | 100% |
| domain | flopstin-gymcargo.cyou | payload_delivery | 2026-05-23 | 100% |
| domain | mfbrkbuv.betnoise-unionour.cyou | payload_delivery | 2026-05-23 | 100% |
| domain | betnoise-unionour.cyou | payload_delivery | 2026-05-23 | 100% |
| domain | hoycbijv.holiday-matrix.christmas | payload_delivery | 2026-05-23 | 100% |
| domain | ymeivxaj.holiday-matrix.christmas | payload_delivery | 2026-05-23 | 100% |
| domain | holiday-matrix.christmas | payload_delivery | 2026-05-23 | 100% |
| domain | auhlsdki.frost-engine.christmas | payload_delivery | 2026-05-23 | 100% |
| domain | mvltyody.frost-engine.christmas | payload_delivery | 2026-05-23 | 100% |
| domain | ftjilgqw.winter-pulse.christmas | payload_delivery | 2026-05-23 | 100% |
| domain | acxmquqg.winter-pulse.christmas | payload_delivery | 2026-05-23 | 100% |
| domain | mfwhezll.gift-lattice.christmas | payload_delivery | 2026-05-22 | 100% |
| domain | mstdvyct.gift-lattice.christmas | payload_delivery | 2026-05-22 | 100% |
| domain | winter-pulse.christmas | payload_delivery | 2026-05-22 | 100% |
| domain | gift-lattice.christmas | payload_delivery | 2026-05-22 | 100% |
| domain | snow-harbor.christmas | payload_delivery | 2026-05-22 | 100% |
| domain | xenomorphhiveintel.christmas | payload_delivery | 2026-05-22 | 100% |
| domain | sopranos-familytree.christmas | payload_delivery | 2026-05-22 | 100% |
| domain | holisticdetective.christmas | payload_delivery | 2026-05-22 | 100% |
| domain | phase-shiftbridge.christmas | payload_delivery | 2026-05-22 | 100% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - ClearFake
let malicious_domains = dynamic(["ihtfqktk.holiday-matrix.christmas", "mckglhnz.holiday-matrix.christmas", "debugshy-fansync.cyou", "ilhvyrij.ipv4has-lampnew.cyou", "ipv4has-lampnew.cyou", "mkszunli.flopstin-gymcargo.cyou", "flopstin-gymcargo.cyou", "mfbrkbuv.betnoise-unionour.cyou", "betnoise-unionour.cyou", "hoycbijv.holiday-matrix.christmas", "ymeivxaj.holiday-matrix.christmas", "holiday-matrix.christmas", "auhlsdki.frost-engine.christmas", "mvltyody.frost-engine.christmas", "ftjilgqw.winter-pulse.christmas", "acxmquqg.winter-pulse.christmas", "mfwhezll.gift-lattice.christmas", "mstdvyct.gift-lattice.christmas", "winter-pulse.christmas", "gift-lattice.christmas", "snow-harbor.christmas", "xenomorphhiveintel.christmas", "sopranos-familytree.christmas", "holisticdetective.christmas", "phase-shiftbridge.christmas", "nodefabric.christmas", "virtual-packet-grid.christmas", "cache-orbit.christmas", "labdjang.asia", "reposboy.asia", "spamgym.asia", "formkey.asia", "chickencutlet-hacks.christmas", "chroniclearchivekeeper.christmas", "logicbufferskills.christmas"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
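Added example, not part of the ThreatFox rule or the Sentinel content above: a small Python hunt that applies a subset of the same ClearFake domain list to constructed DnsEvents-style records. It matches on whole DNS labels, so subdomains of a listed apex domain (e.g. `holiday-matrix.christmas`) are caught while look-alike names that merely contain an IOC as a substring are not, and it returns the specific IOC that fired so an analyst can pivot on it.

```python
from typing import Optional

# Subset of the ThreatFox ClearFake domains from the rule above.
CLEARFAKE_DOMAINS = {
    "holiday-matrix.christmas",
    "ihtfqktk.holiday-matrix.christmas",
    "debugshy-fansync.cyou",
    "ipv4has-lampnew.cyou",
}


def match_ioc(query_name: str, iocs=CLEARFAKE_DOMAINS) -> Optional[str]:
    """Return the IOC that the queried name equals or is a subdomain of, else None.

    Matching walks DNS labels rather than substrings, so
    "notholiday-matrix.christmas" does not match "holiday-matrix.christmas",
    while "cdn.ipv4has-lampnew.cyou" does match the apex "ipv4has-lampnew.cyou".
    """
    name = query_name.rstrip(".").lower()  # normalise trailing dot / case
    labels = name.split(".")
    # Walk from the full name down to its apex; the first hit is the most specific IOC.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


# Constructed DnsEvents-style records (sample data, not real telemetry).
SAMPLE_EVENTS = [
    {"TimeGenerated": "2026-05-23T10:01:00Z", "Computer": "ws01", "Name": "ihtfqktk.holiday-matrix.christmas", "QueryType": "A"},
    {"TimeGenerated": "2026-05-23T10:02:00Z", "Computer": "ws02", "Name": "cdn.ipv4has-lampnew.cyou.", "QueryType": "A"},
    {"TimeGenerated": "2026-05-23T10:03:00Z", "Computer": "ws03", "Name": "notholiday-matrix.christmas", "QueryType": "A"},
    {"TimeGenerated": "2026-05-23T10:04:00Z", "Computer": "ws04", "Name": "login.microsoftonline.com", "QueryType": "A"},
]


def hunt(events):
    """Return the events whose queried Name matches an IOC, annotated with the IOC."""
    hits = []
    for ev in events:
        ioc = match_ioc(ev["Name"])
        if ioc:
            hits.append({**ev, "MatchedIOC": ioc})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["TimeGenerated"], hit["Computer"], hit["Name"], "->", hit["MatchedIOC"])
```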
Scenario: Legitimate System Update via Chocolatey
Description: A system administrator uses Chocolatey to install a legitimate software update that coincidentally matches one of the ClearFake IOCs.
Filter/Exclusion: process.name != "choco.exe" or process.parent.name != "choco.exe"

Scenario: Scheduled Job for Log Rotation
Description: A scheduled task runs a log rotation script that uses a tool like logrotate or rsyslog which may have a file path or command that matches a ClearFake IOC.
Filter/Exclusion: process.name != "logrotate" and process.name != "rsyslogd"

Scenario: Admin Task for Patch Management
Description: An admin uses a tool like Windows Update or WSUS to deploy patches, and the update process includes a file or command that matches a ClearFake IOC.
Filter/Exclusion: process.name != "wuauclt.exe" and process.name != "wsusutil.exe"

Scenario: Use of PowerShell for Configuration Management
Description: A PowerShell script used for configuration management (e.g., PSConfig or Pester) contains a command or file path that matches a ClearFake IOC.
Filter/Exclusion: process.name != "powershell.exe" or script.name != "PSConfig.ps1"

Scenario: Legitimate File Integrity Monitoring Tool
Description: A tool like Tripwire or OSSEC is used for file integrity monitoring and includes a file or command that matches a ClearFake IOC.
Filter/Exclusion: process.name != "tripwire" and process.name != "ossec" and process.parent.name != "tripwire"