The ThreatFox: ClearFake IOCs rule detects potential adversary activity linked to the ClearFake malware, which is associated with credential theft and lateral movement. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate early-stage attacks before they escalate to data exfiltration or network compromise.
IOC Summary
Malware Family: ClearFake
Total IOCs: 124
IOC Types: domain
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - ClearFake
let malicious_domains = dynamic(["dark-wood4.wi5sarpo1v.in.net", "high-hill3.wi5sarpo1v.in.net", "blue-sky2.wi5sarpo1v.in.net", "deep-sea1.wi5sarpo1v.in.net", "soft-bag6.ra2telsylo.in.net", "hard-box5.ra2telsylo.in.net", "red-mark4.ra2telsylo.in.net", "thin-pen3.ra2telsylo.in.net", "last-page2.ra2telsylo.in.net", "open-book1.ra2telsylo.in.net", "old-town6.kymlo7zore.in.net", "new-trip5.kymlo7zore.in.net", "long-road4.kymlo7zore.in.net", "big-jump3.kymlo7zore.in.net", "slow-walk2.kymlo7zore.in.net", "fast-run1.kymlo7zore.in.net", "high-step6.corex4varm.in.net", "cold-wind5.corex4varm.in.net", "white-wall4.corex4varm.in.net", "small-cup3.corex4varm.in.net", "green-lamp2.corex4varm.in.net", "blue-table1.corex4varm.in.net", "pure-color6.pulp-turquoise.in.net", "soft-touch5.pulp-turquoise.in.net", "cool-tone4.pulp-turquoise.in.net", "best-view3.pulp-turquoise.in.net", "new-mix2.pulp-turquoise.in.net", "color-set1.pulp-turquoise.in.net", "solid-base64.hai1owhiten.in.net", "high-roof5.hai1owhiten.in.net", "open-door4.hai1owhiten.in.net", "bright-hall3.hai1owhiten.in.net", "clean-room2.hai1owhiten.in.net", "white-wall1.hai1owhiten.in.net", "good-end6.resolut-revening.in.net", "fast-check5.resolut-revening.in.net", "top-result4.resolut-revening.in.net", "main-goal3.resolut-revening.in.net", "clear-work2.resolut-revening.in.net", "prime-task1.resolut-revening.in.net", "best-style6.rus5icabreast.in.net", "thin-layer5.rus5icabreast.in.net", "red-fabric4.rus5icabreast.in.net", "blue-silk3.rus5icabreast.in.net", "soft-wool2.rus5icabreast.in.net", "warm-coat1.rus5icabreast.in.net", "deep-void6.blasph-nimalo.in.net", "fast-rocket5.blasph-nimalo.in.net", "high-speed4.blasph-nimalo.in.net", "moon-orbit3.blasph-nimalo.in.net"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
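The query above matches exact hostnames, and it carries only 50 of the 124 indicators. Because the feed groups the indicators six to a zone under nine `.in.net` zones, this added example (not part of the original page or of ThreatFox) hunts at the zone level instead, so sibling subdomains that are not yet in the feed still surface. It assumes each listed zone is wholly attacker-controlled, and the `expected_hosts` entry is a placeholder.

```kusto
// Added example, not from the original page: zone-level hunt for the ClearFake feed.
// Assumption: every zone below is attacker-controlled (all of its listed subdomains are
// tagged payload_delivery in the feed); the expected_hosts name is a placeholder.
let ioc_zones = dynamic([
    "wi5sarpo1v.in.net", "ra2telsylo.in.net", "kymlo7zore.in.net",
    "corex4varm.in.net", "pulp-turquoise.in.net", "hai1owhiten.in.net",
    "resolut-revening.in.net", "rus5icabreast.in.net", "blasph-nimalo.in.net"]);
// Hosts whose lookups are expected (for example a malware sandbox or a TI enrichment box).
let expected_hosts = dynamic(["sandbox-placeholder.example.local"]);
DnsEvents
| where TimeGenerated > ago(30d)
| where isnotempty(Name)
// Normalise the query name: lower-case, drop a trailing dot, keep the last three labels.
| extend name_norm = tolower(trim_end(@"\.", Name))
| extend labels = split(name_norm, ".")
| extend zone = strcat_array(array_slice(labels, -3, -1), ".")
| where zone in (ioc_zones)
| where Computer !in (expected_hosts)
// One row per client and zone: when it started, when it was last seen, what was asked for.
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
            Queries = count(), Hostnames = make_set(name_norm, 20),
            ClientIPs = make_set(ClientIP, 10)
  by Computer, zone
| order by LastSeen desc
```

A hostname under one of these zones that is absent from the exact-match list is worth submitting back to the feed rather than treating as a miss.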
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
Scenario: Legitimate system update using ClearFake-related tools
Description: A system administrator is performing a routine update that includes ClearFake-related tools as part of a software inventory or patch management process.
Filter/Exclusion: `process.name NOT IN ("ClearFake", "cleartool", "clearfake")`

Scenario: Scheduled job for log analysis using ClearFake
Description: A scheduled job runs a log analysis tool that uses ClearFake as part of its data processing pipeline for internal monitoring.
Filter/Exclusion: `process.name NOT IN ("ClearFake", "cleartool", "clearfake") OR event_id != "ScheduledJob"`

Scenario: Admin task to clean up old files using ClearFake
Description: An administrator is using ClearFake to clean up old or unused files from the system as part of a maintenance task.
Filter/Exclusion: `process.name NOT IN ("ClearFake", "cleartool", "clearfake") OR user.name != "admin"`

Scenario: Integration testing with ClearFake in a development environment
Description: A developer is testing an integration that uses ClearFake as part of a development or staging environment to simulate real-world scenarios.
Filter/Exclusion: `process.name NOT IN ("ClearFake", "cleartool", "clearfake") OR environment != "dev"`

Scenario: Use of ClearFake in a secure container for internal tooling
Description: ClearFake is running inside a secure container as part of an internal tooling solution, such as a CI/CD pipeline or internal monitoring tool.
Filter/Exclusion: `container.id != "secure-container" OR process.name != "ClearFake" OR process.name != "cle