The ThreatFox: ClearFake IOCs rule detects DNS lookups of domains that ThreatFox attributes to ClearFake, a malicious JavaScript framework injected into compromised legitimate websites to serve fake browser-update and ClickFix-style lures that deliver commodity malware. All indicators on this page are tagged payload_delivery, so a hit marks a host that visited a compromised page or fetched a ClearFake payload stage, which should be triaged as an early-stage infection lead rather than as established command and control. SOC teams can hunt for these lookups in Microsoft Sentinel (formerly Azure Sentinel) with the query below.
IOC Summary
Malware Family: ClearFake
Total IOCs: 82
IOC Types: domain
The table below lists the first 25 indicators; the hunting query further down embeds 50 of the 82.
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | ujpwid.dorottyanadorfi.com | payload_delivery | 2026-05-24 | 100% |
| domain | n4burrgj.runtime-cascade.digital | payload_delivery | 2026-05-24 | 100% |
| domain | 3mf0hr0j.runtime-cascade.digital | payload_delivery | 2026-05-24 | 100% |
| domain | swklua.dorihurosartwork.com | payload_delivery | 2026-05-24 | 100% |
| domain | nstkuj.dimoppalyazat.com | payload_delivery | 2026-05-24 | 100% |
| domain | gzvwla.dimamma.hu | payload_delivery | 2026-05-24 | 100% |
| domain | ygitqw.digital360.hu | payload_delivery | 2026-05-24 | 100% |
| domain | gfirzz.dravencoffee.hu | payload_delivery | 2026-05-24 | 100% |
| domain | rqknxy.dorottyanadorfi.com | payload_delivery | 2026-05-24 | 100% |
| domain | zrxotn.dorihurosartwork.com | payload_delivery | 2026-05-24 | 100% |
| domain | dirdurr.eu | payload_delivery | 2026-05-24 | 100% |
| domain | niupmo.dimoppalyazat.com | payload_delivery | 2026-05-24 | 100% |
| domain | gkmulq.dimamma.hu | payload_delivery | 2026-05-24 | 100% |
| domain | twgdna.digital360.hu | payload_delivery | 2026-05-24 | 100% |
| domain | lrnjen.dharmaralstudio.com | payload_delivery | 2026-05-24 | 100% |
| domain | dharmaraladventure.hu | payload_delivery | 2026-05-24 | 100% |
| domain | uowhim.dharmaraladventure.com | payload_delivery | 2026-05-24 | 100% |
| domain | hbpvpp.deye.hu | payload_delivery | 2026-05-24 | 100% |
| domain | hymllz.deplast.hu | payload_delivery | 2026-05-24 | 100% |
| domain | skfbao.del-nyugat.hu | payload_delivery | 2026-05-24 | 100% |
| domain | fzxuju.dachservice.hu | payload_delivery | 2026-05-24 | 100% |
| domain | oadckt.cserypadlo.hu | payload_delivery | 2026-05-24 | 100% |
| domain | gulwui.cinemarcell.hu | payload_delivery | 2026-05-24 | 100% |
| domain | viqhag.ceremoniavezeto.hu | payload_delivery | 2026-05-24 | 100% |
| domain | zpozph.brssolar.hu | payload_delivery | 2026-05-24 | 100% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - ClearFake (payload_delivery domains, first seen 2026-05-24)
// has_any is term-based: an apex entry such as "28.hu" also matches lookups of any
// "*.28.hu" host. Several entries are apex domains of compromised legitimate sites,
// so expect some hits from ordinary browsing of those sites.
let malicious_domains = dynamic(["ujpwid.dorottyanadorfi.com", "n4burrgj.runtime-cascade.digital", "3mf0hr0j.runtime-cascade.digital", "swklua.dorihurosartwork.com", "nstkuj.dimoppalyazat.com", "gzvwla.dimamma.hu", "ygitqw.digital360.hu", "gfirzz.dravencoffee.hu", "rqknxy.dorottyanadorfi.com", "zrxotn.dorihurosartwork.com", "dirdurr.eu", "niupmo.dimoppalyazat.com", "gkmulq.dimamma.hu", "twgdna.digital360.hu", "lrnjen.dharmaralstudio.com", "dharmaraladventure.hu", "uowhim.dharmaraladventure.com", "hbpvpp.deye.hu", "hymllz.deplast.hu", "skfbao.del-nyugat.hu", "fzxuju.dachservice.hu", "oadckt.cserypadlo.hu", "gulwui.cinemarcell.hu", "viqhag.ceremoniavezeto.hu", "zpozph.brssolar.hu", "ieawzs.brandbuilder.hu", "brandbuilder.hu", "fettcy.boutiqbar.com", "fwmijy.bonuszugynokseg.hu", "djnhkv.bohochal.hu", "bohochal.hu", "mtlhms.bognartransport.hu", "eisnuo.bognarautomoso.hu", "dkqaxl.bninolimit.com", "yyaohk.bni-ai.com", "bni-ai.com", "doishd.bmz.hu", "bmz.hu", "y4gf3n18.network-foundry.digital", "sx932d8l.network-foundry.digital", "qxoopq.bmiroda.hu", "bkbtgg.accredit.hu", "ykpwsn.accredit.hu", "aenysk.aborszerintem.hu", "avhepv.aapartman.hu", "gmokdazc.aapartman.hu", "kpghbfvn.8route.hu", "mdzgddyj.7naposokosotthonkihivas.hu", "2emelet.hu", "28.hu"]);
DnsEvents
| where TimeGenerated > ago(30d)
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Populated by the DNS Analytics connector; ensure it is enabled. Workspaces that ingest DNS through ASIM can run the same logic against the `_Im_Dns` parser (ASimDnsActivityLogs) by mapping Name to DnsQuery. |
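The query above relies on has_any matching subdomains of every listed apex, and the indicator list mixes attacker-labelled subdomains with the apex domains of the compromised sites. The following Python is an added example, not part of the ThreatFox feed or the Sentinel rule: it parses a slice of the page's IOC table, reports entries that are already covered by a listed parent domain, runs the same suffix-matching hunt offline over a few constructed DNS records (the hostnames such as ws-analyst-01 and the IPs are placeholders), and renders the list back into the KQL shape used on this page.

```python
"""Turn ThreatFox ClearFake domain indicators into a Sentinel hunt and check
the matching semantics offline against a few DNS records.

Added example; not part of the ThreatFox feed or the Sentinel rule on this page.
IOC_TABLE is a constructed slice of the page's indicator table and DNS_EVENTS are
constructed records; hostnames like 'ws-analyst-01' and the IPs are placeholders.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed: five rows copied from the page's table, including two apex
# domains (brandbuilder.hu, 28.hu) and a subdomain of one of them.
IOC_TABLE = """\
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | ujpwid.dorottyanadorfi.com | payload_delivery | 2026-05-24 | 100% |
| domain | dirdurr.eu | payload_delivery | 2026-05-24 | 100% |
| domain | ieawzs.brandbuilder.hu | payload_delivery | 2026-05-24 | 100% |
| domain | brandbuilder.hu | payload_delivery | 2026-05-24 | 100% |
| domain | 28.hu | payload_delivery | 2026-05-24 | 100% |
"""

# Constructed DNS records in DnsEvents shape (Computer, ClientIP, Name).
# Record 3 is the unlisted parent of a listed subdomain and must not match;
# record 5 tests case folding and the trailing root dot.
DNS_EVENTS = [
    {"Computer": "ws-finance-07", "ClientIP": "10.20.0.15", "Name": "ujpwid.dorottyanadorfi.com"},
    {"Computer": "ws-finance-07", "ClientIP": "10.20.0.15", "Name": "www.dirdurr.eu"},
    {"Computer": "ws-hr-02", "ClientIP": "10.20.1.40", "Name": "dorottyanadorfi.com"},
    {"Computer": "ws-hr-02", "ClientIP": "10.20.1.40", "Name": "28.hu"},
    {"Computer": "ws-analyst-01", "ClientIP": "10.99.0.5", "Name": "IEAWZS.BRANDBUILDER.HU."},
]


@dataclass(frozen=True)
class Ioc:
    ioc_type: str
    value: str
    threat_type: str
    first_seen: str
    confidence: int


def normalize(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return name.strip().rstrip(".").lower()


def parse_ioc_table(text: str) -> list[Ioc]:
    """Parse the Markdown IOC table, skipping the header and separator rows."""
    iocs = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 5 or cells[0] == "Type" or cells[0].startswith("-"):
            continue
        iocs.append(Ioc(cells[0], normalize(cells[1]), cells[2], cells[3],
                        int(cells[4].rstrip("%"))))
    return iocs


def redundant_entries(domains: list[str]) -> dict[str, str]:
    """Map each indicator that is a subdomain of another indicator to that parent.
    Under suffix matching (or KQL has_any) such entries add nothing, and the parent
    being listed usually means it is a compromised legitimate site's apex."""
    out = {}
    for d in domains:
        parents = [p for p in domains if p != d and d.endswith("." + p)]
        if parents:
            out[d] = min(parents, key=len)
    return out


def match_domain(name: str, domains: list[str]) -> str | None:
    """Return the most specific indicator equal to `name` or a parent of it."""
    n = normalize(name)
    hits = [d for d in domains if n == d or n.endswith("." + d)]
    return max(hits, key=len) if hits else None


def hunt(events, iocs: list[Ioc], excluded_computers=frozenset()):
    """Offline equivalent of the Sentinel query: one hit per matching DNS record,
    with an allow-list of analysis hosts applied on Computer, not on a process name."""
    domains = [i.value for i in iocs]
    hits = []
    for ev in events:
        if ev["Computer"] in excluded_computers:
            continue
        ioc = match_domain(ev["Name"], domains)
        if ioc:
            hits.append({**ev, "Ioc": ioc})
    return hits


def build_kql(domains: list[str], table: str = "DnsEvents", lookback: str = "30d") -> str:
    """Render the same hunt as KQL (Sentinel-style has_any over a dynamic list)."""
    quoted = ", ".join(f'"{d}"' for d in sorted(set(domains)))
    return (
        f"let malicious_domains = dynamic([{quoted}]);\n"
        f"{table}\n"
        f"| where TimeGenerated > ago({lookback})\n"
        f"| where Name has_any (malicious_domains)\n"
        f"| project TimeGenerated, Computer, ClientIP, Name, IPAddresses, QueryType\n"
        f"| order by TimeGenerated desc"
    )


if __name__ == "__main__":
    iocs = parse_ioc_table(IOC_TABLE)
    print(f"{len(iocs)} indicators; redundant: {redundant_entries([i.value for i in iocs])}")
    for h in hunt(DNS_EVENTS, iocs, excluded_computers={"ws-analyst-01"}):
        print(f'{h["Computer"]:14} {h["ClientIP"]:12} {h["Name"]:30} -> {h["Ioc"]}')
    print(build_kql([i.value for i in iocs]))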
Scenario: Compromised legitimate websites in the indicator list
Description: ClearFake is injected into compromised legitimate sites, so the apex entries in the list (for example brandbuilder.hu, bohochal.hu, bni-ai.com, bmz.hu, 2emelet.hu, 28.hu) are most likely the victims' own domains. A lookup of one of them means a user visited the site where the lure is served and is still worth triage, but it does not by itself show that a payload was fetched. Lookups of the random-label subdomains (for example ujpwid.dorottyanadorfi.com) have no benign explanation and should be prioritised.
Filter/Exclusion: do not exclude; rank instead, e.g. `| extend RandomLabel = Name matches regex @"^[a-z0-9]{6,8}\."` and raise severity where RandomLabel is true.
Scenario: Malware analysis and sandbox hosts
Description: Analysts detonating ClearFake samples or browsing the compromised sites from a sandbox or dedicated analysis workstation resolve these domains deliberately. The rule matches DNS names, so the exclusion belongs on the querying host, not on a process name.
Filter/Exclusion: `| where Computer !in ("sandbox-01", "analyst-vm-02")` (placeholder hostnames; substitute your lab inventory)
Scenario: Automated URL scanning and enrichment
Description: URL detonation in mail and web gateways, threat-intelligence enrichment pipelines and DNS-based security tooling resolve indicators on their own. These lookups come from known server addresses rather than user endpoints.
Filter/Exclusion: `| where not(ipv4_is_in_range(ClientIP, "10.99.0.0/24"))` (placeholder range for the scanning infrastructure)
Scenario: Resolutions already blocked by protective DNS
Description: Where the resolver blocks these domains (RPZ, protective DNS), the query is still logged but the client receives NXDOMAIN or a sinkhole address. The event confirms the attempt, not a successful connection.
Filter/Exclusion: do not exclude; use the IPAddresses column to tell a sinkholed answer from a real resolution and set severity accordingly.