The ThreatFox: ClearFake IOCs rule detects potential adversary activity associated with the ClearFake malware, which is known for distributing malicious payloads and compromising systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate threats early, as ClearFake is linked to high-impact attacks and persistent threats.
IOC Summary
| Malware Family | Total IOCs | IOC Types |
|---|---|---|
| ClearFake | 112 | domain |
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | majorbright.rentcad.in.net | payload_delivery | 2026-04-23 | 100% |
| domain | pds6zjwn.rentcad.in.net | payload_delivery | 2026-04-23 | 100% |
| domain | peak-lab.rentcad.in.net | payload_delivery | 2026-04-23 | 100% |
| domain | voicebund.rentcad.in.net | payload_delivery | 2026-04-23 | 100% |
| domain | hyp3-plate.rentcad.in.net | payload_delivery | 2026-04-23 | 100% |
| domain | arkdraa6.rentcad.in.net | payload_delivery | 2026-04-23 | 100% |
| domain | gran-sync.sadfont.in.net | payload_delivery | 2026-04-23 | 100% |
| domain | gdvdjt.sadfont.in.net | payload_delivery | 2026-04-23 | 100% |
| domain | scale-swif.sadfont.in.net | payload_delivery | 2026-04-23 | 100% |
| domain | north9-line.sadfont.in.net | payload_delivery | 2026-04-23 | 100% |
| domain | 277lk6.sadfont.in.net | payload_delivery | 2026-04-23 | 100% |
| domain | notifieropti.sadfont.in.net | payload_delivery | 2026-04-23 | 100% |
| domain | 4sset3-node.qazsadf.in.net | payload_delivery | 2026-04-23 | 100% |
| domain | qu1ck-flow.qazsadf.in.net | payload_delivery | 2026-04-23 | 100% |
| domain | zkmoskj.qazsadf.in.net | payload_delivery | 2026-04-23 | 100% |
| domain | 753s.qazsadf.in.net | payload_delivery | 2026-04-23 | 100% |
| domain | v3lve4-core.qazsadf.in.net | payload_delivery | 2026-04-23 | 100% |
| domain | gr0vvt1-port.qazsadf.in.net | payload_delivery | 2026-04-23 | 100% |
| domain | tal-valeor.wertbash.in.net | payload_delivery | 2026-04-23 | 100% |
| domain | bui73.wertbash.in.net | payload_delivery | 2026-04-23 | 100% |
| domain | so1id-sheet.wertbash.in.net | payload_delivery | 2026-04-23 | 100% |
| domain | storsens.wertbash.in.net | payload_delivery | 2026-04-23 | 100% |
| domain | ljzoiu.wertbash.in.net | payload_delivery | 2026-04-23 | 100% |
| domain | zencrest9um.wertbash.in.net | payload_delivery | 2026-04-23 | 100% |
| domain | ejm0c.sasdherk.in.net | payload_delivery | 2026-04-23 | 100% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - ClearFake
let malicious_domains = dynamic(["majorbright.rentcad.in.net", "pds6zjwn.rentcad.in.net", "peak-lab.rentcad.in.net", "voicebund.rentcad.in.net", "hyp3-plate.rentcad.in.net", "arkdraa6.rentcad.in.net", "gran-sync.sadfont.in.net", "gdvdjt.sadfont.in.net", "scale-swif.sadfont.in.net", "north9-line.sadfont.in.net", "277lk6.sadfont.in.net", "notifieropti.sadfont.in.net", "4sset3-node.qazsadf.in.net", "qu1ck-flow.qazsadf.in.net", "zkmoskj.qazsadf.in.net", "753s.qazsadf.in.net", "v3lve4-core.qazsadf.in.net", "gr0vvt1-port.qazsadf.in.net", "tal-valeor.wertbash.in.net", "bui73.wertbash.in.net", "so1id-sheet.wertbash.in.net", "storsens.wertbash.in.net", "ljzoiu.wertbash.in.net", "zencrest9um.wertbash.in.net", "ejm0c.sasdherk.in.net", "ambe1-point.sasdherk.in.net", "port-dat.sasdherk.in.net", "pulspost.sasdherk.in.net", "encod-logic.sasdherk.in.net", "crawleramp.sasdherk.in.net", "haus-5.svolota-player.in.net", "vert-3m.svolota-player.in.net", "fast-9.svolota-player.in.net", "mond-1v.svolota-player.in.net", "bleu-2.svolota-player.in.net", "gold-4z.svolota-player.in.net", "berg-8.histor5corching.in.net", "petit-3k.histor5corching.in.net", "blue-7.histor5corching.in.net", "wald-2x.histor5corching.in.net", "noir-5.histor5corching.in.net", "wind-9q.histor5corching.in.net", "kalt-6.blackbirdr0ot.in.net", "vert-4b.blackbirdr0ot.in.net", "open-1.blackbirdr0ot.in.net", "holz-8m.blackbirdr0ot.in.net", "rouge-3.blackbirdr0ot.in.net", "moon-5z.blackbirdr0ot.in.net", "land-9.multi-machine.in.net", "bleu-1p.multi-machine.in.net"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
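The same matching logic as the DnsEvents query above, applied offline to a handful of constructed DNS event records. This is an added example, not ThreatFox or Sentinel code: it parses domain IOCs out of a markdown table in the format used on this page (a constructed three-row subset of the list above), normalises query names (trailing dot, case), and reports a hit when the queried name is one of the listed domains or a subdomain of one, which is what `has_any` does for the terms of a dotted name. A parent such as `rentcad.in.net` on its own is not a hit, because only the listed FQDNs are IOCs. The record fields mirror the `project` clause of the query; their values are constructed.

```python
"""Offline IOC match over DNS events, mirroring the page's KQL (added example)."""

# Constructed subset of the page's ClearFake IOC table (ThreatFox), in the
# same markdown layout, so the parser below works on the page's own rows.
IOC_TABLE = """\
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | majorbright.rentcad.in.net | payload_delivery | 2026-04-23 | 100% |
| domain | gdvdjt.sadfont.in.net | payload_delivery | 2026-04-23 | 100% |
| domain | ejm0c.sasdherk.in.net | payload_delivery | 2026-04-23 | 100% |
"""


def parse_domain_iocs(table_md):
    """Return the set of lower-cased domain values from a markdown IOC table.

    Header and separator rows are skipped because their first cell is not
    the literal type "domain".
    """
    iocs = set()
    for line in table_md.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) >= 2 and cells[0] == "domain":
            iocs.add(cells[1].lower())
    return iocs


def normalize(name):
    """Canonical form of a DNS name: no trailing dot, lower case."""
    return name.strip().rstrip(".").lower()


def match_ioc(query_name, iocs):
    """Return the matching IOC for query_name, or None.

    Walks the label suffixes of the name, so "cdn.x.example" matches the IOC
    "x.example" but "notx.example" does not (no substring matching).
    """
    labels = normalize(query_name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


# Constructed DnsEvents-like records (same fields as the query's project clause).
SAMPLE_EVENTS = [
    {"TimeGenerated": "2026-04-23T08:01:00Z", "Computer": "WS-01",
     "Name": "majorbright.rentcad.in.net.", "IPAddresses": "203.0.113.10", "QueryType": "A"},
    {"TimeGenerated": "2026-04-23T08:02:00Z", "Computer": "WS-02",
     "Name": "login.microsoftonline.com", "IPAddresses": "203.0.113.20", "QueryType": "A"},
    {"TimeGenerated": "2026-04-23T08:03:00Z", "Computer": "WS-03",
     "Name": "cdn.GDVDJT.sadfont.in.net", "IPAddresses": "203.0.113.30", "QueryType": "A"},
    {"TimeGenerated": "2026-04-23T08:04:00Z", "Computer": "WS-04",
     "Name": "notmajorbright.rentcad.in.net", "IPAddresses": "203.0.113.40", "QueryType": "A"},
    {"TimeGenerated": "2026-04-23T08:05:00Z", "Computer": "WS-05",
     "Name": "rentcad.in.net", "IPAddresses": "203.0.113.50", "QueryType": "A"},
]


def hunt(events, iocs=None):
    """Filter events whose Name matches an IOC; newest first, like the KQL."""
    iocs = parse_domain_iocs(IOC_TABLE) if iocs is None else iocs
    hits = []
    for event in events:
        ioc = match_ioc(event["Name"], iocs)
        if ioc is not None:
            hits.append({**event, "MatchedIOC": ioc})
    hits.sort(key=lambda h: h["TimeGenerated"], reverse=True)
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["TimeGenerated"], hit["Computer"], hit["Name"], "->", hit["MatchedIOC"])
```

When triaging hits, the `MatchedIOC` field tells you which listed domain fired, which is what you would pivot on when checking the rest of the `DnsEvents` table for the same host or the same parent domain.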
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
| Scenario | Filter/Exclusion |
|---|---|
| Legitimate system update using ClearFake-related tools | `process.name != "ClearFake.exe" or process.parent.name != "WindowsUpdate.exe"` |
| Scheduled job running ClearFake for internal testing | `process.name != "ClearFakeTestTool.exe" or process.command_line contains "internal-test"` |
| Admin using ClearFake for network packet analysis | `process.name != "ClearFakePacketAnalyzer.exe" or process.user == "admin"` |
| ClearFake used as part of a legitimate security toolchain for threat hunting | `process.name != "ClearFakeThreatHunting.exe" or process.directory contains "security-tools"` |
| ClearFake used in a DevOps pipeline for static code analysis | `process.name != "ClearFakeCodeScanner.exe" or process.command_line contains "devops-pipeline"` |