Adversaries using ClearFake may leverage the 78 associated IOCs to deliver payloads, exfiltrate data or establish command and control, so any contact with them indicates potentially malicious network activity. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate early-stage activity by advanced persistent threats.
IOC Summary
Malware Family: ClearFake
Total IOCs: 78
IOC Types: domain
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - ClearFake
let malicious_domains = dynamic(["tooca.sm188daftar.skin", "qbtnd.sm188dvlv.cfd", "xyxpi.sm188dvlv.cfd", "nblvwres.stgsolar.hu", "qw0g1zl6.stgsolar.hu", "pixey.lampaoszlopbolt.hu", "ftmcr.lampaoszlopbolt.hu", "gkdtl.lampaoszlopbolt.hu", "bhknh.laborfotostudio.hu", "syoqp.ksfogszabalyozas.hu", "alklh.popi999.net", "dvzzer4n.parossag.hu", "0xu6ov6b.parossag.hu", "oakvvbov.parossag.hu", "fjtdm.sm188wing.cyou", "dxsxl.sm188wing.cyou", "gzhcn.sm188login.sbs", "zqyij.sm188login.rest", "nzaqn.sm188login.cyou", "jcyca.sm188login.cyou", "mzpyn.sm188login.cfd", "kqwkm.sm188login.cfd", "xqorxfh1.seresniki.com", "w0r1t50n.seresniki.com", "uzysz.sm188dvlv.skin", "slrsd.sm188dvlv.rest", "sm188dvlv.rest", "skgya.sm188dvlv.hair", "sm188dvlv.hair", "zntck.sm188dvlv.cfd", "aonsz.sm188dvlv.cfd", "nwtca6gs.schleer.hu", "wh1523s7.schleer.hu", "gvshj.sm188daftar.skin", "sm188daftar.skin", "txfbc.sm188daftar.net", "dxblt.sm188daftar.net", "sm188daftar.net", "vkdif.sm188daftar.cfd", "jiwkc.sm188daftar.cfd", "sm188daftar.cfd", "chhul.sm188akurat.sbs", "jrszz.popi999.net", "ovbbx.popi999.net", "2c5gt5bd.seresniki.com", "40ztk2rl.seresniki.com", "eibnb.slotmacau188z.bond", "yznfo.slotmacau188q.hair", "slotmacau188q.hair", "hunzm.slotmacau188k.sbs"]);
// Name is the queried FQDN; has_any matches each listed domain as a whole term
// (swap for `Name in~ (malicious_domains)` if only exact, case-insensitive matches are wanted)
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
Scenario: Legitimate System Update via Chocolatey
Description: A system administrator uses Chocolatey to install a legitimate software update that coincidentally matches one of the ClearFake IOCs.
Filter/Exclusion: Exclude all package installations via Chocolatey (ProcessName = "choco") or filter by ProcessCommandLine containing "choco install".

Scenario: Scheduled Job for Log Rotation
Description: A scheduled task runs a log rotation script that uses a tool like logrotate or rsyslog, which may have a file path or command that matches a ClearFake IOC.
Filter/Exclusion: Exclude processes associated with log rotation tools (e.g., logrotate, rsyslog, syslog-ng) or filter by ProcessCommandLine containing log rotation keywords.

Scenario: Admin Task Using PowerShell for Configuration Management
Description: An administrator uses PowerShell to configure system settings, and the script or command line includes a file path or command that matches a ClearFake IOC.
Filter/Exclusion: Exclude PowerShell processes initiated by administrators (User = "Administrator") or filter by ProcessCommandLine containing known admin scripts or configuration commands.

Scenario: Legitimate Software Deployment via SCCM
Description: A software deployment via Microsoft System Center Configuration Manager (SCCM) includes a file or command that matches a ClearFake IOC.
Filter/Exclusion: Exclude processes related to SCCM (ProcessName = "ccmexec", ProcessName = "smsexec") or filter by ProcessCommandLine containing SCCM deployment keywords.

Scenario: Security Tool for Threat Hunting
Description: A security analyst uses a threat hunting tool like CrowdStrike Falcon or Microsoft Defender ATP, which may have a file or command that matches a ClearFake IOC during a legitimate investigation.