The ThreatFox: ClearFake IOCs rule flags DNS queries for domains that ThreatFox attributes to ClearFake, a malicious JavaScript framework injected into compromised websites that lures visitors with fake browser-update prompts into running the actual payload. SOC teams should hunt for these lookups in Microsoft Sentinel (formerly Azure Sentinel) to catch hosts at the landing-page stage, before a payload is fetched and executed.
IOC Summary

Malware Family: ClearFake
Total IOCs: 38
IOC Types: domain

The table below lists the first 25 indicators; the query further down carries the full set of 38.
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | lfwboc.jamejahani.win | payload_delivery | 2026-06-06 | 100% |
| domain | bdyqsrv.kbshavanese.com | payload_delivery | 2026-06-06 | 100% |
| domain | !k!.kbshavanese.com | payload_delivery | 2026-06-06 | 100% |
| domain | jjotnoj.jojobetuyelik.info | payload_delivery | 2026-06-06 | 100% |
| domain | !k!.jojobetuyelik.info | payload_delivery | 2026-06-06 | 100% |
| domain | jojobetuyelik.info | payload_delivery | 2026-06-06 | 100% |
| domain | zvxeaqm.jogodobicho.games | payload_delivery | 2026-06-06 | 100% |
| domain | 6ju7fjjz.bordoo.bet | payload_delivery | 2026-06-06 | 100% |
| domain | jdjgvaia.bordoo.bet | payload_delivery | 2026-06-06 | 100% |
| domain | i8lvkq19.bordino.bet | payload_delivery | 2026-06-06 | 100% |
| domain | 4lm4v3bu.bet404.games | payload_delivery | 2026-06-06 | 100% |
| domain | jrpzgr.jamejahani.bet | payload_delivery | 2026-06-06 | 100% |
| domain | vvxcqgv.jamjahani.world | payload_delivery | 2026-06-06 | 100% |
| domain | ubzfosw.jamjahani.win | payload_delivery | 2026-06-06 | 100% |
| domain | jamjahani.win | payload_delivery | 2026-06-06 | 100% |
| domain | ofwbhuk.jamjahani.website | payload_delivery | 2026-06-06 | 100% |
| domain | !k!.jamjahani.website | payload_delivery | 2026-06-06 | 100% |
| domain | zxuq0oha.bord90.bet | payload_delivery | 2026-06-06 | 100% |
| domain | 6jcq2nrd.bord90.bet | payload_delivery | 2026-06-06 | 100% |
| domain | khndao.x50wheel.bet | payload_delivery | 2026-06-06 | 100% |
| domain | piciidq.jamjahani.vip | payload_delivery | 2026-06-06 | 100% |
| domain | mipcepl.jamjahani.site | payload_delivery | 2026-06-06 | 100% |
| domain | !k!.jamjahani.site | payload_delivery | 2026-06-06 | 100% |
| domain | gvrrgvn.jamjahani.promo | payload_delivery | 2026-06-06 | 100% |
| domain | jamjahani.promo | payload_delivery | 2026-06-06 | 100% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - ClearFake
// Note: has_any performs term matching, so an apex entry such as "jamjahani.win"
// also matches queries for any of its subdomains. Entries of the form "!k!.<domain>"
// are feed placeholders, not valid hostnames, and will never match a real query.
let malicious_domains = dynamic(["lfwboc.jamejahani.win", "bdyqsrv.kbshavanese.com", "!k!.kbshavanese.com", "jjotnoj.jojobetuyelik.info", "!k!.jojobetuyelik.info", "jojobetuyelik.info", "zvxeaqm.jogodobicho.games", "6ju7fjjz.bordoo.bet", "jdjgvaia.bordoo.bet", "i8lvkq19.bordino.bet", "4lm4v3bu.bet404.games", "jrpzgr.jamejahani.bet", "vvxcqgv.jamjahani.world", "ubzfosw.jamjahani.win", "jamjahani.win", "ofwbhuk.jamjahani.website", "!k!.jamjahani.website", "zxuq0oha.bord90.bet", "6jcq2nrd.bord90.bet", "khndao.x50wheel.bet", "piciidq.jamjahani.vip", "mipcepl.jamjahani.site", "!k!.jamjahani.site", "gvrrgvn.jamjahani.promo", "jamjahani.promo", "kaxofkea.bizbetslot.net", "33aesmo5.bizbetslot.net", "zwbnyop.jamjahani.org", "eizgbh.xenicalby6.com", "rmjjmzw.jamjahani.online", "!k!.jamjahani.online", "zbc7yta5.taktiik.bet", "mltwwtn.jamjahani.one", "jamjahani.one", "e6ce6uwg.bingobet90.com", "q1wm6mf5.bingobet90.com", "kyxuncq.jamjahani.net", "!k!.jamjahani.net"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled. The table is populated by the Windows DNS Servers connector; if your DNS telemetry lands in a different table, such as the ASIM DNS schema (ASimDnsActivityLogs), adjust the table and column names in the query accordingly. |
Scenario: Security Tooling Resolving Indicator Domains
Description: Sandboxes, URL scanners and threat-intelligence enrichment tools resolve IOC domains as part of analysis, and analysts pivot on them from investigation workstations. These lookups come from known hosts and do not indicate a compromised user.
Filter/Exclusion: Exclude queries where Computer is a designated analysis host or sits in the investigation network segment. Keep the exclusion list explicit and reviewed; do not exclude on analyst username alone, because the same account may also use an ordinary workstation.
Scenario: Protective DNS or Sinkhole Already Blocking the Domain
Description: If a DNS firewall, RPZ or sinkhole answers these names with a blocked or loopback address, the query still appears in DnsEvents. The host reached the ClearFake landing-page stage even though the follow-on download was stopped.
Filter/Exclusion: Do not exclude these rows. Use IPAddresses to tag hits whose answer is the sinkhole address as blocked, lower their severity, and still triage the source host for the initial fake-update lure.
Scenario: Placeholder Entries in the Feed
Description: Several feed values have the form !k!.domain, which contains characters that are not valid in a hostname. They can never equal a real query name, so they add noise to the list without producing matches.
Filter/Exclusion: Drop these entries when building the watchlist, or replace each with its parent domain if the intent is to match every subdomain.
Scenario: Apex Domains That Overlap Listed Subdomains
Description: The list contains apex domains (for example jojobetuyelik.info and jamjahani.win) alongside specific subdomains. Because has_any matches the apex inside any subdomain, a single lookup can match two list entries, and the apex entry also catches subdomains that are not in the feed.
Filter/Exclusion: This is desirable coverage rather than a false positive. De-duplicate results per Computer and Name before counting hits, and treat a matched subdomain that is absent from the feed as a new indicator worth reporting.
Scenario: Aged or Re-registered Domains
Description: Lists like this one change frequently; the indicators above are throwaway-looking subdomains spread across many registrable domains. A domain seen long after its first-seen date may have expired, been parked, or been re-registered by an unrelated party.
Filter/Exclusion: Compare TimeGenerated with the indicator's first-seen date and the feed's current status before escalating, and retire indicators that the feed no longer lists.