The ThreatFox: ClearFake IOCs rule detects potential adversary activity associated with the ClearFake malware, which is known for distributing malicious payloads and exfiltrating data. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced threats that may have evaded initial detection mechanisms.
IOC Summary

Malware Family: ClearFake
Total IOCs: 63
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | plan-couri.to7vamil.in.net | payload_delivery | 2026-04-18 | 100% |
| domain | l0c4l-phase.to7vamil.in.net | payload_delivery | 2026-04-18 | 100% |
| domain | crims0n-path.to7vamil.in.net | payload_delivery | 2026-04-18 | 100% |
| domain | c4rry-index.to7vamil.in.net | payload_delivery | 2026-04-18 | 100% |
| domain | atom0-bridge.to7vamil.in.net | payload_delivery | 2026-04-18 | 100% |
| domain | mer-draet.sylo3rex.in.net | payload_delivery | 2026-04-18 | 100% |
| domain | 1e4r-span.sylo3rex.in.net | payload_delivery | 2026-04-18 | 100% |
| domain | 6a00327.sylo3rex.in.net | payload_delivery | 2026-04-18 | 100% |
| domain | sx9v1.sylo3rex.in.net | payload_delivery | 2026-04-18 | 100% |
| domain | watch-signal.sylo3rex.in.net | payload_delivery | 2026-04-18 | 100% |
| domain | rwwolv22.sylo3rex.in.net | payload_delivery | 2026-04-18 | 100% |
| domain | stab7-sheet.ra5xovel.in.net | payload_delivery | 2026-04-18 | 100% |
| domain | veldraex9.ra5xovel.in.net | payload_delivery | 2026-04-18 | 100% |
| domain | 3wteeo.ra5xovel.in.net | payload_delivery | 2026-04-18 | 100% |
| domain | bluhz.ra5xovel.in.net | payload_delivery | 2026-04-18 | 100% |
| domain | broker-plate.ra5xovel.in.net | payload_delivery | 2026-04-18 | 100% |
| domain | geo-via1.ra5xovel.in.net | payload_delivery | 2026-04-18 | 100% |
| domain | 2gxb0vyl.8zorelin.in.net | payload_delivery | 2026-04-18 | 100% |
| domain | talcoreos.8zorelin.in.net | payload_delivery | 2026-04-18 | 100% |
| domain | sri4.8zorelin.in.net | payload_delivery | 2026-04-18 | 100% |
| domain | layoutcrawle.8zorelin.in.net | payload_delivery | 2026-04-18 | 100% |
| domain | 52hb.8zorelin.in.net | payload_delivery | 2026-04-18 | 100% |
| domain | asdf.qimor6xel.in.net | payload_delivery | 2026-04-18 | 100% |
| domain | lowa.qimor6xel.in.net | payload_delivery | 2026-04-18 | 100% |
| domain | low-cost6.qimor6xel.in.net | payload_delivery | 2026-04-18 | 100% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - ClearFake
let malicious_domains = dynamic([
    "plan-couri.to7vamil.in.net", "l0c4l-phase.to7vamil.in.net", "crims0n-path.to7vamil.in.net", "c4rry-index.to7vamil.in.net", "atom0-bridge.to7vamil.in.net",
    "mer-draet.sylo3rex.in.net", "1e4r-span.sylo3rex.in.net", "6a00327.sylo3rex.in.net", "sx9v1.sylo3rex.in.net", "watch-signal.sylo3rex.in.net", "rwwolv22.sylo3rex.in.net",
    "stab7-sheet.ra5xovel.in.net", "veldraex9.ra5xovel.in.net", "3wteeo.ra5xovel.in.net", "bluhz.ra5xovel.in.net", "broker-plate.ra5xovel.in.net", "geo-via1.ra5xovel.in.net",
    "2gxb0vyl.8zorelin.in.net", "talcoreos.8zorelin.in.net", "sri4.8zorelin.in.net", "layoutcrawle.8zorelin.in.net", "52hb.8zorelin.in.net",
    "asdf.qimor6xel.in.net", "lowa.qimor6xel.in.net", "low-cost6.qimor6xel.in.net", "best-deal5.qimor6xel.in.net", "new-stock4.qimor6xel.in.net", "gift-item3.qimor6xel.in.net", "sale-price2.qimor6xel.in.net", "shop-list1.qimor6xel.in.net",
    "tasty-ham6.bov7larex.in.net", "cool-mint5.bov7larex.in.net", "hot-grill4.bov7larex.in.net", "sweet-pie3.bov7larex.in.net", "best-food2.bov7larex.in.net", "home-chef1.bov7larex.in.net",
    "page-link6.de8xporel.in.net", "user-info5.de8xporel.in.net", "site-map4.de8xporel.in.net", "post-card3.de8xporel.in.net", "news-feed2.de8xporel.in.net", "web-blog1.de8xporel.in.net",
    "new-level6.wi5msorel.in.net", "team-win5.wi5msorel.in.net", "fast-move4.wi5msorel.in.net", "best-score3.wi5msorel.in.net", "top-play2.wi5msorel.in.net", "game-mode1.wi5msorel.in.net",
    "blue-lake6.po9vtaren.in.net", "cold-ice5.po9vtaren.in.net"
]);
// has_any does whole-term matching, so each full domain string must match the queried Name
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
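The IOC table above mixes defanged (`[.]`) and plain domain values, DNS logs often record query names with a trailing dot or mixed case, and the listed FQDNs cluster under a handful of parent domains (`to7vamil.in.net`, `sylo3rex.in.net`, and so on). The following Python script is an added example, not part of the ThreatFox rule or the page's own query: it normalises the feed values, runs both an exact match and a lower-confidence parent-domain match over constructed sample DNS log lines, and emits the refanged list in the `dynamic([...])` shape the Sentinel query uses. The sample log lines, the `IOC_VALUES` subset, the helper names, and the three-label parent-domain assumption are all mine.

```python
import re

# Constructed subset of the ClearFake domain IOCs from the table above. The page
# lists some values defanged ("[.]") and some plain; the feed-to-query path has
# to cope with both, so both forms are kept here on purpose.
IOC_VALUES = [
    "plan-couri.to7vamil.in.net",
    "l0c4l-phase.to7vamil.in.net",
    "mer-draet.sylo3rex.in.net",
    "2gxb0vyl[.]8zorelin.in.net",
    "talcoreos[.]8zorelin.in.net",
    "asdf.qimor6xel.in.net",
]

# Constructed DNS log sample: timestamp,computer,query name,query type.
# Trailing dot and mixed case on some names mirror how resolvers log them.
SAMPLE_DNS_LOG = """\
2026-04-18T09:12:03Z,WS-0142,PLAN-COURI.to7vamil.in.net.,A
2026-04-18T09:12:09Z,WS-0142,login.microsoftonline.com,A
2026-04-18T09:14:41Z,SRV-DB01,unknown-host.8zorelin.in.net,A
2026-04-18T09:15:02Z,WS-0077,cdn.example.in.net,AAAA
2026-04-18T09:16:30Z,WS-0077,talcoreos.8zorelin.in.net,A
"""

PARENT_LABELS = 3  # assumption: every listed IOC sits under <name>.in.net


def refang(value: str) -> str:
    """Undo common defanging, lowercase, and drop any trailing dot."""
    v = value.strip().lower()
    for token in ("[.]", "(.)", "{.}"):
        v = v.replace(token, ".")
    v = re.sub(r"^hxxps?://", "", v)
    return v.rstrip(".")


def parent_domain(domain: str, labels: int = PARENT_LABELS) -> str:
    """Last `labels` labels of a domain, e.g. 'x.y.to7vamil.in.net' -> 'to7vamil.in.net'.
    A production tool would consult the Public Suffix List instead of a fixed count."""
    parts = domain.split(".")
    return ".".join(parts[-labels:]) if len(parts) >= labels else domain


def build_indicator_sets(iocs):
    """Exact FQDNs from the feed plus the parent domains they share."""
    exact = {refang(v) for v in iocs}
    parents = {parent_domain(d) for d in exact}
    return exact, parents


def classify(query_name: str, exact: set, parents: set):
    """'exact' for a listed FQDN, 'parent' for an unlisted sibling under a listed
    parent domain (the feed shows throwaway subdomains being rotated), None otherwise."""
    q = refang(query_name)
    if q in exact:
        return "exact"
    if any(q == p or q.endswith("." + p) for p in parents):
        return "parent"
    return None


def hunt(log_text: str, iocs=IOC_VALUES):
    """Run the classifier over CSV-style DNS log lines and return the hits."""
    exact, parents = build_indicator_sets(iocs)
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, computer, name, _qtype = line.split(",")
        verdict = classify(name, exact, parents)
        if verdict:
            hits.append({"time": ts, "computer": computer,
                         "name": refang(name), "match": verdict})
    return hits


def to_kql(iocs=IOC_VALUES) -> str:
    """Emit the refanged list in the dynamic([...]) shape the Sentinel query above uses."""
    exact, _ = build_indicator_sets(iocs)
    quoted = ",\n    ".join(f'"{d}"' for d in sorted(exact))
    return ("let malicious_domains = dynamic([\n    " + quoted + "\n]);\n"
            "DnsEvents\n| where Name has_any (malicious_domains)\n"
            "| project TimeGenerated, Computer, Name, IPAddresses, QueryType")


if __name__ == "__main__":
    for hit in hunt(SAMPLE_DNS_LOG):
        print(hit)
    print(to_kql())
```

Exact hits correspond to what the page's `has_any` query would return; `parent` hits are extra coverage for subdomains the feed has not listed yet and should be triaged as lower confidence than the 100% entries in the table. Keep the refanging step even when the feed looks clean, because a single defanged value silently matches nothing in a `has_any` list.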
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled job running ClearFake-related scripts
Description: A system administrator schedules a job to run a script that uses ClearFake for testing or documentation purposes.
Filter/Exclusion: Exclude processes initiated by a known scheduled job task (e.g., Task Scheduler with task name ClearFake_Test_Script).
Scenario: Security team using ClearFake for malware analysis
Description: The SOC team uses ClearFake as part of their malware analysis lab to test detection capabilities.
Filter/Exclusion: Exclude processes running from a known analysis environment directory (e.g., C:\Analysis\ClearFake_Lab).
Scenario: Admin task to clean up old logs using ClearFake
Description: An admin task is configured to use ClearFake to parse and clean up old log files.
Filter/Exclusion: Exclude processes initiated by a known administrative task (e.g., LogCleanupTask.exe with a specific command-line argument).
Scenario: Development team using ClearFake for code signing
Description: A development team uses ClearFake as part of their code signing process to validate digital certificates.
Filter/Exclusion: Exclude processes running from a development environment path (e.g., D:\DevTools\ClearFake_Signer).
Scenario: System update using ClearFake for dependency resolution
Description: A system update process uses ClearFake to resolve dependencies during package installation.
Filter/Exclusion: Exclude processes initiated by a known update manager (e.g., UpdateManager.exe with a specific update ID).