The ThreatFox: ClearFake IOCs hunting rule looks for DNS queries to domains that ThreatFox has tagged as payload-delivery infrastructure for ClearFake, a campaign that injects JavaScript into compromised websites to serve fake browser-update lures. A match means a host on the network tried to resolve one of these domains and should be triaged. SOC teams should run this hunt proactively in Microsoft Sentinel (formerly Azure Sentinel), because an IOC hit in DNS telemetry can surface a compromise that endpoint or proxy detections missed.
IOC Summary
Malware Family: ClearFake
Total IOCs: 5
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | 00pq7d1j[.]1xboropartners.com | payload_delivery | 2026-06-26 | 100% |
| domain | rfhudhbz[.]313betsingup.casino | payload_delivery | 2026-06-26 | 100% |
| domain | drf[.]honareslami[.]xyz | payload_delivery | 2026-06-26 | 100% |
| domain | xb[.]bet1bonus[.]com | payload_delivery | 2026-06-26 | 100% |
| domain | 313betiran[.]online | payload_delivery | 2026-06-26 | 100% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - ClearFake
// has_any matches each domain as a term inside Name, so subdomains of the
// listed names (e.g. cdn.313betiran.online) are caught as well, while the
// bare parent of an IOC (e.g. bet1bonus.com) is not.
let malicious_domains = dynamic(["00pq7d1j.1xboropartners.com", "rfhudhbz.313betsingup.casino", "drf.honareslami.xyz", "xb.bet1bonus.com", "313betiran.online"]);
DnsEvents
| where Name has_any (malicious_domains)
// ClientIP identifies the querying client when Computer is the DNS server itself
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure the DNS data connector is enabled and ingesting from the resolvers your clients actually use; an empty result proves nothing if the table is empty. DNS telemetry from other products (firewalls, third-party resolvers) lands in other tables, so rerun the hunt through the ASIM _Im_Dns parser or adapt the table and column names. |
False Positive Scenarios
Note: the scenarios below are the generic file-based tuning template. This rule matches the DnsEvents Name column against domain IOCs, and DnsEvents carries no file.name, file.signer or file.publisher columns, so none of the file-based exclusions apply as written. Tune instead on the querying host (Computer, ClientIP) and on the exact name that matched. The most common benign source of hits is security tooling (sandboxes, threat-intelligence enrichment, web proxies, analyst workstations) that resolves IOC domains on purpose; review those hosts separately rather than silently dropping them.
Scenario: Legitimate System Update via Windows Update
Description: A system update from Microsoft's Windows Update service includes a file whose name resembles one of the ClearFake IOCs.
Filter/Exclusion: Exclude files signed by Microsoft or with a publisher name containing "Microsoft" using the file.signer or file.publisher field.
Scenario: Scheduled Job for Log Rotation
Description: A scheduled task (e.g., logrotate on Linux) generates a file whose temporary name resembles an IOC.
Filter/Exclusion: Exclude files with a file.name containing "logrotate" or "tmp" and check for presence in known log directories such as /var/log/.
Scenario: Admin Task for Database Backup
Description: A database backup tool (e.g., mysqldump) creates a backup file whose naming pattern resembles an IOC.
Filter/Exclusion: Exclude files with a file.name containing "backup" or "dump" and check for presence in known backup directories such as /backup/ or /var/backups/.
Scenario: Legitimate Antivirus Quarantine Process
Description: An antivirus tool (e.g., Bitdefender, Kaspersky) quarantines a file that matches an IOC as a false positive.
Filter/Exclusion: Exclude files with a file.name containing "quarantine" or "tmp" and check for presence in known quarantine directories such as /var/lib/ or /opt/antivirus/quarantine/.
Scenario: User-Initiated File Transfer via SCP
Description: A user transfers a file via SCP (Secure Copy) that has a name matching an IOC, but is a legitimate file (e.g., a configuration