ClearFake is a web-injection campaign: JavaScript planted on compromised sites serves fake browser-update and ClickFix-style lures, and the second-stage payload is fetched from throwaway hosting such as the domains listed below (ThreatFox tags them payload_delivery). A successful lure usually ends with an infostealer or loader on the victim's workstation, and the credentials it harvests are what later enable lateral movement. SOC teams should hunt Sentinel DNS telemetry for resolutions of these domains: a hit identifies a user who reached the delivery stage, and triage at that point is far cheaper than chasing the credential misuse that follows.
IOC Summary
Malware Family: ClearFake
Total IOCs: 78
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | clabrmercur.pages.dev | payload_delivery | 2026-06-11 | 100% |
| domain | clavgood.pages.dev | payload_delivery | 2026-06-11 | 100% |
| domain | storgvkam.pages.dev | payload_delivery | 2026-06-11 | 100% |
| domain | claude-code-product.squarespace.com | payload_delivery | 2026-06-11 | 100% |
| domain | notebooklm-update-version.squarespace.com | payload_delivery | 2026-06-11 | 100% |
| domain | 2chci0sm.andisheeslami2.xyz | payload_delivery | 2026-06-11 | 100% |
| domain | gimomouf.red90.casino | payload_delivery | 2026-06-11 | 100% |
| domain | p5k42qtw.anodaz.co | payload_delivery | 2026-06-11 | 100% |
| domain | gwofphogw.differentialmamuli.store | payload_delivery | 2026-06-11 | 100% |
| domain | qnjutqs.bet303.app | payload_delivery | 2026-06-11 | 100% |
| domain | kwoptitn.restaurantguideaarhus.com | payload_delivery | 2026-06-11 | 100% |
| domain | yvlenqci.rial.bet | payload_delivery | 2026-06-11 | 100% |
| domain | s8a20vxh.gavaedfagahe.xyz | payload_delivery | 2026-06-11 | 100% |
| domain | 4piqgfum.garatequran.xyz | payload_delivery | 2026-06-11 | 100% |
| domain | aetherframework.digital | payload_delivery | 2026-06-11 | 100% |
| domain | ldmmsp6b.angizeshfarahani.store | payload_delivery | 2026-06-11 | 100% |
| domain | xnvdto36.ganuneasasi.xyz | payload_delivery | 2026-06-11 | 100% |
```kql
// Hunt for DNS queries to known ClearFake payload-delivery domains
// Source: ThreatFox - ClearFake (duplicate entries in the export removed)
let malicious_domains = dynamic([
    "clabrmercur.pages.dev", "clavgood.pages.dev", "storgvkam.pages.dev",
    "claude-code-product.squarespace.com", "notebooklm-update-version.squarespace.com",
    "2chci0sm.andisheeslami2.xyz", "gimomouf.red90.casino", "p5k42qtw.anodaz.co",
    "gwofphogw.differentialmamuli.store", "qnjutqs.bet303.app", "kwoptitn.restaurantguideaarhus.com",
    "yvlenqci.rial.bet", "s8a20vxh.gavaedfagahe.xyz", "4piqgfum.garatequran.xyz",
    "aetherframework.digital", "ldmmsp6b.angizeshfarahani.store", "xnvdto36.ganuneasasi.xyz",
    "cxwqtlc8.asibshenasiyahya.shop", "rn0mptxh.anodaz.tv", "181xlt4g.gavaedfagahe.xyz",
    "jqfg2zyi.ehtemalatvaamar.xyz", "8t4ow8gc.azmoonhayeravani.shop", "988920lt-ublib.988920a1.buzz",
    "gng97m36.angizeshfarahani.store", "omeade.2k3phuchau.christmas", "allfood.2k3phuchau.christmas",
    "njjinvestments.2k3phuchau.christmas", "cqshazxp.neural-atlas.digital", "hzvvlqps.mechanicsayalat.xyz",
    "1v6le0j1.andisheeslami2.xyz", "slojemw.leaguejazire.com", "kuonnjkj.masirpayambari.xyz",
    "qlvwxer.karafarini.shop", "ifvtbgbf.maharatmodiran.xyz", "dmwncnnnp.defamogadas.xyz",
    "rjwfiwgjr.defamogadas.xyz", "1cihg2b5.anodaz.vip", "mocauhxe.mabanishimi.xyz",
    "iznukhb.hesabdari2.xyz", "zo4t1q36.moarefeslami.xyz", "m2bu2yf9.ansuyemarg.xyz",
    "kpeahfhd.rial.bet"]);
DnsEvents
// has_any matches the whole domain as a term phrase, so a query for www.<ioc> also hits.
// Use `Name in~ (malicious_domains)` instead if only the exact FQDN should match.
| where Name has_any (malicious_domains)
// In DnsEvents, Computer is the DNS server that logged the query; ClientIP is the
// endpoint that asked, which is the host you actually need to triage.
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Populated by the Windows DNS Events connector (Log Analytics agent); ensure it is enabled and that the DNS servers serving your workstations are onboarded |
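The following is an added example, not code from the ThreatFox page or from any ClearFake reporting. It shows the hunt logic offline: deduplicating a domain IOC export, rendering the KQL `dynamic([...])` literal the query above uses, and matching constructed DnsEvents-style records against the list so the two matching rules that matter for this feed can be checked. A query name matches on the exact FQDN or on a subdomain of an IOC (`www.<ioc>`), never the other way round, because `pages.dev` and `squarespace.com` host countless legitimate sites. An allowlist of source hosts covers the sandbox and analyst-workstation cases discussed under the false-positive scenarios. The IOC strings are taken from the page; the event rows, host names and IP addresses (RFC 5737 documentation ranges) are constructed for the demonstration.

```python
"""Added example: offline model of the DnsEvents IOC hunt (not the page's own code)."""
from __future__ import annotations

from dataclasses import dataclass

# Constructed excerpt of the page's IOC table. IOC values are the page's; the
# duplicate row and mixed-case entry are deliberate, to exercise normalisation.
IOC_ROWS = [
    ("domain", "clabrmercur.pages.dev", "payload_delivery", "2026-06-11", "100%"),
    ("domain", "clabrmercur.pages.dev", "payload_delivery", "2026-06-11", "100%"),
    ("domain", "claude-code-product.squarespace.com", "payload_delivery", "2026-06-11", "100%"),
    ("domain", "gimomouf.red90.casino", "payload_delivery", "2026-06-11", "100%"),
    ("domain", "Aetherframework.Digital", "payload_delivery", "2026-06-11", "100%"),
]


def normalize(domain: str) -> str:
    """DNS names are case-insensitive; drop the trailing root dot some resolvers log."""
    return domain.strip().rstrip(".").lower()


def dedupe_iocs(rows) -> list[str]:
    """Keep the first occurrence of each domain IOC, preserving feed order."""
    seen: set[str] = set()
    out: list[str] = []
    for ioc_type, value, *_ in rows:
        if ioc_type != "domain":
            continue
        d = normalize(value)
        if d not in seen:
            seen.add(d)
            out.append(d)
    return out


def kql_dynamic_literal(domains: list[str]) -> str:
    """Render the `let malicious_domains = dynamic([...])` statement for the hunt."""
    quoted = ", ".join('"' + d.replace('"', '\\"') + '"' for d in domains)
    return f"let malicious_domains = dynamic([{quoted}]);"


@dataclass
class DnsEvent:
    """Minimal stand-in for a DnsEvents row (constructed, not a real schema dump)."""
    time_generated: str
    computer: str
    name: str
    ip_addresses: str
    query_type: str


def matches_ioc(query_name: str, iocs: list[str]) -> str | None:
    """Return the IOC a query name hits: exact FQDN or a subdomain of an IOC.

    A query for the parent zone (e.g. 'docs.pages.dev') must not match, since the
    shared hosting platform behind several IOCs is overwhelmingly legitimate.
    """
    q = normalize(query_name)
    for ioc in iocs:
        if q == ioc or q.endswith("." + ioc):
            return ioc
    return None


def hunt(events, iocs, excluded_computers=frozenset()):
    """Return (event, matched_ioc) pairs newest-first, skipping allowlisted hosts.

    excluded_computers models the sandbox / analyst-workstation exclusion; names
    are compared case-insensitively so 'SANDBOX-01' and 'sandbox-01' agree.
    """
    excluded = {c.lower() for c in excluded_computers}
    hits = [
        (e, m)
        for e in events
        if e.computer.lower() not in excluded and (m := matches_ioc(e.name, iocs))
    ]
    return sorted(hits, key=lambda h: h[0].time_generated, reverse=True)


# Constructed DnsEvents records; addresses are from RFC 5737 documentation ranges.
SAMPLE_EVENTS = [
    DnsEvent("2026-06-12T09:01:00Z", "WS-FIN-07", "clabrmercur.pages.dev", "192.0.2.10", "A"),
    DnsEvent("2026-06-12T09:03:00Z", "WS-HR-02", "www.claude-code-product.squarespace.com.", "192.0.2.11", "A"),
    DnsEvent("2026-06-12T09:05:00Z", "WS-DEV-11", "docs.pages.dev", "192.0.2.12", "A"),
    DnsEvent("2026-06-12T09:07:00Z", "SANDBOX-01", "gimomouf.red90.casino", "198.51.100.7", "A"),
    DnsEvent("2026-06-12T09:09:00Z", "WS-FIN-07", "AETHERFRAMEWORK.DIGITAL", "198.51.100.8", "AAAA"),
]

if __name__ == "__main__":
    iocs = dedupe_iocs(IOC_ROWS)
    print(kql_dynamic_literal(iocs))
    for ev, ioc in hunt(SAMPLE_EVENTS, iocs, excluded_computers={"sandbox-01"}):
        print(ev.time_generated, ev.computer, ev.name, "->", ioc)
```

Run as-is it prints the deduplicated `let` statement and three hits: the two WS-FIN-07 queries and the `www.` subdomain from WS-HR-02. The `docs.pages.dev` query is not a hit, and the sandbox query is suppressed by the allowlist; drop the `excluded_computers` argument and it reappears.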
Scenario: Legitimate traffic to the shared hosting platforms behind several IOCs
Description: Several listed domains are subdomains of multi-tenant hosting services (pages.dev, squarespace.com). A hunt that matches on the parent domain, or on a substring rather than the full host name, will flag legitimate sites hosted on the same platform.
Filter/Exclusion: Match on the complete FQDN only (for example `Name in~ (malicious_domains)` rather than a `has` or `contains` on the parent zone), and never add a platform's apex domain to the IOC list.
Scenario: Analyst or sandbox resolving IOC domains during an investigation
Description: Threat hunters and detonation sandboxes resolve IOC domains on purpose (nslookup, URL scanners, browser detonation), which produces exactly the DnsEvents rows this hunt looks for.
Filter/Exclusion: Exclude the known analyst workstations, sandbox hosts and URL-scanning appliances by ClientIP or Computer, or route that traffic through an isolated resolver that is not onboarded to the DnsEvents connector.
Scenario: Administrator verifying a DNS block or sinkhole after remediation
Description: Once the domains are added to a DNS firewall or sinkhole, an administrator resolves one of them to confirm the block is in effect, and the query is logged like any other.
Filter/Exclusion: Exclude queries whose IPAddresses value is the sinkhole address, or scope the exclusion to the administrator's host during the change window. Do not exclude the domain itself.
Scenario: Purple-team detection test replaying ClearFake IOCs
Description: A red or purple team resolves the listed domains from a controlled host to confirm that this analytic fires and that the alert reaches the SOC.
Filter/Exclusion: Exclude by the exercise's agreed source hosts and time window. Process names such as Metasploit or Cobalt Strike are not present in DnsEvents and cannot be used as a filter for this hunt.
Scenario: False positive from a third-party security tool that resolves feed domains
Description: A third-party security tool (mail link scanner, web proxy categorisation service, EDR URL analysis) carries ClearFake IOCs in its own threat intelligence feed and resolves or pre-fetches them as part of its checks, generating DnsEvents rows from the tool's host.
**Filter