The ThreatFox: ClearFake IOCs rule detects potential adversary activity linked to the ClearFake malware, which is associated with high-severity threats and is known for exfiltrating data and establishing persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced threats that may have evaded the initial detection mechanisms.
IOC Summary
Malware Family: ClearFake
Total IOCs: 19
IOC Types: domain, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | zarinfile.com | payload_delivery | 2026-06-24 | 100% |
| url | hxxps://cdn.jsdelivr.net/gh/galinavsuk6/sdg7-j9/r-fd7 | payload_delivery | 2026-06-24 | 100% |
| domain | k9qxyqt8.jetbt8.online | payload_delivery | 2026-06-24 | 100% |
| domain | jetbt8.online | payload_delivery | 2026-06-24 | 100% |
| domain | jetbt7.online | payload_delivery | 2026-06-24 | 100% |
| domain | m2p5bg3q.ahkam.xyz | payload_delivery | 2026-06-24 | 100% |
| domain | three.followfromapps.icu | payload_delivery | 2026-06-24 | 50% |
| domain | reef-swan-lagoon.pages.dev | payload_delivery | 2026-06-24 | 50% |
| domain | kyard07v.vip1xbet.net | payload_delivery | 2026-06-24 | 100% |
| domain | arop4gtf.jetbt6.online | payload_delivery | 2026-06-24 | 100% |
| domain | jetbt6.online | payload_delivery | 2026-06-24 | 100% |
| domain | jetbet1.live | payload_delivery | 2026-06-24 | 100% |
| domain | p0d2virz.blackjacktipsnnt.com | payload_delivery | 2026-06-24 | 100% |
| domain | blackjacktipsnnt.com | payload_delivery | 2026-06-24 | 100% |
| domain | blackjack-x.com | payload_delivery | 2026-06-23 | 100% |
| domain | 69xb4m1d.betmajic.cc | payload_delivery | 2026-06-23 | 100% |
| domain | 8ra83hil.blackjackonlineplay83.com | payload_delivery | 2026-06-23 | 100% |
| url | hxxps://cdn.jsdelivr.net/gh/louis-mellor/2d-aee4-1433332c1@main/f5 | payload_delivery | 2026-06-23 | 100% |
| domain | s7w5r3s2.onebet1x.com | payload_delivery | 2026-06-23 | 100% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - ClearFake
let malicious_domains = dynamic(["zarinfile.com", "k9qxyqt8.jetbt8.online", "jetbt8.online", "jetbt7.online", "m2p5bg3q.ahkam.xyz", "three.followfromapps.icu", "reef-swan-lagoon.pages.dev", "kyard07v.vip1xbet.net", "arop4gtf.jetbt6.online", "jetbt6.online", "jetbet1.live", "p0d2virz.blackjacktipsnnt.com", "blackjacktipsnnt.com", "blackjack-x.com", "69xb4m1d.betmajic.cc", "8ra83hil.blackjackonlineplay83.com", "s7w5r3s2.onebet1x.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kusto
// Hunt for access to known malicious URLs
// Source: ThreatFox - ClearFake
let malicious_urls = dynamic(["https://cdn.jsdelivr.net/gh/galinavsuk6/sdg7-j9/r-fd7", "https://cdn.jsdelivr.net/gh/louis-mellor/2d-aee4-1433332c1@main/f5"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
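As an added example (not part of the original rule), the same DNS hunt in Python over a constructed log sample: it refangs indicators as feeds publish them, normalises query names (case, trailing root dot), and matches exact or subdomain hits on a dot boundary, which is stricter than KQL's `has_any` term matching and is why a look-alike such as evil-jetbt8.online is not flagged. The log lines and host names are constructed; the domain list is the one from the table above.

```python
import re
from typing import Iterable, Optional

# Domain indicators copied from the ThreatFox ClearFake table on this page.
CLEARFAKE_DOMAINS = [
    "zarinfile.com", "k9qxyqt8.jetbt8.online", "jetbt8.online", "jetbt7.online",
    "m2p5bg3q.ahkam.xyz", "three.followfromapps.icu", "reef-swan-lagoon.pages.dev",
    "kyard07v.vip1xbet.net", "arop4gtf.jetbt6.online", "jetbt6.online", "jetbet1.live",
    "p0d2virz.blackjacktipsnnt.com", "blackjacktipsnnt.com", "blackjack-x.com",
    "69xb4m1d.betmajic.cc", "8ra83hil.blackjackonlineplay83.com", "s7w5r3s2.onebet1x.com",
]

def refang(ioc: str) -> str:
    """Undo the usual feed defanging (hxxp -> http, [.] -> .) so values compare against real telemetry."""
    return re.sub(r"^hxxp", "http", ioc.strip(), flags=re.IGNORECASE).replace("[.]", ".")

def normalize_name(name: str) -> str:
    """Lower-case a DNS query name and drop the trailing root dot that some resolvers log."""
    return name.strip().lower().rstrip(".")

def matches_domain(name: str, indicators: Iterable[str]) -> Optional[str]:
    """Return the indicator that `name` equals or is a subdomain of, else None.
    The leading-dot boundary keeps look-alikes such as evil-jetbt8.online from matching jetbt8.online."""
    n = normalize_name(name)
    for ioc in indicators:
        d = normalize_name(refang(ioc))
        if n == d or n.endswith("." + d):
            return d
    return None

# Constructed sample DNS log (not real telemetry); fields: timestamp computer query_name.
SAMPLE_DNS_LOG = """\
2026-06-24T10:01:02Z WS-0142 k9qxyqt8.jetbt8.online.
2026-06-24T10:01:05Z WS-0142 www.microsoft.com
2026-06-24T10:02:11Z SRV-DB01 evil-jetbt8.online
2026-06-24T10:03:40Z WS-0077 CDN.BLACKJACK-X.COM
"""

def hunt_dns(log_text: str, indicators: Iterable[str] = CLEARFAKE_DOMAINS) -> list:
    """Return (computer, queried_name, matched_indicator) for each hit, like the DnsEvents query above."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, computer, qname = line.split()
        ioc = matches_domain(qname, indicators)
        if ioc:
            hits.append((computer, qname, ioc))
    return hits
```

Calling `hunt_dns(SAMPLE_DNS_LOG)` returns the two true hits (WS-0142 and WS-0077) and leaves the look-alike on SRV-DB01 alone; reviewing such near misses separately is a cheap way to catch typo-squatted variants the feed has not yet listed.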
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
Scenario: Legitimate system update using ClearFake-related tools
Description: A system update or patching process may include tools or scripts that match ClearFake IOCs, such as clearfake-updater.sh or clearfake-registry-check.exe.
Filter/Exclusion: Check for process.name containing update, patch, or installer, and exclude processes with process.parent.name matching known update services (e.g., Windows Update, WSUS).
Scenario: Scheduled job for malware analysis using ClearFake artifacts
Description: A security team may run scheduled jobs to analyze malware samples, which could include ClearFake-related files or network connections.
Filter/Exclusion: Filter by process.name like malwareanalysis.exe, sandbox.exe, or analysis_tool.exe, and include user.name matching internal security teams (e.g., security-team, threat-hunting).
Scenario: Admin task involving ClearFake-related network connections
Description: An administrator might configure or test network connections that match ClearFake IOCs, such as connecting to a test environment or a known benign IP range.
Filter/Exclusion: Exclude connections where destination.ip is in a known internal or test network range (e.g., 10.0.0.0/8, 192.168.0.0/16), or where process.name is netsh, route, or ipconfig.
Scenario: Legitimate use of ClearFake-related scripts in a development environment
Description: Developers may use scripts or tools that match ClearFake IOCs for testing or debugging purposes, such as clearfake-test-runner.py or clearfake-debugger.exe.
Filter/Exclusion: Filter by process.name containing `