The ThreatFox: ClearFake IOCs rule detects potential adversary activity associated with the ClearFake threat group, which is known for distributing malicious software through compromised websites and phishing campaigns. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage attacks that could lead to data exfiltration or system compromise.
IOC Summary
Malware Family: ClearFake
Total IOCs: 78
IOC Types: domain
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - ClearFake
let malicious_domains = dynamic(["dkrxwehc.testpaye.xyz", "bxzyp.daneshkhanevade.xyz", "cucnczaq.testdrivepaye3.com", "oxfzzuaq.tasisathosseini.shop", "vwochim.megaparikade.com", "qqpidjr.megaparikade.com", "fcxkiekt.tasisathosseini.shop", "mjwougwp.tarikhravannovin.shop", "0dt4r35j.gavaedfagahe.xyz", "pbh3hti8.gavaedfagahe.xyz", "amrwjltv.tarikhcheravanshenasi.xyz", "onnzlkiy.shartbandi.games", "mukvsxft.sazebetonarme.xyz", "lmgz1tb4.garatequran.xyz", "fhprjdfj.sanjeshvaandazegiri.shop", "yqzbm.barnamenevisi.xyz", "maryaxdn.sanjeshravani.shop", "fpsjq82d.shartbandifootballkade.online", "bcfrgjpx.sakhtemandade.shop", "vazqhwad.sadreislam.xyz", "qilapvvt.ganuneasasi.xyz", "9zpx37x0.ganuneasasi.xyz", "ewa1b63u.fununetadris.shop", "utnoqzc.melbetkade.com", "pauheuld.questionsmotor.xyz", "everztsi.maharatmodiran.xyz", "tblrdccw.mabanishimi.xyz", "543533s9.nagshekeshi.xyz", "tawej.bankefiile.com", "fkwiyfrv.leaguejazire.com", "384njud7.enfejarkade.online", "lvegwzzz.karbordriyaziyat.xyz", "lhpahogn.karafarini.shop", "sdppicy4.shansline.com", "qelljcx.megaparikade.com", "bgfwrtgo.jam-jahani.com", "q6ewl5b2.casinokade.online", "obuultev.casinokade.online", "twmpoxnh.hugugtejarat4.xyz", "cwpjgrng.hugugtatbigi.xyz", "l9oi6rwb.bordestan.com", "wxlfp.motorbook.xyz", "idcmamvr.hugugmadanikatouzian.xyz", "1fjx0agf.zabanmemari.shop", "ldbrrvwc.hugugmadani6.xyz", "v33c66mq.zabanhaggani.shop", "iyejvhz.shansbartar.bet", "rfvxpytm.psgnewsiran.com", "lgonmiq3.zabanenglishanari.xyz", "yxjsqrqv.vanatarsim.xyz"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
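The same hunt re-implemented in Python, as an added example that is not part of the ThreatFox page or the Sentinel rule: it takes a subset of the ClearFake domains listed above, normalises query names the way resolver logs usually need (case, trailing dot) and treats a subdomain of an IOC as a hit while ignoring a query for the parent zone alone. The DNS events are constructed sample data shaped like the `DnsEvents` columns the query projects.

```python
from typing import Iterable, Optional

# Subset of the ClearFake domains from the ThreatFox list above.
MALICIOUS_DOMAINS = {
    "dkrxwehc.testpaye.xyz",
    "bxzyp.daneshkhanevade.xyz",
    "vwochim.megaparikade.com",
    "qqpidjr.megaparikade.com",
}


def normalize(name: str) -> str:
    """Lower-case the name and drop the trailing dot many resolver logs add."""
    return name.strip().lower().rstrip(".")


def matches_ioc(name: str, iocs=MALICIOUS_DOMAINS) -> Optional[str]:
    """Return the IOC that `name` equals or sits under, or None.

    Walks from the full host up through its parent zones, so
    cdn.vwochim.megaparikade.com matches vwochim.megaparikade.com,
    but a query for the parent zone testpaye.xyz alone is not a hit.
    """
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


def hunt(events: Iterable[dict]) -> list:
    """Mirror the KQL: keep matching events, newest first, tagged with the IOC."""
    hits = []
    for ev in events:
        ioc = matches_ioc(ev["Name"])
        if ioc:
            hits.append({**ev, "MatchedIOC": ioc})
    return sorted(hits, key=lambda e: e["TimeGenerated"], reverse=True)


# Constructed sample events (not real telemetry), one per edge case.
SAMPLE_EVENTS = [
    {"TimeGenerated": "2026-06-15T10:01:00Z", "Computer": "ws01", "Name": "www.example.com", "IPAddresses": "", "QueryType": "A"},
    {"TimeGenerated": "2026-06-15T10:02:00Z", "Computer": "ws02", "Name": "DKRXWEHC.testpaye.xyz.", "IPAddresses": "", "QueryType": "A"},
    {"TimeGenerated": "2026-06-15T10:03:00Z", "Computer": "ws03", "Name": "cdn.vwochim.megaparikade.com", "IPAddresses": "", "QueryType": "A"},
    {"TimeGenerated": "2026-06-15T10:04:00Z", "Computer": "ws04", "Name": "testpaye.xyz", "IPAddresses": "", "QueryType": "A"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["TimeGenerated"], hit["Computer"], hit["Name"], "->", hit["MatchedIOC"])
```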
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
Scenario: Legitimate system update using ClearFake-related tools

Description: A system update process may include tools like ClearFake as part of a vendor’s maintenance package.

Filter/Exclusion: Exclude processes initiated by a known update manager (e.g., Windows Update, Chocolatey, or WSUS) or filter by process parent ID matching a trusted update service.

Scenario: Scheduled job running ClearFake for log analysis

Description: An enterprise may use ClearFake for log parsing or data normalization as part of a scheduled job (e.g., via Task Scheduler or cron).

Filter/Exclusion: Exclude processes with a command line containing --log-mode or --analyze flags, or filter by job name matching a known internal task (e.g., LogParserJob).

Scenario: Admin task using ClearFake for forensic analysis

Description: A security analyst may use ClearFake to analyze artifacts during an investigation, such as parsing memory dumps or forensic images.

Filter/Exclusion: Exclude processes with a user context matching a security team member (e.g., [email protected]) or filter by command line arguments indicating forensic mode (e.g., --forensic).

Scenario: ClearFake used in a legitimate threat intelligence tool

Description: The tool may be part of a threat intelligence platform (e.g., ThreatIntel, Mandiant, or CrowdStrike) that uses ClearFake for IOC normalization.

Filter/Exclusion: Exclude processes running under the context of a threat intelligence tool (e.g., ThreatIntelService.exe) or filter by parent process matching a known TIP (Threat Intelligence Platform) process.

Scenario: ClearFake used in a CI/CD pipeline for artifact validation

Description: A CI