The ThreatFox: ClearFake IOCs rule detects potential adversary activity associated with the ClearFake malware, which is known for distributing malicious payloads through compromised websites and phishing campaigns. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromises linked to advanced persistent threats.
IOC Summary
Malware Family: ClearFake
Total IOCs: 50
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | yvrvsspv.tarikhravannovin.shop | payload_delivery | 2026-06-14 | 100% |
| domain | fkqhi.drivingbook.xyz | payload_delivery | 2026-06-14 | 100% |
| domain | xglycuye.tarikhcheravanshenasi.xyz | payload_delivery | 2026-06-14 | 100% |
| domain | qlsgo9c9.shimiskoog.shop | payload_delivery | 2026-06-14 | 100% |
| domain | crghbprm.shartbandi.games | payload_delivery | 2026-06-14 | 100% |
| domain | fnuqorvu.sazebetonarme.xyz | payload_delivery | 2026-06-14 | 100% |
| domain | irljgzvr.sanjeshvaandazegiri.shop | payload_delivery | 2026-06-14 | 100% |
| domain | zjkgepkj.sanjeshravani.shop | payload_delivery | 2026-06-14 | 100% |
| domain | ztx7i07q.ravanshenasisaeedi.xyz | payload_delivery | 2026-06-14 | 100% |
| domain | zujqygdq.sakhtemandade.shop | payload_delivery | 2026-06-14 | 100% |
| domain | f27u92nr.ravanshenasi.xyz | payload_delivery | 2026-06-14 | 100% |
| domain | ggqgx.differentialmamuli.store | payload_delivery | 2026-06-14 | 100% |
| domain | zkukywuh.sadreislam.xyz | payload_delivery | 2026-06-14 | 100% |
| domain | hogugzxj.questionsmotor.xyz | payload_delivery | 2026-06-14 | 100% |
| domain | hduwrmy.megaparikade.com | payload_delivery | 2026-06-14 | 100% |
| domain | fjagjlhm.psgnewsiran.com | payload_delivery | 2026-06-14 | 100% |
| domain | ycnrdnqk.prozhedownload.com | payload_delivery | 2026-06-14 | 100% |
| domain | gbqlwrat.prozhecart.com | payload_delivery | 2026-06-14 | 100% |
| domain | pwzkdexx.mechanicsayalat.xyz | payload_delivery | 2026-06-14 | 100% |
| domain | c3ord92p.ravanshenasiganji.xyz | payload_delivery | 2026-06-14 | 100% |
| domain | ozaauajb.mechanickhodakarami.shop | payload_delivery | 2026-06-14 | 100% |
| domain | errmx.defamogadas.xyz | payload_delivery | 2026-06-14 | 100% |
| domain | ipzukbru.masirpayambari.xyz | payload_delivery | 2026-06-14 | 100% |
| domain | xreyotb.livebetkade.com | payload_delivery | 2026-06-14 | 100% |
| domain | xwtwlrkc.masaelmohandesi.xyz | payload_delivery | 2026-06-14 | 100% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - ClearFake
let malicious_domains = dynamic(["yvrvsspv.tarikhravannovin.shop", "fkqhi.drivingbook.xyz", "xglycuye.tarikhcheravanshenasi.xyz", "qlsgo9c9.shimiskoog.shop", "crghbprm.shartbandi.games", "fnuqorvu.sazebetonarme.xyz", "irljgzvr.sanjeshvaandazegiri.shop", "zjkgepkj.sanjeshravani.shop", "ztx7i07q.ravanshenasisaeedi.xyz", "zujqygdq.sakhtemandade.shop", "f27u92nr.ravanshenasi.xyz", "ggqgx.differentialmamuli.store", "zkukywuh.sadreislam.xyz", "hogugzxj.questionsmotor.xyz", "hduwrmy.megaparikade.com", "fjagjlhm.psgnewsiran.com", "ycnrdnqk.prozhedownload.com", "gbqlwrat.prozhecart.com", "pwzkdexx.mechanicsayalat.xyz", "c3ord92p.ravanshenasiganji.xyz", "ozaauajb.mechanickhodakarami.shop", "errmx.defamogadas.xyz", "ipzukbru.masirpayambari.xyz", "xreyotb.livebetkade.com", "xwtwlrkc.masaelmohandesi.xyz", "qjivlnde.maharatmodiran.xyz", "hhbpyr7b.ravanshenakhti.shop", "nztdbnij.mabanishimi.xyz", "qcfxtzci.leaguejazire.com", "ptybfgjf.karbordriyaziyat.xyz", "cdppx.danestanihavarzeshi.com", "efwjubk.rocketbet.pro", "qvipoojy.karafarini.shop", "7sxu8ft8.shartbandikade.online", "8r61gwvq.ravansalamat.shop", "yba7z7vt.ravansalamat.shop", "zkclsegh.jam-jahani.com", "pirqlheh.hugugtejarat4.xyz", "ahkyokta.hugugtatbigi.xyz", "xeviozwk.hugugnasiri.xyz", "yym1l9om.qurandownload.xyz", "uhnuyfcr.hugugmadanikatouzian.xyz", "igrbuyo.pokerkade.online", "kl23rl6f.nahjolbalage.xyz", "hfolz.bookdrive.xyz", "kzkzbbha.hugugmadani6.xyz", "wdbcypih.hugugedari.xyz", "osggwts6.fubet24.net", "lmjkrmqt.fubet24.net", "vhsqohyd.hugugdaryayi.xyz"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
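For analysts who want to run the same hunt offline (for example over a DNS log export before the Sentinel connector is in place), the following Python script is an added example and is not code from the ThreatFox page or the Sentinel rule. It assumes the export is JSON lines carrying the TimeGenerated, Computer and Name fields that the query above projects; the log lines and the hostnames in them are constructed for the example. It normalizes each queried name (case, trailing dot) and reports a hit only when the name equals an IOC domain or sits beneath it on a label boundary, so a lookalike such as notfkqhi.drivingbook.xyz or the bare parent drivingbook.xyz is not counted.

```python
"""Offline check of exported DNS query logs against ClearFake domain IOCs.

Added example, not part of the ThreatFox page or the Sentinel rule. Assumes
JSON-lines input with TimeGenerated, Computer and Name fields (mirroring the
DnsEvents columns the hunting query projects).
"""
import json
from typing import Iterable, Optional

# Subset of the IOC domains from the table above (see the full query for all 50).
CLEARFAKE_DOMAINS = {
    "yvrvsspv.tarikhravannovin.shop",
    "fkqhi.drivingbook.xyz",
    "xglycuye.tarikhcheravanshenasi.xyz",
    "hduwrmy.megaparikade.com",
}

# Constructed sample log lines; not real telemetry.
SAMPLE_LOG = """\
{"TimeGenerated": "2026-06-15T08:01:02Z", "Computer": "ws01", "Name": "FKQHI.DrivingBook.xyz."}
{"TimeGenerated": "2026-06-15T08:01:05Z", "Computer": "ws01", "Name": "login.microsoftonline.com"}
{"TimeGenerated": "2026-06-15T08:02:11Z", "Computer": "ws02", "Name": "cdn.hduwrmy.megaparikade.com"}
{"TimeGenerated": "2026-06-15T08:03:40Z", "Computer": "ws03", "Name": "drivingbook.xyz"}
{"TimeGenerated": "2026-06-15T08:04:00Z", "Computer": "ws03", "Name": "notfkqhi.drivingbook.xyz"}
"""


def normalize_name(name: str) -> str:
    """Lowercase the name and strip the trailing dot resolvers often append."""
    return name.strip().rstrip(".").lower()


def matched_ioc(name: str, iocs=CLEARFAKE_DOMAINS) -> Optional[str]:
    """Return the IOC that `name` equals or is a subdomain of, else None.

    Matching on a label boundary ("." + ioc) catches hosts under an IOC domain
    without matching names that merely end in the same characters.
    """
    n = normalize_name(name)
    for ioc in iocs:
        if n == ioc or n.endswith("." + ioc):
            return ioc
    return None


def hunt(lines: Iterable[str], iocs=CLEARFAKE_DOMAINS) -> list:
    """Return one dict per DNS event whose queried name matches an IOC."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed export lines rather than abort the hunt
        ioc = matched_ioc(event.get("Name", ""), iocs)
        if ioc:
            hits.append({
                "TimeGenerated": event.get("TimeGenerated"),
                "Computer": event.get("Computer"),
                "Name": event.get("Name"),
                "ioc": ioc,
            })
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG.splitlines()):
        print(hit)
```

Running the script on the constructed log reports two hits (ws01 querying fkqhi.drivingbook.xyz and ws02 querying a host under hduwrmy.megaparikade.com). Because the Sentinel query relies on `has_any` term matching rather than this explicit label-boundary test, compare results from both before treating the offline output as equivalent.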
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
| Scenario | Filter/Exclusion |
|---|---|
| Legitimate system update using ClearFake-signed binaries | process.name != "cleartemp.exe" or process.name != "clearfake_updater.exe" |
| Scheduled maintenance task using ClearFake for log cleanup | process.name != "clearlog_cleaner.exe" or process.parent.name != "task scheduler" |
| Admin using ClearFake to sanitize temporary files during incident response | process.user != "admin" or process.command_line contains "sanitize" |
| Legitimate endpoint protection tool using ClearFake for threat intelligence lookup | process.name != "threat_intel_lookup.exe" or process.parent.name != "endpoint_protection_service" |
| Automated backup job that temporarily uses ClearFake for file compression | process.name != "backup_compressor.exe" or process.command_line contains "backup" |