The ThreatFox: ClearFake IOCs rule detects potential adversary activity associated with the ClearFake malware, which is known for distributing malicious payloads through compromised websites and phishing campaigns. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage attacks that could lead to data exfiltration or system compromise.
IOC Summary
Malware Family: ClearFake
Total IOCs: 70
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | geirvzju.betxane.com | payload_delivery | 2026-06-12 | 100% |
| domain | xipuryqj.betwanna.com | payload_delivery | 2026-06-12 | 100% |
| domain | ukpoojmk.shansbartar.bet | payload_delivery | 2026-06-12 | 100% |
| domain | wumyhfj.livebetkade.com | payload_delivery | 2026-06-12 | 100% |
| domain | 9w0va69z.shansbartar.bet | payload_delivery | 2026-06-12 | 100% |
| domain | 4y04a82z.hattrickbetkade.com | payload_delivery | 2026-06-12 | 100% |
| domain | raqmk.mururhesabdari.xyz | payload_delivery | 2026-06-12 | 100% |
| domain | hqqacfwe.betforwardkade.com | payload_delivery | 2026-06-12 | 100% |
| domain | k96h8q0b.fubet24.net | payload_delivery | 2026-06-12 | 100% |
| domain | 8gl6eqnn.fubet24.net | payload_delivery | 2026-06-12 | 100% |
| domain | yzqzbtkr.betfidokade.com | payload_delivery | 2026-06-12 | 100% |
| domain | koiffqfm.enfejarkade.online | payload_delivery | 2026-06-12 | 100% |
| domain | dxxxyoqr.bet313.org | payload_delivery | 2026-06-12 | 100% |
| domain | llfarlit.bet120x.net | payload_delivery | 2026-06-12 | 100% |
| domain | vidsloii.bcgamekade.online | payload_delivery | 2026-06-12 | 100% |
| domain | g1zevlqh.casinokade.online | payload_delivery | 2026-06-12 | 100% |
| domain | 17tx25qi.casinokade.online | payload_delivery | 2026-06-12 | 100% |
| domain | whitfkos.ace9bet.net | payload_delivery | 2026-06-12 | 100% |
| domain | oywlk.motorbook.xyz | payload_delivery | 2026-06-12 | 100% |
| domain | 9np2x3by.bordestan.com | payload_delivery | 2026-06-12 | 100% |
| domain | dtphi824.akhbarsport.info | payload_delivery | 2026-06-12 | 100% |
| domain | rngvl.bilyardkade.online | payload_delivery | 2026-06-12 | 100% |
| domain | burreepr.ace90betkade.com | payload_delivery | 2026-06-12 | 100% |
| domain | euerx2bw.linebetkade.com | payload_delivery | 2026-06-12 | 100% |
| domain | wnwrwqfz.4030bet.app | payload_delivery | 2026-06-12 | 100% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - ClearFake
let malicious_domains = dynamic(["geirvzju.betxane.com", "xipuryqj.betwanna.com", "ukpoojmk.shansbartar.bet", "wumyhfj.livebetkade.com", "9w0va69z.shansbartar.bet", "4y04a82z.hattrickbetkade.com", "raqmk.mururhesabdari.xyz", "hqqacfwe.betforwardkade.com", "k96h8q0b.fubet24.net", "8gl6eqnn.fubet24.net", "yzqzbtkr.betfidokade.com", "koiffqfm.enfejarkade.online", "dxxxyoqr.bet313.org", "llfarlit.bet120x.net", "vidsloii.bcgamekade.online", "g1zevlqh.casinokade.online", "17tx25qi.casinokade.online", "whitfkos.ace9bet.net", "oywlk.motorbook.xyz", "9np2x3by.bordestan.com", "dtphi824.akhbarsport.info", "rngvl.bilyardkade.online", "burreepr.ace90betkade.com", "euerx2bw.linebetkade.com", "wnwrwqfz.4030bet.app", "nylmc.hotbetkade.com", "tngbqcwl.22betkade.online", "gzcgy.hiwino.net", "cxdba2b3.zabanmemari.shop", "ddk5uk7m.zabanmemari.shop", "htftvttj.1xyek.net", "twhjk.hazaratkade.com", "eqnenkch.zabanhaggani.shop", "hodomoxq.1xborokade.com", "ygfnk.darsnamejame.xyz", "emqlb.tahlilsazeha.xyz", "zjfxfoev.1xbitkade.com", "ljist.sanjeshvaandazegiri.shop", "ktokj.sanjeshvaandazegiri.shop", "vspdk.tahgigbazargan.xyz", "rizvw.sanjeshravani.shop", "keofm.sanjeshravani.shop", "g29aiuih.zabanenglishanari.xyz", "28ri3ljq.zabanenglishanari.xyz", "jsyao.tafsirquran.xyz", "eejgo.sakhtemandade.shop", "mpgfy.sakhtemandade.shop", "ydcgvobr.tarbiatbadani.xyz", "fuwtp.tafsirnasiri.xyz", "uss6wss6.hesabdarieskandari.xyz"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
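The query above matches the DnsEvents `Name` column against the IOC list. Before scheduling it, an analyst usually wants to confirm what the matching logic will and will not catch: subdomains of an IOC, FQDN trailing dots, and defanged entries such as `wnwrwqfz[.]4030bet.app` (which appears defanged in some IOC feeds and would never match if pasted into the query as-is). The following Python script is an added example, not part of the ThreatFox feed or the Sentinel rule; it re-implements the hunt offline over constructed DnsEvents-style records so the behaviour can be tested before the KQL runs. The sample log lines, the hostnames `WS-0142`, `SRV-DB01` and `WS-0077`, and the three-domain IOC subset are constructed for the example.

```python
"""Offline re-implementation of the DnsEvents hunt for the ClearFake domain IOCs.

Added example: mirrors the KQL `Name has_any (malicious_domains)` step in Python,
with two refinements a practitioner wants to verify before deployment:
  * defanged IOCs ('[.]', '(.)', '{.}') are refanged so they actually match
  * a query is a hit if it equals an IOC or is a subdomain of one, but a
    *parent* of an IOC (e.g. fubet24.net alone) is not reported
"""
import re
from typing import Dict, List, Optional, Set

# Subset of the IOC domains from the table above; the full list is in the KQL.
# The last entry is deliberately defanged to exercise refang().
IOC_DOMAINS = [
    "geirvzju.betxane.com",
    "k96h8q0b.fubet24.net",
    "wnwrwqfz[.]4030bet.app",
]

# Constructed DnsEvents-style records: TimeGenerated,Computer,Name,QueryType
SAMPLE_DNS_EVENTS = """\
2026-06-12T07:01:03Z,WS-0142,geirvzju.betxane.com,A
2026-06-12T07:01:09Z,WS-0142,login.microsoftonline.com,A
2026-06-12T07:02:11Z,SRV-DB01,wnwrwqfz.4030bet.app.,A
2026-06-12T07:03:44Z,WS-0077,cdn.k96h8q0b.fubet24.net,AAAA
2026-06-12T07:04:00Z,WS-0077,fubet24.net,A
"""

_DEFANG = re.compile(r"\[\.\]|\(\.\)|\{\.\}")


def refang(domain: str) -> str:
    """Normalise a domain: lowercase, replace defang markers, drop trailing dot."""
    d = domain.strip().lower()
    d = _DEFANG.sub(".", d)
    return d.rstrip(".")


def build_ioc_set(domains: List[str]) -> Set[str]:
    """Refang every IOC once so lookups are exact-string set membership."""
    return {refang(d) for d in domains}


def matches_ioc(query_name: str, ioc_set: Set[str]) -> Optional[str]:
    """Return the IOC matched by query_name (itself or a parent label suffix).

    The loop walks suffixes down to two labels, so a bare TLD never matches and
    a parent of an IOC only matches if that parent is itself on the list.
    """
    labels = refang(query_name).split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in ioc_set:
            return candidate
    return None


def hunt_dns_events(csv_text: str, ioc_domains: List[str]) -> List[Dict[str, str]]:
    """Apply the IOC match to each record; hits are returned in log order."""
    ioc_set = build_ioc_set(ioc_domains)
    hits = []
    for line in csv_text.splitlines():
        if not line.strip():
            continue
        time_generated, computer, name, query_type = line.split(",")
        ioc = matches_ioc(name, ioc_set)
        if ioc is not None:
            hits.append({
                "TimeGenerated": time_generated,
                "Computer": computer,
                "Name": name,
                "QueryType": query_type,
                "ioc": ioc,
            })
    return hits


if __name__ == "__main__":
    for hit in hunt_dns_events(SAMPLE_DNS_EVENTS, IOC_DOMAINS):
        print(f"{hit['TimeGenerated']} {hit['Computer']:<9} {hit['Name']:<32} -> {hit['ioc']}")
```

Run against the constructed sample, three of the five records are reported: the exact IOC, the FQDN with a trailing dot (normalised by `refang`), and the subdomain under `k96h8q0b.fubet24.net`; the lookup for the parent `fubet24.net` is not reported because only the labelled host is on the list. The same suffix walk is what you would want to confirm in the KQL, since `has_any` performs term matching rather than domain-suffix matching.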
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
False Positive Tuning

The exclusions below key on process, executable and command-line fields; the DnsEvents query above carries no such columns, so they would have to be applied against a process-event table rather than to this query.

- Scenario: Legitimate system update using ClearFake-related tools
  Filter/Exclusion: Exclude processes related to ClearFake during scheduled system updates (e.g., a task scheduler job named Update-System-7am with ClearFake.exe as the executable).
- Scenario: Admin task using ClearFake for internal testing or sandboxing
  Filter/Exclusion: Exclude processes initiated by the Administrators group with a command line containing --sandbox or --test-mode.
- Scenario: Scheduled job for log analysis using ClearFake
  Filter/Exclusion: Exclude processes running under LogAnalysisService or LogParser.exe that are part of the enterprise log management system (e.g., Splunk or ELK).
- Scenario: Security tool using ClearFake for threat intelligence lookup
  Filter/Exclusion: Exclude processes initiated by ThreatIntelService or ThreatFox.exe with a command line containing --lookup or --query.
- Scenario: User-initiated file scan using ClearFake for malware detection
  Filter/Exclusion: Exclude processes initiated by MalwareScan.exe or VirusTotal.exe with a command line containing --scan or --file.