The 82 indicators associated with ClearFake may appear in telemetry when the malware delivers payloads, exfiltrates data, or establishes command and control; their presence indicates potential compromise. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate early-stage activity before significant damage occurs.
IOC Summary
Malware Family: ClearFake
Total IOCs: 82
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | fun88kyc.com | payload_delivery | 2026-06-02 | 100% |
| domain | pyfptfv.anadoluslot.bet | payload_delivery | 2026-06-02 | 100% |
| domain | juwhlbr.anadoluslot.bet | payload_delivery | 2026-06-02 | 100% |
| domain | citnflk.arayemek.com | payload_delivery | 2026-06-02 | 100% |
| domain | iveyrtw.arayemek.com | payload_delivery | 2026-06-02 | 100% |
| domain | ff4ekbmd.7lf.net | payload_delivery | 2026-06-02 | 100% |
| domain | yn9307x6.7lf.net | payload_delivery | 2026-06-02 | 100% |
| domain | zyiwsis.betfire90.bet | payload_delivery | 2026-06-02 | 100% |
| domain | ysqlyfg.betfire90.bet | payload_delivery | 2026-06-02 | 100% |
| domain | betfire90.bet | payload_delivery | 2026-06-02 | 100% |
| domain | ysivuys.betexper.bet | payload_delivery | 2026-06-02 | 100% |
| domain | gllmkzi.betexper.bet | payload_delivery | 2026-06-02 | 100% |
| domain | dhddzix.betbet.city | payload_delivery | 2026-06-02 | 100% |
| domain | betbet.city | payload_delivery | 2026-06-02 | 100% |
| domain | 7d6da0ri.axee.net | payload_delivery | 2026-06-02 | 100% |
| domain | rs01xol9.axee.net | payload_delivery | 2026-06-02 | 100% |
| domain | negfuie.bet888starzz.com | payload_delivery | 2026-06-02 | 100% |
| domain | hqmathp.bet888starzz.com | payload_delivery | 2026-06-02 | 100% |
| domain | esqbzfn.bet365iran.com | payload_delivery | 2026-06-02 | 100% |
| domain | xnkqvxs.bet365iran.com | payload_delivery | 2026-06-02 | 100% |
| domain | pjfaqdf.bet313.app | payload_delivery | 2026-06-02 | 100% |
| domain | bet313.app | payload_delivery | 2026-06-02 | 100% |
| domain | sax166rh.funkboi.com | payload_delivery | 2026-06-02 | 100% |
| domain | adklk15j.funkboi.com | payload_delivery | 2026-06-02 | 100% |
| domain | kfvzenz.bahiscom2023.online | payload_delivery | 2026-06-02 | 100% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - ClearFake
let malicious_domains = dynamic(["fun88kyc.com", "pyfptfv.anadoluslot.bet", "juwhlbr.anadoluslot.bet", "citnflk.arayemek.com", "iveyrtw.arayemek.com", "ff4ekbmd.7lf.net", "yn9307x6.7lf.net", "zyiwsis.betfire90.bet", "ysqlyfg.betfire90.bet", "betfire90.bet", "ysivuys.betexper.bet", "gllmkzi.betexper.bet", "dhddzix.betbet.city", "betbet.city", "7d6da0ri.axee.net", "rs01xol9.axee.net", "negfuie.bet888starzz.com", "hqmathp.bet888starzz.com", "esqbzfn.bet365iran.com", "xnkqvxs.bet365iran.com", "pjfaqdf.bet313.app", "bet313.app", "sax166rh.funkboi.com", "adklk15j.funkboi.com", "kfvzenz.bahiscom2023.online", "pxbhgsn.bahiscom2023.online", "bahiscom2023.online", "yhyrxap.bahisbey90.com", "bwwpcpi.bahisbey90.com", "zxzhjlk.artenadigital.com", "dsipoxy.artenadigital.com", "qemwisi.arayemek.com", "tfasyxh.arayemek.com", "cw5zuej3.baxus.net", "snc9w77m.baxus.net", "baxus.net", "usfltzp.anadoluslot.bet", "bobtgdr.anadoluslot.bet", "zrgxhan.alternatifdekorasyon.com", "haytmyo.alternatifdekorasyon.com", "rvubnzq.akharinbama.ir", "96mjt1sb.axee.net", "syhjgg7o.axee.net", "actmimo.aftabsport.ir", "utgxkle.aftabsport.ir", "aftabsport.ir", "djineca.adabiyat.org", "adabiyat.org", "zhlwyqr.3sefr3.ir", "3sefr3.ir"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
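The same hunt can be run offline against exported DNS logs, which is useful when the DnsEvents connector is not yet enabled or when an IOC feed arrives defanged (`[.]` instead of `.`, as two rows of the table above do). The script below is an added example and is not part of the page's query or the ThreatFox feed: it refangs a subset of the page's domains, normalises queried names (case, trailing dot), and reports a hit when a query equals an IOC or is a subdomain of it, while rejecting substring look-alikes. The DNS log lines are constructed sample data; the field layout (timestamp, host, name, record type) is an assumption.

```python
"""Match exported DNS query logs against a ClearFake domain IOC list.

Added example; the domain list is a subset of the page's IOC table and the
log lines are constructed sample data (not real telemetry).
"""
from __future__ import annotations

import re

# Subset of the page's IOCs. One entry is kept defanged on purpose so the
# normalisation step is exercised.
IOC_DOMAINS = [
    "fun88kyc.com",
    "ff4ekbmd[.]7lf.net",
    "betfire90.bet",
    "bet313.app",
]

# Constructed sample DNS log: "<timestamp> <host> <queried name> <record type>".
# Line 3 is upper-case with a trailing dot; line 4 is a substring look-alike.
SAMPLE_DNS_LOG = """\
2026-06-02T08:01:12Z ws-042 www.microsoft.com A
2026-06-02T08:01:13Z ws-042 ysqlyfg.betfire90.bet A
2026-06-02T08:02:40Z ws-017 FF4EKBMD.7LF.NET. A
2026-06-02T08:03:05Z ws-017 notbet313.app A
2026-06-02T08:04:50Z ws-099 pjfaqdf.bet313.app AAAA
"""


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("[.]", "(.)", "{.}", "hxxp://") into a plain lowercase domain."""
    d = indicator.strip().lower()
    d = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", d)
    d = re.sub(r"^hxxps?://", "", d)
    return d.rstrip(".")


def normalize_query(name: str) -> str:
    """Canonical form of a queried name: lowercase, no trailing root dot."""
    return name.strip().lower().rstrip(".")


def build_ioc_set(domains: list[str]) -> set[str]:
    """Refang every feed entry once so lookups are exact-string set membership."""
    return {refang(d) for d in domains}


def matches_ioc(name: str, ioc_set: set[str]) -> str | None:
    """Return the matching IOC when `name` equals it or is a subdomain of it.

    Matching walks label boundaries, so an apex entry such as "bet313.app"
    matches "pjfaqdf.bet313.app" but not the look-alike "notbet313.app".
    """
    labels = normalize_query(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in ioc_set:
            return candidate
    return None


def hunt(log_text: str, domains: list[str]) -> list[dict]:
    """Scan log lines and return one record per query that hits an IOC."""
    ioc_set = build_ioc_set(domains)
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line; skip rather than crash the hunt
        ts, host, name, qtype = parts[:4]
        ioc = matches_ioc(name, ioc_set)
        if ioc is not None:
            hits.append({
                "time": ts,
                "computer": host,
                "query": normalize_query(name),
                "ioc": ioc,
                "type": qtype,
            })
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_DNS_LOG, IOC_DOMAINS):
        print(hit)
```

On the sample log this reports three hits (`ws-042` for `betfire90.bet`, `ws-017` for `ff4ekbmd.7lf.net`, `ws-099` for `bet313.app`) and ignores `notbet313.app`. The label-boundary walk mirrors what the page's KQL gets from `has_any`, which matches on whole terms rather than substrings, so apex entries in the feed catch their subdomains without producing look-alike false positives.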
| Scenario | Filter/Exclusion |
|---|---|
| Legitimate system update using ClearFake as part of a security toolchain | `process.name != "ClearFake" or process.parent.name == "Windows Update"` |
| Scheduled job running ClearFake for malware analysis in a sandboxed environment | `process.parent.name == "sandboxed_process" or process.command_line contains "sandbox"` |
| Admin task using ClearFake to clean up temporary files or logs | `process.name contains "Cleanup" or process.command_line contains "log_cleanup"` |
| Legitimate use of ClearFake by a security team for threat intelligence enrichment | `process.user contains "security_team" or process.command_line contains "threat_intel"` |
| False positive from a third-party tool that incorrectly reports ClearFake as malicious | `process.name contains "third_party_tool" or process.parent.name == "third_party_tool"` |