The ThreatFox: ClearFake IOCs rule detects potential reconnaissance or initial access activities associated with the ClearFake threat group, leveraging known malicious indicators to identify compromised environments. SOC teams should proactively hunt for this behavior in Azure Sentinel to mitigate the risk of advanced persistent threats and prevent lateral movement within their network.
IOC Summary

Malware Family: ClearFake
Total IOCs: 23
IOC Types: domain, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://cdn.jsdelivr.net/gh/savina-41/mcv4f-jp5/launching | payload_delivery | 2026-06-20 | 100% |
| domain | 87khq5gx.ravabetensani.site | payload_delivery | 2026-06-20 | 100% |
| domain | yek1.bet | payload_delivery | 2026-06-20 | 100% |
| domain | 7cj04th6.shartland.com | payload_delivery | 2026-06-20 | 100% |
| domain | v8xihekm.ramzfile.com | payload_delivery | 2026-06-20 | 100% |
| domain | 13i466gp.shart303.com | payload_delivery | 2026-06-20 | 100% |
| domain | shart303.com | payload_delivery | 2026-06-20 | 100% |
| domain | lc5lya7l.romabetkade.com | payload_delivery | 2026-06-20 | 100% |
| domain | g6gib60b.raftarsazmani.xyz | payload_delivery | 2026-06-20 | 100% |
| domain | 0odlgi4q.motuntakhasosi.store | payload_delivery | 2026-06-20 | 100% |
| domain | e57ra5jx.plinkobet.casino | payload_delivery | 2026-06-20 | 100% |
| domain | byz28tfk.rasmfani.xyz | payload_delivery | 2026-06-19 | 100% |
| domain | i83pv2vx.ravabetensani.site | payload_delivery | 2026-06-19 | 100% |
| domain | sjn9cbzs.betvarzeshkade.online | payload_delivery | 2026-06-19 | 100% |
| domain | tarbiyateslami.xyz | payload_delivery | 2026-06-19 | 100% |
| url | hxxps://cdn.jsdelivr.net/gh/arinao7/86227780-d251hllg | payload_delivery | 2026-06-19 | 100% |
| domain | owxoxg4v.jetbetkade.com | payload_delivery | 2026-06-19 | 100% |
| domain | s18b1z48.tarahisystem.xyz | payload_delivery | 2026-06-19 | 100% |
| domain | tarahisystem.xyz | payload_delivery | 2026-06-19 | 100% |
| domain | 0q26dscq.anodaz.vip | payload_delivery | 2026-06-19 | 100% |
| domain | 2rvmsbh4.bet303.download | payload_delivery | 2026-06-19 | 100% |
| domain | fvkyh2up.testpaye.xyz | payload_delivery | 2026-06-19 | 100% |
| domain | aygi86ej.tahlilsazeha.xyz | payload_delivery | 2026-06-19 | 100% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - ClearFake
let malicious_domains = dynamic(["87khq5gx.ravabetensani.site", "yek1.bet", "7cj04th6.shartland.com", "v8xihekm.ramzfile.com", "13i466gp.shart303.com", "shart303.com", "lc5lya7l.romabetkade.com", "g6gib60b.raftarsazmani.xyz", "0odlgi4q.motuntakhasosi.store", "e57ra5jx.plinkobet.casino", "byz28tfk.rasmfani.xyz", "i83pv2vx.ravabetensani.site", "sjn9cbzs.betvarzeshkade.online", "tarbiyateslami.xyz", "owxoxg4v.jetbetkade.com", "s18b1z48.tarahisystem.xyz", "tarahisystem.xyz", "0q26dscq.anodaz.vip", "2rvmsbh4.bet303.download", "fvkyh2up.testpaye.xyz", "aygi86ej.tahlilsazeha.xyz"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - ClearFake
let malicious_urls = dynamic(["https://cdn.jsdelivr.net/gh/savina-41/mcv4f-jp5/launching", "https://cdn.jsdelivr.net/gh/arinao7/86227780-d251hllg"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
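The IOC table above is published defanged (hxxps://), while the hunting queries need the real scheme to match what lands in DnsEvents and UrlClickEvents. The following Python is an added example, not part of the ThreatFox feed or the rule itself: it parses a table in that markdown layout, refangs the values, and emits the `let ... = dynamic([...])` lines the two queries start with. The sample input is a constructed three-row subset copied from the table above; all function names are this example's own.

```python
import re
from typing import Dict, List

# Constructed sample input: three rows in the same markdown layout as the
# ThreatFox IOC table above (values copied from that table, not a new feed).
SAMPLE_TABLE = """\
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://cdn.jsdelivr.net/gh/savina-41/mcv4f-jp5/launching | payload_delivery | 2026-06-20 | 100% |
| domain | 87khq5gx.ravabetensani.site | payload_delivery | 2026-06-20 | 100% |
| domain | shart303.com | payload_delivery | 2026-06-20 | 100% |
"""


def refang(value: str) -> str:
    """Undo common defanging (hxxp/hxxps, [.], [:]) so the value matches
    the form actually recorded in DnsEvents / UrlClickEvents."""
    value = re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("[:]", ":")


def parse_ioc_table(table: str) -> Dict[str, List[str]]:
    """Parse the markdown IOC table into {ioc_type: [refanged values]}."""
    iocs: Dict[str, List[str]] = {}
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        # Skip the header row, the |---| separator row and malformed lines.
        if len(cells) < 2 or cells[0] == "Type" or set(cells[0]) <= {"-"}:
            continue
        iocs.setdefault(cells[0], []).append(refang(cells[1]))
    return iocs


def kql_dynamic(name: str, values: List[str]) -> str:
    """Render one KQL `let` holding a dynamic array, escaping embedded quotes."""
    quoted = ", ".join('"' + v.replace('"', '\\"') + '"' for v in values)
    return f"let {name} = dynamic([{quoted}]);"


def build_hunting_lets(table: str) -> str:
    """Emit the malicious_domains / malicious_urls lets used by the queries."""
    iocs = parse_ioc_table(table)
    lines = []
    if iocs.get("domain"):
        lines.append(kql_dynamic("malicious_domains", iocs["domain"]))
    if iocs.get("url"):
        lines.append(kql_dynamic("malicious_urls", iocs["url"]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_hunting_lets(SAMPLE_TABLE))
```

Paste the emitted `let` lines in place of the hard-coded ones when the feed is refreshed, so the query and the table never drift apart.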
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that matches one of the ClearFake IOCs, such as a script named clearfake_cleanup.ps1 used for system cleanup.
Filter/Exclusion: Exclude files with a specific filename pattern (e.g., clearfake_cleanup*) or check the file’s hash against a known good whitelist.
Scenario: Admin Tool Execution
Description: An administrator uses a tool like PowerShell or Task Scheduler to run a script that temporarily matches a ClearFake IOC, such as a file named clearfake_temp.exe used for a one-time diagnostic task.
Filter/Exclusion: Exclude files with a specific path (e.g., C:\Windows\Temp\clearfake_temp.exe) or check the file’s origin against a trusted admin tool whitelist.
Scenario: Third-Party Software Update
Description: A third-party software update, such as from Microsoft System Center, includes a file that matches a ClearFake IOC during an update process.
Filter/Exclusion: Exclude files that are signed by a trusted vendor (e.g., Microsoft) or match known update file patterns (e.g., update*.exe).
Scenario: Log File Analysis
Description: A security tool like Splunk or ELK Stack generates log files that contain strings matching ClearFake IOCs, such as IP addresses or domain names used in log messages.
Filter/Exclusion: Exclude log files by file path (e.g., C:\ProgramData\Splunk\logs\*) or filter out known log-related strings using a regex pattern.
Scenario: Network Monitoring Tool Traffic
Description: A network monitoring tool like Wireshark or tcpdump captures traffic that includes ClearFake-related IP