Activity involving any of the 98 IOCs associated with ClearFake may indicate data exfiltration or command-and-control traffic, and therefore a potential compromise. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate early-stage malicious activity linked to this known threat actor.
IOC Summary
Malware Family: ClearFake
Total IOCs: 98
IOC Types: domain
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - ClearFake
let malicious_domains = dynamic(["uulte.westinvesteuropa.hu", "yqpbv.westinvesteuropa.hu", "mzwum.wilhelmglobal.com", "emjpi.wilhelmglobal.com", "cwzbp.wlwyb.com", "rqmwn.wlwyb.com", "uolsj.wolfmarketing.hu", "gplca9pf.script-bridge.digital", "mszpkxdh.script-bridge.digital", "dxblg.workoutwithdorci.com", "toaok.workoutwithdorci.com", "kbjqa.wpsmart.app", "xjmes.yanis.hu", "yzrdn.yanis.hu", "qxyvx.yanisrea.hu", "gsave.yanisrea.hu", "3822lbt1.stack-sphere.digital", "uv2wp3lz.stack-sphere.digital", "cadcr.zaszlorudbolt.hu", "qkveb.zaszlorudbolt.hu", "vkoqp.accredit.hu", "kvdex.accredit.hu", "ekyso.addmagad.com", "btvxz.addmagad.com", "djwof.ady26.hu", "gpiwz.ady26.hu", "odauc.aiteszt.com", "nosja.aiteszt.com", "peqe8mvw.byte-foundry.digital", "71vb3uq6.byte-foundry.digital", "gutdp.aileadfactory.com", "rnfcg.aileadfactory.com", "dgppz.ady26.hu", "elosb.ady26.hu", "ady26.hu", "fanlo.addmagad.com", "dzzpl.addmagad.com", "godww.accredit.hu", "sytlm.accredit.hu", "mvqex.zaszlorudbolt.hu", "zosjd.zaszlorudbolt.hu", "h3mraocc.telemetry-harbor.digital", "elvrh3ok.telemetry-harbor.digital", "telemetry-harbor.digital", "ywcga.yanisrea.hu", "brljc.yanisrea.hu", "yanisrea.hu", "wehmr.yanis.hu", "dombl.yanis.hu", "sapzq.keró.hu"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
Scenario: Legitimate System Update via Windows Update
Description: A system update from Microsoft's Windows Update service includes a file that matches one of the ClearFake IOCs.
Filter/Exclusion: Check the file's publisher and signature using file or process fields to exclude Microsoft-signed files. Example filter: file.name:setup.exe AND file.pname:Microsoft

Scenario: Scheduled Job for Log Rotation
Description: A scheduled task runs a log rotation script that uses a tool like logrotate or rsyslog, which may have a file name matching a ClearFake IOC.
Filter/Exclusion: Filter by process name and user context. Example filter: process.name:logrotate AND user.name:root

Scenario: Admin Task for Patch Management
Description: An administrator uses a tool like WSUS (Windows Server Update Services) to deploy patches, which may include files that match ClearFake IOCs.
Filter/Exclusion: Filter by process name and source IP. Example filter: process.name:wsus AND src_ip:10.0.0.0/8

Scenario: Legitimate Use of PowerShell for Configuration Management
Description: A PowerShell script used for configuration management (e.g., PSConfig or Pester) includes a file or command that matches a ClearFake IOC.
Filter/Exclusion: Filter by process name and user context. Example filter: process.name:PowerShell AND user.name:admin

Scenario: Use of a Legitimate Security Tool with Similar Naming
Description: A security tool like ClearFake (a hypothetical tool) or ClearLog may have a name similar to the malicious actor's, triggering the rule.
Filter/Exclusion: Check the file's full path and