Adversaries may be using the ClearFake infrastructure behind these IOCs to deliver payloads, exfiltrate data or establish command and control channels. SOC teams should proactively hunt for these indicators in Azure Sentinel to detect and mitigate potential advanced persistent threats leveraging known malicious infrastructure.
IOC Summary
Malware Family: ClearFake
Total IOCs: 86
IOC Types: domain
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - ClearFake. has_any is case-insensitive term matching on the queried name.
let malicious_domains = dynamic([
    "igyom.technologiaiviz.hu", "vuhmb.technologiaiviz.hu", "uswai.vikstore.hu", "ujghw.vikstore.hu", "mrlls.aileadfactory.com", "mldmb.aileadfactory.com", "9mb8413h.pleasuredome.hu", "cajya.addmagad.com", "hzuib.addmagad.com", "snonc.accredit.hu", "exqrm.accredit.hu", "dkhgk.zaszlorudbolt.hu", "cavbp.zaszlorudbolt.hu",
    "ibauh.yanis.hu", "vggil.yanis.hu", "xawur.workoutwithdorci.com", "fndif.workoutwithdorci.com", "2vmkhs7s.riherino.com", "yrx2llns.riherino.com", "afnsw.wlwyb.com", "jekky.wlwyb.com", "g6zaqd6k.schleer.hu", "rgeouiqb.schleer.hu", "miixn.wilhelmglobal.com", "zyuhz.wilhelmglobal.com", "yjkjr.westinvesteuropa.hu",
    "skhoh.westinvesteuropa.hu", "hwujn.welovevent.com", "mdbia.welovevent.com", "elsms.webgondozas.hu", "gctlg.webgondozas.hu", "siase.webermann.hu", "vvvbk.webermann.hu", "2718gc20.seresniki.com", "qfk3l7gj.seresniki.com", "roesn.vrtigo.hu", "dqgrg.vrtigo.hu", "gbhij.vilagom.hu", "bzqtp.vilagom.hu",
    "ycnvr.vikstore.hu", "fkfdb.vikstore.hu", "vorro.vigaf.hu", "pituf.vigaf.hu", "pyzoi.ceremoniavezeto.hu", "jneuc.ceremoniavezeto.hu", "7orku7ut.taxrundo.sk", "taxrundo.sk", "ooeet.cannaturalgroup.com", "vbpco.cannaturalgroup.com", "xosum.butoralberlet.com"
]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
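As an added example (not code from the original page or from ThreatFox), the same hunt done offline in Python over exported DnsEvents-style records, with the normalization the KQL query does not make explicit: lowercasing, stripping the trailing dot resolver logs often record, and flagging a lookup under a listed apex (the list carries both taxrundo.sk and 7orku7ut.taxrundo.sk) as a separate, lower-confidence "subdomain" hit. The sample records and every hostname other than the page's IOCs are constructed.

```python
import json

# Subset of the page's IOC domains (constructed harness; load the full feed in practice).
CLEARFAKE_DOMAINS = {
    "igyom.technologiaiviz.hu", "uswai.vikstore.hu", "taxrundo.sk",
    "7orku7ut.taxrundo.sk", "miixn.wilhelmglobal.com",
}

def normalize(name: str) -> str:
    """Lowercase and strip the trailing dot that resolver logs often record."""
    return name.strip().rstrip(".").lower()

def match_domain(query_name: str, iocs=CLEARFAKE_DOMAINS):
    """Return (matched_ioc, kind) for one queried name, or None."""
    name = normalize(query_name)
    if name in iocs:
        return name, "exact"
    labels = name.split(".")
    # Walk up the labels, stopping before the bare TLD, so a lookup under a
    # listed apex (taxrundo.sk is itself listed) is caught without matching "sk".
    for i in range(1, len(labels) - 1):
        parent = ".".join(labels[i:])
        if parent in iocs:
            return parent, "subdomain"   # lower confidence; triage separately
    return None

def hunt(events, iocs=CLEARFAKE_DOMAINS):
    """Return hits from DnsEvents-style records (Computer, Name, QueryType)."""
    hits = []
    for ev in events:
        m = match_domain(ev["Name"], iocs)
        if m:
            hits.append({"Computer": ev["Computer"], "Name": ev["Name"],
                         "IOC": m[0], "Match": m[1]})
    return hits

# Constructed sample records; only the IOC names come from the page.
SAMPLE_EVENTS = [
    {"Computer": "ws01", "Name": "Igyom.technologiaiviz.hu.", "QueryType": "A"},
    {"Computer": "ws02", "Name": "cdn.example.com", "QueryType": "A"},
    {"Computer": "ws03", "Name": "x9kq2a.taxrundo.sk", "QueryType": "A"},
    {"Computer": "ws04", "Name": "wilhelmglobal.com", "QueryType": "MX"},
]

if __name__ == "__main__":
    print(json.dumps(hunt(SAMPLE_EVENTS), indent=2))
```

Note that wilhelmglobal.com produces no hit: only miixn.wilhelmglobal.com is listed, and the matcher never widens beyond entries actually in the IOC set.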
False-positive scenarios and their suggested exclusions. These exclusions are expressed in process fields from endpoint telemetry; the DnsEvents query above carries no process columns, so apply them on the process-level data source where the match occurs, not to the DNS query itself.

| Scenario | Description | Filter/Exclusion |
|---|---|---|
| Legitimate System Update via Chocolatey | A system update using Chocolatey installs a package that matches one of the ClearFake IOCs. | `process.name != "choco.exe" or process.parent.name != "choco.exe"` |
| Scheduled Job Running PowerShell Script | A scheduled task runs a PowerShell script that uses a file or command matching a ClearFake IOC. | `process.name != "powershell.exe" or process.parent.name != "schtasks.exe"` |
| Admin Task Using WMI for System Monitoring | An administrative task uses WMI to query system information, which may trigger a ClearFake IOC. | `process.name != "wmic.exe" or process.parent.name != "services.exe"` |
| Legitimate Software Installation via MSI | A legitimate software installation package (MSI) contains a file or registry key that matches a ClearFake IOC. | `process.name != "msiexec.exe" or process.parent.name != "explorer.exe"` |
| Network Discovery Tool Using Nmap | A network discovery tool like Nmap is used to scan internal networks, which may trigger a ClearFake IOC. | `process.name != "nmap.exe" or process.parent.name != "task scheduler"` |