Adversaries operating ClearFake may use the infrastructure behind these IOCs to exfiltrate data or establish command and control channels, leveraging compromised infrastructure to maintain persistence. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate potential advanced persistent threats early.
IOC Summary
Malware Family: ClearFake
Total IOCs: 77
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | rjhmik2i.kymle2rax.in.net | payload_delivery | 2026-04-24 | 100% |
| domain | mossbra.kymle2rax.in.net | payload_delivery | 2026-04-24 | 100% |
| domain | vinecarg.to9varil.in.net | payload_delivery | 2026-04-24 | 100% |
| domain | rs9y.to9varil.in.net | payload_delivery | 2026-04-24 | 100% |
| domain | qc3zfzu.to9varil.in.net | payload_delivery | 2026-04-24 | 100% |
| domain | p4rse-forge.to9varil.in.net | payload_delivery | 2026-04-24 | 100% |
| domain | processlis.to9varil.in.net | payload_delivery | 2026-04-24 | 100% |
| domain | cl52qlla.to9varil.in.net | payload_delivery | 2026-04-24 | 100% |
| domain | triggerdispatch.sylov4en.in.net | payload_delivery | 2026-04-24 | 100% |
| domain | measu8-drive.sylov4en.in.net | payload_delivery | 2026-04-24 | 100% |
| domain | clucrawl.sylov4en.in.net | payload_delivery | 2026-04-24 | 100% |
| domain | hublistener.sylov4en.in.net | payload_delivery | 2026-04-24 | 100% |
| domain | lgjov.sylov4en.in.net | payload_delivery | 2026-04-24 | 100% |
| domain | adapt1-line.sylov4en.in.net | payload_delivery | 2026-04-24 | 100% |
| domain | 5pru4-mark.ra6ximel.in.net | payload_delivery | 2026-04-24 | 100% |
| domain | jakej.ra6ximel.in.net | payload_delivery | 2026-04-24 | 100% |
| domain | b4nd-signal.ra6ximel.in.net | payload_delivery | 2026-04-24 | 100% |
| domain | velcrestar5.ra6ximel.in.net | payload_delivery | 2026-04-24 | 100% |
| domain | sunauth.ra6ximel.in.net | payload_delivery | 2026-04-24 | 100% |
| domain | ark-forgeon.ra6ximel.in.net | payload_delivery | 2026-04-24 | 100% |
| domain | azure-sharp.1zoravel.in.net | payload_delivery | 2026-04-24 | 100% |
| domain | c4st-layer.1zoravel.in.net | payload_delivery | 2026-04-24 | 100% |
| domain | alt-f1eet.1zoravel.in.net | payload_delivery | 2026-04-24 | 100% |
| domain | balcg.1zoravel.in.net | payload_delivery | 2026-04-24 | 100% |
| domain | p1a5-watch.1zoravel.in.net | payload_delivery | 2026-04-24 | 100% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - ClearFake
let malicious_domains = dynamic(["rjhmik2i.kymle2rax.in.net", "mossbra.kymle2rax.in.net", "vinecarg.to9varil.in.net", "rs9y.to9varil.in.net", "qc3zfzu.to9varil.in.net", "p4rse-forge.to9varil.in.net", "processlis.to9varil.in.net", "cl52qlla.to9varil.in.net", "triggerdispatch.sylov4en.in.net", "measu8-drive.sylov4en.in.net", "clucrawl.sylov4en.in.net", "hublistener.sylov4en.in.net", "lgjov.sylov4en.in.net", "adapt1-line.sylov4en.in.net", "5pru4-mark.ra6ximel.in.net", "jakej.ra6ximel.in.net", "b4nd-signal.ra6ximel.in.net", "velcrestar5.ra6ximel.in.net", "sunauth.ra6ximel.in.net", "ark-forgeon.ra6ximel.in.net", "azure-sharp.1zoravel.in.net", "c4st-layer.1zoravel.in.net", "alt-f1eet.1zoravel.in.net", "balcg.1zoravel.in.net", "p1a5-watch.1zoravel.in.net", "sku4jn.1zoravel.in.net", "fast-7k.inject-mitroph.in.net", "noir-land-3.inject-mitroph.in.net", "soft-1.inject-mitroph.in.net", "wald-baum-6w.inject-mitroph.in.net", "rouge-4.inject-mitroph.in.net", "iron-zeit-8.inject-mitroph.in.net", "berg-5x.dometo1ochy.in.net", "petit-mond-1.dometo1ochy.in.net", "kalt-9.dometo1ochy.in.net", "open-haus-4.dometo1ochy.in.net", "bleu-7.dometo1ochy.in.net", "wind-3p.dometo1ochy.in.net", "gold-2.jazz-password.in.net", "noir-land-5.jazz-password.in.net", "fast-3v.jazz-password.in.net", "dark-star-6.jazz-password.in.net", "zeit-4k.jazz-password.in.net", "blue-holz-8.jazz-password.in.net", "haus-5.geor8eharvest.in.net", "petit-berg-1.geor8eharvest.in.net", "rouge-7v.geor8eharvest.in.net", "soft-wald-2.geor8eharvest.in.net", "vert-4.geor8eharvest.in.net", "cold-9q.geor8eharvest.in.net"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
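The following Python script is an added example, not part of this page or of the ThreatFox feed tooling. It reproduces the logic of the KQL hunt offline so the matching behaviour can be checked before the query runs in Sentinel: indicators are refanged (the table above mixes `[.]`-defanged and plain entries), query names are lower-cased and stripped of a trailing dot, and a query is flagged if it equals an indicator or sits under it as a subdomain, which is roughly what KQL's term-based `has_any` gives you. A lookalike with the indicator embedded inside a longer label (`notvinecarg…`) is deliberately not matched. The IOC subset and the DNS events are constructed for the example and are not real telemetry.

```python
"""Offline check of DNS query names against the ClearFake domain IOCs above.

Added example; it is not the page's or ThreatFox's own code. Sample events
below are constructed and mimic the columns the KQL query projects.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Subset of the indicators in the table above. Two are kept in defanged
# "[.]" form on purpose, to show why refanging is needed before matching.
IOC_DOMAINS = [
    "rjhmik2i.kymle2rax.in.net",
    "vinecarg.to9varil.in.net",
    "triggerdispatch.sylov4en.in.net",
    "azure-sharp[.]1zoravel.in.net",
    "p1a5-watch[.]1zoravel.in.net",
]

# Constructed DNS events (not real telemetry), shaped like DnsEvents rows.
SAMPLE_EVENTS = [
    {"TimeGenerated": "2026-04-24T09:01:12Z", "Computer": "WS-0142",
     "Name": "vinecarg.to9varil.in.net.", "QueryType": "A"},          # trailing dot
    {"TimeGenerated": "2026-04-24T09:01:15Z", "Computer": "WS-0142",
     "Name": "AZURE-SHARP.1zoravel.in.net", "QueryType": "A"},        # mixed case
    {"TimeGenerated": "2026-04-24T09:02:40Z", "Computer": "WS-0077",
     "Name": "login.microsoftonline.com", "QueryType": "A"},          # benign
    {"TimeGenerated": "2026-04-24T09:03:05Z", "Computer": "WS-0077",
     "Name": "cdn.vinecarg.to9varil.in.net", "QueryType": "AAAA"},    # subdomain of IOC
    {"TimeGenerated": "2026-04-24T09:04:00Z", "Computer": "SRV-DB01",
     "Name": "notvinecarg.to9varil.in.net", "QueryType": "A"},        # lookalike, no match
]


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot some DNS loggers append."""
    return name.strip().lower().rstrip(".")


def refang(indicator: str) -> str:
    """Turn defanged notation such as "[.]" or "(.)" back into a plain domain."""
    return normalize(re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", indicator))


def build_ioc_set(indicators) -> set[str]:
    return {refang(i) for i in indicators}


@dataclass
class Hit:
    time: str
    computer: str
    name: str
    matched_ioc: str
    match_kind: str  # "exact" or "subdomain"


def match_name(name: str, ioc_set: set[str]) -> Optional[tuple[str, str]]:
    """Return (ioc, kind) when the query name is an IOC or a subdomain of one.

    The suffix check walks DNS labels, so 'notvinecarg.to9varil.in.net' does
    not match 'vinecarg.to9varil.in.net' the way a naive endswith() would.
    """
    n = normalize(name)
    if n in ioc_set:
        return n, "exact"
    labels = n.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        if parent in ioc_set:
            return parent, "subdomain"
    return None


def hunt(events, indicators=IOC_DOMAINS) -> list[Hit]:
    """Apply the IOC match to every event; newest first, like the KQL order by."""
    ioc_set = build_ioc_set(indicators)
    hits = []
    for ev in events:
        m = match_name(ev["Name"], ioc_set)
        if m is not None:
            hits.append(Hit(ev["TimeGenerated"], ev["Computer"], ev["Name"], m[0], m[1]))
    return sorted(hits, key=lambda h: h.time, reverse=True)


if __name__ == "__main__":
    for h in hunt(SAMPLE_EVENTS):
        print(f"{h.time} {h.computer:8} {h.name:32} -> {h.matched_ioc} ({h.match_kind})")
```

Running it reports three hits (the subdomain query, the mixed-case exact match and the trailing-dot exact match) and ignores the Microsoft lookup and the lookalike. If a feed hands you defanged indicators, run them through `refang()` before pasting them into the `dynamic([...])` list, otherwise `has_any` will silently match nothing for those entries.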
Scenario: Legitimate System Update via Chocolatey
Description: A system update is being installed using Chocolatey, which may include packages with names similar to known malicious IOCs.
Filter/Exclusion: Check for process.name containing choco or chocolatey and exclude any package installation events related to known trusted packages (e.g., 7zip, nginx, git).
Scenario: Scheduled Job for Log Rotation
Description: A scheduled task is running a log rotation script that uses a tool like logrotate or rsyslog, which may have filenames or paths that match known IOCs.
Filter/Exclusion: Filter by process.name containing logrotate or rsyslog, and exclude any events where the file path contains /var/log/ or /etc/logrotate.d/.
Scenario: Admin Task for Software Deployment
Description: An administrator is deploying a legitimate software package using a tool like PowerShell or Group Policy, which may have command-line arguments or file paths that match IOCs.
Filter/Exclusion: Filter by process.name containing powershell.exe or gpupdate.exe, and exclude any events where the command line includes known deployment tools (e.g., msiexec, setup.exe).
Scenario: Network Monitoring Tool Generating Alerts
Description: A network monitoring tool like Wireshark or tcpdump is capturing traffic and generating alerts that may be misinterpreted as malicious activity.
Filter/Exclusion: Filter by process.name containing wireshark or tcpdump, and exclude any events where the source or destination IP is known to be part of the internal network.
Scenario: Antivirus or EDR Tool Scanning for Malware