The 87 IOCs associated with ClearFake are domains used for payload delivery; traffic to this infrastructure may indicate data exfiltration or command-and-control activity. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate early-stage activity from advanced persistent threats.
IOC Summary

Malware Family: ClearFake
Total IOCs: 87
IOC Types: domain
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - ClearFake
let malicious_domains = dynamic(["kferlw.itsmarthungary.hu", "qxyamp.itsmarthungary.hu", "itsmarthungary.hu", "3k3qw9fd.system-forge.digital", "42ef9q7x.system-forge.digital", "vdbkti.ispilates.hu", "dogqal.ispilates.hu", "fgyfhb.iparivillanyszerelo.hu", "oeclat.iparivillanyszerelo.hu", "gqsgdt.interimpro.hu", "cymctm.interimpro.hu", "rosrcf.inoxsystem.hu", "mprgta.inoxsystem.hu", "vzjahpug.telemetry-sphere.digital", "7f2utlvn.telemetry-sphere.digital", "dacfsh.indebud.hu", "blaold.indebud.hu", "indebud.hu", "kzaftq.hyflowtp.com", "rgaxgg.hyflowtp.com", "xredgj.holisztikuscsontkovacs.hu", "gnuvtk.holisztikuscsontkovacs.hu", "torrrj.highlife-global.com", "xrwunf.highlife-global.com", "fiwmth.gyorsanhaz.hu", "kdksfm.gyorsanhaz.hu", "n9bv1oq5.proxy-orbit.digital", "c56qm35r.proxy-orbit.digital", "foqovv.h13lakopark.hu", "juuaxu.h13lakopark.hu", "rqwanh.gyulaicsevego.hu", "uwyaac.gyulaicsevego.hu", "ykdeqf.gyorsotthont.hu", "mjurmy.gyorsotthont.hu", "rlaa5uje.stack-frontier.digital", "stack-frontier.digital", "5bvcnkto.stack-frontier.digital", "usoiuv.gyorsanhaz.hu", "kncqqq.gyorsanhaz.hu", "vgkjld.gulyaskriszti.hu", "nvxgxz.gulyaskriszti.hu", "fayzcm.greenwaysolar.hu", "zbzldh.greenwaysolar.hu", "greenwaysolar.hu", "hatvtf.globalcontact.hu", "uzrekc.globalcontact.hu", "nwjlgv.glfree.hu", "gcrexj.glfree.hu", "glfree.hu", "bzngye4l.proxy-orbit.digital"]);
// Match the queried name against the indicator list and return the most recent hits first
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
Scenario: Legitimate System Update via Windows Update
Description: A system update from Microsoft's Windows Update service includes a file that matches one of the ClearFake IOCs.
Filter/Exclusion: Check the file_name field for known Windows Update files (e.g., WindowsUpdate.exe, wuaueng.exe) and exclude any file paths containing C:\Windows\ or C:\Windows\System32\.

Scenario: Scheduled Job for Log Collection
Description: A scheduled task runs a log collection script that uses a tool such as logparser.exe or PowerShell to gather logs, and the script's file path or command line may match an IOC.
Filter/Exclusion: Exclude processes initiated by the Task Scheduler service or schtasks.exe, and filter out any file paths containing C:\Windows\System32\ or C:\Windows\Temp\.

Scenario: Admin Task for Software Deployment
Description: An administrator uses a tool such as Microsoft Endpoint Manager or Group Policy to deploy software, and a deployed file or command may match an IOC.
Filter/Exclusion: Filter out processes initiated by msiexec.exe, gpupdate.exe, or microsoft-edge.exe, and exclude any file paths that match known deployment directories (e.g., C:\Windows\Temp\, C:\Program Files\).

Scenario: Legitimate Use of PowerShell for Configuration Management
Description: A PowerShell script used for configuration management (e.g., PSConfig.exe, ConfigurationManager) includes a command or file path that matches an IOC.
Filter/Exclusion: Exclude any PowerShell processes initiated by powershell.exe with a known configuration management tool or script path (e.g., `C:\Windows\System32\Windows