The ThreatFox: ClearFake IOCs rule detects potential adversary activity associated with the ClearFake malware, which is known for distributing malicious payloads through compromised websites and phishing campaigns. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromises that could lead to data exfiltration or lateral movement within the network.
IOC Summary

- Malware Family: ClearFake
- Total IOCs: 103
- IOC Types: domain

The domain values themselves are carried in the hunting query below.
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - ClearFake
// The list is declared once as a dynamic array so it can be reused by other queries.
let malicious_domains = dynamic(["atom1-span.nov3liren.in.net", "emidb.kymle1rax.in.net", "geo-1c3.kymle1rax.in.net", "veltide4a.kymle1rax.in.net", "thick8-signal.kymle1rax.in.net", "neo-cornput.to9varon.in.net", "bytefore.to9varon.in.net", "server-scar.to9varon.in.net", "hdf358xa.sylo6mer.in.net", "amber-mon.sylo6mer.in.net", "gentl-snow.sylo6mer.in.net", "vorlithen4.sylo6mer.in.net", "sernexor8.rax4pavel.in.net", "forrn7-panel.rax4pavel.in.net", "jkdraj.rax4pavel.in.net", "vellithal3.rax4pavel.in.net", "dyn-tideis.zex8liron.in.net", "ultra-f1rmvva.zex8liron.in.net", "sub-n3uron.zex8liron.in.net", "kkdho.zex8liron.in.net", "vorcrestix.zex8liron.in.net", "72z5.zex8liron.in.net", "ollowgl.qiv2moren.in.net", "motif4-vector.qiv2moren.in.net", "gf2rfd.qiv2moren.in.net", "7fsk.bexla9rin.in.net", "echoloa.bexla9rin.in.net", "theormot.bexla9rin.in.net", "vorforge7al.bexla9rin.in.net", "proto-str34m.dex3lavan.in.net", "norspireos3.dex3lavan.in.net", "tracesound.dex3lavan.in.net", "segmentash.dex3lavan.in.net", "growthcircui.miv7sorel.in.net", "surv3y7-plate.miv7sorel.in.net", "bark-line.miv7sorel.in.net", "basicret.miv7sorel.in.net", "tri-fluxa.miv7sorel.in.net", "solafirmw.miv7sorel.in.net", "dffer.excavat-toponym.in.net", "fast-land-9c.excavat-toponym.in.net", "zeit-1.excavat-toponym.in.net", "open-3.caissonnarc0m.in.net", "petit-berg-5p.caissonnarc0m.in.net", "rouge-6.caissonnarc0m.in.net", "haus-1.cicada-tkacki.in.net", "bleu-4.cicada-tkacki.in.net", "kalt-wald-8.cicada-tkacki.in.net", "fast-zeit-5k.cicada-tkacki.in.net", "open-9.slanikt7ay.in.net"]);
DnsEvents
// has_any performs term-based matching (terms split on '.' and '-'), so it also
// catches queries for subdomains of a listed name; use in~ for exact matches only.
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
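The same matching logic, expressed as a stand-alone script for triaging exported DNS logs offline (an added example, not part of the ThreatFox rule): it normalises query names the way resolvers log them (mixed case, trailing dot) and matches a name either exactly or as a subdomain of a listed domain. The domain subset and the events are constructed from the list above; `hunt` and `match_domain` are names assumed here.

```python
"""Offline check of DNS query names against the ClearFake domain list."""
from typing import Dict, List, Optional, Set

# Subset of the ClearFake domains from the hunting query above.
CLEARFAKE_DOMAINS: Set[str] = {
    "atom1-span.nov3liren.in.net",
    "emidb.kymle1rax.in.net",
    "geo-1c3.kymle1rax.in.net",
    "open-9.slanikt7ay.in.net",
}


def normalize_name(name: str) -> str:
    """Lowercase and strip the trailing root dot some resolvers write (e.g. 'Emidb.Kymle1rax.In.Net.')."""
    return name.strip().rstrip(".").lower()


def match_domain(name: str, iocs: Set[str] = CLEARFAKE_DOMAINS) -> Optional[str]:
    """Return the listed domain that `name` equals or sits under, or None.

    Walking the label suffixes means 'cdn.emidb.kymle1rax.in.net' matches
    'emidb.kymle1rax.in.net', while 'notemidb.kymle1rax.in.net' does not.
    """
    labels = normalize_name(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


# Constructed sample DnsEvents rows, not real telemetry.
SAMPLE_EVENTS: List[Dict] = [
    {"TimeGenerated": "2026-04-25T10:01:00Z", "Computer": "WS-01", "Name": "emidb.kymle1rax.in.net", "QueryType": 1},
    {"TimeGenerated": "2026-04-25T10:02:00Z", "Computer": "WS-02", "Name": "Geo-1c3.Kymle1rax.In.Net.", "QueryType": 28},
    {"TimeGenerated": "2026-04-25T10:03:00Z", "Computer": "WS-03", "Name": "cdn.atom1-span.nov3liren.in.net", "QueryType": 1},
    {"TimeGenerated": "2026-04-25T10:04:00Z", "Computer": "WS-04", "Name": "updates.example.com", "QueryType": 1},
]


def hunt(events: List[Dict], iocs: Set[str] = CLEARFAKE_DOMAINS) -> List[Dict]:
    """Return matching events, newest first, mirroring the KQL projection and ordering."""
    hits = []
    for ev in events:
        matched = match_domain(ev["Name"], iocs)
        if matched:
            hits.append({**ev, "Matched": matched})
    return sorted(hits, key=lambda h: h["TimeGenerated"], reverse=True)


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["TimeGenerated"], hit["Computer"], hit["Name"], "->", hit["Matched"])
```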
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
False Positive Scenarios

The exclusions below are written against process and command-line telemetry; DnsEvents carries no process context, so apply them where the DNS hit is correlated with process-level events rather than in the query above.

- Scenario: A system administrator is using PowerShell to run a scheduled job that imports a CSV file containing benign IP addresses for network monitoring.
  Filter/Exclusion: Exclude processes initiated by schtasks.exe or with a command line containing Import-Csv (the cmdlet name is case-insensitive).
- Scenario: A security analyst is using Wireshark to capture and analyze network traffic for a penetration test, which includes traffic to known malicious IPs associated with ClearFake.
  Filter/Exclusion: Exclude processes running under the wireshark.exe process name or with a command line containing --capture or --read.
- Scenario: A DevOps team is deploying a Docker container that includes a dependency on a third-party library, which is flagged as an IOC due to its association with ClearFake.
  Filter/Exclusion: Exclude processes related to docker or dockerd and filter out package dependencies from known safe repositories such as Docker Hub or npm.
- Scenario: A system update is being applied via Group Policy that includes a script referencing a benign IP address used for internal DNS resolution.
  Filter/Exclusion: Exclude processes initiated by gpupdate.exe or with a command line containing gpupdate /force or Group Policy.
- Scenario: A backup job using Veeam Backup & Replication is configured to transfer files to a remote server, and the destination IP is mistakenly flagged as an IOC.
  Filter/Exclusion: Exclude processes initiated by veeam.exe or with a command line containing backup or replication.