The infrastructure behind these ClearFake IOCs may be used by adversaries to exfiltrate data or establish command and control, and compromised credentials obtained along the way can be leveraged to move laterally within the network. Proactively hunting for these IOCs in Azure Sentinel enables early detection of advanced persistent threats and mitigates potential data breaches.
IOC Summary
Malware Family: ClearFake
Total IOCs: 163
IOC Types: domain
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - ClearFake
let malicious_domains = dynamic(["green-yard6.2zorelin.in.net", "small-garden5.2zorelin.in.net", "warm-house4.2zorelin.in.net", "smart-decor3.2zorelin.in.net", "living-room2.2zorelin.in.net", "home-design1.2zorelin.in.net", "old-library6.qi1moxel.in.net", "new-author5.qi1moxel.in.net", "best-seller4.qi1moxel.in.net", "page-number3.qi1moxel.in.net", "read-more2.qi1moxel.in.net", "open-book1.qi1moxel.in.net", "cool-drink6.bovla8ren.in.net", "fresh-juice5.bovla8ren.in.net", "sweet-cake4.bovla8ren.in.net", "tasty-dish3.bovla8ren.in.net", "good-meal2.bovla8ren.in.net", "fast-food1.bovla8ren.in.net", "live-stream6.de5xpiren.in.net", "hot-topic5.de5xpiren.in.net", "weather-post4.de5xpiren.in.net", "sport-match3.de5xpiren.in.net", "world-press2.de5xpiren.in.net", "daily-news1.de5xpiren.in.net", "white-snow6.wi9msorin.in.net", "silver-coin5.wi9msorin.in.net", "gold-star4.wi9msorin.in.net", "red-apple3.wi9msorin.in.net", "green-grass2.wi9msorin.in.net", "blue-ocean1.wi9msorin.in.net", "city-park6.po2vtalen.in.net", "gas-station5.po2vtalen.in.net", "auto-parts4.po2vtalen.in.net", "road-trip3.po2vtalen.in.net", "fast-drive2.po2vtalen.in.net", "car-rental1.po2vtalen.in.net", "media-player6.kymli4rex.in.net", "sound-track5.kymli4rex.in.net", "video-clip4.kymli4rex.in.net", "picture-book3.kymli4rex.in.net", "image-zoom2.kymli4rex.in.net", "photo-frame1.kymli4rex.in.net", "smart-door6.to8varin.in.net", "water-pipe5.to8varin.in.net", "garden-view4.to8varin.in.net", "repair-work3.to8varin.in.net", "clean-house2.to8varin.in.net", "home-service1.to8varin.in.net", "desk-folder6.sylom7er.in.net", "glue-stick5.sylom7er.in.net"]);
// Match the queried name against the list and show the most recent hits first
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
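As an added example (not part of the original page or the ThreatFox feed), a small Python helper that refangs `[.]`-style indicators from the summary table into real hostnames, emits the same DnsEvents hunt as a KQL string, and dry-runs the match logic over a few constructed DnsEvents-style records. The sample indicators and records are constructed, and the local match is a suffix check (exact IOC or a subdomain of it), not a re-implementation of KQL `has_any` term matching.

```python
import re
from typing import Iterable

# Constructed sample: three indicators in the defanged form the IOC table uses.
SAMPLE_IOCS = [
    "green-yard6[.]2zorelin.in.net",
    "old-library6.qi1moxel.in.net",
    "white-snow6.wi9msorin.in.net",
]

def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]', '(.)', 'hxxp://') back into a hostname."""
    d = indicator.strip().lower()
    d = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", d)
    d = re.sub(r"^hxxps?://", "", d)
    return d.rstrip("/").rstrip(".")

def build_kql(indicators: Iterable[str]) -> str:
    """Emit the DnsEvents hunt in the same shape as the page's query."""
    quoted = ", ".join(f'"{refang(d)}"' for d in indicators)
    return (
        f"let malicious_domains = dynamic([{quoted}]);\n"
        "DnsEvents\n"
        "| where Name has_any (malicious_domains)\n"
        "| project TimeGenerated, Computer, Name, IPAddresses, QueryType\n"
        "| order by TimeGenerated desc"
    )

def is_match(query_name: str, indicators: Iterable[str]) -> bool:
    """Suffix check: the queried name is an IOC or a subdomain of one. A name that
    only contains an IOC in the middle (ioc.example.com) is deliberately not a hit."""
    name = refang(query_name)
    return any(name == d or name.endswith("." + d)
               for d in (refang(i) for i in indicators))

# Constructed DnsEvents-style records for an offline dry run.
SAMPLE_DNS = [
    {"Computer": "ws01", "Name": "green-yard6.2zorelin.in.net", "QueryType": "A"},
    {"Computer": "ws02", "Name": "cdn.old-library6.qi1moxel.in.net", "QueryType": "A"},
    {"Computer": "ws03", "Name": "old-library6.qi1moxel.in.net.example.com", "QueryType": "A"},
    {"Computer": "ws04", "Name": "update.microsoft.com", "QueryType": "A"},
]

def hunt(records: list, indicators: Iterable[str]) -> list:
    """Return the records whose queried Name hits an indicator."""
    return [r for r in records if is_match(r["Name"], indicators)]
```

Running `hunt(SAMPLE_DNS, SAMPLE_IOCS)` flags ws01 and ws02 only; ws03 is a look-alike that merely embeds an IOC, which is the kind of false positive a substring match would raise.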
Scenario: Legitimate System Update via Chocolatey
Description: A system update using Chocolatey installs a package that coincidentally matches one of the ClearFake IOCs.
Filter/Exclusion: process.name != "choco.exe" and process.parent.name != "choco.exe"
Scenario: Scheduled Job for Log Rotation
Description: A scheduled task runs a script that uses a tool like logrotate or rsyslog which may have a file path or command line that matches a ClearFake IOC.
Filter/Exclusion: process.name != "logrotate" or process.args !~ "rotate"
Scenario: Admin Task for Software Deployment
Description: An administrator uses PowerShell or msiexec to deploy a legitimate application that has a file name or registry key matching a ClearFake IOC.
Filter/Exclusion: process.name != "powershell.exe" and process.name != "msiexec.exe"
Scenario: Network Monitoring Tool Generating Traffic
Description: A network monitoring tool like Wireshark or tcpdump generates traffic that matches a ClearFake IOC due to its operation.
Filter/Exclusion: process.name != "wireshark.exe" and process.name != "tcpdump"
Scenario: Antivirus Quarantine Process
Description: An antivirus tool like Windows Defender or Malwarebytes quarantines a file that matches a ClearFake IOC during a scan.
Filter/Exclusion: process.name != "MsMpEng.exe" and process.name != "mbam.exe"