The ThreatFox: ClearFake IOCs rule detects potential adversary activity associated with the ClearFake malware, which is known for distributing malicious payloads through compromised websites and phishing campaigns. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage attacks that could lead to data exfiltration or system compromise.
IOC Summary
- Malware Family: ClearFake
- Total IOCs: 113
- IOC Types: domain, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | black-hat1.bovla5xel.in.net | payload_delivery | 2026-04-22 | 100% |
| domain | purewater6.de1xorin.in.net | payload_delivery | 2026-04-22 | 100% |
| domain | cool-mi-lk5.de1xorin.in.net | payload_delivery | 2026-04-22 | 100% |
| domain | fresh-tea4.de1xorin.in.net | payload_delivery | 2026-04-22 | 100% |
| domain | hot-soup3.de1xorin.in.net | payload_delivery | 2026-04-22 | 100% |
| domain | sweet-bun2.de1xorin.in.net | payload_delivery | 2026-04-22 | 100% |
| domain | tasty-pie1.de1xorin.in.net | payload_delivery | 2026-04-22 | 100% |
| domain | easy-task6.kymle9rax.in.net | payload_delivery | 2026-04-22 | 100% |
| domain | just-ta-lk5.kymle9rax.in.net | payload_delivery | 2026-04-22 | 100% |
| domain | nice-shot4.kymle9rax.in.net | payload_delivery | 2026-04-22 | 100% |
| domain | realfact3.kymle9rax.in.net | payload_delivery | 2026-04-22 | 100% |
| domain | best-ti-me2.kymle9rax.in.net | payload_delivery | 2026-04-22 | 100% |
| domain | good-news1.kymle9rax.in.net | payload_delivery | 2026-04-22 | 100% |
| domain | sideview6.po3vaxil.in.net | payload_delivery | 2026-04-22 | 100% |
| domain | backy-ard5.po3vaxil.in.net | payload_delivery | 2026-04-22 | 100% |
| domain | full-room4.po3vaxil.in.net | payload_delivery | 2026-04-22 | 100% |
| domain | nextdoor3.po3vaxil.in.net | payload_delivery | 2026-04-22 | 100% |
| domain | notiflame.matri2rchyor.in.net | payload_delivery | 2026-04-22 | 100% |
| domain | 655f.pepper-reprint.in.net | payload_delivery | 2026-04-22 | 100% |
| domain | 0n6rt.ant5pender.in.net | payload_delivery | 2026-04-22 | 100% |
| domain | xeeeto.ant5pender.in.net | payload_delivery | 2026-04-22 | 100% |
| domain | dawn-route.ant5pender.in.net | payload_delivery | 2026-04-22 | 100% |
| domain | delihyp.ant5pender.in.net | payload_delivery | 2026-04-22 | 100% |
| domain | decode-fac.junkie-talker.in.net | payload_delivery | 2026-04-22 | 100% |
| domain | neo-c4rri.junkie-talker.in.net | payload_delivery | 2026-04-22 | 100% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - ClearFake
// has_any matches whole terms rather than arbitrary substrings, so a queried name that
// is an indicator or a subdomain of one is a hit, while a look-alike name whose labels
// differ is not.
let malicious_domains = dynamic(["black-hat1.bovla5xel.in.net", "purewater6.de1xorin.in.net", "cool-mi-lk5.de1xorin.in.net", "fresh-tea4.de1xorin.in.net", "hot-soup3.de1xorin.in.net", "sweet-bun2.de1xorin.in.net", "tasty-pie1.de1xorin.in.net", "easy-task6.kymle9rax.in.net", "just-ta-lk5.kymle9rax.in.net", "nice-shot4.kymle9rax.in.net", "realfact3.kymle9rax.in.net", "best-ti-me2.kymle9rax.in.net", "good-news1.kymle9rax.in.net", "sideview6.po3vaxil.in.net", "backy-ard5.po3vaxil.in.net", "full-room4.po3vaxil.in.net", "nextdoor3.po3vaxil.in.net", "notiflame.matri2rchyor.in.net", "655f.pepper-reprint.in.net", "0n6rt.ant5pender.in.net", "xeeeto.ant5pender.in.net", "dawn-route.ant5pender.in.net", "delihyp.ant5pender.in.net", "decode-fac.junkie-talker.in.net", "neo-c4rri.junkie-talker.in.net", "splitorche.autovete7an.in.net", "lumcrest0is.over-resweat.in.net", "arkmark8um.over-resweat.in.net", "dfsgg.de8xapil.in.net", "white-pa-per4.mi5demeanwork.in.net", "cle-arbox6.mi5demeanwork.in.net", "city-wa-lk2.po3vaxil.in.net", "fresh-app-l1.jemannik5helma.in.net", "old-ca-se6.jemannik5helma.in.net", "sunny-d-ay1.sin8lebreasted.in.net", "quickmo-ve5.buckishing-out.in.net", "main-po-int6.buckishing-out.in.net", "top-floor1.po3vaxil.in.net", "silverrain6.to7virel.in.net", "whitecl-oud5.to7virel.in.net", "gold-fish4.to7virel.in.net", "deep-ocean3.to7virel.in.net", "darknight2.to7virel.in.net", "bright-sky1.to7virel.in.net", "coolstone6.sylom2er.in.net", "warmbr-ead5.sylom2er.in.net", "hot-tea4.sylom2er.in.net", "freshmilk3.sylom2er.in.net", "sweet-pear2.sylom2er.in.net", "tastyapple1.sylom2er.in.net"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - ClearFake
let malicious_urls = dynamic(["https://vasijl-cloud.b-cdn.net/Peton.zip"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
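The following is an added example, not part of the ThreatFox feed or the rule above: a small offline matcher in Python that applies the same indicator logic to DNS query names and clicked URLs, so an analyst can sanity-check how the rule should behave before it runs in Sentinel. It uses three of the domain indicators and the one URL indicator listed on this page; the sample DNS events, hostnames and the helper names (`match_domain`, `match_url`, `hunt_dns`) are constructed for illustration. It normalizes the trailing dot and letter case that resolver logs often carry, treats a subdomain of an indicator as a hit, and rejects look-alike names whose labels differ (for example a name with an extra character glued onto the first label), which is the distinction the KQL `has_any` term matching is meant to draw.

```python
"""Offline check of DNS query names and clicked URLs against ClearFake indicators.

Added example; the event records below are constructed, not real telemetry.
"""
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

# Subset of the ThreatFox ClearFake indicators listed on this page.
IOC_DOMAINS = {
    "black-hat1.bovla5xel.in.net",
    "purewater6.de1xorin.in.net",
    "notiflame.matri2rchyor.in.net",
}
IOC_URLS = {"https://vasijl-cloud.b-cdn.net/Peton.zip"}


def normalize_dns_name(name: str) -> str:
    """Lower-case and strip the trailing dot some resolvers log (e.g. 'example.com.')."""
    return name.strip().lower().rstrip(".")


def match_domain(query_name: str) -> Optional[str]:
    """Return the indicator hit by a queried name, or None.

    A hit is an exact match or a subdomain of the indicator. The match must sit on a
    label boundary, so 'xpurewater6.de1xorin.in.net' is not a hit even though it
    contains the indicator as a substring.
    """
    name = normalize_dns_name(query_name)
    for ioc in IOC_DOMAINS:
        if name == ioc or name.endswith("." + ioc):
            return ioc
    return None


def normalize_url(url: str) -> str:
    """Lower-case scheme and host, keep path and query as-is, drop the fragment."""
    parts = urlsplit(url.strip())
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), parts.path, parts.query, ""))


def match_url(url: str) -> Optional[str]:
    """Return the URL indicator hit by a clicked URL, or None (path is case-sensitive)."""
    normalized = normalize_url(url)
    return normalized if normalized in IOC_URLS else None


# Constructed sample records shaped like the DnsEvents columns the KQL projects.
SAMPLE_DNS_EVENTS: List[Dict[str, str]] = [
    {"TimeGenerated": "2026-04-22T10:00:01Z", "Computer": "WS01", "Name": "purewater6.de1xorin.in.net."},
    {"TimeGenerated": "2026-04-22T10:00:05Z", "Computer": "WS02", "Name": "cdn.BLACK-HAT1.bovla5xel.in.net"},
    {"TimeGenerated": "2026-04-22T10:00:09Z", "Computer": "WS03", "Name": "xpurewater6.de1xorin.in.net"},
    {"TimeGenerated": "2026-04-22T10:00:12Z", "Computer": "WS04", "Name": "login.microsoftonline.com"},
]


def hunt_dns(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (Computer, Name, matched indicator) for every event that hits an indicator."""
    hits = []
    for event in events:
        ioc = match_domain(event["Name"])
        if ioc is not None:
            hits.append((event["Computer"], event["Name"], ioc))
    return hits


if __name__ == "__main__":
    for computer, name, ioc in hunt_dns(SAMPLE_DNS_EVENTS):
        print(f"{computer}: {name} -> {ioc}")
    print(match_url("HTTPS://VASIJL-CLOUD.B-CDN.NET/Peton.zip#frag"))
```

Running the script reports hits for WS01 (exact match with trailing dot) and WS02 (subdomain, mixed case) and nothing for WS03 or WS04; the URL check hits despite the upper-cased host and the fragment. If Sentinel results diverge from this behaviour on the same names, the difference lies in how `has_any` tokenizes the field, which is the first thing to check when tuning the rule.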
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
Scenario: Legitimate system update using ClearFake-related tools
Description: A system administrator is performing a routine update using tools like ClearFakeUpdater or ClearFakeConfigTool as part of a scheduled maintenance job.
Filter/Exclusion: Exclude processes initiated by scheduled tasks with task scheduler or schtasks.exe and containing ClearFake in the command line.
Scenario: Security tool integration with ClearFox database
Description: A security analyst is importing threat intelligence from the ClearFox database into a SIEM or SOAR platform using a tool like ClearFoxImporter.
Filter/Exclusion: Exclude processes associated with known security tools (e.g., Splunk, SOAR, SIEM) and those running under a dedicated threat intel user account.
Scenario: Admin task to clean up old logs using ClearFake
Description: An admin is using a script or tool named ClearFakeLogCleaner to purge old log files from the server.
Filter/Exclusion: Exclude processes with logcleaner or log_cleanup in the command line, or those executed by the logadmin user or group.
Scenario: False positive from a third-party software update
Description: A third-party application (e.g., ClearFakeSDK) is being updated via a package manager like npm or pip, which includes the term “ClearFake” in its name.
Filter/Exclusion: Exclude processes initiated by package managers (e.g., npm, pip, apt, yum) and those involving known legitimate software names.
Scenario: Internal development tool with ClearFake in its name
Description: A development team uses an internal tool named ClearFakeDevTool for testing or CI/CD pipelines.
Filter/Exclusion: Exclude