The ThreatFox: ClearFake IOCs rule detects DNS queries for domains that ThreatFox attributes to the ClearFake threat group, which is known for distributing malicious software through compromised websites and phishing campaigns. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromises and prevent lateral movement within the network.
IOC Summary
Malware Family: ClearFake
Total IOCs: 108
IOC Types: domain
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - ClearFake
let malicious_domains = dynamic([
    "scr14-sync.vouayger.in.net", "tideruntime.checkbro.in.net", "4wm0.woodflo.in.net", "unitmed.goodwork.in.net", "checkcipher.besthire.in.net",
    "serv4base.veloxunit.in.net", "edge3dist.veloxunit.in.net", "node2flow.veloxunit.in.net", "unit1meta.veloxunit.in.net", "main4point.nuxbase.in.net",
    "data3sync.nuxbase.in.net", "gate2proxy.nuxbase.in.net", "web1infra.nuxbase.in.net", "sat4link.termocenter.in.net", "rock3core.termocenter.in.net",
    "base2steel.termocenter.in.net", "moon1orbit.termocenter.in.net", "open4space.altasync.in.net", "vast3field.altasync.in.net", "zone2area.altasync.in.net",
    "rim1outer.altasync.in.net", "path4gate.protovoda.in.net", "view3sync.protovoda.in.net", "scan2point.protovoda.in.net", "room1dark.protovoda.in.net",
    "sync4vision.luxalabs.in.net", "ghost3node.luxalabs.in.net", "shell2core.luxalabs.in.net", "trace1alpha.luxalabs.in.net", "link4access.optigrid.in.net",
    "auth3user.optigrid.in.net", "base2point.optigrid.in.net", "glob1infra.optigrid.in.net", "flow4work.densapoint.in.net", "net3local.densapoint.in.net",
    "sys2power.densapoint.in.net", "mon1point.densapoint.in.net", "entry4link.metracore.in.net", "dev3host.metracore.in.net", "rpc2remote.metracore.in.net",
    "cloud1store.metracore.in.net", "hub4sync.vivaflux.in.net", "gate3proxy.vivaflux.in.net", "app2data.vivaflux.in.net", "web1meta.vivaflux.in.net",
    "db4static.flexonode.in.net", "cdn3edge.flexonode.in.net", "api2sync.flexonode.in.net", "srv1node.flexonode.in.net", "main-v4-point.vortex-lab.in.net"
]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
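The same hunt applied offline, as an added example that is not part of the original rule page: it runs a subset of the ClearFake domains above against constructed DnsEvents-style records, matching a queried name only when it equals an IOC or is a subdomain of one, so that unrelated hosts sharing just the `in.net` suffix do not fire. The record shape and sample values are assumptions for illustration.

```python
from typing import Optional

# Subset of the ClearFake domains listed on this page (constructed sample set)
MALICIOUS_DOMAINS = {
    "scr14-sync.vouayger.in.net",
    "tideruntime.checkbro.in.net",
    "4wm0.woodflo.in.net",
    "main4point.nuxbase.in.net",
    "main-v4-point.vortex-lab.in.net",
}

def normalize(name: str) -> str:
    """Lower-case the name and strip the trailing dot a resolver may append."""
    return name.strip().lower().rstrip(".")

def matches_ioc(name: str, iocs=MALICIOUS_DOMAINS) -> Optional[str]:
    """Return the matching IOC if `name` equals it or is a subdomain of it, else None."""
    labels = normalize(name).split(".")
    # Walk from the full name towards the apex so sub.ioc also matches ioc,
    # but a parent of an IOC (e.g. woodflo.in.net) does not.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None

def hunt(events, iocs=MALICIOUS_DOMAINS):
    """Mirror of the KQL: keep matching events, project the same fields, newest first."""
    hits = [
        {"TimeGenerated": e["TimeGenerated"], "Computer": e["Computer"],
         "Name": e["Name"], "IPAddresses": e.get("IPAddresses", ""),
         "QueryType": e.get("QueryType", ""), "MatchedIOC": ioc}
        for e in events
        if (ioc := matches_ioc(e["Name"], iocs))
    ]
    return sorted(hits, key=lambda h: h["TimeGenerated"], reverse=True)

# Constructed sample records in the shape of the Sentinel DnsEvents table
SAMPLE_EVENTS = [
    {"TimeGenerated": "2026-03-19T08:01:00Z", "Computer": "WS01", "Name": "scr14-sync.vouayger.in.net", "IPAddresses": "203.0.113.10", "QueryType": "A"},
    {"TimeGenerated": "2026-03-19T08:02:00Z", "Computer": "WS02", "Name": "cdn.MAIN4POINT.nuxbase.in.net.", "IPAddresses": "", "QueryType": "A"},
    {"TimeGenerated": "2026-03-19T08:03:00Z", "Computer": "WS03", "Name": "mail.in.net", "IPAddresses": "198.51.100.5", "QueryType": "MX"},
    {"TimeGenerated": "2026-03-19T08:04:00Z", "Computer": "WS04", "Name": "woodflo.in.net", "IPAddresses": "", "QueryType": "A"},
]

if __name__ == "__main__":
    for h in hunt(SAMPLE_EVENTS):
        print(h["TimeGenerated"], h["Computer"], h["Name"], "->", h["MatchedIOC"])
```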
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
| Scenario | Filter/Exclusion |
|---|---|
| Legitimate system update using ClearFake-signed binaries | `process.name != "ClearFake.exe" or process.parent.name != "Windows Update"` |
| Scheduled job running ClearFake for internal threat intelligence enrichment | `process.name != "ClearFake.exe" or process.parent.name != "Task Scheduler"` |
| Admin using ClearFake to query known malicious IPs for internal network security review | `process.name != "ClearFake.exe" or process.parent.name != "PowerShell"` |
| ClearFake is used as part of a security toolchain for IOC normalization | `process.name != "ClearFake.exe" or process.parent.name != "SIEM Tool"` |
| ClearFake is used by a red team for internal pentesting with approved permissions | `process.name != "ClearFake.exe" or user.name != "RedTeamUser"` |