Adversaries may be using the ClearFake infrastructure behind these IOCs to exfiltrate data or establish command and control channels within the network. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate potential compromise by advanced persistent threats leveraging ClearFake infrastructure.
IOC Summary

- Malware Family: ClearFake
- Total IOCs: 107
- IOC Types: domain
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - ClearFake
let malicious_domains = dynamic(["cityli-fe2.kymle2rix.in.net", "home-base1.kymle2rix.in.net", "gold-fi-sh6.to6vamil.in.net", "warm-sun5.to6vamil.in.net", "darkwood4.to6vamil.in.net", "high-hi-ll3.to6vamil.in.net", "blue-sky2.to6vamil.in.net", "deepsea1.to6vamil.in.net", "soft-ba-g6.sylom5er.in.net", "hardbox5.sylom5er.in.net", "redma-rk4.sylom5er.in.net", "thin-pen3.sylom5er.in.net", "lastpa-ge2.sylom5er.in.net", "openbook1.sylom5er.in.net", "old-town6.ra1xorin.in.net", "newtrip5.ra1xorin.in.net", "longro-ad4.ra1xorin.in.net", "bigjump3.ra1xorin.in.net", "slowwa-lk2.ra1xorin.in.net", "fast-run1.ra1xorin.in.net", "highstep6.9zoravel.in.net", "coldwind5.9zoravel.in.net", "white-wa-ll4.9zoravel.in.net", "small-cup3.9zoravel.in.net", "greenlamp2.9zoravel.in.net", "blu-etable1.9zoravel.in.net", "main-po-int6.tarny-tsedilka.in.net", "quickmo-ve5.tarny-tsedilka.in.net", "empty-s-pac4.tarny-tsedilka.in.net", "full-b-ox3.tarny-tsedilka.in.net", "lightp-ack2.tarny-tsedilka.in.net", "justtalk5.qi8maren.in.net", "heavy-lo-ad1.tarny-tsedilka.in.net", "light-mo-on6.championincomp.in.net", "warmf-ire5.championincomp.in.net", "cold-sn-ow4.championincomp.in.net", "clear-sky3.championincomp.in.net", "rainy-ni-ght2.championincomp.in.net", "sunny-d-ay1.championincomp.in.net", "best-lo-ok6.water-wagged.in.net", "newst-yle5.water-wagged.in.net", "warm-co-at4.water-wagged.in.net", "long-be-lt3.water-wagged.in.net", "white-shir-t2.water-wagged.in.net", "black-h-at1.water-wagged.in.net", "purewa-ter6.deer5talagmite.in.net", "coolmi-lk5.deer5talagmite.in.net", "fresh-tea4.deer5talagmite.in.net", "hot-s-oup3.deer5talagmite.in.net", "sweet-bun2.deer5talagmite.in.net"]);
// Name is the queried hostname; project the fields needed for triage
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
The exclusions below are written against process and file fields; the DnsEvents hunt above carries no process context, so they apply only when the same indicators are hunted in process telemetry.

Scenario: Legitimate scheduled job using ClearFake-related tools
Description: A scheduled job runs a legitimate tool like ClearFake (e.g., a legitimate data sanitization tool) as part of a routine data cleanup process.
Filter/Exclusion: `process.name != "ClearFake" OR process.parent.name != "schtasks.exe" OR process.command_line contains "clean" OR process.command_line contains "sanitize"`

Scenario: Admin task using ClearFake for system diagnostics
Description: An administrator uses a tool like ClearFake (e.g., a legitimate system diagnostic tool) to troubleshoot a system issue.
Filter/Exclusion: `process.name != "ClearFake" OR process.user != "Administrator" OR process.command_line contains "diag" OR process.command_line contains "troubleshoot"`

Scenario: False positive from a third-party software update
Description: A third-party application (e.g., Adobe Acrobat) includes a file or process named ClearFake as part of its update mechanism.
Filter/Exclusion: `process.name != "ClearFake" OR process.parent.name != "AdobeUpdate.exe" OR file.name != "ClearFake.exe"`

Scenario: Legitimate network scanning tool using ClearFake
Description: A network scanning tool like Nmap or Wireshark includes a module or plugin named ClearFake for packet analysis.
Filter/Exclusion: `process.name != "ClearFake" OR process.parent.name not in ("nmap.exe", "wireshark.exe") OR file.name != "ClearFake.dll"`

Scenario: False positive from a legitimate security tool's signature database
Description: A security tool like Microsoft Defender or CrowdStrike includes a signature named ClearFake as part of its threat intelligence database.