The ThreatFox: ClearFake IOCs rule flags DNS resolution of domains that ThreatFox attributes to the ClearFake malware family. ClearFake is a malicious JavaScript framework injected into compromised websites that lures visitors into running a fake browser update; the domains below are tagged as payload delivery hosts for that lure. SOC teams should hunt for these lookups in Microsoft Sentinel (formerly Azure Sentinel). A hit usually means a user reached a compromised site and was served the lure, which precedes the payload download and any command and control, so treat a match as an early-stage infection indicator that needs endpoint follow-up rather than as evidence of data exfiltration.
IOC Summary
Malware Family: ClearFake. Total IOCs: 27 (25 are listed in the table below; the remaining two, uknwgsop.red90.casino and jxsofena.shartbandi.games, appear only in the hunting query). IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | xqbzvgfy.red90.casino | payload_delivery | 2026-06-10 | 100% |
| domain | yovejfu.amlakshahri.xyz | payload_delivery | 2026-06-10 | 100% |
| domain | krezxpiv.jamjahani2026.football | payload_delivery | 2026-06-10 | 100% |
| domain | tdfzyex.amoozeshagazade.shop | payload_delivery | 2026-06-10 | 100% |
| domain | pfyfyt.bankefiile.com | payload_delivery | 2026-06-10 | 100% |
| domain | nljdiefg.jamjahani.football | payload_delivery | 2026-06-10 | 100% |
| domain | lq8j82kc.shirbetfarsi.com | payload_delivery | 2026-06-10 | 100% |
| domain | y5cngab5.shirbetfarsi.com | payload_delivery | 2026-06-10 | 100% |
| domain | 3yl7mt55.andisheeslami2.xyz | payload_delivery | 2026-06-10 | 100% |
| domain | xtktlprb.rial.bet | payload_delivery | 2026-06-10 | 100% |
| domain | 1yusfrvk.pishbinibet.bet | payload_delivery | 2026-06-10 | 100% |
| domain | ithfkpx.amoozeshtagipour.shop | payload_delivery | 2026-06-10 | 100% |
| domain | uecvehp.amoozeshagazade.shop | payload_delivery | 2026-06-10 | 100% |
| domain | firdgorl.restaurantguideaarhus.com | payload_delivery | 2026-06-10 | 100% |
| domain | s4x5yd7i.anodaz.store | payload_delivery | 2026-06-10 | 100% |
| domain | xmwofxxy.winxbet.co | payload_delivery | 2026-06-10 | 100% |
| domain | oxzqss.azmoonzare.online | payload_delivery | 2026-06-10 | 100% |
| domain | 0xln2imp.yekbetiran.com | payload_delivery | 2026-06-10 | 100% |
| domain | 0lq2f3fa.yekbetiran.com | payload_delivery | 2026-06-10 | 100% |
| domain | rkbvh5p1.parspoker.casino | payload_delivery | 2026-06-10 | 100% |
| domain | pjekei.azmoonzare.online | payload_delivery | 2026-06-10 | 100% |
| domain | vohgvv.jamjahani.football | payload_delivery | 2026-06-10 | 100% |
| domain | cbawrwwb.wrfc8.com | payload_delivery | 2026-06-10 | 100% |
| domain | eaty6go0.anodaz.co | payload_delivery | 2026-06-10 | 100% |
| domain | 3sdhx6qp.pokerbazi.app | payload_delivery | 2026-06-10 | 100% |
```kql
// Hunt for DNS queries to known ClearFake payload-delivery domains
// Source: ThreatFox - ClearFake
// has_any matches on whole terms, so the full indicator (and any label beneath it)
// matches, but the parent domain on its own (e.g. red90.casino) does not.
// Use in~ instead if you want exact FQDN matches only.
let malicious_domains = dynamic(["xqbzvgfy.red90.casino", "yovejfu.amlakshahri.xyz", "krezxpiv.jamjahani2026.football", "tdfzyex.amoozeshagazade.shop", "pfyfyt.bankefiile.com", "nljdiefg.jamjahani.football", "lq8j82kc.shirbetfarsi.com", "y5cngab5.shirbetfarsi.com", "3yl7mt55.andisheeslami2.xyz", "xtktlprb.rial.bet", "1yusfrvk.pishbinibet.bet", "ithfkpx.amoozeshtagipour.shop", "uecvehp.amoozeshagazade.shop", "firdgorl.restaurantguideaarhus.com", "s4x5yd7i.anodaz.store", "xmwofxxy.winxbet.co", "oxzqss.azmoonzare.online", "0xln2imp.yekbetiran.com", "0lq2f3fa.yekbetiran.com", "rkbvh5p1.parspoker.casino", "pjekei.azmoonzare.online", "vohgvv.jamjahani.football", "cbawrwwb.wrfc8.com", "eaty6go0.anodaz.co", "3sdhx6qp.pokerbazi.app", "uknwgsop.red90.casino", "jxsofena.shartbandi.games"]);
DnsEvents
| where Name has_any (malicious_domains)
// ClientIP identifies the querying client; Computer is the DNS server that logged it
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Populated by the DNS Analytics (Windows DNS server) data connector; ensure it is enabled. If DNS telemetry is ingested through a different connector, run the same list against that connector's table (for example the ASIM DNS normalized schema) instead. |
Scenario: Security tooling resolves the indicators (malware sandboxes, threat-intel enrichment, URL scanners, proxies that pre-resolve links)
Filter/Exclusion: Exclude queries whose ClientIP or Computer is a known analysis or enrichment host. Keep an explicit allow-list of those hosts rather than excluding whole subnets.
Scenario: Analyst lookups during triage (nslookup or dig of a domain copied from this list)
Filter/Exclusion: Exclude the SOC's analysis workstations by hostname, or keep the hit and correlate it with the process that issued the query before deciding.
Scenario: Resolution was blocked or sinkholed by a protective resolver or RPZ
Filter/Exclusion: Do not drop the event. A query answered with the sinkhole address or NXDOMAIN still shows the user reached the lure; lower the severity and check IPAddresses against the sinkhole response so the endpoint is still reviewed.
Scenario: Normal browsing to the parent domain
Filter/Exclusion: The indicators are random-looking labels beneath registrable domains (for example red90.casino, shirbetfarsi.com, restaurantguideaarhus.com) that may also serve unrelated content. Match only the full FQDN listed, never the parent domain, so ordinary visits to the parent site do not fire.
Scenario: Aged indicators
Filter/Exclusion: Re-pull the list from ThreatFox on a schedule. When a listed domain is later re-registered or sinkholed, keep the hit but annotate it with the First Seen date so analysts can weigh its age against the other evidence.
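The following Python is an added example, not part of the original rule page or of ThreatFox. It reproduces the hunt's matching logic offline so the full-FQDN versus parent-domain behaviour discussed in the exclusions above can be checked against constructed DNS records before the KQL is deployed, and it renders the same IOC list back into the page's query so the list can be regenerated from a fresh feed pull. The IOC list is the one in the query above; the DNS records, hostnames and timestamps are constructed for the example, and the `hunt`, `match_ioc` and `to_kql` names are the example's own.

```python
"""Offline checker for the ThreatFox ClearFake domain IOCs (added example)."""
from __future__ import annotations
import json

# IOC list copied from the page's hunting query (27 domains).
CLEARFAKE_DOMAINS = [
    "xqbzvgfy.red90.casino", "yovejfu.amlakshahri.xyz", "krezxpiv.jamjahani2026.football",
    "tdfzyex.amoozeshagazade.shop", "pfyfyt.bankefiile.com", "nljdiefg.jamjahani.football",
    "lq8j82kc.shirbetfarsi.com", "y5cngab5.shirbetfarsi.com", "3yl7mt55.andisheeslami2.xyz",
    "xtktlprb.rial.bet", "1yusfrvk.pishbinibet.bet", "ithfkpx.amoozeshtagipour.shop",
    "uecvehp.amoozeshagazade.shop", "firdgorl.restaurantguideaarhus.com", "s4x5yd7i.anodaz.store",
    "xmwofxxy.winxbet.co", "oxzqss.azmoonzare.online", "0xln2imp.yekbetiran.com",
    "0lq2f3fa.yekbetiran.com", "rkbvh5p1.parspoker.casino", "pjekei.azmoonzare.online",
    "vohgvv.jamjahani.football", "cbawrwwb.wrfc8.com", "eaty6go0.anodaz.co",
    "3sdhx6qp.pokerbazi.app", "uknwgsop.red90.casino", "jxsofena.shartbandi.games",
]


def normalize(name: str) -> str:
    """Lower-case and strip whitespace and a trailing dot; DNS logs vary in both."""
    return name.strip().lower().rstrip(".")


def match_ioc(query_name: str, iocs: list[str] = CLEARFAKE_DOMAINS) -> str | None:
    """Return the matching IOC when query_name equals it or is a label beneath it.

    This mirrors KQL has_any on whole terms: the parent domain alone
    (e.g. 'red90.casino') and a longer label that merely contains the
    indicator text ('notxqbzvgfy.red90.casino') are deliberately NOT hits,
    because the indicator is the specific random label, not the site.
    """
    q = normalize(query_name)
    for ioc in iocs:
        i = normalize(ioc)
        if q == i or q.endswith("." + i):
            return i
    return None


def hunt(records: list[dict]) -> list[dict]:
    """Filter DNS records (dicts with TimeGenerated, Computer, Name, ...) to IOC hits, newest first."""
    hits = [dict(r, MatchedIOC=m) for r in records if (m := match_ioc(r["Name"]))]
    return sorted(hits, key=lambda r: r["TimeGenerated"], reverse=True)


def to_kql(iocs: list[str] = CLEARFAKE_DOMAINS, table: str = "DnsEvents", column: str = "Name") -> str:
    """Render the IOC list as the page's KQL hunt so it can be regenerated from a feed."""
    array = json.dumps([normalize(i) for i in iocs])
    return (
        f"let malicious_domains = dynamic({array});\n"
        f"{table}\n"
        f"| where {column} has_any (malicious_domains)\n"
        f"| project TimeGenerated, Computer, ClientIP, {column}, IPAddresses, QueryType\n"
        f"| order by TimeGenerated desc"
    )


# Constructed sample DNS records for the example; not real telemetry.
SAMPLE_DNS = [
    {"TimeGenerated": "2026-06-11T08:00:00Z", "Computer": "WS-0142", "Name": "xqbzvgfy.red90.casino", "QueryType": 1},
    {"TimeGenerated": "2026-06-11T08:00:05Z", "Computer": "WS-0142", "Name": "cdn.XQBZVGFY.red90.casino.", "QueryType": 1},
    {"TimeGenerated": "2026-06-11T08:01:00Z", "Computer": "WS-0007", "Name": "red90.casino", "QueryType": 1},
    {"TimeGenerated": "2026-06-11T08:01:30Z", "Computer": "WS-0007", "Name": "notxqbzvgfy.red90.casino", "QueryType": 1},
    {"TimeGenerated": "2026-06-11T08:02:00Z", "Computer": "WS-0007", "Name": "login.microsoftonline.com", "QueryType": 1},
]

if __name__ == "__main__":
    for h in hunt(SAMPLE_DNS):
        print(h["TimeGenerated"], h["Computer"], h["Name"], "->", h["MatchedIOC"])
    print(to_kql())
```

Only the two WS-0142 records are hits: the bare parent domain and the look-alike longer label on WS-0007 are correctly ignored, which is the behaviour the parent-domain exclusion above relies on. Feeding a freshly downloaded ThreatFox list into `to_kql` regenerates the query with the current 27 (or more) domains.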