The ThreatFox: ClearFake IOCs rule detects potential adversary activity linked to the ClearFake malware, which is associated with credential theft and lateral movement. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate early-stage compromises from advanced persistent threats.
IOC Summary
Malware Family: ClearFake
Total IOCs: 16
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | cebsrg.jamjahani.football | payload_delivery | 2026-06-08 | 100% |
| domain | hjwaxur.kvbel.com | payload_delivery | 2026-06-08 | 100% |
| domain | gwu729hw.parspoker.casino | payload_delivery | 2026-06-08 | 100% |
| domain | inmjycz.olabahiskayit.com | payload_delivery | 2026-06-08 | 100% |
| domain | rykwhjt.winsportiran.com | payload_delivery | 2026-06-08 | 100% |
| domain | tviyhdt.winstone.casino | payload_delivery | 2026-06-08 | 100% |
| domain | win.tennis | payload_delivery | 2026-06-08 | 100% |
| domain | mpozwop.winxbet.co | payload_delivery | 2026-06-08 | 100% |
| domain | xzelng.jamjahani.cash | payload_delivery | 2026-06-08 | 100% |
| domain | yynpur.perfectgame.casino | payload_delivery | 2026-06-08 | 100% |
| domain | ebwgtb.vezaratshart.com | payload_delivery | 2026-06-08 | 100% |
| domain | 5dwz6wj9.yekbetiran.com | payload_delivery | 2026-06-08 | 100% |
| domain | anpysts.yasbetapp.com | payload_delivery | 2026-06-08 | 100% |
| domain | cqvdiki.xenicalby6.com | payload_delivery | 2026-06-08 | 100% |
| domain | pmhaqci.x50wheel.bet | payload_delivery | 2026-06-08 | 100% |
| domain | qll4p9fw.one1xiran.bet | payload_delivery | 2026-06-08 | 100% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - ClearFake
let malicious_domains = dynamic([
    "cebsrg.jamjahani.football", "hjwaxur.kvbel.com", "gwu729hw.parspoker.casino",
    "inmjycz.olabahiskayit.com", "rykwhjt.winsportiran.com", "tviyhdt.winstone.casino",
    "win.tennis", "mpozwop.winxbet.co", "xzelng.jamjahani.cash",
    "yynpur.perfectgame.casino", "ebwgtb.vezaratshart.com", "5dwz6wj9.yekbetiran.com",
    "anpysts.yasbetapp.com", "cqvdiki.xenicalby6.com", "pmhaqci.x50wheel.bet",
    "qll4p9fw.one1xiran.bet"
]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled job using ClearFake-related tools
Description: A scheduled job runs a legitimate tool such as PowerShell or Task Scheduler whose name or command line resembles ClearFake IOCs.
Filter/Exclusion: Exclude processes whose CommandLine contains powershell.exe or references Task Scheduler, or filter by ProcessName matching known legitimate tools.

Scenario: Admin task involving file system enumeration
Description: An administrator performs a routine file system check with tools such as Get-ChildItem in PowerShell or dir in CMD, which may trigger IOC matches on file paths.
Filter/Exclusion: Exclude processes whose User field matches admin accounts (e.g., Administrator), or filter by ProcessName such as cmd.exe or powershell.exe combined with specific command-line arguments.

Scenario: Legitimate use of ClearFake-related domains in internal DNS
Description: The enterprise uses a domain that resembles the ClearFake domains for internal services (e.g., clearfake-int.example.com), which may be flagged as an IOC match.
Filter/Exclusion: Exclude DNS queries whose DNSDomain field matches internal domains, or filter by SourceIP matching internal IP ranges.

Scenario: Security tool or EDR agent generating false positives
Description: A security tool such as CrowdStrike Falcon or Microsoft Defender may generate alerts for ClearFake IOCs during normal operation.
Filter/Exclusion: Exclude processes whose ProcessName matches known EDR agents (e.g., falcon.exe, microsoftdefender.exe), or filter by ParentProcessName indicating a security tool.

Scenario: Legitimate use of ClearFake-like strings in log analysis
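The following Python is an added example, not ThreatFox's, Microsoft Sentinel's, or this page's own code. It runs the same hunt as the KQL query above offline over a few constructed DnsEvents-style records, matching each queried name against the 16 listed domains either exactly or as a subdomain (label-aligned, so `notwin.tennis` does not match `win.tennis`), and applies the internal-zone exclusion from the scenario above. The `INTERNAL_ZONES` tuple, the `SAMPLE_EVENTS` records, and the `MatchedIOC` output column are assumptions made for the example.

```python
"""Offline hunt for ClearFake domains (ThreatFox list) over DnsEvents-style records.

Added example, not ThreatFox's or Microsoft Sentinel's code. The records in
SAMPLE_EVENTS and the INTERNAL_ZONES tuple are constructed for illustration.
"""

# The 16 ThreatFox ClearFake domains listed on this page (payload_delivery).
MALICIOUS_DOMAINS = frozenset({
    "cebsrg.jamjahani.football", "hjwaxur.kvbel.com", "gwu729hw.parspoker.casino",
    "inmjycz.olabahiskayit.com", "rykwhjt.winsportiran.com", "tviyhdt.winstone.casino",
    "win.tennis", "mpozwop.winxbet.co", "xzelng.jamjahani.cash",
    "yynpur.perfectgame.casino", "ebwgtb.vezaratshart.com", "5dwz6wj9.yekbetiran.com",
    "anpysts.yasbetapp.com", "cqvdiki.xenicalby6.com", "pmhaqci.x50wheel.bet",
    "qll4p9fw.one1xiran.bet",
})

# Assumption: DNS zones the organisation operates. Queries for names inside
# these zones are skipped, covering the "internal DNS" false-positive scenario.
INTERNAL_ZONES = ("example.com", "corp.example.internal")

# Constructed DnsEvents-style records; column names follow the Sentinel query.
SAMPLE_EVENTS = [
    {"TimeGenerated": "2026-06-09T08:01:12Z", "Computer": "ws-0412",
     "Name": "win.tennis", "IPAddresses": "203.0.113.10", "QueryType": "A"},
    {"TimeGenerated": "2026-06-09T08:03:40Z", "Computer": "ws-0199",
     "Name": "cdn.hjwaxur.kvbel.com.", "IPAddresses": "203.0.113.22", "QueryType": "A"},
    {"TimeGenerated": "2026-06-09T08:05:05Z", "Computer": "ws-0412",
     "Name": "notwin.tennis", "IPAddresses": "198.51.100.7", "QueryType": "A"},
    {"TimeGenerated": "2026-06-09T08:06:30Z", "Computer": "srv-dc01",
     "Name": "clearfake-int.example.com", "IPAddresses": "10.0.0.5", "QueryType": "A"},
    {"TimeGenerated": "2026-06-09T08:07:15Z", "Computer": "ws-0777",
     "Name": "WIN.TENNIS", "IPAddresses": "203.0.113.10", "QueryType": "AAAA"},
]


def normalize(name: str) -> str:
    """Lower-case and strip the trailing root dot that some resolvers log."""
    return name.strip().rstrip(".").lower()


def matched_ioc(name: str, iocs=MALICIOUS_DOMAINS):
    """Return the IOC that `name` equals or is a subdomain of, else None.

    Comparison is label-aligned: 'cdn.hjwaxur.kvbel.com' matches
    'hjwaxur.kvbel.com', but 'notwin.tennis' does not match 'win.tennis'.
    """
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in iocs:
            return suffix
    return None


def is_internal(name: str, zones=INTERNAL_ZONES) -> bool:
    """True if `name` is inside one of the organisation's own zones."""
    n = normalize(name)
    return any(n == z or n.endswith("." + z) for z in zones)


def hunt(events, iocs=MALICIOUS_DOMAINS, zones=INTERNAL_ZONES):
    """Mirror the Sentinel query: keep IOC matches, project the same columns
    plus the matched IOC, and return them newest first."""
    hits = []
    for ev in events:
        if is_internal(ev["Name"], zones):
            continue  # scenario: legitimate internal DNS names
        ioc = matched_ioc(ev["Name"], iocs)
        if ioc is None:
            continue
        hits.append({
            "TimeGenerated": ev["TimeGenerated"],
            "Computer": ev["Computer"],
            "Name": ev["Name"],
            "IPAddresses": ev["IPAddresses"],
            "QueryType": ev["QueryType"],
            "MatchedIOC": ioc,
        })
    return sorted(hits, key=lambda h: h["TimeGenerated"], reverse=True)


if __name__ == "__main__":
    for h in hunt(SAMPLE_EVENTS):
        print(h["TimeGenerated"], h["Computer"], h["Name"], "->", h["MatchedIOC"])
```

Label-aligned suffix matching is deliberate: a plain substring or `endswith` check against the raw string would either miss subdomains of an IOC or over-match names that merely end in the same characters, and normalising the trailing dot and case keeps resolver-formatted names from slipping past the list.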
Description: A log analysis tool or script (e.g.,