
ThreatFox: ClearFake IOCs

Category: ioc-hunt · Severity: HIGH · Source: ThreatFox · Sentinel table: DnsEvents · ID: iocjs-clearfakethreatfox
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
Retrieved: 2026-06-04T11:00:00Z · Confidence: high

Hunt Hypothesis

The ThreatFox: ClearFake IOCs rule flags DNS queries for domains that ThreatFox attributes to ClearFake. ClearFake is a malicious JavaScript framework injected into compromised websites; it overlays fake browser-update or ClickFix-style prompts that trick the visitor into running a downloader, which then fetches an infostealer or other second-stage payload. Every indicator in this feed is tagged payload_delivery, so a match means an endpoint resolved a host that serves the lure or the staged payload, not merely that it visited the compromised site. SOC teams should hunt for these resolutions in Microsoft Sentinel (formerly Azure Sentinel) and treat a hit as a trigger to examine the querying host for the follow-on download and execution, since the DNS query alone does not prove the payload ran.

IOC Summary

Malware Family: ClearFake
Total IOCs: 33 (the table below lists the first 25; the KQL below carries the full set)
IOC Types: domain

All indicators are tagged payload_delivery at 100% confidence and were first seen 2026-06-04. Values are shown undefanged, as they appear in the KQL. Entries beginning with "!z!." are not literal hostnames; the feed appears to use that prefix for an arbitrary subdomain of the listed parent domain.

Type   | Value                      | Threat Type      | First Seen | Confidence
domain | clmkghe.bettime90.casino   | payload_delivery | 2026-06-04 | 100%
domain | bettime90.casino           | payload_delivery | 2026-06-04 | 100%
domain | kfvgvcb.betrophy90.com     | payload_delivery | 2026-06-04 | 100%
domain | !z!.betrophy90.com         | payload_delivery | 2026-06-04 | 100%
domain | swmzey.3sefr3.ir           | payload_delivery | 2026-06-04 | 100%
domain | ffeqlui.betrayon.casino    | payload_delivery | 2026-06-04 | 100%
domain | betrayon.casino            | payload_delivery | 2026-06-04 | 100%
domain | t7gjz81d.bet360pro.bet     | payload_delivery | 2026-06-04 | 100%
domain | ug5x33qq.bet360pro.bet     | payload_delivery | 2026-06-04 | 100%
domain | cmzgymj.betobet90.com      | payload_delivery | 2026-06-04 | 100%
domain | !z!.betobet90.com          | payload_delivery | 2026-06-04 | 100%
domain | bkbopol.betlikegirisi.com  | payload_delivery | 2026-06-04 | 100%
domain | !z!.betlikegirisi.com      | payload_delivery | 2026-06-04 | 100%
domain | betlikegirisi.com          | payload_delivery | 2026-06-04 | 100%
domain | zthnnrr.betistmobil.com    | payload_delivery | 2026-06-04 | 100%
domain | !z!.betistmobil.com        | payload_delivery | 2026-06-04 | 100%
domain | ty7zctpt.bet303casino.com  | payload_delivery | 2026-06-04 | 100%
domain | 3z2a3kyo.bet303casino.com  | payload_delivery | 2026-06-04 | 100%
domain | wezdgtt.betistcomgiris.com | payload_delivery | 2026-06-04 | 100%
domain | !z!.betistcomgiris.com     | payload_delivery | 2026-06-04 | 100%
domain | betistcomgiris.com         | payload_delivery | 2026-06-04 | 100%
domain | cxgbphg.betgopro.com       | payload_delivery | 2026-06-04 | 100%
domain | !z!.betgopro.com           | payload_delivery | 2026-06-04 | 100%
domain | bijmduj.betforward.now     | payload_delivery | 2026-06-04 | 100%
domain | betforward.now             | payload_delivery | 2026-06-04 | 100%

KQL: Domain Hunt

// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - ClearFake (33 indicators, all payload_delivery, first seen 2026-06-04)
// The indicator list is kept exactly as published. Entries starting with "!z!." are not
// literal hostnames (the feed appears to use the prefix for "any subdomain of"), so has_any
// can never match them against a real query name; the registrable parent domains are
// therefore listed separately and matched as well.
let malicious_domains = dynamic(["clmkghe.bettime90.casino", "bettime90.casino", "kfvgvcb.betrophy90.com", "!z!.betrophy90.com", "swmzey.3sefr3.ir", "ffeqlui.betrayon.casino", "betrayon.casino", "t7gjz81d.bet360pro.bet", "ug5x33qq.bet360pro.bet", "cmzgymj.betobet90.com", "!z!.betobet90.com", "bkbopol.betlikegirisi.com", "!z!.betlikegirisi.com", "betlikegirisi.com", "zthnnrr.betistmobil.com", "!z!.betistmobil.com", "ty7zctpt.bet303casino.com", "3z2a3kyo.bet303casino.com", "wezdgtt.betistcomgiris.com", "!z!.betistcomgiris.com", "betistcomgiris.com", "cxgbphg.betgopro.com", "!z!.betgopro.com", "bijmduj.betforward.now", "betforward.now", "betfoot.bet", "!z!.betfoot.bet", "mcqkkmc.betfootbal90.com", "!z!.betfootbal90.com", "sfmbqki.betfa90.net", "!z!.betfa90.net", "gud6pt4u.bet212.casino", "bet212.casino"]);
let parent_domains = dynamic(["bettime90.casino", "betrophy90.com", "3sefr3.ir", "betrayon.casino", "bet360pro.bet", "betobet90.com", "betlikegirisi.com", "betistmobil.com", "bet303casino.com", "betistcomgiris.com", "betgopro.com", "betforward.now", "betfoot.bet", "betfootbal90.com", "betfa90.net", "bet212.casino"]);
DnsEvents
// has_any is case-insensitive and matches whole terms, so a parent domain also matches
// any subdomain of it; switch to in~ if you want exact hostnames only.
| where Name has_any (malicious_domains) or Name has_any (parent_domains)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses, QueryType
| order by TimeGenerated desc
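The following is an added example, not part of the original rule page or of ThreatFox's tooling. It performs offline the same matching the KQL above does in Sentinel, against DNS log lines exported as text, and makes the feed's quirks explicit: it refangs values written as swmzey[.]3sefr3.ir, treats "!z!." entries as "any subdomain of the parent" (an assumption about the feed's notation), and matches on whole DNS labels so that notbettime90.casino does not match bettime90.casino. The log format (timestamp,client_ip,query_name,query_type) and the log lines are constructed for the demo; the indicators are six of the 33 from this page.

```python
"""Offline matcher for the ClearFake domain list (added example, not the page's code)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Six of the 33 indicators from the page; enough to exercise every case.
THREATFOX_IOCS = [
    "clmkghe.bettime90.casino",
    "bettime90.casino",
    "!z!.betrophy90.com",
    "swmzey[.]3sefr3.ir",
    "t7gjz81d.bet360pro.bet",
    "betforward.now",
]

# Constructed sample log (not real data): timestamp,client_ip,query_name,query_type
SAMPLE_DNS_LOG = """\
2026-06-04T10:02:11Z,10.1.4.23,www.microsoft.com,A
2026-06-04T10:02:15Z,10.1.4.23,clmkghe.bettime90.casino,A
2026-06-04T10:03:40Z,10.1.7.9,q9ab.betrophy90.com,A
2026-06-04T10:04:02Z,10.1.7.9,notbettime90.casino,A
2026-06-04T10:05:30Z,10.1.2.2,SWMZEY.3sefr3.ir.,AAAA
2026-06-04T10:06:00Z,10.1.2.2,cdn.betforward.now,A
"""

_DEFANG = re.compile(r"\[\.\]|\(\.\)|\{\.\}")


@dataclass(frozen=True)
class Indicator:
    value: str            # normalised hostname without the "!z!." prefix
    any_subdomain: bool   # True for "!z!." entries: apex and every subdomain match


@dataclass(frozen=True)
class Hit:
    timestamp: str
    client_ip: str
    query_name: str
    indicator: str        # which feed entry matched; "*." prefix marks a wildcard entry


def refang(name: str) -> str:
    """Undo [.]-style defanging, lower-case, and strip the trailing dot of an FQDN."""
    name = _DEFANG.sub(".", name.strip().lower())
    name = re.sub(r"^hxxps?://", "", name)
    return name.rstrip(".")


def parse_indicators(raw: list[str]) -> list[Indicator]:
    """Normalise feed values; "!z!." is read as a wildcard prefix (assumption)."""
    out: list[Indicator] = []
    for item in raw:
        d = refang(item)
        if d.startswith("!z!."):
            out.append(Indicator(d[len("!z!."):], True))
        else:
            out.append(Indicator(d, False))
    return out


def matches(query_name: str, ioc: Indicator) -> bool:
    """Exact hostname match; wildcard indicators also match on a label boundary."""
    q = refang(query_name)
    if q == ioc.value:
        return True
    return ioc.any_subdomain and q.endswith("." + ioc.value)


def hunt(log_text: str, indicators: list[Indicator]) -> list[Hit]:
    """Return one Hit per log line whose query name matches an indicator."""
    hits: list[Hit] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client_ip, qname, _qtype = line.split(",")
        for ioc in indicators:
            if matches(qname, ioc):
                label = ("*." if ioc.any_subdomain else "") + ioc.value
                hits.append(Hit(ts, client_ip, refang(qname), label))
                break
    return hits


def kql_domain_list(indicators: list[Indicator]) -> str:
    """Render the normalised hostnames as a KQL dynamic() literal for the Sentinel hunt."""
    names = sorted({i.value for i in indicators})
    return "dynamic([" + ", ".join(f'"{n}"' for n in names) + "])"


if __name__ == "__main__":
    iocs = parse_indicators(THREATFOX_IOCS)
    for h in hunt(SAMPLE_DNS_LOG, iocs):
        print(f"{h.timestamp} {h.client_ip} {h.query_name} -> {h.indicator}")
    print(kql_domain_list(iocs))
```

Run against the sample log it reports three hits (the literal subdomain, a random subdomain under the "!z!." parent, and the upper-cased, trailing-dot form of the defanged entry) and ignores both the look-alike notbettime90.casino and cdn.betforward.now, because betforward.now is listed as a literal hostname, not a wildcard. If you prefer the broader behaviour of the KQL's has_any, where an apex entry also catches every subdomain, mark the apex entries as wildcards when building the list; the stricter default here keeps the matcher's output aligned with what the feed actually asserts.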

Required Data Sources

Sentinel Table | Notes
DnsEvents      | Populated by the Windows DNS (DNS Analytics) connector that uses the Log Analytics agent; make sure it is enabled and that the DNS servers your endpoints actually use are onboarded, otherwise client queries never reach the table. If DNS is collected through the Windows DNS Events via AMA connector instead, the data lands in ASimDnsActivityLogs and the query needs its table and column names (DnsQuery, SrcIpAddr) adjusted.

References

Original source: https://threatfox.abuse.ch/browse/malware/js.clearfake/

False Positive Guidance

The feed rates every indicator at 100% confidence, so a hit is high-fidelity as far as the domain goes; the usual non-incident causes are the querying host, not the domain. Confirm from Computer and ClientIP that the query came from a user endpoint and not from a sandbox, web proxy, mail-security gateway, or threat-intel enrichment host, all of which resolve IOC domains as part of their normal work. Because has_any matches whole terms, a query for any subdomain of a listed parent will also hit, so expect one host to trigger on both the random-subdomain form and the apex. All indicators were first seen 2026-06-04; ClearFake infrastructure rotates quickly and taken-down or parked domains still draw DNS traffic from stale browser tabs and crawlers, so re-check the ThreatFox entry before escalating an old hit.