← Back to SOC feed Coverage →

ThreatFox: ClearFake IOCs

ioc-hunt HIGH ThreatFox
DnsEvents
iocjs-clearfakethreatfox
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at ThreatFox →
Retrieved: 2026-06-05T11:00:00Z · Confidence: high

Hunt Hypothesis

Adversaries using ClearFake may leverage the 58 IOCs in this rule to exfiltrate data or establish command and control, indicating potential compromise. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate early-stage ClearFake-based attacks before significant damage occurs.

IOC Summary

Malware Family: ClearFake Total IOCs: 58 IOC Types: domain

TypeValueThreat TypeFirst SeenConfidence
domainffrpwns.vbetirani.compayload_delivery2026-06-05100%
domain!z!.vbetirani.compayload_delivery2026-06-05100%
domainukmcha.yasbet90.compayload_delivery2026-06-05100%
domainnekdncv.usa2026.betpayload_delivery2026-06-05100%
domain!z!.usa2026.betpayload_delivery2026-06-05100%
domainedfwndp0.chloroquineser.compayload_delivery2026-06-05100%
domainb25s30n3.chloroquineser.compayload_delivery2026-06-05100%
domaindnmjqvy.trmegapari.compayload_delivery2026-06-05100%
domain!z!.trmegapari.compayload_delivery2026-06-05100%
domainbagkqzj.zeppelin.betpayload_delivery2026-06-05100%
domain!z!.zeppelin.betpayload_delivery2026-06-05100%
domainzeppelin.betpayload_delivery2026-06-05100%
domainkgebll.xenicalby6.compayload_delivery2026-06-05100%
domaintjvdbbc.yektbet.betpayload_delivery2026-06-05100%
domain!z!.yektbet.betpayload_delivery2026-06-05100%
domaincpteijd.yekbetiran.compayload_delivery2026-06-05100%
domain!z!.yekbetiran.compayload_delivery2026-06-05100%
domainkazwbt9n[.]2026.futbolpayload_delivery2026-06-05100%
domainlgwzmtt.yek1bet.betpayload_delivery2026-06-05100%
domain!z!.yek1bet.betpayload_delivery2026-06-05100%
domainyek1bet.betpayload_delivery2026-06-05100%
domainafdaqyu.yasbet.casinopayload_delivery2026-06-05100%
domainyasbet.casinopayload_delivery2026-06-05100%
domainxcpvjq6r.cerocarey.compayload_delivery2026-06-05100%
domainwyveypsx.cerocarey.compayload_delivery2026-06-05100%

KQL: Domain Hunt

// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - ClearFake
let malicious_domains = dynamic(["ffrpwns.vbetirani.com", "!z!.vbetirani.com", "ukmcha.yasbet90.com", "nekdncv.usa2026.bet", "!z!.usa2026.bet", "edfwndp0.chloroquineser.com", "b25s30n3.chloroquineser.com", "dnmjqvy.trmegapari.com", "!z!.trmegapari.com", "bagkqzj.zeppelin.bet", "!z!.zeppelin.bet", "zeppelin.bet", "kgebll.xenicalby6.com", "tjvdbbc.yektbet.bet", "!z!.yektbet.bet", "cpteijd.yekbetiran.com", "!z!.yekbetiran.com", "kazwbt9n.2026.futbol", "lgwzmtt.yek1bet.bet", "!z!.yek1bet.bet", "yek1bet.bet", "afdaqyu.yasbet.casino", "yasbet.casino", "xcpvjq6r.cerocarey.com", "wyveypsx.cerocarey.com", "tqdtntx.hotbet90.casino", "hotbet90.casino", "xeanui.x50wheel.bet", "dlkcsdq.hotbet90app.com", "!z!.hotbet90app.com", "eehjqhe.homa.bet", "!z!.homa.bet", "goolge.mobi", "searggend.com", "pqycltd.hokm.casino", "f0rfdtvf.canlibahis1xbet.click", "canlibahis1xbet.click", "ageqour.hit4bet1.com", "!z!.hit4bet1.com", "vobyslb.hilo.casino", "hilo.casino", "myofcdr.hezarfencrash.bet", "!z!.hezarfencrash.bet", "4q4880m7.bwin90.bet", "zoqo6w5l.bwin90.bet", "3p1x6btm.1xbet90.bet", "youykxp.herz-frank.com", "!z!.herz-frank.com", "emwzmsp.hazaratbetapp.com", "!z!.hazaratbetapp.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc

Required Data Sources

Sentinel TableNotes
DnsEventsEnsure this data connector is enabled

References

False Positive Guidance

Original source: https://threatfox.abuse.ch/browse/malware/js.clearfake/